Commit 35874b12 authored by Ashraf Khamis

Merge branch 'lciutacu-restructure-docs-restrictgroupaccess' into 'master'

Restructure topic "Restrict group access by IP address"

See merge request !108096



Merged-by: Ashraf Khamis <akhamis@gitlab.com>
Approved-by: Ashraf Khamis <akhamis@gitlab.com>
Co-authored-by: Lorena Ciutacu <lciutacu@gitlab.com>
parents 96b0b5c3 358d21ec
Pipeline #738299989 passed
......@@ -200,7 +200,7 @@ The following actions on groups generate group audit events:
[Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/353452) in GitLab 14.9.
- Failed attempt to create a group deploy token. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/353452)
in GitLab 14.9.
- [IP restrictions](../user/group/access_and_permissions.md#restrict-access-to-groups-by-ip-address) changed.
- [IP restrictions](../user/group/access_and_permissions.md#restrict-group-access-by-ip-address) changed.
[Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/358986) in GitLab 15.0.
- Changes to push rules. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/227629) in GitLab 15.0.
- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/356152) in GitLab 15.1, changes to the following merge
......
......@@ -48,7 +48,7 @@ tier. Users can continue to access the features in a paid tier without sharing u
### Features available in 14.4 and later
- [Repository size limit](../settings/account_and_limit_settings.md#repository-size-limit).
- [Group access restriction by IP address](../../group/access_and_permissions.md#restrict-access-to-groups-by-ip-address).
- [Group access restriction by IP address](../../group/access_and_permissions.md#restrict-group-access-by-ip-address).
NOTE:
Registration is not yet required for participation, but may be added in a future milestone.
......
......@@ -280,7 +280,7 @@ work in every repository. They can only be re-enabled by an administrator user o
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87579) in GitLab 15.1 [with a flag](../../../administration/feature_flags.md) named `group_ip_restrictions_allow_global`. Disabled by default.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/366445) in GitLab 15.4. [Feature flag `group_ip_restrictions_allow_global`](https://gitlab.com/gitlab-org/gitlab/-/issues/366445) removed.
Administrators can set IP address ranges to be combined with [group-level IP restrictions](../../group/access_and_permissions.md#restrict-access-to-groups-by-ip-address).
Administrators can set IP address ranges to be combined with [group-level IP restrictions](../../group/access_and_permissions.md#restrict-group-access-by-ip-address).
Use globally-allowed IP addresses to allow aspects of the GitLab installation to work even when group-level IP address
restrictions are set.
......
......@@ -56,7 +56,7 @@ To change the permitted Git access protocols for a group:
1. Choose the permitted protocols from **Enabled Git access protocols**.
1. Select **Save changes**.
## Restrict access to groups by IP address **(PREMIUM)**
## Restrict group access by IP address **(PREMIUM)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/1985) in GitLab 12.0.
> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/215410) from GitLab Ultimate to GitLab Premium in 13.1.
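Review bot: The heading rename to `## Restrict group access by IP address` changes the generated anchor, so any link that still points at `#restrict-access-to-groups-by-ip-address` stops resolving. The hunks visible here update three cross-file links and one same-page link; search the rest of the docs for the old fragment before merging to confirm nothing else references it.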
......@@ -66,13 +66,29 @@ address. This group-level setting applies to:
- The GitLab UI, including subgroups, projects, and issues.
- [In GitLab 12.3 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/12874), the API.
- In self-managed installations of GitLab 15.1 and later, you can also configure
[globally-allowed IP address ranges](../admin_area/settings/visibility_and_access_controls.md#configure-globally-allowed-ip-address-ranges)
at the group level.
Administrators can combine restricted access by IP address with
[globally-allowed IP addresses](../admin_area/settings/visibility_and_access_controls.md#configure-globally-allowed-ip-address-ranges).
To restrict group access by IP address:
1. On the top bar, select **Main menu > Groups** and find your group.
1. On the left sidebar, select **Settings > General**.
1. Expand the **Permissions and group features** section.
1. In the **Restrict access by IP address** text box, enter a list of IPv4 or IPv6
address ranges in CIDR notation. This list:
- Has no limit on the number of IP address ranges.
- Has a size limit of 1 GB.
- Applies to both SSH or HTTP authorized IP address ranges. You cannot split
this list by type of authorization.
1. Select **Save changes**.
### Security implications
You should consider some security implications before configuring IP address restrictions.
Keep in mind that restricting group access by IP address has the following implications:
- Administrators and group owners can access group settings from any IP address, regardless of IP restriction. However:
- Group owners can access the subgroups, but not the projects belonging to the group or subgroups, when accessing from a disallowed IP address.
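Review bot: In the list under "This group-level setting applies to:", the item "In self-managed installations of GitLab 15.1 and later, you can also configure globally-allowed IP address ranges at the group level" is not something the setting applies to, and the sentence right after it ("Administrators can combine restricted access by IP address with globally-allowed IP addresses") links to the same target. Keep one of the two as a sentence outside the list, and retain the self-managed 15.1 qualifier in it. In the steps, "Applies to both SSH or HTTP authorized IP address ranges" should read "both SSH and HTTP".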
......@@ -84,30 +100,11 @@ You should consider some security implications before configuring IP address res
- When you register a runner, it is not bound by the IP restrictions. When the runner requests a new job or an update to
a job's state, it is also not bound by the IP restrictions. But when the running CI/CD job sends Git requests from a
restricted IP address, the IP restriction prevents code from being cloned.
- Users may still see some events from the IP restricted groups and projects on their dashboard. Activity may include
- Users might still see some events from the IP-restricted groups and projects on their dashboard. Activity might include
push, merge, issue, or comment events.
- IP access restrictions for Git operations via SSH are supported only on GitLab SaaS.
IP access restrictions applied to self-managed instances block SSH completely.
### Restrict group access by IP address
To restrict group access by IP address:
1. On the top bar, select **Main menu > Groups** and find your group.
1. On the left sidebar, select **Settings > General**.
1. Expand the **Permissions and group features** section.
1. In the **Restrict access by IP address** field, enter a list of IPv4 or IPv6
address ranges in CIDR notation. This list:
- Has no limit on the number of IP address ranges.
- Has a size limit of 1 GB.
- Applies to both SSH or HTTP authorized IP address ranges. You cannot split
this list by type of authorization.
1. Select **Save changes**.
In self-managed installations of GitLab 15.1 and later, you can also configure
[globally-allowed IP address ranges](../admin_area/settings/visibility_and_access_controls.md#configure-globally-allowed-ip-address-ranges)
at the group level.
## Restrict group access by domain **(PREMIUM)**
> - Support for specifying multiple email domains [added](https://gitlab.com/gitlab-org/gitlab/-/issues/33143) in GitLab 13.1.
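Review bot: The context lines in this hunk state that IP restrictions for Git over SSH are supported only on GitLab SaaS and that on self-managed instances they block SSH completely, but the procedure now sits above "Security implications" and still describes the list as one that "Applies to both SSH or HTTP authorized IP address ranges" with no such qualifier. Add a pointer to the security implications before the **Save changes** step, or qualify the SSH statement in the step itself, so a self-managed administrator sees the SSH behaviour before applying the setting.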
......@@ -304,4 +301,4 @@ If a user sees a 404 when they would normally expect access, and the problem is
- `json.message`: `'Attempting to access IP restricted group'`
- `json.allowed`: `false`
In viewing the log entries, compare the `remote.ip` with the list of [allowed IP addresses](#restrict-access-to-groups-by-ip-address) for the group.
In viewing the log entries, compare `remote.ip` with the list of [allowed IP addresses](#restrict-group-access-by-ip-address) for the group.
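Review bot: The rewritten sentence names the field as `remote.ip`, while the two fields listed just above it use a `json.` prefix (`json.message`, `json.allowed`). Confirm the key as it appears in the log and use the same form for all three so readers can filter on it directly. "In viewing the log entries" would also read better as "When viewing the log entries".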