gitlab permission just for pulling container not anything else - security

I want to assign permission to a user just to pull gitlab's registry container and can't download raw project while even guests on gitlab can download project and pull container both, any solution?

You cannot assign/revoke granular permissions for users. User access it determined by their assigned (or inherited) role in the project and the project visibility settings.
If your project has internal or public visibility, any logged in user will be able to download the project files. To prevent users from seeing the project, you must make it private and revoke membership.
You can, however, create a project access token and assign it the read_registry scope only. Then, that token can only be used to download images from the container registry and does not provide any other access.

Related

Is there any mechanism on GitLab where user can request the access for Private Project?

I want some mechanism, which will have a way to any git user to request access for private project
I can see a way where I (owner) can add any member to the project, But I want process where developers will request the access permission and I as owner will approve that instead of adding it manually
Is there any way?
It is possible to request access to a group or project. However, the group or project must be visible to the user (must be public or internal visibility).
Requesting access must also be enabled in the group or project settings.
You cannot request access to private groups or projects because you can't see them. For private visibility groups or projects, you can only be invited by existing members. However, you can have a private project inside of a public group (or subgroup). So you could make your group public and have users request access to the group (or subgroup) rather than the project directly.
Another alternative would be to have "permission" groups that have no projects. Have these groups public so users can request access. Then share access to the private project with that group.

How to restrict project admin only to create new repository, the master branch in azure devops

Also i need to know how to make project admin to get notification when a contributor makes a pull request in azure devops.
How to restrict project admin only to create new repository, the
master branch in azure devops
It's is not possible to modify any Permissions to Project Admin by default Project Admin has all the permissions (As the name indicates he/she will be the project admin)
You will see the below error when you tried to modify the permission
Also i need to know how to make project admin to get notification when
a contributor makes a pull request in azure devops.
ProjectSetting->Notification->New Subscription->Code(git)->A pull Request is created or updated
Under the Deliver to you have the options called
Members of xxx by role
Team Preference
Custom Email address
Members of xxx Team
SOAP
You can set this to a custom email address and point the project admin email address there.

Why an external user with guest role cannot access an internal repo when it is granted to?

Why an external user with guest role cannot access an internal repo when it is granted to?
Objective
I have a problem giving permissions in gitlab. I want to have externals users with guest (role) permissions to download one internal project.
The gitlab documentation says the following:
Users with Guest role can download the project only if it is public or internal.
Externals users can only access projects to which they are explicitly granted access, thus hiding all other internal or private ones from them. Access can be granted by adding the user as member to the project or group.
Environment
I have the next configuration in gitlab:
One user created as external user named userexternal.
One internal project named internalproject.
The internalproject has userexternal as member with the guest role.
Expected behaviour
userexternal can download (clone, etc) the internalproject because he has access granted.
Actual behaviour
userexternal cannot download internalproject. The page returns a 403 error (forbidden access).
Cloning into 'internalproject'...
remote: You are not allowed to download code from this project.
fatal: unable to access 'https://userexternal:PASS#example.com/internalproject.git/': The requested URL returned error: 403
This may not apply directly to your situation, but we wanted to do something similar with a client. We created deploy keys with read only access to one project in our gitlab. Since the ssh keys are only associated to that project and not to a user, they can't touch anything else besides that repo. Mixed with the read only option, they can only pull and clone.
We wanted to keep this user separate from any other account so we created another user within our system with admin capabilities (only drawback), a random password that they won't be given, no ssh login keys, and we ticked the external user checkbox (yeah somehow you can be an external admin?).
Again, not ideal but a workaround... :(
Cheers

How to become admin for Gitlab.com project?

I'm trying to get to the admin area so I can set the time-to-live for the gitlab container registry token. However, I don't see where that's available to me. I am the sole owner and creator of the project after I signed up for a Gitlab account and clicked to create a new project. My problem is similar to this person:
https://forum.gitlab.com/t/where-is-the-admin-area/5936
except I'm not using Gitlab CE.
So how can I become an admin for my own project so I can change some admin settings?
You can't have access to the admin area of gitlab.com. It is a private instance of Gitlab Enterprise Edition, belonging to Gitlab. They do allow anyone to have unlimited access (any number of public or private repositories as well as groups etc) but you can't be an admin.
Being an admin would mean you could see anyone's projects or delete them etc. That's not reasonable...

GitHub access token with read-only access to private repositories

I have a project with a Node dependency on a private Git repository. I need to be able to run npm install without being prompted to enter a password or allow an SSH connection, so I'm using an access token that I created on GitHub in my package.json:
"dependencies": {
"sass-theme": "git+https://[token]:x-oauth-basic#github.com/MyOrg/sass-theme.git#v1.0.2",
"node-sass": "^4.5.0"
}
This project is shared with dozens of other people, so obviously I don't want to keep my token in source control. I know I can create a read-only deployment key on GitHub, but I believe that would require other developers to import the SSH key to build the project locally.
Is it possible to create an access token that can be shared but that has read-only access to clone the repository?
The most straightforward way I can think of to create a token that provides read-only access to a private repo is to:
Have a user who has read-only access to the given private repo
(and ideally, not much else)
As that user create a Personal Access Token with the "repo" scope
It would be best if they didn't have access to other orgs/repos, since the "repo" scope grants the user total control over any repos that user has write access to.
I know in an Enterprise solution we would do that with a System ID, but on GitHub you can instead create a Machine User.
Deploy keys are the way to go. By default they don't allow write access and they are scoped to the specific repository (unlike the GitHub personal access token). So you can now generate a private/public key pair, set one as read/pull only deploy key on a single repository in GitHub and use the private key in your CI.
For instance run a bash script:
eval "$(ssh-agent -s)";
ssh-add <your private deploy key>;
Now your CI has rights to access private repo's during the build.
You can add a Deploy key by going to your repository on Github and then clicking Settings > Deploy keys > Add deploy key
If you think it's a bad idea to put your credentials in your source code (as you should!) then you have few options:
Keep it hosted in a private GitHub repo but add those dozens of other people as collaborators to this repo (with read only access).
Keep it hosted in a private GitHub repo but owned as an organization and add those people to the organization.
Publish it as a private npm module.
Publish it in a private npm registry.
Include the dependency in the source code of the program that needs it.
The last one is basically like including the node_modules in the original code that uses that module so of course it's not pretty. Hosting your own npm registry is not trivial but you can automate adding users that way. Publishing private npm module is not free. Maintaining an organization full of people who should be able to access your repo is annoying.
Keep in mind one thing: if you share your credentials with more than one person, expect everyone to eventually have access to it, it's just a matter of time. The credentials could have a limited scope, it can be a read only deploy key or a machine user with restricted access, but if it is distributed it will leak eventually as it always does, especially when you share it with dozens of people. It's much better to keep a list of people who can access the code, and you can automate keeping that list up to date using the GitHub API.
I would never recommend distributing credentials in the source code of the project, no matter how limited access those credentials provide.
It's ugly that there are no scope for Read-only access to private repo.
What I suggest is to create a new token even with read/write as a Temporary token. Then pull/fetch the changes and delete the Token directly.
Apparently, GitHub has heard you and added a new beta feature called "Fine-Grained Tokens"!
https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/
"Create a fine-grained, repository-scoped token suitable for personal API use and for using Git over HTTPS"
Go to setting/developer settings/Personal Access Tokens/Fine grained token

Resources