Commit f42c61d7 authored Mar 19, 2018 by Achilleas Pipinellis
Refactor the external authorization settings
parent 84590b25
Showing 2 changed files with 45 additions and 43 deletions
doc/user/admin_area/settings/external_authorization.md
View file @
f42c61d7
# External authorization
service
# External authorization
control
> [Introduced][ee-3709] GitLab Enterprise Edition 10.6.
>
[
Introduced
](
https://gitlab.com/gitlab-org/gitlab-ee/issues/4216
)
in
[
GitLab Premium
](
https://about.gitlab.com/pricing
)
10.6.
In highly controlled environments, it may be necessary for access policy to be
In highly controlled environments, it may be necessary for access policy to be
controlled by an external service that permits access based on project
controlled by an external service that permits access based on project
classification and user access. GitLab provides a way to check project
classification and user access. GitLab provides a way to check project
authorization with
an external
service.
authorization with
your own defined
service.
When a project is accessed, a request is made to the external service with the
## Overview
user information and project classification label assigned to the project. When
the service replies with a known response, the result is cached for 6 hours.
Enabling this feature disables all cross project features in GitLab: This is to
Once the external service is configured and enabled, when a project is accessed,
prevent performing to many requests at once to the external authorization
a request is made to the external service with the user information and project
service.
classification label assigned to the project. When the service replies with a
known response, the result is cached for 6 hours.
## Enabling external authorization service
If the external authorization is enabled, GitLab will further block pages and
functionality that render cross-project data. That includes:
The external authorization service can be enabled by an admin on the settings
-
most pages under Dashboard (Activity, Milestones, Snippets, Assigned merge
page:
requests, Assigned issues, Todos)
-
under a specific group (Activity, Contribution analytics, Issues, Issue boards,
Labels, Milestones, Merge requests)
-
Global and Group search will be disabled
![
Enable external authorization service
](
img/external_authorization_service_settings.png
)
This is to prevent performing to many requests at once to the external
authorization service.
## Configuration
The available properties are:
The external authorization service can be enabled by an admin on the GitLab's
admin area under the settings page:
![
Enable external authorization service
](
img/external_authorization_service_settings.png
)
-
Service URL: The URL to make authorization requests to
The available required properties are:
-
Default classification label: The classification label to use when requesting
authorization if no specific label is defined on the project.
## The external authorization service
-
**Service URL**
: The URL to make authorization requests to
-
**Default classification label**
: The classification label to use when
requesting authorization if no specific label is defined on the project
##
# The request
##
How it works
When GitLab requests access, it will send a JSON POST request with this body:
When GitLab requests access, it will send a JSON POST request to the external
service with this body:
```
json
```
json
{
{
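Review bot: The added sentence after the list of blocked pages, "This is to prevent performing to many requests at once to the external authorization service", carries over the "to many" typo from the old text and should read "too many". It now follows a three-item list instead of the statement it explained, so "This" has no clear referent; consider moving the reason into the lead-in, for example "To avoid sending too many requests at once to the external service, GitLab also blocks pages and functionality that render cross-project data". The third list item ("Global and Group search will be disabled") is not parallel with the first two, which name pages rather than state an outcome. In the Configuration section, "on the GitLab's admin area" and "The available required properties are" also read awkwardly; "in the GitLab admin area" and "The required properties are" would do.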
...
@@ -42,22 +54,14 @@ When GitLab requests access, it will send a JSON POST request with this body:
...
@@ -42,22 +54,14 @@ When GitLab requests access, it will send a JSON POST request with this body:
}
}
```
```
The
`user_ldap_dn`
is optional
, it
is only sent when the user is logged in
The
`user_ldap_dn`
is optional
and
is only sent when the user is logged in
through LDAP.
through LDAP.
### The response
#### Access allowed
When the external authorization service responds with a status code 200, the
When the external authorization service responds with a status code 200, the
user is granted access and the result is cached for 6 hours.
user is granted access. When the external service responds with a status code
401, the user is denied access. In any case, the request is cached for 6 hours.
#### Denying access
When the external service responds with a status code 401, the user is denied
When denying access, a
`reason`
can be optionally specified in the JSON body:
access and the request is cached for 6 hours.
Optionally a reason can be specified in the JSON body:
```
json
```
json
{
{
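Review bot: In the merged response paragraph, "In any case, the request is cached for 6 hours" is ambiguous and contradicts the sentence that follows it, which says any status code other than 401 or 200 denies access without caching. Suggest "In both cases, the result is cached for 6 hours": that limits the statement to the 200 and 401 responses and matches the Overview wording ("the result is cached"), since it is the authorization result that is cached, not the request. With the "Access allowed" and "Denying access" subheadings removed, the allow, deny and `reason` rules now sit in one run of text under "How it works"; a short list of status codes with their effect and caching behaviour would be easier to scan.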
...
@@ -68,18 +72,16 @@ Optionally a reason can be specified in the JSON body:
...
@@ -68,18 +72,16 @@ Optionally a reason can be specified in the JSON body:
Any other status code than 401 or 200 will also deny access to the user, but the
Any other status code than 401 or 200 will also deny access to the user, but the
response will not be cached.
response will not be cached.
## Classification labels
If the service times out (after 500ms), a message "External Policy Server did
not respond" will be displayed.
The classification label used for a project will be shown on all project pages:
![
classification label on project page
](
img/classification_label_on_project_page.png
)
## Classification labels
When the external authorization service is enabled, a classification label can
be specified for a project on the project settings page
![
classification label project setting
](
img/classification_label_project_setting.png
)
You can use your own classification label in the project's
**Settings > General > General project settings**
page in the "Classification
label" box. When no classification label is specified on a project, the default
label defined in the
[
global settings
](
#configuration
)
will be used.
When no classification label is specified on a project, the default label
The label will be shown on all project pages in the upper right corner.
defined in the global settings is used.
[
ee-3709
]:
https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/3709
![
classification label on project page
](
img/classification_label_on_project_page.png
)
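Review bot: The new timeout sentence ("If the service times out (after 500ms), a message "External Policy Server did not respond" will be displayed") says what the user sees but not whether access is denied, or whether that outcome is cached. It directly follows the rule for other status codes (access denied, response not cached), so the timeout case should be stated with the same precision; readers deploying this in the highly controlled environments the introduction mentions need to know whether the check fails closed when the service is unreachable. Separately, in the Classification labels text, "You can use your own classification label in the project's Settings > General > General project settings page" would be clearer as "You can set a classification label", since the paragraph describes where the value is entered.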
doc/user/admin_area/settings/img/classification_label_project_setting.png
deleted
100755 → 0
View file @
84590b25
29 KB