How do I make a gerrit repository secret - gerrit

New to gerrit and administration part of access control. We have a couple of gerrit repos and groups. One repo is secret and is visible only to members of a certain group. Cannot wrap my head around exactly what settings or access settings that makes this possible.
It is not the project options state setting “hidden” that I’m looking for. Since the secret repo state is “active” but not showing up on the list and not accessible by other groups. Do I configure the repo I want to make secret in the project.config file or in the access inheritance that is inherited from “All-Projects”? What do I need to configure then? Like: refs/* READ “Allow = Secret Group”? Would this make the repo secret, not showing up in the repo list and only accessible by “Secret Group”? Tried READ DENY to other groups but still showing up. v.2.16.8

You're right:
refs/* READ ALLOW => grant project list permission
refs/* READ DENY => deny project list permission
But...
A project is considered visible if any ref is visible for that user, so check if there's an explicit READ ALLOW on refs/meta/dashboard or any other ref.
See here more details about this.

Related

Jenkins GitHub access token - Enable Checks but not Write code

I'm trying to set up Jenkins Multi-branch pipelines to add status checks to my GitHub private org repos. Blue Ocean requires the bot-user to have write (maybe more) privileges, listed as so:
I would like to pull code, write status checks but not push code. Is there any combination/workaround that will enable this?
P.s. I'm not entirely confident in what each scope enables and what permission level of collaborator (read/write/admin) they need even though I've read the hyperlinked docs.
A personal access token grants a user API access at the same level of their permissions within GitHub, never greater. For example if the user has read access to a repo and the token is marked as "Full control" then they will still only have read access to that repo.
Writing a Status Check requires the user to have Write, Maintain or Admin permission to your repos as described in this page:
https://help.github.com/en/articles/repository-permission-levels-for-an-organization
Write, as the name suggests, grants push permission to your repo so you will need to think about how to proceed.
I assume you're using GitHub.com (rather than GitHub Enterprise) so would suggest the following:
Grant the bot-user write access to your repo
Create a team of users who require push access
Enable the branch restriction "Restrict who can push to this branch"
Add the newly created team you to the restriction
Set the "Branch name pattern" to *
https://help.github.com/en/articles/enabling-branch-restrictions
This will apply the restriction to all branches within your repo and prevent the user from pushing, but does not prevent the writing of status checks.
If you were using GitHub Enterprise I would consider a pre-receive hook to prevent the bot-user from being able to push code into your repos.
Mick

Team Services permissions - how to prevent dashboard access but allow GIT/Code access

is it possible to allow access to Team Services GIT repo but not allow
We have a Project X which we want to allow a user to access teh GIT repo but not see workitems etc
i have created a Team within Project X which is currently just inheriting from "Contributors" - i would like to lock this Team down so that it only has permission to the GIT repo and nothing else
is this possible?
Cheers
You could restrict access to resources that you manage in VSTS by setting the permission state to Deny through a security group/team.
You could deny the builds /Release and so on... For a comprehensive list of default groups and permissions, see Permission reference for Team Foundation Server.
For restricting users to see work items, you could deny the View work items in this node permission under an Area path:
View work items in this node
If you set the View work items in this node to Deny, the user will not
be able to see any work items in this area node. A Deny will
override any implicit allow, even for accounts that are members of
administrative groups such as Team Foundation Administrators.
More details please refer this link.

In TFS Online, How do I share a code branch with our customer

We have an enterprise customer that we have delivered a system for. It is part of the agreement for us to supply them with the source code of the latest release. We are using TFVC on TFS online, and we thought it would be easiest to give them access to our Main branch. But I have difficulties with only allowing them to access the code and nothing else. The user I am testing with, can see too much: I.e. things like dashboard, current team members etc.
Is it possible for me to only expose code from the Main branch and nothing else to an external user?
Giving access to TFS Main Branch out of Organization (AD) is not advisable considering security.. Instead consider giving source code into zip format there are lot of large file sending (FTP sites) are available..
Still for your request of restricting access to user have a look over this
https://www.visualstudio.com/en-us/docs/setup-admin/restrict-access-tfs
you can consider replicating your part of source code into separate stream and give reader read only access to that stream.
Hope this helps... :)
Refer to these steps to set the permission:
Add user to your VSTS (Basic)
Remove this user from all group if you added
Go to admin page of a team project Version Control (Setting > Version Control)
Select a folder/branch
Click Add > Add User to add that user
Select the user that you added
Set Read permission to Allow
Go to Security page (click Security)
Click Create group to create a new group
Set View project-level information to Allow and deny other permissions for this group
Click Members of that new group
Click Add to add that user to this group
After that, this user can access the code (Just the folder/branch the user has the read permission) on web access (Code > Files).

Jenkins multi-level folder project-based security - give access only to a specific subfolder

I use jenkins project-based matrix security.
I have this folder structure (jenkins folders):
folder1/subfolder1A/jobA1
folder1/subfolder1A/jobA2
folder1/subfolder1B/jobB
folder2/subfolder2C/jobC
I can't seem to find a way to give access to a particular user only to subfolder1A or to jobA2 etc.
I tried almost every combination of permissions, the only one that works requires me to add the job readpermission to the user for the root folder1. The permission is inherited and they can now see everything in subfolder1A and subfolder1B etc.
If i don't do that, they see nothing. But If I do that, they have access to all subfolders of folder1 and all their jobs (with read permissions).
Do you know any configuration that would allow a user to access only subfolderA or jobA1 ?
I use the latest jenkins 2.x (2.13 at the time of writing, I'll update to 2.14 possibly today)
I know its too late to answer your question however this might be helpful for others.
You can give access up to one level deep to sub folders using Role Based Access Control plugin. In your case, assume if you want to grant an access to subfolder1A and restrict all other sub-folders then you can create Project Role and use following pattern:
folder1(/subfolder1A.*)?
Suppose, you want to provide access to both subfolder1A and subfolder1B and restrict other sub-folders, then use following pattern:
folder1(/subfolder1A.*|/subfolder1B.*)?
This will allow you to control nested folders up to one level.
Hope this will be useful.

Jenkins: Use personal credentials for project

I'm hosting a project on my Jenkins server. That project has a GitHub repo and I have it set up so it automatically builds new commits. In order for that to work, I need to input credentials for a github account that has full access to the repo.
The problem is, that if I want him to add his login info to the credentials list, I'd have to give him acces to all credentials on the server (I don't want that).
I tried using the credentials under "{username}" > "Credentials", but those didn't show up in the project setup (even with 100% access to everything on the server).
Is there a way for the user to store his credentials and use them for the project without giving him full access to all credentials on the server?
Add the user's credentials under Global security and then allow project based Matrix Authorization Strategy per project as shown:
I found the answer in this mailing list entry:
In short: You need to
install and activate the Authorize Projects Plugin,
enable "run as specific user" strategy in global security settings,
enable this for the project in question.
This allows you to use the credentials for this specific user.
Enabling ssh-agent is the final step to make this work conveniently.

Resources