GitLab.com group IP restriction does not work for SSH requests
Problem to solve
https://docs.gitlab.com/ee/user/group/index.html#restrict-group-access-by-ip-address says IP restrictions apply to UI, API, and SSH.
However, it also says:
To avoid accidental lock-out, admins and group owners are able to access the group regardless of the IP restriction.
Our testing shows that with IP restriction turned on:
- UI: A user with Owner permissions can still access the top-level group along with any subgroup within, but cannot access projects.
- API: A user with Owner permissions can still access the related API endpoints.
- SSH: A user with Owner permissions cannot access any projects via SSH to perform Git operations.
- Pages: With Access Control enabled, IP addresses can be rejected and Pages can be inaccessible.
The root cause is that the source IP is not passed correctly: gitlab-com/gl-infra/infrastructure#10954.
HTTP requests abide by the restriction (with the exception of owners not being able to access projects; this is by design), whereas all SSH requests fail and do not abide by the restriction.
Patch the GitLab.com implementation of OpenSSH so that the user's IP address is passed all the way to the application: gitlab-com/gl-infra&425 (closed)
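The failure mode described above, as an added example (not GitLab code): an allowlist check is only as good as the address it is handed, so SSH requests from allowed clients are rejected when the application never sees the client's address. The ranges, the intermediate address `HOP_IP`, the sample requests and all function names are constructed for illustration; the issue states only that the source IP is not passed correctly.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed allowlist for the group (documentation ranges, not from the issue).
ALLOWED_RANGES = ["203.0.113.0/24", "2001:db8:1::/48"]
HOP_IP = "10.0.0.5"  # assumed intermediate address seen instead of the client; hypothetical

@dataclass(frozen=True)
class Request:
    protocol: str   # "http" or "ssh"
    client_ip: str  # address the user really connects from
    seen_ip: str    # address the application is handed for the check

def ip_allowed(ip, ranges=ALLOWED_RANGES):
    """Check one address against the allowlist; fail closed if it is missing or malformed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    # Membership is False when the address and network families differ (IPv4 vs IPv6).
    return any(addr in ipaddress.ip_network(r) for r in ranges)

def wrongly_denied(requests):
    """Requests rejected only because the application never saw the client's address."""
    return [r for r in requests if ip_allowed(r.client_ip) and not ip_allowed(r.seen_ip)]

def with_client_ip_passed(requests):
    """Model the proposed fix: the client address reaches the application unchanged."""
    return [replace(r, seen_ip=r.client_ip) for r in requests]

# Constructed sample traffic: HTTP carries the client address, SSH does not.
SAMPLE = [
    Request("http", "203.0.113.10", "203.0.113.10"),
    Request("http", "198.51.100.7", "198.51.100.7"),
    Request("ssh", "203.0.113.10", HOP_IP),
    Request("ssh", "2001:db8:1::5", ""),
    Request("ssh", "198.51.100.7", HOP_IP),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r.protocol, r.client_ip, "allowed" if ip_allowed(r.seen_ip) else "denied")
    print("wrongly denied:", [(r.protocol, r.client_ip) for r in wrongly_denied(SAMPLE)])
    print("wrongly denied after fix:", wrongly_denied(with_client_ip_passed(SAMPLE)))
```

Comparing the decision for `seen_ip` with the decision for `client_ip` per protocol is also a quick regression check once the address is passed through.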
Who can address the issue
Original question came from customer (internal): https://gitlab.zendesk.com/agent/tickets/177588
- Once this issue is fixed, update (and quite possibly revert) this doc change: !50801 (merged)