2020-10-30 17:08:52 -04:00
---
2022-05-29 20:08:35 -04:00
stage: Systems
2021-01-19 13:11:04 -05:00
group: Distribution
2022-09-21 17:13:33 -04:00
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
2020-10-30 17:08:52 -04:00
---
2021-01-28 01:08:59 -05:00
# User management **(FREE SELF)**
2014-05-27 08:12:15 -04:00
2020-04-28 02:09:49 -04:00
GitLab provides Rake tasks for user management.
2014-04-24 18:48:22 -04:00
## Add user as a developer to all projects
2012-12-02 07:56:04 -05:00
2020-04-28 02:09:49 -04:00
To add a user as a developer to all projects, run:
2020-01-30 10:09:15 -05:00
```shell
2014-06-23 04:38:22 -04:00
# omnibus-gitlab
sudo gitlab-rake gitlab:import:user_to_projects[username@domain.tld]
2015-01-28 01:50:31 -05:00
# installation from source
2014-08-18 17:07:32 -04:00
bundle exec rake gitlab:import:user_to_projects[username@domain.tld] RAILS_ENV=production
2012-12-02 07:56:04 -05:00
```
2014-04-24 18:48:22 -04:00
## Add all users to all projects
2012-12-02 07:56:04 -05:00
2020-04-28 02:09:49 -04:00
To add all users to all projects, run:
2012-12-02 07:56:04 -05:00
2020-01-30 10:09:15 -05:00
```shell
2014-06-23 04:38:22 -04:00
# omnibus-gitlab
sudo gitlab-rake gitlab:import:all_users_to_all_projects
2015-01-28 01:50:31 -05:00
# installation from source
2014-08-18 17:07:32 -04:00
bundle exec rake gitlab:import:all_users_to_all_projects RAILS_ENV=production
2012-12-02 07:56:04 -05:00
```
2013-11-02 18:12:29 -04:00
2021-09-22 08:12:04 -04:00
Administrators are added as maintainers.
2020-04-28 02:09:49 -04:00
2014-04-24 18:48:22 -04:00
## Add user as a developer to all groups
2013-11-02 18:12:29 -04:00
2020-04-28 02:09:49 -04:00
To add a user as a developer to all groups, run:
2020-01-30 10:09:15 -05:00
```shell
2014-06-23 04:38:22 -04:00
# omnibus-gitlab
sudo gitlab-rake gitlab:import:user_to_groups[username@domain.tld]
2015-01-28 01:50:31 -05:00
# installation from source
2014-08-18 17:07:32 -04:00
bundle exec rake gitlab:import:user_to_groups[username@domain.tld] RAILS_ENV=production
2013-11-02 18:12:29 -04:00
```
2014-04-24 18:48:22 -04:00
## Add all users to all groups
2013-11-02 18:12:29 -04:00
2020-04-28 02:09:49 -04:00
To add all users to all groups, run:
2013-11-02 18:12:29 -04:00
2020-01-30 10:09:15 -05:00
```shell
2014-06-23 04:38:22 -04:00
# omnibus-gitlab
sudo gitlab-rake gitlab:import:all_users_to_all_groups
2015-01-28 01:50:31 -05:00
# installation from source
2014-08-18 17:07:32 -04:00
bundle exec rake gitlab:import:all_users_to_all_groups RAILS_ENV=production
2013-11-02 18:12:29 -04:00
```
2015-04-23 22:19:21 -04:00
2020-11-23 13:09:14 -05:00
Administrators are added as owners so they can add additional users to the group.
2020-04-28 02:09:49 -04:00
2020-11-26 19:09:42 -05:00
## Update all users in a given group to `project_limit:0` and `can_create_group: false`
To update all users in given group to `project_limit: 0` and `can_create_group: false` , run:
```shell
# omnibus-gitlab
sudo gitlab-rake gitlab:user_management:disable_project_and_group_creation\[:group_id\]
# installation from source
bundle exec rake gitlab:user_management:disable_project_and_group_creation\[:group_id\] RAILS_ENV=production
```
It updates all users in the given group, its subgroups and projects in this group namespace, with the noted limits.
2020-11-23 13:09:14 -05:00
## Control the number of billable users
2015-04-23 22:19:21 -04:00
2020-04-28 02:09:49 -04:00
Enable this setting to keep new users blocked until they have been cleared by the administrator.
Defaults to `false` :
2015-04-23 22:19:21 -04:00
2020-03-25 02:07:58 -04:00
```plaintext
2015-05-04 05:13:07 -04:00
block_auto_created_users: false
```
2015-10-07 15:46:54 -04:00
2020-04-28 02:09:49 -04:00
## Disable two-factor authentication for all users
2015-10-07 15:46:54 -04:00
2020-04-28 02:09:49 -04:00
This task disables two-factor authentication (2FA) for all users that have it enabled. This can be
2020-12-16 19:09:53 -05:00
useful if the GitLab `config/secrets.yml` file has been lost and users are unable
2020-04-28 02:09:49 -04:00
to log in, for example.
To disable two-factor authentication for all users, run:
2015-10-07 15:46:54 -04:00
2020-01-30 10:09:15 -05:00
```shell
2015-10-07 15:46:54 -04:00
# omnibus-gitlab
sudo gitlab-rake gitlab:two_factor:disable_for_all_users
# installation from source
bundle exec rake gitlab:two_factor:disable_for_all_users RAILS_ENV=production
```
2016-10-07 12:35:36 -04:00
2020-04-28 02:09:49 -04:00
## Rotate two-factor authentication encryption key
2017-06-02 12:28:54 -04:00
2020-04-28 02:09:49 -04:00
GitLab stores the secret data required for two-factor authentication (2FA) in an encrypted
database column. The encryption key for this data is known as `otp_key_base` , and is
2017-06-02 12:28:54 -04:00
stored in `config/secrets.yml` .
If that file is leaked, but the individual 2FA secrets have not, it's possible
to re-encrypt those secrets with a new encryption key. This allows you to change
the leaked key without forcing all users to change their 2FA details.
2020-04-28 02:09:49 -04:00
To rotate the two-factor authentication encryption key:
2017-06-02 12:28:54 -04:00
2022-06-29 17:09:23 -04:00
1. Look up the old key in the `config/secrets.yml` file, but **make sure you're working
2020-11-19 22:09:15 -05:00
with the production section**. The line you're interested in looks like this:
2017-06-02 12:28:54 -04:00
2020-04-28 02:09:49 -04:00
```yaml
production:
2020-11-19 22:09:15 -05:00
otp_key_base: fffffffffffffffffffffffffffffffffffffffffffffff
2020-04-28 02:09:49 -04:00
```
2017-06-02 12:28:54 -04:00
2020-04-28 02:09:49 -04:00
1. Generate a new secret:
2017-06-02 12:28:54 -04:00
2020-04-28 02:09:49 -04:00
```shell
# omnibus-gitlab
sudo gitlab-rake secret
2017-06-02 12:28:54 -04:00
2020-04-28 02:09:49 -04:00
# installation from source
bundle exec rake secret RAILS_ENV=production
```
2017-06-02 12:28:54 -04:00
2020-04-28 02:09:49 -04:00
1. Stop the GitLab server, back up the existing secrets file, and update the database:
2017-06-02 12:28:54 -04:00
2020-04-28 02:09:49 -04:00
```shell
# omnibus-gitlab
sudo gitlab-ctl stop
sudo cp config/secrets.yml config/secrets.yml.bak
sudo gitlab-rake gitlab:two_factor:rotate_key:apply filename=backup.csv old_key=< old key > new_key=< new key >
2017-06-02 12:28:54 -04:00
2020-04-28 02:09:49 -04:00
# installation from source
sudo /etc/init.d/gitlab stop
cp config/secrets.yml config/secrets.yml.bak
bundle exec rake gitlab:two_factor:rotate_key:apply filename=backup.csv old_key=< old key > new_key=< new key > RAILS_ENV=production
```
2017-06-02 12:28:54 -04:00
2020-04-28 02:09:49 -04:00
The `<old key>` value can be read from `config/secrets.yml` (`< new key > ` was
2020-11-19 22:09:15 -05:00
generated earlier). The **encrypted** values for the user 2FA secrets are
2020-04-28 02:09:49 -04:00
written to the specified `filename` . You can use this to rollback in case of
error.
2017-06-02 12:28:54 -04:00
2020-04-28 02:09:49 -04:00
1. Change `config/secrets.yml` to set `otp_key_base` to `<new key>` and restart. Again, make sure
you're operating in the **production** section.
2017-06-02 12:28:54 -04:00
2020-04-28 02:09:49 -04:00
```shell
# omnibus-gitlab
sudo gitlab-ctl start
# installation from source
sudo /etc/init.d/gitlab start
```
2017-06-02 12:28:54 -04:00
If there are any problems (perhaps using the wrong value for `old_key` ), you can
restore your backup of `config/secrets.yml` and rollback the changes:
2020-03-02 22:08:31 -05:00
```shell
2017-06-02 12:28:54 -04:00
# omnibus-gitlab
sudo gitlab-ctl stop
sudo gitlab-rake gitlab:two_factor:rotate_key:rollback filename=backup.csv
sudo cp config/secrets.yml.bak config/secrets.yml
sudo gitlab-ctl start
# installation from source
sudo /etc/init.d/gitlab start
bundle exec rake gitlab:two_factor:rotate_key:rollback filename=backup.csv RAILS_ENV=production
cp config/secrets.yml.bak config/secrets.yml
sudo /etc/init.d/gitlab start
```
2021-12-13 13:15:18 -05:00
## Related topics
- [Reset a user's password ](../security/reset_user_password.md#use-a-rake-task ).