Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Solutions Architecture / 9 Aug 2022
GitLab / Solutions Architecture / 9 Aug 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Using GitLab Pages to Give Guest Users Access to Code (part 1 of 2)

Description

Part two: https://youtu.be/f13DcvUMrzM

This is a very simple example on how to use GitLab Pages to store code in a place that allows Guest Users to access that code (through Releases) without having access to the code itself, while not making "code" available to unauthenticated users nor the entire GitLab user base.

A

Hi all this is Tim poffenberger and I am a part of the solutions. Architecture organization here at get lab and I, had a customer ask about finding ways to to allow guest users to be able to view code in a way that still adheres to gitlab's permissioning model, there's two primary use cases that I typically see a premium or a free tier use case and then an ultimate use case.

A

The ultimate use case is really interesting to me, because guest users are free in Ultimate, so you can assign users as long as they don't Elevate beyond the guest user role across all of their projects. You do not pay for those users, uh one of the and uh for for premium and free tier.

A

Sometimes they might want to give code to customers or allow them to look at potential issues, but anything confidential they're not allowed to see what a guest user can and cannot do is outlined in our permissions table and oftentimes you'll see this a few notes. Next to that guest role, and these are oftentimes specific to our gitlab, ultimate tier and um and specifically on our SAS product.

A

There is a open issue right now, so at some point in time this may be resolved allowing guest users to view the repository content and private projects. This will most likely be solved by the ability to have customizable roles, but I I do want to note that, if you're interested in the leveraging this for guest users, there is no intention at this time to allow guest users to remain guest users in that ultimate tier without having them and allow them to be free.

A

So once this would be set up within the user interface, then you would be expected to be paying for those because they have a reporter or above permission. So let's talk about how this works.

A

um So uh it's a very simple project, we're using gitlab pages and we're collecting, artifacts or collecting uh releases downloading the code and then making that available via zip file. uh What this does not do is it doesn't give you a beautiful user interface.

A

um It doesn't uh it's not built intentionally for artifacts to be included, it doesn't scope, specific paths um or files or folders within a given release on it on a branch or get tag.

A

It's all the files uh for a specific tag and specifically for a given release, and then um it doesn't support more than one Project's releases at this time and then it um it doesn't. Let users view the code. It allows them to download the code via zip file. Importantly, this is not supported by gitlab. This is just something that you can use uh in conjunction with gitlab pages, so we're going to walk through how to I took this project.

A

I cloned it we're going to show you what it looks like to have that read: API project access and then what you need to do to get started here so uh before I. Even do that I just want to show you what it looks like. So this is the end result where you can actually see that we were required to log in validating that we were at least a guest user, and then you can also see all of the the releases.

A

There's only one release here- and you can also see here within our deployments releases- that there is one release here. If I go ahead and create a new release, I'm going to go ahead and do the 2.0 and I'm going to create that as a git tag and I'm going to call this release, 2.0 I won't associate any Milestones I'll just set the release date, and then you could essentially provide release assets.

A

This is our latest release that fixes a bug and I'm going to create this release and I'm also going to go ahead and run a pipeline, as this pipeline is set up to only run on the the default Branch or on yeah on your your default branch and you'll see two jobs being created. This get releases and this Page's job uh behind the scenes. What uh one one thing that we're doing is we are using that access token, that project access token, which could also be a group access token.

A

You can see that it's set up here has a read, API scope, and it only has a role of reporter. This is being stored in CI variables and scoped. So if I open up variables, you can see a private token and it is scoped to just the pages environment and that Pages environment is defined within the gitlab EML file. There are two jobs here. There's this get releases.

A

This is the thing that goes and downloads all of the previous releases, and you can see in here we're going to leverage this private token and the release downloader file. Will then it's a python script that then goes and downloads the the code and makes it available. This also generates an HTML file, which is then used for your gitlab pages page.

A

The first time you ever run this you'll always need to this needs is, uh is self-reflecting, uh so if you've never run this job before it will fail, because this need statement, lines 17 through 21 are expecting this job to have run before in your given Pipeline on your default branch, it uses project variables, so once this is set up, you shouldn't have to change anything on this job. Again and again, this Pages page is really just preparing to to move things and make them available.

A

So, uh let's validate that, this pipeline has succeeded, it has exceeded. We see this Pages deploy and now I can go over. uh One last thing that I did want to mention is I, am utilizing the environment name pages and the URL Pages URL. So that way we can lock down the private token variable.

A

Lastly, I can see that in deployments environments there is a Pages environment and I can go ahead and open this up, and it also takes me to that same URL, and now we can see that there are two releases uh release 2.0 released 1.0 again. This is very simple and upon clicking on this link, it will go ahead and generate a version.

A

2.0 download, zip file if I'm a guest user, so this user here is I've switched over to my T poffenberger customer Persona, and uh so I only have guest user access, which means that I can see code uh and the reason I can see code is because this is a public project.

A

So let me go ahead and just show you what this might look like if this was a private project, I'm going to go ahead and make this private I'm gonna make this public again after this after this demonstration, and we go ahead and click on guest user project one more time and now all of a sudden, the code has disappeared.

A

So I'm not a I'm, no longer able to see the code I'm no longer able to see the I can see the releases but I'm not actually able to download the code in this page, which is really what I would have loved to be able to do so. What you can do, then, is you can go here and you can click see it live and it will then take us and log in and now again I have access to download this code.

A

If I was a unauthenticated user, I would not even be able to get to this page and if I go ahead and make this project public again.

A

And I'm going to verify that pages is only project members.

A

And I can see this page, but I am not able to view the gitlab pages page. So that's it uh thanks for watching. Hopefully this will help some customers that are looking to adopt uh premium or gitlab ultimate, uh but also make their code accessible to guest users, a viable option for them. Now, thanks.