GitLab User Authentication and Authorization

Overview

GitLab provides a comprehensive authentication and authorization system to secure user access and manage permissions within the platform. This system leverages various authentication methods and role-based access controls (RBAC) to ensure secure and controlled access to resources.

Authentication Methods

GitLab supports multiple authentication methods:

Role-Based Access Controls (RBAC)

GitLab implements RBAC to define and manage user permissions based on their assigned roles. These roles determine the actions a user can perform within the platform:

  • Guest: Limited access, primarily to view public projects and use a small set of features within them.
  • Reporter: Ability to view and discuss issues within projects.
  • Developer: Access to code repositories, including creating merge requests and pushing changes.
  • Maintainer: Full control over projects, including managing members, adding new features, and merging code.
  • Owner: The highest level of access, with full control over the project and all its settings.

Project-Level Roles:

  • Master: Holds full control over the project and can manage settings, members, and permissions.
  • Developer: Can push changes to the code, create merge requests, and access all project resources.
  • Reporter: Can view project content, report issues, and participate in discussions.
  • Guest: Limited access to the project, primarily for viewing and commenting on public content.

Group-Level Roles:

  • Owner: Has full control over the group and all projects within it.
  • Maintainer: Can manage members, projects, and settings within the group.
  • Developer: Can create and push changes to code within group projects.
  • Reporter: Can view and discuss issues within group projects.
  • Guest: Limited access to the group and its projects, primarily for viewing content.

Access Control Lists (ACLs)

GitLab uses ACLs to manage access to specific resources within projects. These ACLs allow for granular control over who can access certain files, directories, or branches within a project. [Source: app/models/project.rb#L37-L39]

User Permissions

Users inherit permissions from the groups and projects they belong to. For any given project, the highest level granted by any of the user's applicable memberships determines their effective access.

Example:

A user may be a “Developer” in one project but a “Maintainer” in another project. Their access within the second project is governed by the “Maintainer” role; the “Developer” role held in the first project does not carry over.
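The resolution rule above, as an added example (not GitLab's own code): effective access in a project is the highest level among the user's direct project membership and memberships in the project's group and its ancestors, and actions are then gated by a minimum role. The numeric levels follow GitLab's API access_level values; the group tree, memberships and the minimum-role table are constructed for the demonstration, and the table is an approximation, not a copy of GitLab's permission matrix.

```ruby
# Added example, not GitLab's own code. Levels match the API access_level
# values (10..50); everything else below is constructed sample data.
ACCESS_LEVELS = {
  guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50
}.freeze

# Constructed minimum role per action (an approximation of the real matrix).
MIN_LEVEL_FOR = {
  view_issues: :reporter, push_code: :developer,
  merge_to_protected: :maintainer, manage_members: :maintainer,
  delete_project: :owner
}.freeze

# Constructed group tree: project -> group, and group -> parent group.
PROJECT_GROUP = { "platform/backend/api" => "platform/backend" }.freeze
GROUP_PARENT  = { "platform/backend" => "platform", "platform" => nil }.freeze

# Constructed memberships: user -> { entity path => role }.
MEMBERSHIPS = {
  "alice" => { "platform" => :reporter, "platform/backend/api" => :developer },
  "bob"   => { "platform" => :maintainer },
  "carol" => { "other/project" => :developer }
}.freeze

# Highest level across the direct project membership and every ancestor
# group membership; nil when the user holds no applicable membership.
def effective_access(user, project)
  roles = MEMBERSHIPS.fetch(user, {})
  levels = []
  levels << ACCESS_LEVELS.fetch(roles[project]) if roles[project]
  group = PROJECT_GROUP[project]
  while group
    levels << ACCESS_LEVELS.fetch(roles[group]) if roles[group]
    group = GROUP_PARENT[group]
  end
  levels.max
end

# An action is allowed only when the effective level meets the minimum role.
def can?(user, action, project)
  level = effective_access(user, project)
  return false if level.nil?
  level >= ACCESS_LEVELS.fetch(MIN_LEVEL_FOR.fetch(action))
end
```

Note that bob never appears on the project itself; his Maintainer role two levels up the group tree is what grants him member management there.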

Managing Permissions

Administrators can manage user roles and permissions using the GitLab interface or through the API. This includes:

  • Adding and removing users from projects and groups.
  • Assigning roles to users based on their responsibilities.
  • Setting up custom roles with specific permissions. [Source: https://docs.gitlab.com/ee/api/users.html]

Conclusion

GitLab’s authentication and authorization system provides a comprehensive approach to securing user access and managing permissions across the platform. By leveraging various authentication methods, RBAC, and ACLs, GitLab enables secure and controlled access to resources, ensuring the integrity and confidentiality of user data.