From 3b2efa41ffcdc7c9d7bfcd15bcd38c7566a2c980 Mon Sep 17 00:00:00 2001 From: Ben Bodenmiller Date: Mon, 10 Jun 2019 02:02:51 +0000 Subject: Clarify that GitLab CI token does not have write permissions --- doc/user/project/new_ci_build_permissions_model.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/doc/user/project/new_ci_build_permissions_model.md b/doc/user/project/new_ci_build_permissions_model.md index d36312c9b8d..c07c4099f22 100644 --- a/doc/user/project/new_ci_build_permissions_model.md +++ b/doc/user/project/new_ci_build_permissions_model.md @@ -28,10 +28,10 @@ The reasons to do it like that are: and maximizing security. With the new behavior, any job that is triggered by the user, is also marked -with their permissions. When a user does a `git push` or changes files through +with their read permissions. When a user does a `git push` or changes files through the web UI, a new pipeline will be usually created. This pipeline will be marked as created be the pusher (local push or via the UI) and any job created in this -pipeline will have the permissions of the pusher. +pipeline will have the read permissions of the pusher but not write permissions. This allows us to make it really easy to evaluate the access for all projects that have [Git submodules][gitsub] or are using container images that the pusher @@ -67,9 +67,10 @@ Let's consider the following scenario: ## Job token -A unique job token is generated for each job and it allows the user to +A unique job token is generated for each job and provides the user read access all projects that would be normally accessible to the user creating that -job. +job. The unique job token does not have any write permissions, but there +is a [proposal to add support](https://gitlab.com/gitlab-org/gitlab-ce/issues/18106). We try to make sure that this token doesn't leak by: -- cgit v1.2.1