Organization and Repository level access token
Feature Description
It would be nice to have a more limited access token than a user access token.
- A Repository-level access token should only be able to read/write its repository, call /repos/ API endpoints and configure repository webhooks.
- An Organization-level access token should be able to authenticate to /orgs/ endpoints and do the same things as a Repository-level access token for all the repositories inside it.
I'm a long-time GitLab user, so this is just my way of wanting its feature in Gitea. Also, Repository and Organization access tokens should have configurable scopes at creation time.
Ref: https://docs.gitlab.com/ee/security/token_overview.html
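A minimal model of the scope rules proposed above, added here as an illustration and not Gitea's own code: the token kinds, the names and the path layout are assumptions. The check matches whole path segments, so a repository token cannot reach a sibling repository whose name merely shares a prefix, a mistake a naive string-prefix check would make.

```go
package main

import (
	"fmt"
	"strings"
)

// TokenScope models the proposed token kinds (assumed design): a repository-level
// token bound to one owner/repo, or an organization-level token bound to one org.
type TokenScope struct {
	Kind  string // "repo" or "org"
	Owner string // repository owner (repo token) or organization name (org token)
	Repo  string // repository name; empty for org tokens
}

// splitPath turns "/repos/acme/app/hooks" into ["repos", "acme", "app", "hooks"].
func splitPath(p string) []string {
	return strings.Split(strings.Trim(p, "/"), "/")
}

// Allowed decides whether a token may call an API path. Comparison is per path
// segment, so a repo token for acme/app does not match /repos/acme/app-secrets.
func Allowed(t TokenScope, path string) bool {
	seg := splitPath(path)
	if len(seg) < 2 {
		return false // e.g. "/user": outside both token kinds
	}
	switch t.Kind {
	case "repo":
		// Only this repository's /repos/{owner}/{repo}/... endpoints (webhooks included).
		return seg[0] == "repos" && len(seg) >= 3 && seg[1] == t.Owner && seg[2] == t.Repo
	case "org":
		// /orgs/{org}/... plus every repository owned by the organization.
		if seg[0] == "orgs" {
			return seg[1] == t.Owner
		}
		return seg[0] == "repos" && len(seg) >= 3 && seg[1] == t.Owner
	}
	return false // unknown kind: deny by default
}

func main() {
	repoTok := TokenScope{Kind: "repo", Owner: "acme", Repo: "app"}
	orgTok := TokenScope{Kind: "org", Owner: "acme"}
	for _, p := range []string{"/repos/acme/app/hooks", "/repos/acme/app-secrets", "/orgs/acme/members", "/user"} {
		fmt.Printf("%-25s repo=%v org=%v\n", p, Allowed(repoTok, p), Allowed(orgTok, p))
	}
}
```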
I just discovered that someone already asked the same question in https://discourse.gitea.io/t/are-there-organisation-access-tokens/7082.
It seems to be the solution of #26746. A workaround based on a service account is provided in #26754.
Hello
Looks interesting. At the repository level we already have keys for applications to allow external access with an SSH key. In other cases we need HTTP access and token use. If it's possible to manage application access with SSH or a token, that would be very nice.
Thanks a lot
I think an organization-level access token could be the first target because it's similar to a user-level one.
This would make it way more secure when using ArgoCD in a Kubernetes setup. This way we could give more fine-grained access based on the orgs.
Any development on that? It would be really useful.
I think an organization-level access token could be the first target because it's similar to a user-level one.
I think it can be solved with "bot account" #13044, and reuse current user-level token mechanism. But I would name it "Role User" in this context to make it less confusing.
#13044 has already mentioned a lot of properties; here are those especially useful for the org/repo-level access problem here:
- A regular user can create Role Users
- A Role User has no password and cannot login
- The owner can create PAT for Role Users
- A Role User with "private" visibility is only visible to its owner.
Any update on this?
Any update on this?
Would be really helpful.
How can I create a Role User? I can only select public, restricted and private. In all three cases a password is required. After creating the user, it is possible to prohibit any login, but I don't see any other options.
In the source code there is a --user-type bot CLI parameter which creates a user of type UserTypeBot.
Basically I want to create a user for API read access to certain repositories. Any other access should be blocked.
Well, with the CLI I could create a bot account which did not require a password, but a unique email address was still necessary:
gitea admin user create --username test --user-type bot --email [email protected]
Update:
Creating an access token requires the CLI too, and the GUI integration is very limited or confusing right now (see https://github.com/go-gitea/gitea/issues/33469). Therefore it is difficult to manage bots and their tokens. The same applies to other user accounts, where a full log-in is necessary to manage tokens.
I would like to see a "log in as" (another user) feature for admins. This would allow modifying all settings of a user, and probably of bots too.