Page MenuHomePhabricator
Create Task
Maniphest T339843

Add GitLab to offboarding workflow
Open, MediumPublic
Actions

Description

GitLab offers access to certain repositories and groups. Some groups can give additional privileges. When people leave teams/roles, we have to make sure to review this groups and remove access, if needed.

We should create some documentation what has to be done in GitLab to review a users privileges and groups. Documentation should make sense here https://wikitech.wikimedia.org/wiki/SRE_Offboarding.

If possible, a cookbook or automatic sync (with ldap?) should be preferred over manually configuring GitLab.

Example of "Groups and projects" page in GitLab admin menu: https://gitlab.wikimedia.org/admin/users/jelto/projects (admin access required P16962)

Related Objects

Event Timeline

Jelto created this task.Jun 19 2023, 9:43 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 19 2023, 9:43 AM
gerritbot added a comment.Jun 19 2023, 2:51 PM

Change 931286 had a related patch set uploaded (by Jelto; author: Jelto):

[operations/alerts@master] sre: add gitlab ci alerts

https://gerrit.wikimedia.org/r/931286

gerritbot added a project: Patch-For-Review.Jun 19 2023, 2:51 PM
Jelto triaged this task as Medium priority.Jun 19 2023, 2:52 PM

^ sorry wrong Bug: in change.

LSobanski moved this task from Incoming to Backlog on the collaboration-services board.Jun 20 2023, 4:48 PM
MoritzMuehlenhoff added a project: CAS-SSO.Jun 27 2023, 9:29 AM
Restricted Application added a project: Infrastructure-Foundations. · View Herald TranscriptJun 27 2023, 9:29 AM
LSobanski subscribed.Oct 9 2023, 3:59 PM

LDAP sync is now implemented but some manual permissions remain in place so this is still a valid request.

brennen moved this task from INBOX to Radar on the Release-Engineering-Team board.Feb 13 2024, 9:57 PM
brennen edited projects, added Release-Engineering-Team (Radar); removed Release-Engineering-Team.
Pppery removed a project: Patch-For-Review.May 21 2024, 6:04 PM
Dzahn subscribed.Jul 8 2025, 10:22 PM

Since infrastructure-security owns the offboarding workflow (and has the offboarding script for this) we should probably ask them to include it.

MoritzMuehlenhoff added a comment.Jul 9 2025, 6:57 AM
In T339843#10986537, @Dzahn wrote:

Since infrastructure-security owns the offboarding workflow (and has the offboarding script for this) we should probably ask them to include it.

We run the offboarding script and wrote most of it, but that doesn't mean we'll implement all the features for things needed across the fleet. If there is anything specific to clean up in Gitlab when a user leaves, best to make a patch against modules/openldap/files/offboard-user.py

Dzahn added a comment.Jul 9 2025, 4:07 PM

I am afraid the specific thing to GitLab is that the can of "private repos" has been opened.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits