-[Default labels](../user/admin_area/labels.md): Create labels that will be automatically added to every new project.
-[Default labels](../user/admin_area/labels.md): Create labels that are automatically added to every new project.
-[Restrict the use of public or internal projects](../public_access/public_access.md#restricting-the-use-of-public-or-internal-projects): Restrict the use of visibility levels for users when they create a project or a snippet.
-[Restrict the use of public or internal projects](../public_access/public_access.md#restricting-the-use-of-public-or-internal-projects): Restrict the use of visibility levels for users when they create a project or a snippet.
-[Custom project templates](../user/admin_area/custom_project_templates.md): Configure a set of projects to be used as custom templates when creating a new project. **(PREMIUM ONLY)**
-[Custom project templates](../user/admin_area/custom_project_templates.md): Configure a set of projects to be used as custom templates when creating a new project. **(PREMIUM ONLY)**
for details on managing SSL certificates and configuring NGINX.
for details on managing SSL certificates and configuring NGINX.
...
@@ -75,13 +75,13 @@ for details on managing SSL certificates and configuring NGINX.
...
@@ -75,13 +75,13 @@ for details on managing SSL certificates and configuring NGINX.
to pass through the `Connection` and `Upgrade` hop-by-hop headers. See the
to pass through the `Connection` and `Upgrade` hop-by-hop headers. See the
[web terminal](integration/terminal.md) integration guide for
[web terminal](integration/terminal.md) integration guide for
more details.
more details.
- (*2*): When using HTTPS protocol for port 443, you will need to add an SSL
- (*2*): When using HTTPS protocol for port 443, you must add an SSL
certificate to the load balancers. If you wish to terminate SSL at the
certificate to the load balancers. If you wish to terminate SSL at the
GitLab application server instead, use TCP protocol.
GitLab application server instead, use TCP protocol.
### GitLab Pages Ports
### GitLab Pages Ports
If you're using GitLab Pages with custom domain support you will need some
If you're using GitLab Pages with custom domain support you need some
additional port configurations.
additional port configurations.
GitLab Pages requires a separate virtual IP address. Configure DNS to point the
GitLab Pages requires a separate virtual IP address. Configure DNS to point the
`pages_external_url` from `/etc/gitlab/gitlab.rb` at the new virtual IP address. See the
`pages_external_url` from `/etc/gitlab/gitlab.rb` at the new virtual IP address. See the
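Review bot: note (*2*) says where TLS may be terminated but not what each choice implies; suggest adding that when the certificate is installed on the load balancer, the hop from the load balancer to the application servers carries plaintext HTTP unless it is re-encrypted, whereas TCP passthrough keeps TLS end-to-end but leaves the load balancer with only an opaque TCP stream, so HTTP-level checks such as the readiness check below cannot be applied there.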
...
@@ -103,7 +103,7 @@ GitLab Pages requires a separate virtual IP address. Configure DNS to point the
...
@@ -103,7 +103,7 @@ GitLab Pages requires a separate virtual IP address. Configure DNS to point the
Some organizations have policies against opening SSH port 22. In this case,
Some organizations have policies against opening SSH port 22. In this case,
it may be helpful to configure an alternate SSH hostname that allows users
it may be helpful to configure an alternate SSH hostname that allows users
to use SSH on port 443. An alternate SSH hostname will require a new virtual IP address
to use SSH on port 443. An alternate SSH hostname requires a new virtual IP address
compared to the other GitLab HTTP configuration above.
compared to the other GitLab HTTP configuration above.
Configure DNS for an alternate SSH hostname such as `altssh.gitlab.example.com`.
Configure DNS for an alternate SSH hostname such as `altssh.gitlab.example.com`.
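Review bot: "An alternate SSH hostname requires a new virtual IP address" gives the requirement but not the reason; suggest stating that SSH is not TLS, so the port 443 listener for `altssh.gitlab.example.com` must forward plain TCP rather than terminate TLS, which is why it cannot share the HTTPS virtual IP described above.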
...
@@ -114,7 +114,7 @@ Configure DNS for an alternate SSH hostname such as `altssh.gitlab.example.com`.
...
@@ -114,7 +114,7 @@ Configure DNS for an alternate SSH hostname such as `altssh.gitlab.example.com`.
## Readiness check
## Readiness check
It is strongly recommend that multi-node deployments configure load balancers to use the [readiness check](../user/admin_area/monitoring/health_check.md#readiness) to ensure a node is ready to accept traffic, before routing traffic to it. This is especially important when utilizing Puma, as there is a brief period during a restart where Puma will not accept requests.
It is strongly recommend that multi-node deployments configure load balancers to use the [readiness check](../user/admin_area/monitoring/health_check.md#readiness) to ensure a node is ready to accept traffic, before routing traffic to it. This is especially important when utilizing Puma, as there is a brief period during a restart where Puma doesn't accept requests.
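Review bot: "It is strongly recommend that" is a typo left standing in both the old and the new line; it should read "It is strongly recommended that". Since the hunk already touches this sentence, "utilizing Puma" could become "using Puma" and the comma in "accept traffic, before routing traffic to it" dropped.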
@@ -17,26 +17,26 @@ authorization with your own defined service.
...
@@ -17,26 +17,26 @@ authorization with your own defined service.
## Overview
## Overview
Once the external service is configured and enabled, when a project is accessed,
After the external service is configured and enabled, when a project is
a request is made to the external service with the user information and project
accessed, a request is made to the external service with the user information
classification label assigned to the project. When the service replies with a
and project classification label assigned to the project. When the service
known response, the result is cached for 6 hours.
replies with a known response, the result is cached for six hours.
If the external authorization is enabled, GitLab will further block pages and
If the external authorization is enabled, GitLab further blocks pages and
functionality that render cross-project data. That includes:
functionality that render cross-project data. That includes:
- Most pages under Dashboard (Activity, Milestones, Snippets, Assigned merge
- Most pages under Dashboard (Activity, Milestones, Snippets, Assigned merge
requests, Assigned issues, To-Do List).
requests, Assigned issues, To-Do List).
- Under a specific group (Activity, Contribution analytics, Issues, Issue boards,
- Under a specific group (Activity, Contribution analytics, Issues, Issue boards,
Labels, Milestones, Merge requests).
Labels, Milestones, Merge requests).
- Global and Group search will be disabled.
- Global and Group search are disabled.
This is to prevent performing to many requests at once to the external
This is to prevent performing to many requests at once to the external
authorization service.
authorization service.
Whenever access is granted or denied this is logged in a log file called
Whenever access is granted or denied this is logged in a log file called
`external-policy-access-control.log`.
`external-policy-access-control.log`. Read more about the logs GitLab keeps in
Read more about logs GitLab keeps in the [omnibus documentation](https://docs.gitlab.com/omnibus/settings/logs.html).
the [Omnibus GitLab documentation](https://docs.gitlab.com/omnibus/settings/logs.html).
## Configuration
## Configuration
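Review bot: "to prevent performing to many requests" has the wrong "to"; it should be "too many requests", and the hunk rewrites the neighbouring lines without fixing it. The list item "Global and Group search are disabled" also breaks the parallelism of the two items before it ("Most pages under …", "Under a specific group …"); "Global and Group search." alone would match, with the introductory sentence already saying these are blocked.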
...
@@ -48,7 +48,7 @@ The external authorization service can be enabled by an admin on the GitLab's
...
@@ -48,7 +48,7 @@ The external authorization service can be enabled by an admin on the GitLab's
The available required properties are:
The available required properties are:
-**Service URL**: The URL to make authorization requests to. When leaving the
-**Service URL**: The URL to make authorization requests to. When leaving the
URL blank, cross project features will remain available while still being able
URL blank, cross project features remain available while still being able
to specify classification labels for projects.
to specify classification labels for projects.
-**External authorization request timeout**: The timeout after which an
-**External authorization request timeout**: The timeout after which an
authorization request is aborted. When a request times out, access is denied
authorization request is aborted. When a request times out, access is denied
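Review bot: "When leaving the URL blank, cross project features remain available while still being able to specify classification labels" never says what a blank URL means for authorization; suggest stating plainly that with no service URL no authorization request is made and the labels are descriptive only. "cross project" should also be hyphenated as "cross-project", matching the Overview section.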
...
@@ -58,19 +58,21 @@ The available required properties are:
...
@@ -58,19 +58,21 @@ The available required properties are:
-**Client authentication key**: Private key for the certificate when
-**Client authentication key**: Private key for the certificate when
authentication is required for the external authorization service, this is
authentication is required for the external authorization service, this is
encrypted when stored.
encrypted when stored.
-**Client authentication key password**: Passphrase to use for the private key when authenticating with the external service this is encrypted when stored.
-**Client authentication key password**: Passphrase to use for the private key
when authenticating with the external service this is encrypted when stored.
-**Default classification label**: The classification label to use when
-**Default classification label**: The classification label to use when
requesting authorization if no specific label is defined on the project
requesting authorization if no specific label is defined on the project
When using TLS Authentication with a self signed certificate, the CA certificate
When using TLS Authentication with a self signed certificate, the CA certificate
needs to be trusted by the OpenSSL installation. When using GitLab installed using
needs to be trusted by the OpenSSL installation. When using GitLab installed
Omnibus, learn to install a custom CA in the
using Omnibus, learn to install a custom CA in the
[omnibus documentation](https://docs.gitlab.com/omnibus/settings/ssl.html). Alternatively learn where to install
Alternatively, learn where to install custom certificates by using
`openssl version -d`.
## How it works
## How it works
When GitLab requests access, it will send a JSON POST request to the external
When GitLab requests access, it sends a JSON POST request to the external
service with this body:
service with this body:
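Review bot: the new sentence "Alternatively, learn where to install custom certificates by using `openssl version -d`" should say that this prints the certificate directory of the system OpenSSL, whereas the sentence before it sends Omnibus installs to the Omnibus documentation because Omnibus ships its own OpenSSL with a separate trust store; as written, a reader can add the CA to the wrong store and still get TLS failures against the external service. Smaller points in the same hunk: "self signed" should be "self-signed", the "Client authentication key password" item needs a semicolon before "this is encrypted when stored", and the "Default classification label" item lacks a closing period.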
```json
```json
...
@@ -85,14 +87,17 @@ service with this body:
...
@@ -85,14 +87,17 @@ service with this body:
}
}
```
```
The `user_ldap_dn` is optional and is only sent when the user is logged in
The `user_ldap_dn` is optional and is only sent when the user is signed in
through LDAP.
through LDAP.
`identities` will contain the details of all the identities associated with the user. This will be an empty array if there are no identities associated with the user.
`identities` contains the details of all the identities associated with the
user. This is an empty array if there are no identities associated with the
user.
When the external authorization service responds with a status code 200, the
When the external authorization service responds with a status code 200, the
user is granted access. When the external service responds with a status code
user is granted access. When the external service responds with a status code
401 or 403, the user is denied access. In any case, the request is cached for 6 hours.
401 or 403, the user is denied access. In any case, the request is cached for
six hours.
When denying access, a `reason` can be optionally specified in the JSON body:
When denying access, a `reason` can be optionally specified in the JSON body:
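Review bot: "In any case, the request is cached for six hours" is ambiguous next to the following hunk, which says that responses other than 200, 401 or 403 are not cached; suggest "In both cases" or "For these status codes". The text should also spell out the consequence of the cache: a cached grant keeps working for up to six hours after the external service would start denying the user, and a cached denial blocks a newly authorized user for the same period, so revocation in the external service is not immediate.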
...
@@ -102,20 +107,20 @@ When denying access, a `reason` can be optionally specified in the JSON body:
...
@@ -102,20 +107,20 @@ When denying access, a `reason` can be optionally specified in the JSON body:
}
}
```
```
Any other status code than 200, 401 or 403 will also deny access to the user, but the
Any other status code than 200, 401 or 403 also deny access to the user, but the
response will not be cached.
response isn't cached.
If the service times out (after 500ms), a message "External Policy Server did
If the service times out (after 500ms), a message "External Policy Server did
not respond" will be displayed.
not respond" is displayed.
## Classification labels
## Classification labels
You can use your own classification label in the project's
You can use your own classification label in the project's
**Settings > General > General project settings** page in the "Classification
**Settings > General > General project settings** page in the "Classification
label" box. When no classification label is specified on a project, the default
label" box. When no classification label is specified on a project, the default
label defined in the [global settings](#configuration)will be used.
label defined in the [global settings](#configuration)is used.
The label will be shown on all project pages in the upper right corner.
The label is shown on all project pages in the upper right corner.
![classification label on project page](img/classification_label_on_project_page.png)
![classification label on project page](img/classification_label_on_project_page.png)
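Review bot: "If the service times out (after 500ms)" states a fixed value, but the Configuration section above lists "External authorization request timeout" as an admin-settable property; suggest "after the configured timeout" so the two sections agree. Also, "[global settings](#configuration)is used" is missing the space before "is", in both the old and the new line.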
@@ -63,7 +63,7 @@ Access the default page for admin area settings by navigating to **Admin Area >
...
@@ -63,7 +63,7 @@ Access the default page for admin area settings by navigating to **Admin Area >
| Option | Description |
| Option | Description |
| ------ | ----------- |
| ------ | ----------- |
| [Continuous Integration and Deployment](continuous_integration.md) | Auto DevOps, runners and job artifacts. |
| [Continuous Integration and Deployment](continuous_integration.md) | Auto DevOps, runners and job artifacts. |
| [Required pipeline configuration](continuous_integration.md#required-pipeline-configuration)**(PREMIUM ONLY)** | Set an instance-wide auto included [pipeline configuration](../../../ci/yaml/README.md). This pipeline configuration will be run after the project's own configuration. |
| [Required pipeline configuration](continuous_integration.md#required-pipeline-configuration)**(PREMIUM ONLY)** | Set an instance-wide auto included [pipeline configuration](../../../ci/yaml/README.md). This pipeline configuration is run after the project's own configuration. |
| [Package Registry](continuous_integration.md#package-registry-configuration) | Settings related to the use and experience of using GitLab's Package Registry. Note there are [risks involved](../../packages/container_registry/index.md#use-with-external-container-registries) in enabling some of these settings. |
| [Package Registry](continuous_integration.md#package-registry-configuration) | Settings related to the use and experience of using GitLab's Package Registry. Note there are [risks involved](../../packages/container_registry/index.md#use-with-external-container-registries) in enabling some of these settings. |
## Reporting
## Reporting
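Review bot: in the Package Registry row, the "risks involved" link points at a container registry page (`../../packages/container_registry/index.md#use-with-external-container-registries`) while the row describes the Package Registry; either the link target or the row text should be checked. Also, "auto included" in the Required pipeline configuration row should be "auto-included".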
...
@@ -98,7 +98,7 @@ Access the default page for admin area settings by navigating to **Admin Area >
...
@@ -98,7 +98,7 @@ Access the default page for admin area settings by navigating to **Admin Area >
| Option | Description |
| Option | Description |
| ------ | ----------- |
| ------ | ----------- |
| Geo | Geo allows you to replicate your GitLab instance to other geographical locations. Redirects to **Admin Area > Geo > Settings**, and will no longer be available at **Admin Area > Settings > Geo** in [GitLab 13.0](https://gitlab.com/gitlab-org/gitlab/-/issues/36896). |
| Geo | Geo allows you to replicate your GitLab instance to other geographical locations. Redirects to **Admin Area > Geo > Settings** are no longer available at **Admin Area > Settings > Geo** in [GitLab 13.0](https://gitlab.com/gitlab-org/gitlab/-/issues/36896). |
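Review bot: the rewrite changes the meaning of the Geo row: "Redirects to **Admin Area > Geo > Settings** are no longer available at **Admin Area > Settings > Geo**" says the redirects are unavailable, whereas the old line said the setting itself redirects and stops being available at the old path in 13.0. Suggest "Redirects to **Admin Area > Geo > Settings**; no longer available at **Admin Area > Settings > Geo** as of [GitLab 13.0](https://gitlab.com/gitlab-org/gitlab/-/issues/36896)."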