diff options
Diffstat (limited to 'doc/user/project/deploy_keys/index.md')
-rw-r--r-- | doc/user/project/deploy_keys/index.md | 37 |
1 files changed, 36 insertions, 1 deletions
diff --git a/doc/user/project/deploy_keys/index.md b/doc/user/project/deploy_keys/index.md index f424ec529b2..58f7d3198b2 100644 --- a/doc/user/project/deploy_keys/index.md +++ b/doc/user/project/deploy_keys/index.md @@ -1,7 +1,7 @@ --- stage: Release group: Release -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Deploy keys **(FREE)** @@ -156,3 +156,38 @@ There are a few scenarios where a deploy key will fail to push to a All deploy keys are associated to an account. Since the permissions for an account can change, this might lead to scenarios where a deploy key that was working is suddenly unable to push to a protected branch. We recommend you create a service account, and associate a deploy key to the service account, for projects using deploy keys. + +#### Identify deploy keys associated with non-member and blocked users + +If you need to find the keys that belong to a non-member or blocked user, +you can use [the Rails console](../../../administration/operations/rails_console.md#starting-a-rails-console-session) to identify unusable deploy keys using a script similar to the following: + +```ruby +ghost_user_id = User.ghost.id + +DeployKeysProject.with_write_access.find_each do |deploy_key_mapping| + project = deploy_key_mapping.project + deploy_key = deploy_key_mapping.deploy_key + user = deploy_key.user + + access_checker = Gitlab::DeployKeyAccess.new(deploy_key, container: project) + + # can_push_for_ref? tests if deploy_key can push to default branch, which is likely to be protected + can_push = access_checker.can_do_action?(:push_code) + can_push_to_default = access_checker.can_push_for_ref?(project.repository.root_ref) + + next if access_checker.allowed? && can_push && can_push_to_default + + if user.nil? || user.id == ghost_user_id + username = 'none' + state = '-' + else + username = user.username + user_state = user.state + end + + puts "Deploy key: #{deploy_key.id}, Project: #{project.full_path}, Can push?: " + (can_push ? 'YES' : 'NO') + + ", Can push to default branch #{project.repository.root_ref}?: " + (can_push_to_default ? 'YES' : 'NO') + + ", User: #{username}, User state: #{user_state}" +end +``` |