I am using Gitlab CE 9.0 . Please tell me how to restrict a external guest user from download/clone an internal repository
Thanks !
According to the gitlab documentation "On public and internal projects, all users are able to perform this action".
In other words, guest users have permission to download (i.e. clone) projects they have access to.
First of all: keep your GitLab up-to-date. 9.0 is over a year old; you will be missing a lot of security updates.
GitLab CE User permissions table:
Second: Guests can access public and internal repositories, but not private ones. So you can set the project to private.
Third: You can flag the external users to be external in the Access tab when editing the user:
External users cannot see internal or private projects unless access is explicitly granted. Also, external users cannot create projects or groups.
Related
I want to assign permission to a user just to pull gitlab's registry container and can't download raw project while even guests on gitlab can download project and pull container both, any solution?
You cannot assign/revoke granular permissions for users. User access it determined by their assigned (or inherited) role in the project and the project visibility settings.
If your project has internal or public visibility, any logged in user will be able to download the project files. To prevent users from seeing the project, you must make it private and revoke membership.
You can, however, create a project access token and assign it the read_registry scope only. Then, that token can only be used to download images from the container registry and does not provide any other access.
We have an issue. User is in the Contributors group of the VSTS project. Able to view dashboard and work items. Unable to view Repos. Need help. Any suggestions?
User needed an MSDN license to use Visual Studio in addition to being in the correct group of the VSTS project. Trial license was not good enough.
According to your description, highly doubt those users only have Stakeholder access level.
People with Stakeholder access level could not commit their work on branch and unable to view repos.
Assign Stakeholder access to those users who need to enter bugs,
view backlogs, boards, charts, and dashboards, but who don't buy basic access. Stakeholders can also view releases and manage release
approvals. Stakeholder access is free.
Source Link: About access levels
See Stakeholder access for details of features available to stakeholders.
The user should have either Basic access or Visual Studio subscription which include code feature.
Moreover, if it's still not able to see any other projects after giving them those access. There is another concept called Permissions in Azure DevOps. Double check the permission for Contributor group.
Also make sure you have not add them to any other project team group expect the contribute group.
Once deny the Read permission for repos level, user will not be able to see the repos.
Read
Can read the contents of a file or folder. If a user has Read
permissions for a folder, the user can see the contents of the folder
and the properties of the files in it, even if the user does not have
permission to open the files.
Why an external user with guest role cannot access an internal repo when it is granted to?
Objective
I have a problem giving permissions in gitlab. I want to have externals users with guest (role) permissions to download one internal project.
The gitlab documentation says the following:
Users with Guest role can download the project only if it is public or internal.
Externals users can only access projects to which they are explicitly granted access, thus hiding all other internal or private ones from them. Access can be granted by adding the user as member to the project or group.
Environment
I have the next configuration in gitlab:
One user created as external user named userexternal.
One internal project named internalproject.
The internalproject has userexternal as member with the guest role.
Expected behaviour
userexternal can download (clone, etc) the internalproject because he has access granted.
Actual behaviour
userexternal cannot download internalproject. The page returns a 403 error (forbidden access).
Cloning into 'internalproject'...
remote: You are not allowed to download code from this project.
fatal: unable to access 'https://userexternal:PASS#example.com/internalproject.git/': The requested URL returned error: 403
This may not apply directly to your situation, but we wanted to do something similar with a client. We created deploy keys with read only access to one project in our gitlab. Since the ssh keys are only associated to that project and not to a user, they can't touch anything else besides that repo. Mixed with the read only option, they can only pull and clone.
We wanted to keep this user separate from any other account so we created another user within our system with admin capabilities (only drawback), a random password that they won't be given, no ssh login keys, and we ticked the external user checkbox (yeah somehow you can be an external admin?).
Again, not ideal but a workaround... :(
Cheers
I'm trying to get to the admin area so I can set the time-to-live for the gitlab container registry token. However, I don't see where that's available to me. I am the sole owner and creator of the project after I signed up for a Gitlab account and clicked to create a new project. My problem is similar to this person:
https://forum.gitlab.com/t/where-is-the-admin-area/5936
except I'm not using Gitlab CE.
So how can I become an admin for my own project so I can change some admin settings?
You can't have access to the admin area of gitlab.com. It is a private instance of Gitlab Enterprise Edition, belonging to Gitlab. They do allow anyone to have unlimited access (any number of public or private repositories as well as groups etc) but you can't be an admin.
Being an admin would mean you could see anyone's projects or delete them etc. That's not reasonable...
I have a project which our research lab is working, but only a few members can have access to the codes. We are using Git and BitBucket, but we want to use the server lab as our main repository. I have the following constraints:
We don't have admin rights;
Only a few members can have access to the files;
Every lab member already has its own login in the server.
How can I make this work?
I was thinking to ask the admin to add a group in the server, which would have read/write rights in our Git repository folder. Does it work? Is there a better way to manage these Git repositories with these constraints?
In addition to what Borealid wrote in his answer, you could also use gitolite. It allows you to have much more fine-grained access control (e.g. you can prevent users from deleting your repositories or prevent (some of) them from pushing to certain branches). It doesn't require root access.
Having a POSIX group which is granted access to the repository directory is a fine way to do things.
Just be aware that you have to trust the other group members - they could delete the directory entirely, without using the git client.