# User management **(CORE ONLY)**

GitLab provides Rake tasks for user management.

## Add user as a developer to all projects

To add a user as a developer to all projects, run:

```shell
# omnibus-gitlab
sudo gitlab-rake gitlab:import:user_to_projects[username@domain.tld]

# installation from source
bundle exec rake gitlab:import:user_to_projects[username@domain.tld] RAILS_ENV=production
```

## Add all users to all projects

To add all users to all projects, run:

```shell
# omnibus-gitlab
sudo gitlab-rake gitlab:import:all_users_to_all_projects

# installation from source
bundle exec rake gitlab:import:all_users_to_all_projects RAILS_ENV=production
```

NOTE: **Note:**
Admin users are added as maintainers.

## Add user as a developer to all groups

To add a user as a developer to all groups, run:

```shell
# omnibus-gitlab
sudo gitlab-rake gitlab:import:user_to_groups[username@domain.tld]

# installation from source
bundle exec rake gitlab:import:user_to_groups[username@domain.tld] RAILS_ENV=production
```

## Add all users to all groups

To add all users to all groups, run:

```shell
# omnibus-gitlab
sudo gitlab-rake gitlab:import:all_users_to_all_groups

# installation from source
bundle exec rake gitlab:import:all_users_to_all_groups RAILS_ENV=production
```

NOTE: **Note:**
Admin users are added as owners so they can add additional users to the group.

## Control the number of active users

Enable this setting to keep new users blocked until they have been cleared by the administrator.
Defaults to `false`:

```plaintext
block_auto_created_users: false
```

## Disable two-factor authentication for all users

This task disables two-factor authentication (2FA) for all users that have it enabled. This can be
useful if GitLab's `config/secrets.yml` file has been lost and users are unable
to log in, for example.

To disable two-factor authentication for all users, run:

```shell
# omnibus-gitlab
sudo gitlab-rake gitlab:two_factor:disable_for_all_users

# installation from source
bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production
```

## Rotate two-factor authentication encryption key

GitLab stores the secret data required for two-factor authentication (2FA) in an encrypted
database column. The encryption key for this data is known as `otp_key_base`, and is
stored in `config/secrets.yml`.

If that file is leaked, but the individual 2FA secrets have not been, it's possible
to re-encrypt those secrets with a new encryption key. This allows you to change
the leaked key without forcing all users to change their 2FA details.

To rotate the two-factor authentication encryption key:

1. Look up the old key. This is in the `config/secrets.yml` file, but **make sure you're working
   with the production section**. The line you're interested in will look like this:

   ```yaml
   production:
     otp_key_base: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
   ```

1. Generate a new secret:

   ```shell
   # omnibus-gitlab
   sudo gitlab-rake secret

   # installation from source
   bundle exec rake secret RAILS_ENV=production
   ```

1. Stop the GitLab server, back up the existing secrets file, and update the database:

   ```shell
   # omnibus-gitlab
   sudo gitlab-ctl stop
   sudo cp config/secrets.yml config/secrets.yml.bak
   sudo gitlab-rake gitlab:two_factor:rotate_key:apply filename=backup.csv old_key=<old key> new_key=<new key>

   # installation from source
   sudo /etc/init.d/gitlab stop
   cp config/secrets.yml config/secrets.yml.bak
   bundle exec rake gitlab:two_factor:rotate_key:apply filename=backup.csv old_key=<old key> new_key=<new key> RAILS_ENV=production
   ```

   The `<old key>` value can be read from `config/secrets.yml` (`<new key>` was
   generated earlier). The **encrypted** values for the user 2FA secrets will be
   written to the specified `filename`. You can use this to roll back in case of
   error.

1. Change `config/secrets.yml` to set `otp_key_base` to `<new key>` and restart. Again, make sure
   you're operating in the **production** section.

   ```shell
   # omnibus-gitlab
   sudo gitlab-ctl start

   # installation from source
   sudo /etc/init.d/gitlab start
   ```

If there are any problems (perhaps using the wrong value for `old_key`), you can
restore your backup of `config/secrets.yml` and roll back the changes:

```shell
# omnibus-gitlab
sudo gitlab-ctl stop
sudo gitlab-rake gitlab:two_factor:rotate_key:rollback filename=backup.csv
sudo cp config/secrets.yml.bak config/secrets.yml
sudo gitlab-ctl start

# installation from source
sudo /etc/init.d/gitlab stop
bundle exec rake gitlab:two_factor:rotate_key:rollback filename=backup.csv RAILS_ENV=production
cp config/secrets.yml.bak config/secrets.yml
sudo /etc/init.d/gitlab start
```
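
The rotation and rollback steps above, modelled as an added Ruby example that is not GitLab's own code. It uses a toy AES-256-GCM scheme (an assumption; this page does not describe GitLab's cipher), and every function name, key and seed is constructed for illustration. In this model a wrong `old_key` is rejected before any row changes, and the saved encrypted values are enough to roll back.

```ruby
require "openssl"
require "securerandom"

# Toy scheme (assumption): AES-256-GCM keyed with SHA-256 of the key string.
# It stands in for GitLab's real column encryption, which this page does not describe.
def cipher_for(mode, key_base)
  c = OpenSSL::Cipher.new("aes-256-gcm")
  mode == :encrypt ? c.encrypt : c.decrypt
  c.key = OpenSSL::Digest::SHA256.digest(key_base)
  c
end

def encrypt(secret, key_base)
  c = cipher_for(:encrypt, key_base)
  iv = c.random_iv
  ct = c.update(secret) + c.final
  [iv + c.auth_tag + ct].pack("m0")          # iv (12) | tag (16) | ciphertext
end

def decrypt(blob, key_base)
  raw = blob.unpack1("m0")
  c = cipher_for(:decrypt, key_base)
  c.iv = raw[0, 12]
  c.auth_tag = raw[12, 16]
  c.update(raw[28..]) + c.final              # raises CipherError on a wrong key
end

# Re-encrypt every row, returning [rotated, backup]. The backup holds the
# original *encrypted* values (the role of backup.csv). All rows are decrypted
# before any is re-encrypted, so a wrong old_key changes nothing.
def rotate(rows, old_key, new_key)
  plain = rows.transform_values { |blob| decrypt(blob, old_key) }
  [plain.transform_values { |s| encrypt(s, new_key) }, rows.dup]
rescue OpenSSL::Cipher::CipherError
  raise ArgumentError, "old_key does not decrypt the stored secrets; nothing changed"
end

# Rollback restores the saved ciphertexts; they are readable again only
# together with the old key, which is why secrets.yml.bak is restored as well.
def rollback(backup)
  backup.dup
end

# Constructed sample data: two users' TOTP seeds under a made-up old key.
OLD_KEY = "a" * 128
NEW_KEY = SecureRandom.hex(64)               # 128 hex characters, like the page's example
ROWS = { 1 => encrypt("JBSWY3DPEHPK3PXP", OLD_KEY),
         2 => encrypt("KRSXG5CTMVRXEZLU", OLD_KEY) }.freeze
```

Because the backup contains only ciphertext, it is useful to whoever holds the old key, so it deserves the same handling as `config/secrets.yml.bak` until both are destroyed.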