Should I use a dedicated user for GitLab integration? - gitlab

YouTrack supports integration with GitLab, which I would like to use.
When I create a new integration, YouTrack asks for a private token and gives me the option to navigate to my own user profile on our GitLab server to copy my token.
Does that mean that all future actions performed by YouTrack will be performed with my user account? Should I create a separate user for YouTrack?

It does mean that all future actions are performed with this user, but all those actions are read-only. The only modifying action is that if you delete/disable the integration, YouTrack will delete a web hook that it registers in GitLab.

Related

Is There a Way to clone a B2C User Flow?

We're in the process of implementing AD B2C as our sso and will have to go through multiple versions of user flows during testing. They will be used for different environments and some in parallel in testing so we won't be able simply change existing versions. We'd like to establish a base flow for our sign in and our multiple sign ups as starting points that we could then clone when we create a new version. Is there any way to clone an existing User Flow either directly or by download/upload to a new flow? I know we could do something similar with custom policies but we've made the decision to stick with user flows.
Thanks!
User flows cannot be cloned as user flows, but you can download their source code and clone them as custom policies. User flows are custom policies anyways. You can download their source code from the Azure Portal as shown in the following picture.
You can opt to append the base policies code to the user flow code using the following API call. Please keep in mind this API is not publicly supported and only provided AS IS:
GET https://main.b2cadmin.ext.azure.com/api/trustframework/GetAsXml?sendAsAttachment=true&tenantId=<TENANT NAME>.onmicrosoft.com&policyId=<USER FLOW ID>&getBasePolicies=true
You will need an access token for scope https://management.core.windows.net/user_impersonation
Let me know if you need additional help!

GitLab Account Pending approval from administrator

Your account is pending approval from your GitLab administrator and hence blocked. Please contact your GitLab administrator if you think this is an error
Well, as the message states, you have created an account on a self-hosted GitLab instance.
The administrators of that instance have configured it so that they have to manually approve every account that is created. This is usually to prevent spam and exploitation of a publicly reachable instance.
When this setting is enabled, any user visiting your GitLab domain and signing up for a new account using the registration form must be explicitly approved by an administrator before they can start using their account. In GitLab 13.6 and later, this setting is enabled by default for new GitLab instances. It is only applicable if sign ups are enabled.
- gitlab docs; link
The first time you access your self-hosted GitLab it asks you to set up a password. Then you can access using user root and the password you set up. Hope it helps!
I just ran into the same problem (Vbox, VM; self-managed GitLab on my VM's static IP).
I remembered installing with export GITLAB_HOME=/srv/gitlab
sudo more /srv/gitlab/initial_root_password
in that file is a long password which I used along with root as the user.

How do I deploy my Gatsby site to Azure when new Prismic content is published?

My current workflow sucks! It's due to inexperience with static site generators. I have a site built with Gatsby. The content is sourced from the Prismic headless CMS. I deploy to Azure Static Web Apps via command line Git. When I push or manually run a Github Action, the site grabs all the content from Prismic, builds and deploys. You have to first publish in Prismic, then open up Github and run the actions.
Prismic has a webhook option. You give it an API endpoint and auth credentials and whatever is at the other end gets executed when content is published. I also have an API endpoint set up in Azure but it does nothing right now but return a string when you access it.
How do I bridge the two so the site builds and redeploys whenever content is published at Prismic?
This is totally feasible (I didn't try it myself) but needs some configuration.
To do this you need to use GitHub Actions.
Using GitHub Actions requires users to add a personal access token with the repo scope. To learn more, refer to GitHub's docs.
You need to add the header key & value in your Prismic Webhooks settings such as
Note: Currently, the custom headers feature is in the testing phase and it will be released soon; check this page to follow the progress of the feature.
Also, you can check this article to get some inspiration, and it will be cool if you can share your work with the community.
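One way to bridge the two through the Azure endpoint the question mentions, as an added example that is not part of the original answer: the endpoint checks the secret Prismic sends and only then asks GitHub to start the workflow through the `repository_dispatch` API. The payload fields `type` and `secret`, the environment variable names and the event name `prismic-publish` are assumptions for illustration.

```javascript
const { createHash, timingSafeEqual } = require("node:crypto");

// Constructed sample delivery; the "type" and "secret" fields are assumed.
const SAMPLE_DELIVERY = JSON.stringify({ type: "api-update", secret: "constructed-secret" });

// Hash both values so the buffers have equal length, then compare in constant time.
function secretsMatch(received, expected) {
  const digest = (v) => createHash("sha256").update(String(v ?? "")).digest();
  return timingSafeEqual(digest(received), digest(expected));
}

// Decide what to do with one webhook delivery. Pure function: no network I/O.
function planDispatch(rawBody, env) {
  if (!env.PRISMIC_WEBHOOK_SECRET || !env.GITHUB_TOKEN || !env.GITHUB_REPO) {
    return { status: 500, reason: "bridge not configured" };
  }
  let payload;
  try {
    payload = JSON.parse(rawBody);
  } catch {
    return { status: 400, reason: "invalid JSON" };
  }
  if (payload === null || typeof payload !== "object") {
    return { status: 400, reason: "unexpected body" };
  }
  if (!secretsMatch(payload.secret, env.PRISMIC_WEBHOOK_SECRET)) {
    return { status: 401, reason: "bad webhook secret" };
  }
  if (payload.type !== "api-update") {
    return { status: 202, reason: "event ignored" };
  }
  return {
    status: 202,
    request: {
      url: `https://api.github.com/repos/${env.GITHUB_REPO}/dispatches`,
      method: "POST",
      headers: {
        Authorization: `Bearer ${env.GITHUB_TOKEN}`,
        Accept: "application/vnd.github+json",
        "Content-Type": "application/json",
      },
      // Forward only an event name, never the webhook secret or raw payload.
      body: JSON.stringify({ event_type: "prismic-publish" }),
    },
  };
}
```

The Azure function would call `fetch(plan.request.url, plan.request)` when `plan.request` is present, and the workflow would listen with `on: repository_dispatch` for the `prismic-publish` type. Keeping the personal access token in the function's settings means it never has to be entered into Prismic.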

Custom Users when using Jenkins Google Login Plugin

I am attempting to switch our company's Jenkins from the Jenkins user database + matrix based security to using Google Login Plugin and Role based strategy plugin to give us better control of our user accounts.
With this new setup I am wondering how I could go about creating a designated user which is used by scripts which trigger Jenkins jobs remotely. I would like to do this without having to add a user to our company's GSuite account as this costs a few $ per month. Before the switch to Google Login I could just create a user manually in the Jenkins user database and take the API token from there, but since switching to Google Login there is no option to add a user (which makes sense given that the users are managed by Google now). At the moment it seems like I have to choose from:
Use the old approach and forget about authenticating through Google. This is not a great result as we want to minimize the number of user accounts we have to set up for new people joining the company to reduce the overhead of onboarding.
Use Google Login Plugin and create a new dedicated "Jenkins" user in GSuite for these scripting / requirements. This costs money.
Use an existing user's API token to avoid the cost of a new Google user in our GSuite account. This seems like bad practice which I'll regret at some point.
Is there a workaround which doesn't require a designated GSuite user or repurposing an existing Google users credentials just for this purpose?
I did similar research a while ago and it seems like there is no way to do so right now.
However, I'm using the SAML plugin with GSuite instead of Google Login Plugin, but from a Jenkins security perspective I assume they work in the same way.
When you're using such a plugin, Jenkins creates a securityRealm in its config. In my case it is:
<securityRealm class="org.jenkinsci.plugins.saml.SamlSecurityRealm" plugin="saml#1.0.7">
Therefore, to have SAML and Jenkins security matrix work simultaneously, you have to have several security realms.
Here is a ticket, which describes this issue, but it's still open
Regards!
I was also looking at how to trigger builds remotely when using the Google Login Plugin.
I ended up using the "Build Token Root Plugin" which solved this problem, without any need to create a dedicated user for this.
This plugin offers an alternate URI pattern which is not subject to the usual overall or job read permissions. Just issue an HTTP GET or POST to buildByToken/build?job=NAME&token=SECRET. This URI is accessible to anonymous users regardless of security setup, so you only need the right token.
https://wiki.jenkins.io/display/JENKINS/Build+Token+Root+Plugin
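Because the token in this URI pattern is the only credential and travels in the query string, it ends up in reverse-proxy and access logs. The following added example (not from the answer or the plugin) redacts the token from `buildByToken` log lines before they are stored or forwarded and flags sources with repeated rejected attempts; the combined log format, the sample lines and the treatment of 4xx responses as failed attempts are assumptions.

```javascript
// Constructed access-log lines (combined log format, documentation IP ranges).
const SAMPLE_LOG = [
  '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "POST /buildByToken/build?job=NAME&token=SECRET HTTP/1.1" 201 0',
  '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /buildByToken/build?job=NAME&token=aaa HTTP/1.1" 403 0',
  '203.0.113.9 - - [01/Jan/2024:10:01:01 +0000] "GET /buildByToken/build?job=NAME&token=bbb HTTP/1.1" 403 0',
  '203.0.113.9 - - [01/Jan/2024:10:01:02 +0000] "GET /buildByToken/build?token=ccc&job=NAME HTTP/1.1" 403 0',
  '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /job/NAME/ HTTP/1.1" 200 512',
];

// Captures: client address, request target, response status.
const REQUEST_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})/;

function auditBuildByToken(lines, failureThreshold = 3) {
  const redacted = [];
  const failures = new Map(); // "address job" -> number of 4xx responses
  for (const line of lines) {
    const m = REQUEST_RE.exec(line);
    if (!m) continue;
    const [, address, target, status] = m;
    let url;
    try {
      url = new URL(target, "http://jenkins.invalid"); // base only used for parsing
    } catch {
      continue; // unparsable request target
    }
    if (!url.pathname.includes("/buildByToken/")) continue;
    // Keep the line for audit purposes, but never the token value itself.
    redacted.push(line.replace(/([?&]token=)[^&\s"]+/g, "$1[REDACTED]"));
    if (status.startsWith("4")) {
      const key = `${address} ${url.searchParams.get("job")}`;
      failures.set(key, (failures.get(key) || 0) + 1);
    }
  }
  const suspects = [...failures]
    .filter(([, count]) => count >= failureThreshold)
    .map(([key]) => key);
  return { redacted, suspects };
}
```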

Best practice for verifying a GitLab user?

Given I have an existing project and I want to add an external GitLab user to the project.
The user can enter his/her GitLab username (and additional fields if needed) in a UI.
What is the best practice to verify that the user is valid and that the user is the real owner of the entered account over the GitLab API?
This should also support external login methods (GitHub, ...).
