Authentication and Authorization

GitLab uses a variety of methods for authentication and authorization, including:

  • Database authentication: This is the default method, where users are authenticated against a database.
  • OAuth authentication: This allows users to log in using their accounts from other services, such as Google, GitHub, and Twitter.
  • LDAP authentication: This allows users to authenticate against an LDAP server.
  • Two-factor authentication (2FA): This adds an extra layer of security by requiring users to enter a code from their phone or a security key in addition to their password.

Database Authentication

This is the default authentication method for GitLab, and it is used when users register for an account or log in using their email address and password. GitLab uses Devise, a Ruby on Rails authentication library, for its authentication system; Devise handles user registration, login, password recovery, and other authentication-related tasks.

Code Examples

# app/models/user.rb
class User < ActiveRecord::Base
  # ... other attributes
  devise :database_authenticatable, :registerable,
         :recoverable, :rememberable, :validatable

  # ... other methods
end

OAuth Authentication

OAuth authentication allows users to log in to GitLab using their accounts from other services, such as Google, GitHub, and Twitter. This can be useful for users who already have accounts with these services and don’t want to create a new account for GitLab.

GitLab supports OAuth authentication for a number of providers, and you can configure which providers are enabled in the GitLab administrator interface.

Code Examples

# config/initializers/devise.rb
# The client ID and secret are read from the environment so they are never committed to the repository.
config.omniauth :google_oauth2,
  :client_id => ENV['GOOGLE_OAUTH2_CLIENT_ID'],
  :client_secret => ENV['GOOGLE_OAUTH2_CLIENT_SECRET'],
  :scope => 'email,profile'

LDAP Authentication

LDAP authentication allows users to authenticate against an LDAP server. This can be useful for organizations that use LDAP to manage their user accounts.

GitLab can be configured to use LDAP authentication for both user login and group membership.

Code Examples

# config/initializers/devise.rb
config.ldap_authenticatable :ldap_config => {
  :host => "ldap.example.com",
  :port => 636,                 # LDAPS listens on 636; 389 is plain LDAP / STARTTLS
  :base => "dc=example,dc=com",
  :uid => "uid",
  # Bind password comes from the environment (variable name is illustrative), not a hardcoded literal
  :password => ENV['LDAP_BIND_PASSWORD'],
  :encryption => :ssl
}

Two-Factor Authentication (2FA)

Two-factor authentication (2FA) adds an extra layer of security by requiring users to enter a code from their phone or a security key in addition to their password. This makes it much harder for attackers to gain access to a user’s account, even if they know their password.

GitLab supports 2FA using various methods, including:

  • Time-based One-Time Password (TOTP): This method uses a mobile app to generate a six-digit code that changes every 30 seconds.
  • Security Keys: These are small, physical devices that can be used to generate a code for 2FA.

Code Examples

# app/models/user.rb
class User < ActiveRecord::Base
  # ... other attributes
  # :two_factor_authenticatable is provided by the devise-two-factor gem
  devise :two_factor_authenticatable

  # ... other methods
end
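The TOTP method listed above, as an added Ruby example that is not GitLab's or Devise's own code: it generates RFC 4226/6238 codes, verifies a submitted code on the server with one 30-second step of clock drift, and refuses a code that has already been consumed. The function names and the in-memory LAST_STEP hash (standing in for a per-user database column) are assumptions made for the example.

```ruby
require 'openssl'

TOTP_STEP   = 30   # seconds per code, the 30-second window described above
TOTP_DIGITS = 6

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
def hotp(secret, counter, digits = TOTP_DIGITS)
  hmac   = OpenSSL::HMAC.digest('SHA1', secret, [counter].pack('Q>'))
  offset = hmac.getbyte(19) & 0x0f
  code   = ((hmac.getbyte(offset) & 0x7f) << 24) |
           (hmac.getbyte(offset + 1) << 16) |
           (hmac.getbyte(offset + 2) << 8) |
           hmac.getbyte(offset + 3)
  format("%0#{digits}d", code % 10**digits)
end

# TOTP (RFC 6238): the counter is the number of 30-second steps since the Unix epoch.
def totp(secret, at = Time.now.to_i)
  hotp(secret, at / TOTP_STEP)
end

# Constant-time comparison so a mismatch does not reveal how many digits were right.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the time step whose code matches, tolerating +/- `drift` steps of clock skew, or nil.
def matching_step(secret, submitted, at = Time.now.to_i, drift: 1)
  step = at / TOTP_STEP
  ((step - drift)..(step + drift)).find { |s| constant_time_equal?(hotp(secret, s), submitted) }
end

def totp_valid?(secret, submitted, at = Time.now.to_i, drift: 1)
  !matching_step(secret, submitted, at, drift: drift).nil?
end

# Replay guard: a code is one-time, so remember the last step accepted per user and
# refuse that step (or an earlier one) again. The hash stands in for a DB column (assumption).
LAST_STEP = Hash.new(-1)

def consume_totp!(user_id, secret, submitted, at = Time.now.to_i)
  step = matching_step(secret, submitted, at)
  return false if step.nil? || step <= LAST_STEP[user_id]
  LAST_STEP[user_id] = step
  true
end
```

With the RFC 4226/6238 test key '12345678901234567890', totp(secret, 59) yields 287082, the value published in RFC 6238 for that time.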

Authorization

Once a user is authenticated, GitLab uses a role-based access control (RBAC) system to determine what they are allowed to do. This means that users are assigned different roles, and each role has a set of permissions that determine what the user can access and what actions they can perform.

The following are some of the most common roles in GitLab:

  • Guest: Users with this role can only view public projects and groups.
  • Reporter: Users with this role can view and comment on projects and groups.
  • Developer: Users with this role can view, edit, and push code to projects.
  • Maintainer: Users with this role can manage projects, including adding and removing members.
  • Owner: Users with this role have full control over projects and groups.

Code Examples

# app/models/project.rb
class Project < ActiveRecord::Base
  # ... other attributes
  # The join association must be declared before the has_many :through that uses it,
  # otherwise Rails raises HasManyThroughOrderError
  has_many :project_members, dependent: :destroy
  has_many :users, through: :project_members

  # ... other methods
end

Conclusion

GitLab’s authentication and authorization system is designed to be flexible and secure, and it allows for a variety of authentication methods, including database authentication, OAuth authentication, LDAP authentication, and two-factor authentication. It also uses an RBAC system to determine what users are allowed to do.

This information is based on GitLab’s source code.