Commit 98ee5d63 authored by Jose Ivan Vargas's avatar Jose Ivan Vargas

Merge branch 'russell/improve-external-auth-ui-text' into 'master'

Improve UI text of external authentication

See merge request gitlab-org/gitlab!75822
parents 60dc5d2c 2fb0a9fa
...@@ -144,36 +144,39 @@ module ApplicationSettingsHelper ...@@ -144,36 +144,39 @@ module ApplicationSettingsHelper
end end
def external_authorization_description def external_authorization_description
_("If enabled, access to projects will be validated on an external service"\ s_("ExternalAuthorization|Access to projects is validated on an external service"\
" using their classification label.") " using their classification label.")
end end
def external_authorization_timeout_help_text def external_authorization_timeout_help_text
_("Time in seconds GitLab will wait for a response from the external "\ s_("ExternalAuthorization|Period GitLab waits for a response from the external "\
"service. When the service does not respond in time, access will be "\ "service. If there is no response, access is denied. Default: 0.5 seconds.")
"denied.")
end end
def external_authorization_url_help_text def external_authorization_url_help_text
_("When leaving the URL blank, classification labels can still be "\ s_("ExternalAuthorization|URL to which the projects make authorization requests. If the URL is blank, cross-project "\
"specified without disabling cross project features or performing "\ "features are available and can still specify classification "\
"external authorization checks.") "labels for projects.")
end end
def external_authorization_client_certificate_help_text def external_authorization_client_certificate_help_text
_("The X509 Certificate to use when mutual TLS is required to communicate "\ s_("ExternalAuthorization|Certificate used to authenticate with the external authorization service. "\
"with the external authorization service. If left blank, the server "\ "If blank, the server certificate is validated when accessing over HTTPS.")
"certificate is still validated when accessing over HTTPS.")
end end
def external_authorization_client_key_help_text def external_authorization_client_key_help_text
_("The private key to use when a client certificate is provided. This value "\ s_("ExternalAuthorization|Private key of client authentication certificate. "\
"is encrypted at rest.") "Encrypted when stored.")
end end
def external_authorization_client_pass_help_text def external_authorization_client_pass_help_text
_("The passphrase required to decrypt the private key. This is optional "\ s_("ExternalAuthorization|Passphrase required to decrypt the private key. "\
"and the value is encrypted at rest.") "Encrypted when stored.")
end
def external_authorization_client_url_help_text
s_("ExternalAuthorization|Classification label to use when requesting authorization if no specific "\
" label is defined on the project.")
end end
def sidekiq_job_limiter_mode_help_text def sidekiq_job_limiter_mode_help_text
......
%section.settings.as-external-auth.no-animate#js-external-auth-settings{ class: ('expanded' if expanded) } %section.settings.as-external-auth.no-animate#js-external-auth-settings{ class: ('expanded' if expanded) }
.settings-header .settings-header
%h4 %h4
= _('External authentication') = s_('ExternalAuthorization|External authorization')
%button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' } %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
= expanded ? 'Collapse' : 'Expand' = expanded ? 'Collapse' : 'Expand'
%p %p
= _('External Classification Policy Authorization') = s_('ExternalAuthorization|External classification policy authorization.')
= link_to _('Learn more.'), help_page_path('user/admin_area/settings/external_authorization'), target: '_blank', rel: 'noopener noreferrer'
.settings-content .settings-content
= form_for @application_setting, url: general_admin_application_settings_path(anchor: 'js-external-auth-settings'), html: { class: 'fieldset-form', id: 'external-auth-settings' } do |f| = form_for @application_setting, url: general_admin_application_settings_path(anchor: 'js-external-auth-settings'), html: { class: 'fieldset-form', id: 'external-auth-settings' } do |f|
...@@ -16,35 +17,37 @@ ...@@ -16,35 +17,37 @@
.form-check .form-check
= f.check_box :external_authorization_service_enabled, class: 'form-check-input' = f.check_box :external_authorization_service_enabled, class: 'form-check-input'
= f.label :external_authorization_service_enabled, class: 'form-check-label' do = f.label :external_authorization_service_enabled, class: 'form-check-label' do
= _('Enable classification control using an external service') = s_('ExternalAuthorization|Enable classification control using an external service')
%span.form-text.text-muted %span.form-text.text-muted
= external_authorization_description = external_authorization_description
= link_to sprite_icon('question-o'), help_page_path('user/admin_area/settings/external_authorization')
.form-group .form-group
= f.label :external_authorization_service_url, _('Service URL'), class: 'label-bold' = f.label :external_authorization_service_url, s_('ExternalAuthorization|Service URL'), class: 'label-bold'
= f.text_field :external_authorization_service_url, class: 'form-control gl-form-input' = f.text_field :external_authorization_service_url, class: 'form-control gl-form-input'
%span.form-text.text-muted %span.form-text.text-muted
= external_authorization_url_help_text = external_authorization_url_help_text
.form-group .form-group
= f.label :external_authorization_service_timeout, _('External authorization request timeout'), class: 'label-bold' = f.label :external_authorization_service_timeout, s_('ExternalAuthorization|External authorization request timeout (seconds)'), class: 'label-bold'
= f.number_field :external_authorization_service_timeout, class: 'form-control gl-form-input', min: 0.001, max: 10, step: 0.001 = f.number_field :external_authorization_service_timeout, class: 'form-control gl-form-input', min: 0.001, max: 10, step: 0.001
%span.form-text.text-muted %span.form-text.text-muted
= external_authorization_timeout_help_text = external_authorization_timeout_help_text
= f.label :external_auth_client_cert, _('Client authentication certificate'), class: 'label-bold' .form-group
= f.label :external_auth_client_cert, s_('ExternalAuthorization|Client authorization certificate'), class: 'label-bold'
= f.text_area :external_auth_client_cert, class: 'form-control gl-form-input' = f.text_area :external_auth_client_cert, class: 'form-control gl-form-input'
%span.form-text.text-muted %span.form-text.text-muted
= external_authorization_client_certificate_help_text = external_authorization_client_certificate_help_text
.form-group .form-group
= f.label :external_auth_client_key, _('Client authentication key'), class: 'label-bold' = f.label :external_auth_client_key, s_('ExternalAuthorization|Client authorization key'), class: 'label-bold'
= f.text_area :external_auth_client_key, class: 'form-control gl-form-input' = f.text_area :external_auth_client_key, class: 'form-control gl-form-input'
%span.form-text.text-muted %span.form-text.text-muted
= external_authorization_client_key_help_text = external_authorization_client_key_help_text
.form-group .form-group
= f.label :external_auth_client_key_pass, _('Client authentication key password'), class: 'label-bold' = f.label :external_auth_client_key_pass, s_('ExternalAuthorization|Client authorization key password (optional)'), class: 'label-bold'
= f.password_field :external_auth_client_key_pass, class: 'form-control gl-form-input' = f.password_field :external_auth_client_key_pass, class: 'form-control gl-form-input'
%span.form-text.text-muted %span.form-text.text-muted
= external_authorization_client_pass_help_text = external_authorization_client_pass_help_text
.form-group .form-group
= f.label :external_authorization_service_default_label, _('Default classification label'), class: 'label-bold' = f.label :external_authorization_service_default_label, s_('ExternalAuthorization|Default classification label'), class: 'label-bold'
= f.text_field :external_authorization_service_default_label, class: 'form-control gl-form-input' = f.text_field :external_authorization_service_default_label, class: 'form-control gl-form-input'
%span.form-text.text-muted
= external_authorization_client_url_help_text
= f.submit _('Save changes'), class: "gl-button btn btn-confirm" = f.submit _('Save changes'), class: "gl-button btn btn-confirm"
...@@ -29,39 +29,13 @@ functionality that render cross-project data. That includes: ...@@ -29,39 +29,13 @@ functionality that render cross-project data. That includes:
Labels, Milestones, Merge requests). Labels, Milestones, Merge requests).
- Global and Group search are disabled. - Global and Group search are disabled.
This is to prevent performing to many requests at once to the external This is to prevent performing too many requests at once to the external
authorization service. authorization service.
Whenever access is granted or denied this is logged in a log file called Whenever access is granted or denied this is logged in a log file called
`external-policy-access-control.log`. Read more about the logs GitLab keeps in `external-policy-access-control.log`. Read more about the logs GitLab keeps in
the [Omnibus GitLab documentation](https://docs.gitlab.com/omnibus/settings/logs.html). the [Omnibus GitLab documentation](https://docs.gitlab.com/omnibus/settings/logs.html).
## Configuration
The external authorization service can be enabled by an administrator:
1. On the top bar, select **Menu > Admin**.
1. On the left sidebar, select **Settings > General**:
![Enable external authorization service](img/external_authorization_service_settings.png)
The available required properties are:
- **Service URL**: The URL to make authorization requests to. When leaving the
URL blank, cross project features remain available while still being able
to specify classification labels for projects.
- **External authorization request timeout**: The timeout after which an
authorization request is aborted. When a request times out, access is denied
to the user.
- **Client authentication certificate**: The certificate to use to authenticate
with the external authorization service.
- **Client authentication key**: Private key for the certificate when
authentication is required for the external authorization service, this is
encrypted when stored.
- **Client authentication key password**: Passphrase to use for the private key
when authenticating with the external service this is encrypted when stored.
- **Default classification label**: The classification label to use when
requesting authorization if no specific label is defined on the project
When using TLS Authentication with a self signed certificate, the CA certificate When using TLS Authentication with a self signed certificate, the CA certificate
needs to be trusted by the OpenSSL installation. When using GitLab installed needs to be trusted by the OpenSSL installation. When using GitLab installed
using Omnibus, learn to install a custom CA in the using Omnibus, learn to install a custom CA in the
...@@ -69,6 +43,16 @@ using Omnibus, learn to install a custom CA in the ...@@ -69,6 +43,16 @@ using Omnibus, learn to install a custom CA in the
Alternatively, learn where to install custom certificates by using Alternatively, learn where to install custom certificates by using
`openssl version -d`. `openssl version -d`.
## Configuration
The external authorization service can be enabled by an administrator:
1. On the top bar, select **Menu > Admin**.
1. On the left sidebar, select **Settings > General**.
1. Expand **External authorization**.
1. Complete the fields.
1. Select **Save changes**.
## How it works ## How it works
When GitLab requests access, it sends a JSON POST request to the external When GitLab requests access, it sends a JSON POST request to the external
......
...@@ -7386,15 +7386,6 @@ msgstr "" ...@@ -7386,15 +7386,6 @@ msgstr ""
msgid "Click to reveal" msgid "Click to reveal"
msgstr "" msgstr ""
msgid "Client authentication certificate"
msgstr ""
msgid "Client authentication key"
msgstr ""
msgid "Client authentication key password"
msgstr ""
msgid "Client request timeout" msgid "Client request timeout"
msgstr "" msgstr ""
...@@ -11335,9 +11326,6 @@ msgstr "" ...@@ -11335,9 +11326,6 @@ msgstr ""
msgid "Default branch protection" msgid "Default branch protection"
msgstr "" msgstr ""
msgid "Default classification label"
msgstr ""
msgid "Default delayed project deletion" msgid "Default delayed project deletion"
msgstr "" msgstr ""
...@@ -13207,9 +13195,6 @@ msgstr "" ...@@ -13207,9 +13195,6 @@ msgstr ""
msgid "Enable automatic repository housekeeping" msgid "Enable automatic repository housekeeping"
msgstr "" msgstr ""
msgid "Enable classification control using an external service"
msgstr ""
msgid "Enable container expiration and retention policies for projects created earlier than GitLab 12.7." msgid "Enable container expiration and retention policies for projects created earlier than GitLab 12.7."
msgstr "" msgstr ""
...@@ -14492,9 +14477,6 @@ msgstr "" ...@@ -14492,9 +14477,6 @@ msgstr ""
msgid "Exported requirements" msgid "Exported requirements"
msgstr "" msgstr ""
msgid "External Classification Policy Authorization"
msgstr ""
msgid "External ID" msgid "External ID"
msgstr "" msgstr ""
...@@ -14504,15 +14486,9 @@ msgstr "" ...@@ -14504,15 +14486,9 @@ msgstr ""
msgid "External User:" msgid "External User:"
msgstr "" msgstr ""
msgid "External authentication"
msgstr ""
msgid "External authorization denied access to this project" msgid "External authorization denied access to this project"
msgstr "" msgstr ""
msgid "External authorization request timeout"
msgstr ""
msgid "External storage URL" msgid "External storage URL"
msgstr "" msgstr ""
...@@ -14528,6 +14504,54 @@ msgstr "" ...@@ -14528,6 +14504,54 @@ msgstr ""
msgid "ExternalAuthorizationService|When no classification label is set the default label `%{default_label}` will be used." msgid "ExternalAuthorizationService|When no classification label is set the default label `%{default_label}` will be used."
msgstr "" msgstr ""
msgid "ExternalAuthorization|Access to projects is validated on an external service using their classification label."
msgstr ""
msgid "ExternalAuthorization|Certificate used to authenticate with the external authorization service. If blank, the server certificate is validated when accessing over HTTPS."
msgstr ""
msgid "ExternalAuthorization|Classification label to use when requesting authorization if no specific label is defined on the project."
msgstr ""
msgid "ExternalAuthorization|Client authorization certificate"
msgstr ""
msgid "ExternalAuthorization|Client authorization key"
msgstr ""
msgid "ExternalAuthorization|Client authorization key password (optional)"
msgstr ""
msgid "ExternalAuthorization|Default classification label"
msgstr ""
msgid "ExternalAuthorization|Enable classification control using an external service"
msgstr ""
msgid "ExternalAuthorization|External authorization"
msgstr ""
msgid "ExternalAuthorization|External authorization request timeout (seconds)"
msgstr ""
msgid "ExternalAuthorization|External classification policy authorization."
msgstr ""
msgid "ExternalAuthorization|Passphrase required to decrypt the private key. Encrypted when stored."
msgstr ""
msgid "ExternalAuthorization|Period GitLab waits for a response from the external service. If there is no response, access is denied. Default: 0.5 seconds."
msgstr ""
msgid "ExternalAuthorization|Private key of client authentication certificate. Encrypted when stored."
msgstr ""
msgid "ExternalAuthorization|Service URL"
msgstr ""
msgid "ExternalAuthorization|URL to which the projects make authorization requests. If the URL is blank, cross-project features are available and can still specify classification labels for projects."
msgstr ""
msgid "ExternalIssueIntegration|Not all data may be displayed here. To view more details or make changes to this issue, go to %{linkStart}%{trackerName}%{linkEnd}." msgid "ExternalIssueIntegration|Not all data may be displayed here. To view more details or make changes to this issue, go to %{linkStart}%{trackerName}%{linkEnd}."
msgstr "" msgstr ""
...@@ -17829,9 +17853,6 @@ msgstr "" ...@@ -17829,9 +17853,6 @@ msgstr ""
msgid "If enabled, GitLab will handle Object Storage replication using Geo. %{linkStart}Learn more%{linkEnd}" msgid "If enabled, GitLab will handle Object Storage replication using Geo. %{linkStart}Learn more%{linkEnd}"
msgstr "" msgstr ""
msgid "If enabled, access to projects will be validated on an external service using their classification label."
msgstr ""
msgid "If enabled, only protected branches will be mirrored." msgid "If enabled, only protected branches will be mirrored."
msgstr "" msgstr ""
...@@ -32383,9 +32404,6 @@ msgstr "" ...@@ -32383,9 +32404,6 @@ msgstr ""
msgid "Service Desk allows people to create issues in your GitLab instance without their own user account. It provides a unique email address for end users to create issues in a project. Replies can be sent either through the GitLab interface or by email. End users only see threads through email." msgid "Service Desk allows people to create issues in your GitLab instance without their own user account. It provides a unique email address for end users to create issues in a project. Replies can be sent either through the GitLab interface or by email. End users only see threads through email."
msgstr "" msgstr ""
msgid "Service URL"
msgstr ""
msgid "Service account generated successfully" msgid "Service account generated successfully"
msgstr "" msgstr ""
...@@ -35274,9 +35292,6 @@ msgstr "" ...@@ -35274,9 +35292,6 @@ msgstr ""
msgid "The URLs for connecting to Elasticsearch. For clustering, add the URLs separated by commas." msgid "The URLs for connecting to Elasticsearch. For clustering, add the URLs separated by commas."
msgstr "" msgstr ""
msgid "The X509 Certificate to use when mutual TLS is required to communicate with the external authorization service. If left blank, the server certificate is still validated when accessing over HTTPS."
msgstr ""
msgid "The application will be used where the client secret can be kept confidential. Native mobile apps and Single Page Apps are considered non-confidential." msgid "The application will be used where the client secret can be kept confidential. Native mobile apps and Single Page Apps are considered non-confidential."
msgstr "" msgstr ""
...@@ -35552,9 +35567,6 @@ msgstr "" ...@@ -35552,9 +35567,6 @@ msgstr ""
msgid "The parent epic is confidential and can only contain confidential epics and issues" msgid "The parent epic is confidential and can only contain confidential epics and issues"
msgstr "" msgstr ""
msgid "The passphrase required to decrypt the private key. This is optional and the value is encrypted at rest."
msgstr ""
msgid "The password for the Jenkins server." msgid "The password for the Jenkins server."
msgstr "" msgstr ""
...@@ -35570,9 +35582,6 @@ msgstr "" ...@@ -35570,9 +35582,6 @@ msgstr ""
msgid "The pipelines schedule runs pipelines in the future, repeatedly, for specific branches or tags. Those scheduled pipelines will inherit limited project access based on their associated user." msgid "The pipelines schedule runs pipelines in the future, repeatedly, for specific branches or tags. Those scheduled pipelines will inherit limited project access based on their associated user."
msgstr "" msgstr ""
msgid "The private key to use when a client certificate is provided. This value is encrypted at rest."
msgstr ""
msgid "The project can be accessed by any logged in user except external users." msgid "The project can be accessed by any logged in user except external users."
msgstr "" msgstr ""
...@@ -36791,9 +36800,6 @@ msgstr "" ...@@ -36791,9 +36800,6 @@ msgstr ""
msgid "Time in seconds" msgid "Time in seconds"
msgstr "" msgstr ""
msgid "Time in seconds GitLab will wait for a response from the external service. When the service does not respond in time, access will be denied."
msgstr ""
msgid "Time of import: %{importTime}" msgid "Time of import: %{importTime}"
msgstr "" msgstr ""
...@@ -40034,9 +40040,6 @@ msgstr "" ...@@ -40034,9 +40040,6 @@ msgstr ""
msgid "When inactive, an external authentication provider must be used." msgid "When inactive, an external authentication provider must be used."
msgstr "" msgstr ""
msgid "When leaving the URL blank, classification labels can still be specified without disabling cross project features or performing external authorization checks."
msgstr ""
msgid "When merge requests and commits in the default branch close, any issues they reference also close." msgid "When merge requests and commits in the default branch close, any issues they reference also close."
msgstr "" msgstr ""
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment