Access control for pages
We have a number of projects that produce proper documentation (pdfs and the like) for consumption by non-programmers. When done right, this all starts with a GitLab repository, and tools such as AsciiDoctor and jekyll to create a great documentation site. (See https://www.youtube.com/watch?v=O2wToEdPmSc for an example of doing this).
The problem, of course, is distribution, which would be nicely solved by GitLab pages. However, since (or rather, when) the documentation should not be readable by everybody, we need some sort of access control. The source project already has access control, and allows us to control who gets to clone the repository. Those who can clone already have access to the documentation source, and it is reasonable that they also have access to the GitLab pages site.
Hence, this issue is a request to enable access control on GitLab pages, where project accessibility level and project members already specify who has access to the project. The user interface for this solution could be a simple project setting ("use access control on GitLab pages"), with future enhancements, if needed.
If GitLab pages were to be ported to CE (lots of people want that, ref https://gitlab.com/gitlab-org/gitlab-ce/issues/14605), this is an obvious features to remain EE-only, providing added value for the commercial version. (Copying @sytses for this argument).
- Authentication must be handled by GitLab. You use the login-mechanism configured for GitLab, whether it be local accounts, an integrated LDAP-server, or anything else. This of course excludes any mechanism that has it's own password mechanism, or any other private form of secrets.
- Authorization must be covered by the GitLab access model. When you grant access to a project, you grant access to the Pages. When you revoke access from the project, you also revoke access to the Page
- Have a setting at the project level to restrict the use of GitLab Pages to project members only
- When activated, users who want to access Pages will be presented a page where they would have to Sign in with GitLab.
- Signing in is made with OAuth