
Prevent creation of private projects by default on WMF GitLab
Closed, Resolved (Public)

Description

I did some digging before asking in #gitlab on libera.chat:

16:48 <brennen> howdy.  does anybody know if it's possible (in gitlab CE specifically) to disable private projects for individual users?
16:49 <brennen> that is, i'd like to let people create projects, but only public ones, for the majority of users of our instance.
17:14 <certifiable> brennen: There isn't deep granularity on that.  You can restrict possible visibility levels (https://docs.gitlab.com/ee/user/admin_area/settings/visibility_and_access_controls.html#restricted-visibility-levels) and prevent "Private".  But then admins would be the only ones able to make projects Private.
17:15 <certifiable> There's no way to grant that right to a selected non-admin group of users.

Per the linked docs, this seems right, and I've applied that setting. Will need to confirm that a user can request an admin make a project private and access it the usual way. Once that's done, we can probably safely merge 699819.

To be clear, this assumes that we can set the policy to:

  • Users may create publicly visible projects under their own accounts.
  • Any team or user with a use case for a private project will need to file a request, which admins will evaluate on a case-by-case basis.

cc: @thcipriani, @greg for review on that decision.

Event Timeline

Change 699819 had a related patch set uploaded (by Brennen Bearnes; author: Brennen Bearnes):

[operations/gitlab-ansible@master] CAS: stop marking users as external

https://gerrit.wikimedia.org/r/699819

> To be clear, this assumes that we can set the policy to:
>
>   • Users may create publicly visible projects under their own accounts.
>   • Any team or user with a use case for a private project will need to file a request, which admins will evaluate on a case-by-case basis.
>
> cc: @thcipriani, @greg for review on that decision.

This is an improvement on the current status quo where users file a request for all project creation, so I'm +1. What about group creation and project creation under a group namespace?

> This is an improvement on the current status quo where users file a request for all project creation, so I'm +1. What about group creation and project creation under a group namespace?

Individual users have a boolean for "can create groups". My assumption has been that there'll be a request process for new top-level groups. Within a group, subgroup creation can be limited to Owners or Maintainers, while project creation can be limited to Maintainers + Developers, just Maintainers, or restricted entirely.

(For reference, the user role hierarchy seems to be, from least empowered to most: Guest, Reporter, Developer, Maintainer, Owner.)

Change 699819 merged by Brennen Bearnes:

[operations/gitlab-ansible@master] CAS: stop marking users as external

https://gerrit.wikimedia.org/r/699819

> Will need to confirm that a user can request an admin make a project private and access it the usual way.

Confirmed this works; deploying "stop marking users as external" patch.

brennen claimed this task.
brennen moved this task from In Progress to Done on the GitLab (Initialization) board.
brennen moved this task from INBOX to Doing on the Release-Engineering-Team board.
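
One way to audit an instance against the policy discussed in this task, as an added example that is not part of the task or of WMF's tooling. The field names follow GitLab's REST API (`restricted_visibility_levels`, `default_project_visibility`, `visibility`, `external`, `can_create_group`); the sample data is constructed, and `APPROVED_PRIVATE` is a hypothetical list of admin-approved exceptions.

```python
import json

# Constructed sample data shaped like GitLab REST API responses (admin token):
# GET /api/v4/application/settings, /api/v4/projects, /api/v4/users
SETTINGS = json.loads('{"restricted_visibility_levels": ["private"],'
                      ' "default_project_visibility": "private"}')
PROJECTS = [
    {"id": 1, "path_with_namespace": "alice/tool", "visibility": "public"},
    {"id": 2, "path_with_namespace": "bob/scratch", "visibility": "private"},
    {"id": 3, "path_with_namespace": "security/embargoed", "visibility": "private"},
]
USERS = [
    {"username": "alice", "external": False, "can_create_group": False},
    {"username": "bob", "external": True, "can_create_group": True},
]
APPROVED_PRIVATE = {3}  # hypothetical: project ids with an admin-approved request


def check_settings(settings):
    """Findings about the instance-wide visibility settings."""
    findings = []
    restricted = set(settings.get("restricted_visibility_levels") or [])
    if "private" not in restricted:
        findings.append("'private' is not a restricted visibility level")
    default = settings.get("default_project_visibility")
    if default in restricted:
        findings.append(f"default project visibility '{default}' is itself restricted")
    return findings


def unapproved_private(projects, approved_ids):
    """Private projects that no admin-approved request covers."""
    return [p["path_with_namespace"] for p in projects
            if p["visibility"] == "private" and p["id"] not in approved_ids]


def user_findings(users):
    """Users still marked external, and users allowed to create top-level groups."""
    return {
        "external": [u["username"] for u in users if u.get("external")],
        "can_create_group": [u["username"] for u in users if u.get("can_create_group")],
    }


if __name__ == "__main__":
    print(check_settings(SETTINGS))
    print(unapproved_private(PROJECTS, APPROVED_PRIVATE))
    print(user_findings(USERS))
```

Private projects that predate the restriction are not changed by it, which is why the project list is checked separately from the settings.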