gitlab.com/gitlab-org/gitlab-foss.git
Diffstat (limited to 'doc/user')
-rw-r--r-- doc/user/admin_area/settings/usage_statistics.md | 2
-rw-r--r-- doc/user/group/img/restrict-by-email.gif | bin 149735 -> 0 bytes
-rw-r--r-- doc/user/group/img/restrict-by-ip.gif | bin 147080 -> 0 bytes
-rw-r--r-- doc/user/group/index.md | 45
4 files changed, 22 insertions, 25 deletions
diff --git a/doc/user/admin_area/settings/usage_statistics.md b/doc/user/admin_area/settings/usage_statistics.md
index ce949999fb8..c74906c2762 100644
--- a/doc/user/admin_area/settings/usage_statistics.md
+++ b/doc/user/admin_area/settings/usage_statistics.md
@@ -48,7 +48,7 @@ tier. Users can continue to access the features in a paid tier without sharing u
### Features available in 14.4 and later
- [Repository size limit](../settings/account_and_limit_settings.md#repository-size-limit).
-- [Restrict group access by IP address](../../group/index.md#restrict-group-access-by-ip-address).
+- [Group access restriction by IP address](../../group/index.md#group-access-restriction-by-ip-address).
NOTE:
Registration is not yet required for participation, but may be added in a future milestone.
diff --git a/doc/user/group/img/restrict-by-email.gif b/doc/user/group/img/restrict-by-email.gif
deleted file mode 100644
index d1ebeb07a0a..00000000000
--- a/doc/user/group/img/restrict-by-email.gif
+++ /dev/null
Binary files differ
diff --git a/doc/user/group/img/restrict-by-ip.gif b/doc/user/group/img/restrict-by-ip.gif
deleted file mode 100644
index 6292a58e748..00000000000
--- a/doc/user/group/img/restrict-by-ip.gif
+++ /dev/null
Binary files differ
diff --git a/doc/user/group/index.md b/doc/user/group/index.md
index 4133b75ad9c..46bb3ad647c 100644
--- a/doc/user/group/index.md
+++ b/doc/user/group/index.md
@@ -599,7 +599,7 @@ You can export a list of members in a group or subgroup as a CSV.
1. Select **Export as CSV**.
1. After the CSV file has been generated, it is emailed as an attachment to the user that requested it.
-## Restrict group access by IP address **(PREMIUM)**
+## Group access restriction by IP address **(PREMIUM)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/1985) in GitLab 12.0.
> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/215410) from GitLab Ultimate to GitLab Premium in 13.1.
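Review bot: The old anchor `#restrict-group-access-by-ip-address` is not retired by the rename at this `##` heading, because the next hunk adds `### Restrict group access by IP address`, which generates the same slug. Existing inbound links therefore keep resolving, but they now land on the procedure subsection, below the new "Security implications" text, and no link check will flag the change. Please confirm that is the intended target for old links. The diffstat here is limited to `doc/user`, so references from other directories should be checked as well and updated to `#group-access-restriction-by-ip-address` where they are meant to point at the section top.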
@@ -611,25 +611,26 @@ applies to:
- The GitLab UI, including subgroups, projects, and issues.
- [In GitLab 12.3 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/12874), the API.
-You should consider these security implications before configuring IP address restrictions:
-
-- **SSH requests, including `git` operations will fail from all IP addresses**: While you can restrict HTTP traffic on GitLab.com with IP address restrictions,
- they cause SSH requests, including Git operations over SSH, to fail. For more information,
- read [issue 271673](https://gitlab.com/gitlab-org/gitlab/-/issues/271673).
-- **Administrators and group owners can access group settings from any IP address**: Users with these permission levels can always
- access the group settings, regardless of IP restriction, but they cannot access projects
- belonging to the group when accessing from a disallowed IP address.
- - **Some GitLab API endpoints will remain accessible from any IP**: Users coming from denied IP addresses can still see group and project
- names and hierarchies. Only the [group](../../api/groups.md) (including all [group resources](../../api/api_resources.md#group-resources))
- APIs and [project](../../api/api_resources.md#project-resources) (including all [project resources](../../api/api_resources.md#project-resources))
- APIs are protected by IP address restrictions.
-- **Activities performed by GitLab Runners are not bound by IP restrictions**:
- When you register a runner, it is not bound by the IP restrictions. When the runner
- requests a new job or an update to a job's state, it is also not bound by
- the IP restrictions. But when the running CI/CD job sends Git requests from a
+### Security implications
+
+You should consider some security implications before configuring IP address restrictions.
+
+- Restricting HTTP traffic on GitLab.com with IP address restrictions causes SSH requests (including Git operations over
+ SSH) to fail. For more information, see [the relevant issue](https://gitlab.com/gitlab-org/gitlab/-/issues/271673).
+- Administrators and group owners can access group settings from any IP address, regardless of IP restriction. However:
+ - Groups owners cannot access projects belonging to the group when accessing from a disallowed IP address.
+ - Administrators can access projects belonging to the group when accessing from a disallowed IP address.
+ Access to projects includes cloning code from them.
+ - Users can still see group and project names and hierarchies. Only the following are restricted:
+ - [Groups](../../api/groups.md), including all [group resources](../../api/api_resources.md#group-resources).
+ - [Project](../../api/projects.md), including all [project resources](../../api/api_resources.md#project-resources).
+- When you register a runner, it is not bound by the IP restrictions. When the runner requests a new job or an update to
+ a job's state, it is also not bound by the IP restrictions. But when the running CI/CD job sends Git requests from a
restricted IP address, the IP restriction prevents code from being cloned.
-- **User dashboard activity**: Users may still see some events from the IP restricted groups and projects
- on their dashboard. Activity may include push, merge, issue, or comment events.
+- Users may still see some events from the IP restricted groups and projects on their dashboard. Activity may include
+ push, merge, issue, or comment events.
+
+### Restrict group access by IP address
To restrict group access by IP address:
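Review bot: The added sub-bullet `- Users can still see group and project names and hierarchies.` sits under "Administrators and group owners ... However:", so it now reads as an exception for administrators and owners, whereas the removed text applied it to users coming from denied IP addresses and scoped the restriction to the group and project APIs. Move it back to a top-level bullet and keep the "from denied IP addresses" and "APIs" wording. In the same list, "Groups owners" should be "Group owners". The SSH bullet drops the removed heading's "from all IP addresses", which is the part that told readers SSH fails regardless of the allowlist, so that phrase should be kept. The new statement that administrators can access and clone projects from a disallowed IP address reverses the removed sentence for administrators, so it should link the issue or behaviour it is based on.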
@@ -638,8 +639,6 @@ To restrict group access by IP address:
1. In the **Allow access to the following IP addresses** field, enter IPv4 or IPv6 address ranges in CIDR notation.
1. Select **Save changes**.
- ![Domain restriction by IP address](img/restrict-by-ip.gif)
-
In self-managed installations of GitLab 15.1 and later, you can also configure
[globally-allowed IP address ranges](../admin_area/settings/visibility_and_access_controls.md#configure-globally-allowed-ip-address-ranges)
at the group level.
@@ -659,8 +658,6 @@ To restrict group access by domain:
1. In the **Restrict membership by email** field, enter the domain names.
1. Select **Save changes**.
-![Domain restriction by email](img/restrict-by-email.gif)
-
Any time you attempt to add a new user, the user's [primary email](../profile/index.md#change-your-primary-email) is compared against this list.
Only users with a [primary email](../profile/index.md#change-your-primary-email) that matches any of the configured email domain restrictions
can be added to the group.
@@ -861,7 +858,7 @@ If a user sees a 404 when they would normally expect access, and the problem is
- `json.allowed`: `false`
In viewing the log entries, compare the `remote.ip` with the list of
-[allowed IPs](#restrict-group-access-by-ip-address) for the group.
+[allowed IPs](#group-access-restriction-by-ip-address) for the group.
### Validation errors on namespaces and groups
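Review bot: The "allowed IPs" link in this troubleshooting step now points at the section top, but the list the reader has to compare `remote.ip` against is entered in the steps under the new `### Restrict group access by IP address` subsection. Leaving this link on `#restrict-group-access-by-ip-address` would take the reader straight to where the allowed ranges are configured.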