Best practice for verifying a GitLab user? - gitlab

Given I have a existing project and I want to add an external GitLab user to the project.
The user can enter his/her GitLab username (and additional fields if needed) in a UI.
What is the best practice to verify that the user is valid and that the user is the real owner of the entered account over the GitLab API?
This should also support external login methods (GitHub, ...).

Related

Private project access token in GITLAB

I am developing a utility where I need to validate the user by taking username and validate it with a specific gitlab private repository members. If the user exists in that repository members then only the executable will run. As this utility will be used by many users,I do not want to use my personal access token.
I am new to Gitlab, would be great help if you can show possible options here.

JHipster "anonymoususer" login

I generated a monolithic application using JHipster and it has by default generated some users for me (admin,system,user and anonymoususer) "anonymoususer". I tried to log in with anonymoususer but I can't because I don't have the password. Can anyone tell me the purpose of this user?
By default, JHipster comes with 4 different users:
“system”, who is mainly used by our audit logs, when something is done automatically
“anonymousUser”, who is given to anonymous users when they do an action
“user”, who is a normal user with “ROLE_USER” authorization. His default password is “user”
“admin”, who is an admin user with “ROLE_USER” and “ROLE_ADMIN” authorizations. His default password is “admin”
https://www.jhipster.tech/security/

Custom Users when using Jenkins Google Login Plugin

I am attempting to our company's Jenkins from the Jenkins user database + matrix based security to using Google Login Plugin and Role based strategy plugin to give us better control of our user accounts.
With this new set up I am wondering how I could go about creating a designated user which is used by scripts which trigger Jenkins jobs remotely. I would like to do this without having to add a user to our company's GSuite account as this costs a few $ per month. Before the switch to Google Login I could just create a user manually in the Jenkins user database and take the API token from there but since switching to Google Login there is no option to add a user (which makes sense given than the users are managed by Google now). At the moment it seems like I have to choose from:
Use the old approach and forget about authenticating through google. This is not a great result as we want to minimize the number of user accounts we have to set up for new people joining the company to overhead of onboarding.
Use Google Login Plugin and create a new dedicated "Jenkins" user in GSuite for these scripting / requirements. This costs money.
Use an existing users API Token to avoid the cost of a new Google User in our GSuite account. This seems like bad practice which I'll regret at some point.
Is there a workaround which doesn't require a designated GSuite user or repurposing an existing Google users credentials just for this purpose?
I did a similar research a while ago and it seems like there is no way to do so right now.
However, I'm using SAML plugin with GSuite instead of Google Login Plugin, but from Jenkins security perspective I assume they work in the same way.
When you're using such plugin, Jenkins creates a securityRealm in its config. In my case it is:
<securityRealm class="org.jenkinsci.plugins.saml.SamlSecurityRealm" plugin="saml#1.0.7">
Therefore, to have SAML and Jenkins security matrix work simultaneously, you have to have several security realms.
Here is a ticket, which describes this issue, but it's still open
Regards!
I was also looking at how to trigger builds remotely when using the Google Login Plugin.
I ended up using the "Build Token Root Plugin" which solved this problem, without any need to create a dedicated user for this.
This plugin offers an alternate URI pattern which is not subject to the usual overall or job read permissions. Just issue an Http GET or POST to buildByToken/build?job=NAME&token=SECRET. This URI is accessible to anonymous users regardless of security setup, so you only need the right token.
https://wiki.jenkins.io/display/JENKINS/Build+Token+Root+Plugin

gitlab signup users without email confirmation

I want to setup a gitlab instance for internal use. Since the instance can only be reached over a local network I haven't setup the email setup. Unfortunately gitlab still wants to sent new users confirmation emails with a temporary password, but they never receive this email.
Is there a way to configure gitlab so that it doesn't send these confirmation mails? I already tried to set email_enabled: false in gitlab.yml but it didn't work.
Update:
It should work without me having to interfere manually in the signup process.
Admin can confirm user manually!
Login gitlab with admin account and create a new user (Mini), ignore password.
Admin area ---> users ---> edit Mini user ---> set password.
User Mini can login gitlab.
I think GitLab takes security seriously and from what I have seen so far, it looks like either your users need to confirm their accounts or an admin has to confirm manually.

Create user with SSH key, without password

My campus runs a gitlab server. I am a user, not an admin. Campus policy forbids giving LDAP access to off-campus collaborators/co-authors, but has no problem in principle with allowing such folks to have "Developer" level access to non-public repositories on an invitational basis. Is it possible to have my off-campus colleagues send me an SSH key, and have the gitlab admin create a no-login user with that key who I could then add as a "Developer" member to selected projects? If it's do-able, what's the magic process so I can pass it along to the IT support folks?
Ask your IT support team to create Gitlab account with specific permissions for those developers without LDAP account. And then simply add them to the repositories and ask them to upload ssh keys.

Resources