debian-mirror-gitlab/doc/user/admin_area/settings/sign_in_restrictions.md

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

185 lines
7.5 KiB
Markdown
Raw Normal View History

2019-12-26 22:10:19 +05:30
---
2021-01-29 00:20:46 +05:30
stage: none
group: unassigned
2022-11-25 23:54:43 +05:30
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
2019-12-26 22:10:19 +05:30
---
2021-03-11 19:13:27 +05:30
# Sign-in restrictions **(FREE SELF)**
2019-12-26 22:10:19 +05:30
2020-07-28 23:09:34 +05:30
You can use **Sign-in restrictions** to customize authentication restrictions for web interfaces as well as Git over HTTP(S).
## Settings
To access sign-in restriction settings:
2022-10-11 01:57:18 +05:30
1. On the top bar, select **Main menu > Admin**.
2021-11-11 11:23:49 +05:30
1. On the left sidebar, select **Settings > General**.
2020-07-28 23:09:34 +05:30
1. Expand the **Sign-in restrictions** section.
2019-12-26 22:10:19 +05:30
## Password authentication enabled
You can restrict the password authentication for web interface and Git over HTTP(S):
2022-03-02 08:16:31 +05:30
- **Web interface**: When this feature is disabled, the **Standard** sign-in tab
is removed and an [external authentication provider](../../../administration/auth/index.md)
must be used.
- **Git over HTTP(S)**: When this feature is disabled, a [Personal Access Token](../../profile/personal_access_tokens.md)
or LDAP password must be used to authenticate.
2019-12-26 22:10:19 +05:30
2022-10-11 01:57:18 +05:30
In the event of an external authentication provider outage, use the [GitLab Rails console](../../../administration/operations/rails_console.md) to [re-enable the standard web sign-in form](#re-enable-standard-web-sign-in-form-in-rails-console). This configuration can also be changed over the [Application settings REST API](../../../api/settings.md#change-application-settings) while authenticating with an administrator account's personal access token.
2021-11-18 22:05:49 +05:30
2021-04-29 21:17:54 +05:30
## Admin Mode
2021-11-11 11:23:49 +05:30
> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/2158) in GitLab 13.10.
2021-04-29 21:17:54 +05:30
2023-01-13 00:05:48 +05:30
If you are an administrator, you might want to work in GitLab without the access that
comes from being an administrator. While you could create a separate user account that
doesn't have administrator access, a more secure solution is to use *Admin Mode*.
2021-04-29 21:17:54 +05:30
2023-01-13 00:05:48 +05:30
With Admin Mode, your account does not have administrative access by default.
You can continue to access groups and projects you are a member of, but to access
administrative functionality, you must authenticate.
2021-04-29 21:17:54 +05:30
2023-01-13 00:05:48 +05:30
When Admin Mode is enabled, it applies to all administrators on the instance.
2021-04-29 21:17:54 +05:30
2023-01-13 00:05:48 +05:30
When Admin Mode is enabled for an instance, administrators:
2021-04-29 21:17:54 +05:30
2023-01-13 00:05:48 +05:30
- Are allowed to access group and projects for which they are members.
- Cannot access the **Admin Area**.
2021-04-29 21:17:54 +05:30
2023-01-13 00:05:48 +05:30
### Enable Admin Mode for your instance
Administrators can enable Admin Mode though the API, the Rails console, or the UI.
#### Use the API to enable Admin Mode
Make the following request to your instance endpoint:
```shell
curl --request PUT --header "PRIVATE-TOKEN:$ADMIN_TOKEN" "<gitlab.example.com>/api/v4/application/settings?admin_mode=true"
```
Replace `<gitlab.example.com>` with your instance URL.
For more information, see the [list of settings that can be accessed through API calls](../../../api/settings.md).
#### Use the Rails console to enable Admin Mode
Open the [Rails console](../../../administration/operations/rails_console.md) and run the following:
```ruby
::Gitlab::CurrentSettings.update_attributes!(admin_mode: true)
```
#### Use the UI to enable Admin Mode
To enable Admin Mode through the UI:
1. On the top bar, select **Main menu > Admin**.
1. On the left sidebar, select **Settings > General**.
1. Expand **Sign-in restrictions**.
1. In the **Admin Mode** section, select the **Require additional authentication for administrative tasks** checkbox.
### Turn on Admin Mode for your session
To turn on Admin Mode for your current session and access potentially dangerous resources:
1. On the top bar, select **Enable Admin Mode**.
1. Try to access any part of the UI with `/admin` in the URL (which requires administrator access).
When Admin Mode status is disabled or turned off, administrators cannot access resources unless
they've been explicitly granted access. For example, administrators get a `404` error
if they try to open a private group or project, unless they are members of that group or project.
2FA should be enabled for administrators. 2FA, OmniAuth providers, and LDAP
authentication are supported by Admin Mode. Admin Mode status is stored in the current user session and remains active until either:
- It is explicitly disabled.
- It is disabled automatically after a timeout.
2021-04-29 21:17:54 +05:30
### Limitations of Admin Mode
The following access methods are **not** protected by Admin Mode:
- Git client access (SSH using public keys or HTTPS using Personal Access Tokens).
- API access using a Personal Access Token.
In other words, administrators who are otherwise limited by Admin Mode can still use
Git clients, and access RESTful API endpoints as administrators, without additional
authentication steps.
We may address these limitations in the future. For more information see the following epic:
2022-07-16 23:28:13 +05:30
[Admin Mode for GitLab Administrators](https://gitlab.com/groups/gitlab-org/-/epics/2158).
2021-04-29 21:17:54 +05:30
### Troubleshooting Admin Mode
If necessary, you can disable **Admin Mode** as an administrator by using one of these two methods:
- **API**:
```shell
curl --request PUT --header "PRIVATE-TOKEN:$ADMIN_TOKEN" "<gitlab-url>/api/v4/application/settings?admin_mode=false"
```
- [**Rails console**](../../../administration/operations/rails_console.md#starting-a-rails-console-session):
```ruby
2021-09-04 01:27:46 +05:30
::Gitlab::CurrentSettings.update!(admin_mode: false)
2021-04-29 21:17:54 +05:30
```
2021-09-04 01:27:46 +05:30
2019-12-26 22:10:19 +05:30
## Two-factor authentication
2021-04-29 21:17:54 +05:30
When this feature is enabled, all users must use the [two-factor authentication](../../profile/account/two_factor_authentication.md).
2019-12-26 22:10:19 +05:30
2021-03-11 19:13:27 +05:30
After the two-factor authentication is configured as mandatory, users are allowed
2019-12-26 22:10:19 +05:30
to skip forced configuration of two-factor authentication for the configurable grace
period in hours.
![Two-factor grace period](img/two_factor_grace_period.png)
2020-07-28 23:09:34 +05:30
## Email notification for unknown sign-ins
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/218457) in GitLab 13.2.
When enabled, GitLab notifies users of sign-ins from unknown IP addresses or devices. For more information,
see [Email notification for unknown sign-ins](../../profile/unknown_sign_in_notification.md).
![Email notification for unknown sign-ins](img/email_notification_for_unknown_sign_ins_v13_2.png)
2019-12-26 22:10:19 +05:30
## Sign-in information
2021-02-22 17:27:13 +05:30
All users that are not logged in are redirected to the page represented by the configured
**Home page URL** if value is not empty.
2019-12-26 22:10:19 +05:30
2021-11-18 22:05:49 +05:30
All users are redirected to the page represented by the configured **After sign-out path**
2019-12-26 22:10:19 +05:30
after sign out if value is not empty.
2021-02-22 17:27:13 +05:30
In the **Sign-in restrictions** section, scroll to the **Sign-in text** field. You can add a
2021-01-29 00:20:46 +05:30
custom message for your users in Markdown format.
For example, if you include the following information in the noted text box:
```markdown
# Custom sign-in text
2021-09-04 01:27:46 +05:30
To access this text box:
2022-10-11 01:57:18 +05:30
1. On the top bar, select **Main menu > Admin**.
2021-11-11 11:23:49 +05:30
1. On the left sidebar, select **Settings > General**, and expand the **Sign-in restrictions** section.
2021-01-29 00:20:46 +05:30
```
2021-02-22 17:27:13 +05:30
Your users see the **Custom sign-in text** when they navigate to the sign-in screen for your
2021-09-04 01:27:46 +05:30
GitLab instance.
2019-12-26 22:10:19 +05:30
2022-10-11 01:57:18 +05:30
## Troubleshooting
2019-12-26 22:10:19 +05:30
2022-10-11 01:57:18 +05:30
### Re-enable standard web sign-in form in rails console
2019-12-26 22:10:19 +05:30
2022-10-11 01:57:18 +05:30
Re-enable the standard username and password-based sign-in form if it was disabled as a [Sign-in restriction](#password-authentication-enabled).
You can use this method through the [rails console](../../../administration/operations/rails_console.md#starting-a-rails-console-session) when a configured external authentication provider (through SSO or an LDAP configuration) is facing an outage and direct sign-in access to GitLab is required.
```ruby
Gitlab::CurrentSettings.update!(password_authentication_enabled_for_web: true)
```