The .gitlab-ci.yml configuration file should not be exposed to any user with the "developer" role, since it might grant unwanted access to variables and infrastructure, or make different kinds of exploitative behaviour or simply unwanted changes possible.
Therefore, following https://gitlab.com/secure-ci-config-poc/ci-configs, I made projects and pipelines; but if the user who pushes doesn't have Reporter, Developer or other higher permissions on the ci-configs project, which contains all the configurations, the pipeline fails:
Found errors in your .gitlab-ci.yml:
Project `root/ci-configs` not found or access denied!
Now, how can I fix this error, so that developers can run pipelines but cannot access the configuration files and .gitlab-ci.yml files?
Thanks All
You cannot stop users from reading the configuration. A user triggering a pipeline must have at least read access to the CI yaml file. However, secrets should never be stored in the YAML file, so read access should generally not be problematic.
You can prevent write access, but users triggering pipelines must be able to read all the configuration files. That is really the primary goal in securing your CI configurations -- preventing execution of malicious changes to the CI configuration.
if the user who pushes doesn't have Reporter, Developer or other higher permissions on the ci-configs project, which contains all the configurations, the pipeline fails
The configuration project should have either public or internal visibility to avoid this problem, as described in the GitLab documentation:
If the configuration file is in a separate project, you can set more granular permissions. For example:
Create a public project to host the configuration file.
Give write permissions on the project only to users who are allowed to edit the file.
Then other users and projects can access the configuration file without being able to edit it.
(emphasis added)
If you absolutely needed the project to be set to private visibility, you might consider granting developer access, but creating protected branch rules that require maintainer access or higher to push changes.
Additional considerations
Even if you prevent access to writing changes to the CI configuration file, if the CI configuration executes any code written in the repository (say, for example running unit tests) then you really haven't solved any problems. Consider, for example, that malicious code can be embedded in test code!
It is possible to have a CI configuration that does not execute user code, but it's something you need to consider. If you need CI configurations to execute user-provided code (like running tests) then it's likely not very advantageous to protect your CI configuration in this way as a matter of securing your environment/variables.
Related
We are using includes from project B within project A within the .gitlab-ci.yml as follows:
include:
  - project: pathto/projectb
    file:
      - "/pathto/myfile.yml"
which works well when the user has access rights to both projects but breaks with a linting error when the user has only access rights for project A:
Found errors in your .gitlab-ci.yml:
Project `pathto/projectb` not found or access denied! Make sure any includes in the pipeline configuration are correctly defined.
Now the problem is that we want to use the include (and pipeline to succeed) also when the user who starts the pipeline has only access rights to project A.
Are there any ways to achieve this?
Background: Project B holds some general CI files and the user is an external developer and should have limited access only.
Thanks in advance!
No, for an include: from a project to work, the user that triggers the pipeline must have at least read access to the referenced CI YAML files.
You must either (1) make Project B have internal or public visibility or (2) provide membership access to users who trigger pipelines using includes in the project.
There may be ways you can separate the yaml files from Project B (like publishing them elsewhere), but in all cases, users can (must be able to) read all includable files.
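Both answers above come down to one rule: resolving `include: project:` is a repository read performed as the user who triggered the pipeline, and the only write-side control that matters is who can push to the branch or tag the include follows. The script below is an added example, not part of either post or of GitLab itself. It runs the same read from a developer's machine, with whatever git credentials that developer has, so it fails in exactly the cases that produce "Project ... not found or access denied!", and it also checks the ref and the file. The repository URL, ref and file path are assumed inputs; the exit codes are this script's own convention.

```shell
#!/bin/sh
# Pre-flight check for an `include: project:` entry (added example; not code
# from the original posts or from GitLab). Assumed arguments: a repository URL
# or local path, a branch or tag name, and the repo-relative file path
# (for example /pathto/myfile.yml, as written in a GitLab include).
set -u
export GIT_TERMINAL_PROMPT=0   # fail instead of hanging on a password prompt

# check_include <repo> <ref> <file>
# returns 0 = readable, 2 = repository not readable, 3 = ref missing,
#         4 = file missing at that ref   (this script's own convention)
check_include() {
  repo=$1; ref=$2; file=${3#/}   # GitLab include paths may start with '/'; git paths do not
  # 1. Can this identity read the repository at all? This is the check behind
  #    "not found or access denied": a private project and no membership of
  #    at least Reporter (or a public/internal project would always pass here).
  refs=$(git ls-remote --quiet "$repo" 2>/dev/null) || {
    echo "ACCESS DENIED: cannot read $repo (private project, not a member, or wrong path)" >&2
    return 2
  }
  # 2. Does the ref exist, and is it a tag or a branch? Exact match on the
  #    second column of ls-remote output (refs/tags/... or refs/heads/...).
  if printf '%s\n' "$refs" | awk -v want="refs/tags/$ref" '$2 == want { f = 1 } END { exit !f }'; then
    kind=tag
  elif printf '%s\n' "$refs" | awk -v want="refs/heads/$ref" '$2 == want { f = 1 } END { exit !f }'; then
    kind=branch
  else
    echo "REF MISSING: '$ref' is not a branch or tag of $repo" >&2
    return 3
  fi
  # 3. Is the file present at that ref? git archive --remote reads it through
  #    the same access path without making a local clone.
  git archive --remote="$repo" "$ref" "$file" >/dev/null 2>&1 || {
    echo "FILE MISSING: $file does not exist at $ref in $repo" >&2
    return 4
  }
  # An include that follows a branch is only as trustworthy as that branch's
  # push rules: protect it (Maintainer-only push) in the config project, or
  # pin a tag instead. Either way the triggering user still needs read access.
  [ "$kind" = branch ] && echo "note: $ref is a branch; the included file can change under you" >&2
  return 0
}

# usage (assumed URL): check_include https://gitlab.example.com/pathto/projectb.git main /pathto/myfile.yml
```

Run it as the same user whose pipelines fail: if step 1 fails, no change to the consuming project's .gitlab-ci.yml will help, and the fix is the one given above (make the config project internal or public, or add the user with at least Reporter); if step 1 passes but the pipeline still fails, the runner or the GitLab instance is using a different identity than your workstation.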
I'm trying to set up GitLab CI/CD for an old client-side project that makes use of Grunt (https://github.com/yeoman/generator-angular).
Up to now the deployment worked like this:
run '$ grunt build' locally, which built the project and created files in a 'dist' folder in the root of the project
commit changes
changes pulled onto production server
After creating the .gitlab-ci.yml and making a commit, the GitLab CI/CD job passes, but the files in the 'dist' folder in the repository are not updated. If I define an artifact, I will get the changed files in the download. However, I would prefer the files in the 'dist' folder in the repository to be updated so we can carry on with the same workflow, which suits us. Is this achievable?
I don't think committing into your repo inside a pipeline is a good idea. Version control wouldn't be as clear; some people have an automatic pipeline trigger when their repo is pushed, and that'd trigger a loop of pipelines.
Instead, you might reorganize your environment to use Docker; there are numerous reasons for using Docker in professional and development environments. To name just a few: that'd enable you to save the freshly built project into a registry and reuse it whenever needed, right with the version you require and with the desired /dist inside. So that you can easily run it in multiple places, scale it, manage it etc.
If you changed to Docker you wouldn't actually have to do a thing in order to have the dist persistent, just push the image to the registry after the build is done.
But to actually answer your question:
There is a feature request that has been open for a very long time for the same problem you asked about: here. Currently there is no safe and professional way to do it, as GitLab members state. Although you can push back changes, as one of the GitLab members suggested (Kamil Trzciński):
git push http://gitlab.com/group/project.git HEAD:my-branch
Just put it in your script section inside gitlab-ci file.
There are more hacky methods presented there, but be sure to acknowledge the risks that come with them (pipelines are more error-prone and, if configured in a wrong way, they might for example publish some confidential information or trigger an infinite pipeline loop, to name a few).
I hope you found this useful.
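The two risks named in that answer, the pipeline loop and leaking credentials, are both avoidable if you do decide to push build output back. The following is an added example, not code from the answer or from GitLab: a function you would call from a job's `script:` section. It assumes a build output directory (`dist`), a bot identity for the commits, and a write-capable token in the masked CI variables `PUSH_USER`/`PUSH_TOKEN` (a project access token or deploy token with `write_repository`; the job's own `CI_JOB_TOKEN` cannot push). The loop is cut three ways: the job refuses to act on a commit the bot itself made, the commit message carries `[skip ci]`, and the push sends the `ci.skip` push option (honoured by GitLab 11.7 and later). The token is never placed in the remote URL, where it would show up in `git remote -v`, shell traces and error messages.

```shell
#!/bin/sh
# Push build output back to the repository from a CI job (added example, not
# from the original posts). Assumed: ./dist holds the build output, PUSH_USER
# and PUSH_TOKEN are masked CI variables holding a token that may push to the
# target branch, and the bot identity below is reserved for CI commits.
set -eu
export GIT_TERMINAL_PROMPT=0          # never hang waiting for a password

BOT_NAME="ci-bot"                     # assumed identity used only by CI
BOT_EMAIL="ci-bot@example.invalid"

# push_build_output <repo-dir> <remote-url> <branch> <path>
# returns 0 = pushed, 10 = nothing to do (bot-triggered run or no changes)
push_build_output() {
  dir=$1; remote=$2; branch=$3; path=$4
  # Guard 1: if HEAD was committed by the bot, this run was triggered by our
  # own push (e.g. ci.skip was not honoured). Stop here instead of looping.
  if [ "$(git -C "$dir" log -1 --format=%ae)" = "$BOT_EMAIL" ]; then
    echo "skip: HEAD was committed by $BOT_EMAIL"
    return 10
  fi
  git -C "$dir" add -A -- "$path"
  # Guard 2: no change in the output directory means no commit and no push.
  if git -C "$dir" diff --cached --quiet -- "$path"; then
    echo "skip: $path is unchanged"
    return 10
  fi
  # Commit as the bot; [skip ci] is a second signal to GitLab not to run.
  git -C "$dir" -c user.name="$BOT_NAME" -c user.email="$BOT_EMAIL" \
      commit -q -m "ci: update $path [skip ci]"
  # Guard 3: the push option tells GitLab not to create a pipeline for this
  # push. Credentials come from a one-off credential helper reading the
  # (exported) CI variables, so the token is never part of the URL or the
  # remote configuration. For a local/file remote the helper is never called.
  git -C "$dir" \
      -c credential.helper='!f() { printf "username=%s\npassword=%s\n" "$PUSH_USER" "$PUSH_TOKEN"; }; f' \
      push -q -o ci.skip "$remote" "HEAD:$branch"
}

# usage inside a job's script: section (assumed URL)
# push_build_output "$CI_PROJECT_DIR" "https://gitlab.example.com/group/project.git" "$CI_COMMIT_BRANCH" dist
```

If the target branch is protected, the token's bot user must be allowed to push to it, which is a deliberate decision: it means anyone who can get code executed in this job (including via test code, as discussed earlier on this page) can commit to that branch as the bot.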
I have GitLab Omnibus, version 8.0.4, installed on a private server. We need to remove the access right for Reporter to read/pull/download code,
so we don't want a Reporter to view the source code.
I think it can be done through editing some file on the server, right?
how can we do it?
Reporter always has read access to files, issues and merge requests. This cannot be altered (and we do not recommend modifying source files since it makes upgrades more difficult).
My suggestion is to create a separate project with only the issue tracker enabled and add the user as a reporter there. Keep the project with source code private.
Danger section ;)
If you really want to modify the code, look in app/models/ability.rb. In the project_report_rules method remove the rights you do not wish 'reporter' to have.
We are running CRM in an enterprise-style environment, with 4 environments that changes need to propagate through before entering production. We are also dealing with a very large dynamic dataset and complex logic implemented in SQL Server working from this dataset, alongside the CRM components.
Our environments are as follows:
Development
Test
Staging
Production
To facilitate development, testing, etc., we restore our dataset and CRM from Production back to the various environments as needed; in Development we restore very frequently (usually nightly).
One of the challenges we have encountered with this is that when restoring the CRM tenant automatically using the PowerShell tools, we need an accurate UserMap XML file available which contains all the users existing in our production environment. Currently, whenever a new user is added to production, our automated restore fails and we have to manually update the file.
In looking to automate file creation, I was unable to find the answer to the following question: does the UserMap.xml file need to also include disabled users?
To resolve this we produced a new UserMap.xml file from the production environment and manually checked to confirm that in fact disabled users ARE included in the UserMap.xml file.
I have a team that will be using CruiseControl for continuous integration, and CC will be running on a Linux server. More than one team member may need to access the CC configuration itself: changing how tests are run, changing notification rules, etc.
What is the best practice for this?
My first thought was to set up a cc-users group, then make a shared directory somewhere (such as /usr/local, I suppose, or a new directory like /projects), where the directory has r/w for the group.
Am I missing any complications with this plan? Obviously, I've never been in charge of such a project before, otherwise I wouldn't ask such a question.
FWIW, my intention is to have all the cc configuration files under mercurial so we can roll back in case of breakage.
I have version-controlled the whole of the CruiseControl configuration, along with the project-specific config files underneath it. This way, the write access can be controlled per requirement, using your source control tool's access control method (in our case Subversion), thus providing tracking as well. Whoever needs to make a change can check out the file config.xml in their own workspace, make their changes and then commit. You may want to consider the same approach.
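For the shared-directory part of the plan, here is an added example (not from the question or the answer) of setting the directory up and checking that it actually has the permissions you intend. It assumes the group is called cc-users, the directory is /projects/cc, and the account CruiseControl runs as is a member of that group. Two details are easy to get wrong: the setgid bit, without which files created by one member belong to that member's primary group and may not be writable by the others, and the "other" bits, which should be cleared because config.xml can hold notification credentials. Keep in mind that whoever can write config.xml controls what the CI server runs, so membership of this group is effectively shell access on that host; the version-control history suggested above is how you find out who changed what.

```shell
#!/bin/sh
# Shared, group-writable configuration directory for a CI server (added
# example; not from the original thread). Assumed names: group cc-users,
# directory /projects/cc. Members should use `umask 002` or `umask 007` so
# files they create are group-writable.
set -u

# setup_shared_dir <dir> <group>
# Creates the directory, hands it to the group, and sets mode 2770:
# owner and group rwx, setgid so new files inherit the group, nothing for others.
setup_shared_dir() {
  dir=$1; group=$2
  mkdir -p "$dir"
  chgrp "$group" "$dir"
  chmod 2770 "$dir"
}

# check_shared_dir <dir> <group>
# returns 0 if the directory is as intended; 1..4 identify what is wrong
# (this script's own convention). Uses `ls -ld` so it works without GNU stat.
check_shared_dir() {
  dir=$1; group=$2
  [ -d "$dir" ] || { echo "FAIL: $dir is not a directory" >&2; return 1; }
  set -- $(ls -ld "$dir")            # $1 = mode string, $4 = group name
  mode=${1%[+.]}                     # drop a trailing ACL '+' or SELinux '.'
  owner_group=$4
  [ "$owner_group" = "$group" ] || {
    echo "FAIL: group is $owner_group, want $group" >&2; return 2; }
  [ -g "$dir" ] || {
    echo "FAIL: setgid bit missing; new files will not inherit $group" >&2; return 3; }
  case $mode in
    *---) ;;                         # last three characters: no access for others
    *) echo "FAIL: others have access ($mode)" >&2; return 4 ;;
  esac
  return 0
}

# usage (as root, after `groupadd cc-users` and adding the members):
# setup_shared_dir /projects/cc cc-users && check_shared_dir /projects/cc cc-users
```

Run the check from a cron job or from the post-commit hook of the repository that holds the configuration, so a member who "fixes" a permission problem with chmod 777 is caught the same day rather than at the next audit.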