gitlab-org--gitlab-foss/doc/raketasks/user_management.md

# User management

## Add user as a developer to all projects

```shell
# omnibus-gitlab
sudo gitlab-rake gitlab:import:user_to_projects[username@domain.tld]

# installation from source
bundle exec rake gitlab:import:user_to_projects[username@domain.tld] RAILS_ENV=production
```

## Add all users to all projects

Notes:

- admin users are added as maintainers

```shell
# omnibus-gitlab
sudo gitlab-rake gitlab:import:all_users_to_all_projects

# installation from source
bundle exec rake gitlab:import:all_users_to_all_projects RAILS_ENV=production
```

## Add user as a developer to all groups

```shell
# omnibus-gitlab
sudo gitlab-rake gitlab:import:user_to_groups[username@domain.tld]

# installation from source
bundle exec rake gitlab:import:user_to_groups[username@domain.tld] RAILS_ENV=production
```

## Add all users to all groups

Notes:

- admin users are added as owners so they can add additional users to the group

```shell
# omnibus-gitlab
sudo gitlab-rake gitlab:import:all_users_to_all_groups

# installation from source
bundle exec rake gitlab:import:all_users_to_all_groups RAILS_ENV=production
```

## Maintain tight control over the number of active users on your GitLab installation

- Enable this setting to keep new users blocked until they have been cleared by the admin (default: false).

```
block_auto_created_users: false
```

## Disable Two-factor Authentication (2FA) for all users

This task will disable 2FA for all users that have it enabled. This can be
useful if GitLab's `config/secrets.yml` file has been lost and users are unable
to login, for example.

```shell
# omnibus-gitlab
sudo gitlab-rake gitlab:two_factor:disable_for_all_users

# installation from source
bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production
```

## Rotate Two-factor Authentication (2FA) encryption key

GitLab stores the secret data enabling 2FA to work in an encrypted database
column. The encryption key for this data is known as `otp_key_base`, and is
stored in `config/secrets.yml`.

If that file is leaked, but the individual 2FA secrets have not, it's possible
to re-encrypt those secrets with a new encryption key. This allows you to change
the leaked key without forcing all users to change their 2FA details.

First, look up the old key. This is in the `config/secrets.yml` file, but
**make sure you're working with the production section**. The line you're
interested in will look like this:

```yaml
production:
  otp_key_base: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
```

Next, generate a new secret:

```shell
# omnibus-gitlab
sudo gitlab-rake secret

# installation from source
bundle exec rake secret RAILS_ENV=production
```

Now you need to stop the GitLab server, back up the existing secrets file and
update the database:

```shell
# omnibus-gitlab
sudo gitlab-ctl stop
sudo cp config/secrets.yml config/secrets.yml.bak
sudo gitlab-rake gitlab:two_factor:rotate_key:apply filename=backup.csv old_key=<old key> new_key=<new key>

# installation from source
sudo /etc/init.d/gitlab stop
cp config/secrets.yml config/secrets.yml.bak
bundle exec rake gitlab:two_factor:rotate_key:apply filename=backup.csv old_key=<old key> new_key=<new key> RAILS_ENV=production
```

The `<old key>` value can be read from `config/secrets.yml`; `<new key>` was
generated earlier. The **encrypted** values for the user 2FA secrets will be
written to the specified `filename` - you can use this to rollback in case of
error.

Finally, change `config/secrets.yml` to set `otp_key_base` to `<new key>` and
restart. Again, make sure you're operating in the **production** section.

```shell
# omnibus-gitlab
sudo gitlab-ctl start

# installation from source
sudo /etc/init.d/gitlab start
```

If there are any problems (perhaps using the wrong value for `old_key`), you can
restore your backup of `config/secrets.yml` and rollback the changes:

```shell
# omnibus-gitlab
sudo gitlab-ctl stop
sudo gitlab-rake gitlab:two_factor:rotate_key:rollback filename=backup.csv
sudo cp config/secrets.yml.bak config/secrets.yml
sudo gitlab-ctl start

# installation from source
sudo /etc/init.d/gitlab start
bundle exec rake gitlab:two_factor:rotate_key:rollback filename=backup.csv RAILS_ENV=production
cp config/secrets.yml.bak config/secrets.yml
sudo /etc/init.d/gitlab start

```
Add titles to doc pages. 2014-05-27 12:12:15 +00:00			`# User management`

Update docs to markdown style guide. 2014-04-24 22:48:22 +00:00			`## Add user as a developer to all projects`
add help page for gitlab specific rake tasks 2012-12-02 12:56:04 +00:00
Add latest changes from gitlab-org/gitlab@master 2020-01-30 15:09:15 +00:00			```shell
Spell out rake tasks for omnibus-gitlab 2014-06-23 08:38:22 +00:00			`# omnibus-gitlab`
			`sudo gitlab-rake gitlab:import:user_to_projects[username@domain.tld]`

Drop comments on cookbook installing from source now that it uses Omnibus. 2015-01-28 06:50:31 +00:00			`# installation from source`
move env to end of lines 2014-08-18 21:07:32 +00:00			`bundle exec rake gitlab:import:user_to_projects[username@domain.tld] RAILS_ENV=production`
add help page for gitlab specific rake tasks 2012-12-02 12:56:04 +00:00			```

Update docs to markdown style guide. 2014-04-24 22:48:22 +00:00			`## Add all users to all projects`
add help page for gitlab specific rake tasks 2012-12-02 12:56:04 +00:00
			`Notes:`

Resolve "Rename the `Master` role to `Maintainer`" Backend 2018-07-11 14:36:08 +00:00			`- admin users are added as maintainers`
add help page for gitlab specific rake tasks 2012-12-02 12:56:04 +00:00
Add latest changes from gitlab-org/gitlab@master 2020-01-30 15:09:15 +00:00			```shell
Spell out rake tasks for omnibus-gitlab 2014-06-23 08:38:22 +00:00			`# omnibus-gitlab`
			`sudo gitlab-rake gitlab:import:all_users_to_all_projects`

Drop comments on cookbook installing from source now that it uses Omnibus. 2015-01-28 06:50:31 +00:00			`# installation from source`
move env to end of lines 2014-08-18 21:07:32 +00:00			`bundle exec rake gitlab:import:all_users_to_all_projects RAILS_ENV=production`
add help page for gitlab specific rake tasks 2012-12-02 12:56:04 +00:00			```
add rake gitlab:import: all_users_to_all_groups and user_to_groups I opted for admins to be added as "owners" instead of "masters" because project masters can managers members, but only group owners can manage members. 2013-11-02 22:12:29 +00:00
Update docs to markdown style guide. 2014-04-24 22:48:22 +00:00			`## Add user as a developer to all groups`
add rake gitlab:import: all_users_to_all_groups and user_to_groups I opted for admins to be added as "owners" instead of "masters" because project masters can managers members, but only group owners can manage members. 2013-11-02 22:12:29 +00:00
Add latest changes from gitlab-org/gitlab@master 2020-01-30 15:09:15 +00:00			```shell
Spell out rake tasks for omnibus-gitlab 2014-06-23 08:38:22 +00:00			`# omnibus-gitlab`
			`sudo gitlab-rake gitlab:import:user_to_groups[username@domain.tld]`

Drop comments on cookbook installing from source now that it uses Omnibus. 2015-01-28 06:50:31 +00:00			`# installation from source`
move env to end of lines 2014-08-18 21:07:32 +00:00			`bundle exec rake gitlab:import:user_to_groups[username@domain.tld] RAILS_ENV=production`
add rake gitlab:import: all_users_to_all_groups and user_to_groups I opted for admins to be added as "owners" instead of "masters" because project masters can managers members, but only group owners can manage members. 2013-11-02 22:12:29 +00:00			```

Update docs to markdown style guide. 2014-04-24 22:48:22 +00:00			`## Add all users to all groups`
add rake gitlab:import: all_users_to_all_groups and user_to_groups I opted for admins to be added as "owners" instead of "masters" because project masters can managers members, but only group owners can manage members. 2013-11-02 22:12:29 +00:00
			`Notes:`

Update docs to markdown style guide. 2014-04-24 22:48:22 +00:00			`- admin users are added as owners so they can add additional users to the group`
add rake gitlab:import: all_users_to_all_groups and user_to_groups I opted for admins to be added as "owners" instead of "masters" because project masters can managers members, but only group owners can manage members. 2013-11-02 22:12:29 +00:00
Add latest changes from gitlab-org/gitlab@master 2020-01-30 15:09:15 +00:00			```shell
Spell out rake tasks for omnibus-gitlab 2014-06-23 08:38:22 +00:00			`# omnibus-gitlab`
			`sudo gitlab-rake gitlab:import:all_users_to_all_groups`

Drop comments on cookbook installing from source now that it uses Omnibus. 2015-01-28 06:50:31 +00:00			`# installation from source`
move env to end of lines 2014-08-18 21:07:32 +00:00			`bundle exec rake gitlab:import:all_users_to_all_groups RAILS_ENV=production`
add rake gitlab:import: all_users_to_all_groups and user_to_groups I opted for admins to be added as "owners" instead of "masters" because project masters can managers members, but only group owners can manage members. 2013-11-02 22:12:29 +00:00			```
Added " How to maintain tight control over the number of active users on your GitLab installation" to documentation 2015-04-24 02:19:21 +00:00
			`## Maintain tight control over the number of active users on your GitLab installation`

update doc by removing unnecessary parts 2015-05-04 09:13:07 +00:00			`- Enable this setting to keep new users blocked until they have been cleared by the admin (default: false).`
Added " How to maintain tight control over the number of active users on your GitLab installation" to documentation 2015-04-24 02:19:21 +00:00
			```
update doc by removing unnecessary parts 2015-05-04 09:13:07 +00:00			`block_auto_created_users: false`
			```
Add docs for gitlab:two_factor:disable_for_all_users task 2015-10-07 19:46:54 +00:00
			`## Disable Two-factor Authentication (2FA) for all users`

			`This task will disable 2FA for all users that have it enabled. This can be`
Store OTP secret key in secrets.yml .secret stores the secret token used for both encrypting login cookies and for encrypting stored OTP secrets. We can't rotate this, because that would invalidate all existing OTP secrets. If the secret token is present in the .secret file or an environment variable, save it as otp_key_base in secrets.yml. Now .secret can be rotated without invalidating OTP secrets. If the secret token isn't present (initial setup), then just generate a separate otp_key_base and save in secrets.yml. Update the docs to reflect that secrets.yml needs to be retained past upgrades, but .secret doesn't. 2016-07-15 12:19:29 +00:00			useful if GitLab's `config/secrets.yml` file has been lost and users are unable
			`to login, for example.`
Add docs for gitlab:two_factor:disable_for_all_users task 2015-10-07 19:46:54 +00:00
Add latest changes from gitlab-org/gitlab@master 2020-01-30 15:09:15 +00:00			```shell
Add docs for gitlab:two_factor:disable_for_all_users task 2015-10-07 19:46:54 +00:00			`# omnibus-gitlab`
			`sudo gitlab-rake gitlab:two_factor:disable_for_all_users`

			`# installation from source`
			`bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production`
			```
Add a new gitlab:users:clear_all_authentication_tokens task Signed-off-by: Rémy Coutable <remy@rymai.me> 2016-10-07 16:35:36 +00:00
Add a Rake task to aid in rotating otp_key_base 2017-06-02 16:28:54 +00:00			`## Rotate Two-factor Authentication (2FA) encryption key`

			`GitLab stores the secret data enabling 2FA to work in an encrypted database`
			column. The encryption key for this data is known as `otp_key_base`, and is
			stored in `config/secrets.yml`.

			`If that file is leaked, but the individual 2FA secrets have not, it's possible`
			`to re-encrypt those secrets with a new encryption key. This allows you to change`
			`the leaked key without forcing all users to change their 2FA details.`

			First, look up the old key. This is in the `config/secrets.yml` file, but
			`make sure you're working with the production section. The line you're`
			`interested in will look like this:`

			```yaml
			`production:`
			`otp_key_base: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff`
			```

			`Next, generate a new secret:`

Add latest changes from gitlab-org/gitlab@master 2020-03-03 03:08:31 +00:00			```shell
Add a Rake task to aid in rotating otp_key_base 2017-06-02 16:28:54 +00:00			`# omnibus-gitlab`
			`sudo gitlab-rake secret`

			`# installation from source`
			`bundle exec rake secret RAILS_ENV=production`
			```

			`Now you need to stop the GitLab server, back up the existing secrets file and`
			`update the database:`

Add latest changes from gitlab-org/gitlab@master 2020-03-03 03:08:31 +00:00			```shell
Add a Rake task to aid in rotating otp_key_base 2017-06-02 16:28:54 +00:00			`# omnibus-gitlab`
			`sudo gitlab-ctl stop`
			`sudo cp config/secrets.yml config/secrets.yml.bak`
			`sudo gitlab-rake gitlab:two_factor:rotate_key:apply filename=backup.csv old_key=<old key> new_key=<new key>`

			`# installation from source`
			`sudo /etc/init.d/gitlab stop`
			`cp config/secrets.yml config/secrets.yml.bak`
			`bundle exec rake gitlab:two_factor:rotate_key:apply filename=backup.csv old_key=<old key> new_key=<new key> RAILS_ENV=production`
			```

			The `<old key>` value can be read from `config/secrets.yml`; `<new key>` was
			`generated earlier. The encrypted values for the user 2FA secrets will be`
			written to the specified `filename` - you can use this to rollback in case of
			`error.`

			Finally, change `config/secrets.yml` to set `otp_key_base` to `<new key>` and
			`restart. Again, make sure you're operating in the production section.`

Add latest changes from gitlab-org/gitlab@master 2020-03-03 03:08:31 +00:00			```shell
Add a Rake task to aid in rotating otp_key_base 2017-06-02 16:28:54 +00:00			`# omnibus-gitlab`
			`sudo gitlab-ctl start`

			`# installation from source`
			`sudo /etc/init.d/gitlab start`
			```

			If there are any problems (perhaps using the wrong value for `old_key`), you can
			restore your backup of `config/secrets.yml` and rollback the changes:

Add latest changes from gitlab-org/gitlab@master 2020-03-03 03:08:31 +00:00			```shell
Add a Rake task to aid in rotating otp_key_base 2017-06-02 16:28:54 +00:00			`# omnibus-gitlab`
			`sudo gitlab-ctl stop`
			`sudo gitlab-rake gitlab:two_factor:rotate_key:rollback filename=backup.csv`
			`sudo cp config/secrets.yml.bak config/secrets.yml`
			`sudo gitlab-ctl start`

			`# installation from source`
			`sudo /etc/init.d/gitlab start`
			`bundle exec rake gitlab:two_factor:rotate_key:rollback filename=backup.csv RAILS_ENV=production`
			`cp config/secrets.yml.bak config/secrets.yml`
			`sudo /etc/init.d/gitlab start`

			```