Hi @hcai
Granting REANA access to your GitLab repository, as mentioned on the REANA-GitLab documentation page, is used for fetching restricted images stored in your restricted GitLab project registries.
However, I assume that you are using an explicit git clone command-line call as part of your workflow steps? If yes, then the above isn’t sufficient.
Let’s assume the following reana.yaml serial workflow example with the HTTPS git clone command:
inputs:
files:
- reana.yaml
workflow:
type: serial
specification:
steps:
- environment: 'python:3.8'
kerberos: true
commands:
- git clone https://gitlab.cern.ch/johndoe/myrepo
If you have the two-factor authentication enabled for your CERN account, then the Kerberos authentication wouldn’t work (even with KRB5 git clone command) regardless of kerberos: true settings. GitLab requires to use a custom Personal Access Token (PAT), as the error message that you quoted indicated.
Have you created your PAT token on GitLab as mentioned in the GitLab PAT documenation page and have you granted it at least the read_repository scope? If yes, then the cloning should work in the following manner.
Let’s say that your GitLab PAT token value is “abcd1234”. You can store it as a custom secret with REANA:
$ reana-client secrets-add --env GITLABPAT=abcd1234
This will make it available to your workflow jobs as an environment variable called GITLABPAT.
Afterwards, the git clone command in the above example should be modified to include the new secret:
- git clone https://johndoe:$$GITLABPAT@gitlab.cern.ch/johndoe/myrepo
This change should allow the cloning of your restricted personal repositories. (Tested on the above toy example.)
Does this help to address your problem?