Does somebody know how I can import all members of one group into another in GitLab, rather than doing it manually one by one?
The only native feature which comes close is in lib/tasks/gitlab/bulk_add_permission.rake, which is mentioned in "User management"
# omnibus-gitlab
sudo gitlab-rake gitlab:import:all_users_to_all_groups
# installation from source
bundle exec rake gitlab:import:all_users_to_all_groups RAILS_ENV=production
You could take that as a model to develop our own task.
I am not aware of such a feature. But you can script it with the API. We use it here to add all users to one single group (all users to all groups is not feasible for our case).
Helpful documentation: http://doc.gitlab.com/ce/api/README.html, http://doc.gitlab.com/ce/api/users.html and http://doc.gitlab.com/ce/api/groups.html
There is also a respond to another question that might be helpful and lists also various modules for various programming languages: Is there a way to add users automatically into gitlab?
I was looking for a solution to Assign all Gitlab users to one particular group.
Here's the solution:
Create this file:
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/finder_import.rake
With this content:
namespace :gitlab do namespace :finder do
desc "GitLab | Add all users to group Colaboradores (admin users are added as owners)"
task importall: :environment do |t, args|
user_ids = User.where(admin: false).pluck(:id)
admin_ids = User.where(admin: true).pluck(:id)
groups = Group.where(name: "Colaboradores")
puts "Importing #{user_ids.size} users into #{groups.size} groups"
puts "Importing #{admin_ids.size} admins into #{groups.size} groups"
groups.each do |group|
puts "Importing into #{group.name}"
group.add_users(user_ids, GroupMember::DEVELOPER)
group.add_users(admin_ids, GroupMember::OWNER)
end
end
end end
Run this command:
gitlab-rake gitlab:finder:importall
Related
Original question:
I want to limit the number of users from a particular domain that can register into my Gitlab instance. I noticed that I could set a "user cap", but it wasn't specific to a domain.
For example:
I want to limit the number of users registered from these domains. 20 users from testdomain1.com and 30 users from testdomain2.com are allowed to sign up. So, if there are already 20 users registered sucessfully from testdomain1.com, new user from testdomain1.com will not be allowed to sign up.
What should I do for it?
2021.11.18 Edited:
I added a validate to the User model:
# gitlab/app/models/user.rb
class User < ApplicationRecord
# ...
validate :email_domain, :ensure_user_email_count
# ...
def email_domain
email_domain = /\#.*?$/.match(email)[0]
email_domain
end
def ensure_user_email_count
# select count(*) from users where email like '%#test.com';
if User.where("email LIKE ?", "%#{email_domain}" ).count >= 30
errors.add(email_domain, _('already has 30 registered email.'))
end
end
end
This validate can set "user cap = 30" for each domain but it's still not able to set a "User cap" for a particular domain.
Since the related issue post did not get any response yet. I'm tring to implement it by myself. And it seems like that I need to extend the UI of the Admin Settings page and add some related tables to database to set different "user cap" for different email domain.
The GitLab user cap seems to be per GitLab instance.
So if both your domains are reference the same GitLab instance, you would have only one user cap possible.
But if each of your domain redirects to one autonomous GitLab instance (per domain), then you should be able to set user cap per domain.
The OP Ann Lin has created the issue 345557 to follow that feature request.
TRhe OP reports:
A particular table is needed to store the caps.
But I don’t have enough time now to modify the UI so I found a simple way to do this:
The Allowed domains for sign-ups which called domain_allowlist in database is a text:
gitlabhq_production=# \d application_settings
...
domain_allowlist | text | | |
...
gitlabhq_production=# select domain_allowlist from >application_settings;
domain_allowlist
-------------------
--- +
- testdomain1.com+
- testdomain2.com+
(1 row)
I can modify the testdomain1.com to testdomain1.com#30 to store the user cap and use Regex to get the number 30.
I will modify the UI and add the database table later. And I’ll create a pull request on Gitlab when I’m done.
I'm starting with BDD (cucumber + capybara + selenium chromedriver) and TDD (rspec) with factory_bot and I'm getting an error on cucumber features - step_definitions.
uninitialized constant User (NameError)
With TDD, everything is ok, the factory bot is working fine. The problem is with the cucumber.
factories.rb
FactoryBot.define do
factory :user_role do
name {"Admin"}
query_name {"admin"}
end
factory :user do
id {1}
first_name {"Mary"}
last_name {"Jane"}
email {"mary_jane#gmail.com"}
password {"123"}
user_role_id {1}
created_at {'1/04/2020'}
end
end
support/env.rb
require 'capybara'
require 'capybara/cucumber'
require 'selenium-webdriver'
require 'factory_bot_rails'
Capybara.register_driver :selenium do |app|
Capybara::Selenium::Driver.new(app, browser: :chrome)
end
Capybara.configure do |config|
config.default_driver = :selenium
end
Capybara.javascript_driver = :chrome
World(FactoryBot::Syntax::Methods)
And the problem is happening here
support/hooks.rb
Before '#admin_login' do
#user = create(:user)
end
step_definitions/admin_login.rb
Given("a registered user with the email {string} with password {string} exists") do |email, password|
#user
end
I don't know why, but I can't access the user using cucumber and factory_bot.
Anybody could help me please?
I think I need to configure something on the cucumber.
What do you think guys?
First of all Luke is correct about this being a setup issue. The error is telling you that the User model cannot be found which probably means Rails is not yet loaded. I can't remember the exact details of how cucumber-rails works but one of the things it does is to make sure that each scenario becomes an extension of a Rails integration test. This ensures that all of the Rails auto-loading has taken place and that these things are available.
Secondly I'd suggest you start simpler and use a step to create your registered user rather than using a tag. Using tags for setup is a Cucumber anti-pattern.
Finally, and more controversially I'd suggest that you don't use factory-bot when cuking. FactoryBot uses a separate configuration to create model objects directly in the datastore. This bypasses any application logic around the creation of these objects, which means the objects created by FactoryBot are going to end up being different from the objects created by your application. In real life object creation involves things like auditing, sending emails, conditional logic etc. etc. To use FactoryBot you either have to duplicate that additional creation logic and behavior or ignore it (both choices are undesirable).
You can create objects for cuking much more effectively (and quicker) by using the following pattern.
Each create method in the Rails controller delegates its work to a service object e.g.
UserController
def create
#user = CreateUserService.new(params).call
end
end
Then have your cukes use a helper module to create things for you. This module will provide tools for your steps to create users, using the above service
module UserStepHelper
def create_user(params)
CreateUserService.new(default_params.merge(params))
end
def default_params
{
...
}
end
end
World UserStepHelper
Given 'there is a registered user' do
#registered_user = create_user
end
and then use that step in the background of your feature e.g.
Background:
Given there is a registered user
And I am an admin
Scenario: Admin can see registered users
When I login and view users
Then I should see a user
Notice the absence of tagging here. Its not desirable or necessary here.
You can see an extension of this approach in a sample application I did for a CukeUp talk in 2013 here https://github.com/diabolo/cuke_up/commits/master. If you follow this commit by commit starting from first commit at the bottom you will get quite a good guide to setting up a rails project with cucumber in just the first 4 or 4 commits. If you follow it through to the end (22 commits) you'll get a basic powerful framework for creating and using model objects when cuking. I realize the project is ancient and that obviously you will have to use modern versions of everything, but the principles still apply, and I use this approach in all my work and having been doing so for at least 10 years.
So if you're using rails, it's probably advised to use cucumber-rails over cucumber. This is probably an issue where your User models have not been auto-loaded in.
Cucumber auto-loads all ruby files underneath features, with env.rb first, it's almost certainly an issue with load order / load location
I'm attempting to run an LDAP filter to return all users within a group. Pretty simple, and there are hundreds of Stack Overflow questions which already provide example queries. However the one I'm using is basic, and returns nothing when run in Powershell.
What I've Tried
Get-ADUser -LDAPFilter "(&(objectclass=user)(objectcategory=person)(memberOf=CN=MyGroup,OU=Users,DC=MyDomain,DC=com))"
I've also tried "CN=Users" instead of "OU=Users
Where "MyGroup" is located in the OU:
"MyDomain" (Forest) > "Users" (OU) > "MyGroup" (CN)
Any ideas what I'm doing wrong, and why none of the 100-200 members of the "MyGroup" are being returned?
Cross-post: https://serverfault.com/q/978336/536173
TL;DR of the most upvoted answer:
Use (memberOf:1.2.840.113556.1.4.1941:=<GROUP_DN>) to query for group memberships recursively.
i have setup a parametrized job for self-service deployments in Jenkins.
Users can select a version of the application and the environment to deploy to.
The available environments displayed to the user is currently just a static list of strings (choice parameter).
Now i want to restrict deployments to some environments based on the LDAP-groups of the current user.
The user-page in jenkins displays something like:
Jenkins Benutzer Id: maku
Groups:
adm_proj_a
nexus_admin
ROLE_ADM_PROJ_XY
ROLE_BH_KK
How do i get these groups within a groovy-script?
I tried to use dynamic choice parameter (scriptler) and get the LDAP-groups using a groovy-script but did not find my way through the Jenkins-API.
Any hints welcome
User.getAuthorities() requires the caller to have the ADMINISTER permission. (http://javadoc.jenkins-ci.org/hudson/model/User.html#getAuthorities())
An alternative is to query the SecurityRealm directly.
import hudson.model.*
import jenkins.model.*
def userid = User.current().id
def auths = Jenkins.instance.securityRealm.loadUserByUsername(userid)
.authorities.collect{a -> a.authority}
if("adm_proj_a" in auths){
...
I found a solution. Just in case anybody is interested:
Within scriptler i created a script groovy-script similar to this:
import hudson.model.*
def allowed_environments = ["dev","test","test-integration"]
if ("adm_proj_a" in User.current().getAuthorities() )
{
allowed_environments.add("production")
}
return allowed_environments
This script is used by dynamic choice parameter (scriptler) within my Jenkins-Job.
Now only users within the group adm_proj_a can see production as a choice.
Like ffghfgh wrote getAuthorities method requires administrator permission.Use the following:
def auth = hudson.model.User.current().impersonate().getAuthorities().collect {it.getAuthority()}
if ("adm_proj_a" in auth){
// do something
}
Jenkins may ask admin account to approve script in "scriptApproval" section
GitLab offers the project access levels:
"Guest"
"Reporter"
"Developer"
"Master"
for "team members" co-operating with a specific project.
"Master" and "Guest" are self-explanatory, but the others aren't quite clear to me, in their extents as well as in their granularity.
What is the difference between these levels?
2013: The project_security_spec.rb test each profile capabilities, which are listed in ability.rb:
(2017 GitLab 10.x: this would be more likely in app/policies/project_policy.rb)
See also, as noted in jdhao's answer: "Project members permissions"
Those rules are quite explicit:
def public_project_rules
[
:download_code,
:fork_project,
:read_project,
:read_wiki,
:read_issue,
:read_milestone,
:read_project_snippet,
:read_team_member,
:read_merge_request,
:read_note,
:write_issue,
:write_note
]
end
def project_guest_rules
[
:read_project,
:read_wiki,
:read_issue,
:read_milestone,
:read_project_snippet,
:read_team_member,
:read_merge_request,
:read_note,
:write_project,
:write_issue,
:write_note
]
end
def project_report_rules
project_guest_rules + [
:download_code,
:fork_project,
:write_project_snippet
]
end
def project_dev_rules
project_report_rules + [
:write_merge_request,
:write_wiki,
:push_code
]
end
That means:
a reporter is a guest who can also:
download code,
fork a project,
write project snippet
a developer is a reporter who can also:
write merge request,
write wiki pages,
push code
Note: with GitLab 15.0 (May 2022):
Users with the Reporter role can manage iterations and milestones
We’ve changed the permissions necessary to create, edit, and delete milestones and iterations from the Developer to Reporter role.
This change better reflects the typical day-to-day Reporter responsibilities of managing and tracking planning timeboxes.
See Documentation and Issue.
These days, the access levels are well documented here: http://doc.gitlab.com/ce/permissions/permissions.html
This page from the gitlab official site shows the permissions for different levels of participants in the project.