Commit 103267f7 authored by Evan Read's avatar Evan Read

Merge branch 'docs/pages-access-control' into 'master'

Add user docs for Pages access control

Closes #54143

See merge request gitlab-org/gitlab-ce!23145
parents 547952b4 a019c9c7
......@@ -244,8 +244,9 @@ This setting is enabled by default.
### Access control
Access control was [introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422)
in GitLab 11.5. It can be configured per-project, and allows access to a Pages
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422) in GitLab 11.5.
GitLab Pages access control can be configured per-project, and allows access to a Pages
site to be controlled based on a user's membership to that project.
Access control works by registering the Pages daemon as an OAuth application
......@@ -259,15 +260,16 @@ Each request to view a resource in a private site is authenticated by Pages
using that token. For each request it receives, it makes a request to the GitLab
API to check that the user is authorized to read that site.
Pages access control is currently disabled by default. To enable it, you must:
Pages access control is disabled by default. To enable it:
1. Enable it in `/etc/gitlab/gitlab.rb`
1. Enable it in `/etc/gitlab/gitlab.rb`:
```ruby
gitlab_pages['access_control'] = true
```
1. [Reconfigure GitLab][reconfigure]
1. [Reconfigure GitLab][reconfigure].
1. Users can now configure it in their [projects' settings](../../user/project/pages/introduction.md#gitlab-pages-access-control-core-only).
## Activate verbose logging for daemon
......
......@@ -393,8 +393,9 @@ server_name ~^.*\.pages\.example\.io$;
## Access control
Access control was [introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422)
in GitLab 11.5. It can be configured per-project, and allows access to a Pages
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422) in GitLab 11.5.
GitLab Pages access control can be configured per-project, and allows access to a Pages
site to be controlled based on a user's membership to that project.
Access control works by registering the Pages daemon as an OAuth application
......@@ -408,15 +409,17 @@ Each request to view a resource in a private site is authenticated by Pages
using that token. For each request it receives, it makes a request to the GitLab
API to check that the user is authorized to read that site.
Pages access control is currently disabled by default. To enable it, you must:
Pages access control is disabled by default. To enable it:
1. Modify your `config/gitlab.yml` file:
```yaml
pages:
access_control: true
```
1. [Restart GitLab][restart]
1. Create a new [system OAuth application](../../integration/oauth_provider.md#adding-an-application-through-the-profile)
1. [Restart GitLab][restart].
1. Create a new [system OAuth application](../../integration/oauth_provider.md#adding-an-application-through-the-profile).
This should be called `GitLab Pages` and have a `Redirect URL` of
`https://projects.example.io/auth`. It does not need to be a "trusted"
application, but it does need the "api" scope.
......@@ -429,6 +432,8 @@ Pages access control is currently disabled by default. To enable it, you must:
-auth-server <URL of the GitLab instance>
```
1. Users can now configure it in their [projects' settings](../../user/project/pages/introduction.md#gitlab-pages-access-control-core-only).
## Change storage path
Follow the steps below to change the default path where GitLab Pages' contents
......
......@@ -95,7 +95,7 @@ The following table depicts the various user permission levels in a project.
| Manage GitLab Pages | | | | ✓ | ✓ |
| Manage GitLab Pages domains and certificates | | | | ✓ | ✓ |
| Remove GitLab Pages | | | | | ✓ |
| View GitLab Pages protected by [access control](../administration/pages/index.md#access-control) | ✓ | ✓ | ✓ | ✓ | ✓ |
| View GitLab Pages protected by [access control](project/pages/introduction.md#gitlab-pages-access-control-core-only) | ✓ | ✓ | ✓ | ✓ | ✓ |
| Manage clusters | | | | ✓ | ✓ |
| Manage license policy **[ULTIMATE]** | | | | ✓ | ✓ |
| Edit comments (posted by any user) | | | | ✓ | ✓ |
......
......@@ -441,6 +441,46 @@ The rest of the guide still applies.
See also: [GitLab Pages from A to Z: Part 1 - Static sites and GitLab Pages domains](getting_started_part_one.md#gitlab-pages-domain).
## GitLab Pages access control **[CORE ONLY]**
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422) in GitLab 11.5.
NOTE: **Note:**
GitLab Pages access control is not activated on GitLab.com.
You can enable Pages access control on your project, so that only
[members of your project](../../permissions.md#project-members-permissions)
(at least Guest) can access your website:
1. Navigate to your project's **Settings > General > Permissions**.
1. Toggle the **Pages** button to enable the access control.
NOTE: **Note:**
If you don't see the toggle button, that means that it's not enabled.
Ask your administrator to [enable it](../../../administration/pages/index.md#access-control).
1. The Pages access control dropdown allows you to set who can view pages hosted
with GitLab Pages, depending on your project's visibility:
- If your project is private:
- **Only project members**: Only project members will be able to browse the website.
- **Everyone**: Everyone, both logged into and logged out of GitLab, will be able to browse the website, no matter their project membership.
- If your project is internal:
- **Only project members**: Only project members will be able to browse the website.
- **Everyone with access**: Everyone logged into GitLab will be able to browse the website, no matter their project membership.
- **Everyone**: Everyone, both logged into and logged out of GitLab, will be able to browse the website, no matter their project membership.
- If your project is public:
- **Only project members**: Only project members will be able to browse the website.
- **Everyone with access**: Everyone, both logged into and logged out of GitLab, will be able to browse the website, no matter their project membership.
1. Click **Save changes**.
---
The next time someone tries to access your website and the access control is
enabled, they will be presented with a page to sign into GitLab and verify they
can access the website.
## Limitations
When using Pages under the general domain of a GitLab instance (`*.example.io`),
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment