Commit a019c9c7 authored by Achilleas Pipinellis's avatar Achilleas Pipinellis Committed by Evan Read

Add user docs for Pages access control

parent 547952b4
...@@ -244,8 +244,9 @@ This setting is enabled by default. ...@@ -244,8 +244,9 @@ This setting is enabled by default.
### Access control ### Access control
Access control was [introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422) > [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422) in GitLab 11.5.
in GitLab 11.5. It can be configured per-project, and allows access to a Pages
GitLab Pages access control can be configured per-project, and allows access to a Pages
site to be controlled based on a user's membership to that project. site to be controlled based on a user's membership to that project.
Access control works by registering the Pages daemon as an OAuth application Access control works by registering the Pages daemon as an OAuth application
...@@ -259,15 +260,16 @@ Each request to view a resource in a private site is authenticated by Pages ...@@ -259,15 +260,16 @@ Each request to view a resource in a private site is authenticated by Pages
using that token. For each request it receives, it makes a request to the GitLab using that token. For each request it receives, it makes a request to the GitLab
API to check that the user is authorized to read that site. API to check that the user is authorized to read that site.
Pages access control is currently disabled by default. To enable it, you must: Pages access control is disabled by default. To enable it:
1. Enable it in `/etc/gitlab/gitlab.rb` 1. Enable it in `/etc/gitlab/gitlab.rb`:
```ruby ```ruby
gitlab_pages['access_control'] = true gitlab_pages['access_control'] = true
``` ```
1. [Reconfigure GitLab][reconfigure] 1. [Reconfigure GitLab][reconfigure].
1. Users can now configure it in their [projects' settings](../../user/project/pages/introduction.md#gitlab-pages-access-control-core-only).
## Activate verbose logging for daemon ## Activate verbose logging for daemon
......
...@@ -393,8 +393,9 @@ server_name ~^.*\.pages\.example\.io$; ...@@ -393,8 +393,9 @@ server_name ~^.*\.pages\.example\.io$;
## Access control ## Access control
Access control was [introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422) > [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422) in GitLab 11.5.
in GitLab 11.5. It can be configured per-project, and allows access to a Pages
GitLab Pages access control can be configured per-project, and allows access to a Pages
site to be controlled based on a user's membership to that project. site to be controlled based on a user's membership to that project.
Access control works by registering the Pages daemon as an OAuth application Access control works by registering the Pages daemon as an OAuth application
...@@ -408,15 +409,17 @@ Each request to view a resource in a private site is authenticated by Pages ...@@ -408,15 +409,17 @@ Each request to view a resource in a private site is authenticated by Pages
using that token. For each request it receives, it makes a request to the GitLab using that token. For each request it receives, it makes a request to the GitLab
API to check that the user is authorized to read that site. API to check that the user is authorized to read that site.
Pages access control is currently disabled by default. To enable it, you must: Pages access control is disabled by default. To enable it:
1. Modify your `config/gitlab.yml` file: 1. Modify your `config/gitlab.yml` file:
```yaml ```yaml
pages: pages:
access_control: true access_control: true
``` ```
1. [Restart GitLab][restart]
1. Create a new [system OAuth application](../../integration/oauth_provider.md#adding-an-application-through-the-profile) 1. [Restart GitLab][restart].
1. Create a new [system OAuth application](../../integration/oauth_provider.md#adding-an-application-through-the-profile).
This should be called `GitLab Pages` and have a `Redirect URL` of This should be called `GitLab Pages` and have a `Redirect URL` of
`https://projects.example.io/auth`. It does not need to be a "trusted" `https://projects.example.io/auth`. It does not need to be a "trusted"
application, but it does need the "api" scope. application, but it does need the "api" scope.
...@@ -429,6 +432,8 @@ Pages access control is currently disabled by default. To enable it, you must: ...@@ -429,6 +432,8 @@ Pages access control is currently disabled by default. To enable it, you must:
-auth-server <URL of the GitLab instance> -auth-server <URL of the GitLab instance>
``` ```
1. Users can now configure it in their [projects' settings](../../user/project/pages/introduction.md#gitlab-pages-access-control-core-only).
## Change storage path ## Change storage path
Follow the steps below to change the default path where GitLab Pages' contents Follow the steps below to change the default path where GitLab Pages' contents
......
...@@ -95,7 +95,7 @@ The following table depicts the various user permission levels in a project. ...@@ -95,7 +95,7 @@ The following table depicts the various user permission levels in a project.
| Manage GitLab Pages | | | | ✓ | ✓ | | Manage GitLab Pages | | | | ✓ | ✓ |
| Manage GitLab Pages domains and certificates | | | | ✓ | ✓ | | Manage GitLab Pages domains and certificates | | | | ✓ | ✓ |
| Remove GitLab Pages | | | | | ✓ | | Remove GitLab Pages | | | | | ✓ |
| View GitLab Pages protected by [access control](../administration/pages/index.md#access-control) | ✓ | ✓ | ✓ | ✓ | ✓ | | View GitLab Pages protected by [access control](project/pages/introduction.md#gitlab-pages-access-control-core-only) | ✓ | ✓ | ✓ | ✓ | ✓ |
| Manage clusters | | | | ✓ | ✓ | | Manage clusters | | | | ✓ | ✓ |
| Manage license policy **[ULTIMATE]** | | | | ✓ | ✓ | | Manage license policy **[ULTIMATE]** | | | | ✓ | ✓ |
| Edit comments (posted by any user) | | | | ✓ | ✓ | | Edit comments (posted by any user) | | | | ✓ | ✓ |
......
...@@ -441,6 +441,46 @@ The rest of the guide still applies. ...@@ -441,6 +441,46 @@ The rest of the guide still applies.
See also: [GitLab Pages from A to Z: Part 1 - Static sites and GitLab Pages domains](getting_started_part_one.md#gitlab-pages-domain). See also: [GitLab Pages from A to Z: Part 1 - Static sites and GitLab Pages domains](getting_started_part_one.md#gitlab-pages-domain).
## GitLab Pages access control **[CORE ONLY]**
> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422) in GitLab 11.5.
NOTE: **Note:**
GitLab Pages access control is not activated on GitLab.com.
You can enable Pages access control on your project, so that only
[members of your project](../../permissions.md#project-members-permissions)
(at least Guest) can access your website:
1. Navigate to your project's **Settings > General > Permissions**.
1. Toggle the **Pages** button to enable the access control.
NOTE: **Note:**
If you don't see the toggle button, that means that it's not enabled.
Ask your administrator to [enable it](../../../administration/pages/index.md#access-control).
1. The Pages access control dropdown allows you to set who can view pages hosted
with GitLab Pages, depending on your project's visibility:
- If your project is private:
- **Only project members**: Only project members will be able to browse the website.
- **Everyone**: Everyone, both logged into and logged out of GitLab, will be able to browse the website, no matter their project membership.
- If your project is internal:
- **Only project members**: Only project members will be able to browse the website.
- **Everyone with access**: Everyone logged into GitLab will be able to browse the website, no matter their project membership.
- **Everyone**: Everyone, both logged into and logged out of GitLab, will be able to browse the website, no matter their project membership.
- If your project is public:
- **Only project members**: Only project members will be able to browse the website.
- **Everyone with access**: Everyone, both logged into and logged out of GitLab, will be able to browse the website, no matter their project membership.
1. Click **Save changes**.
---
The next time someone tries to access your website and the access control is
enabled, they will be presented with a page to sign into GitLab and verify they
can access the website.
## Limitations ## Limitations
When using Pages under the general domain of a GitLab instance (`*.example.io`), When using Pages under the general domain of a GitLab instance (`*.example.io`),
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment