External Policy Classification Control
Description
In highly controlled environments, it may be necessary for access policy to be enforced by an external service that grants or denies access based on the project's classification label and the identity of the requesting user.
Proposal
- Configuration
  - GitLab's Admin Area will include a section in Settings for "External Classification Policy Authorisation"
  - The setting may be enabled or disabled through a checkbox form field
  - When the setting is enabled, further configuration is displayed in the Admin Area:
    - External Authorisation Service URL
- Creating & Editing a Project
  - If "External Classification Policy Authorisation" is enabled, a new section called "Classification Policy" is added below "Project Description"
  - This section displays a text input titled "Classification Label"
  - After creating or editing the project, call the External Authorisation Service URL, passing:
    - user_identifier (required)
    - project_classification_label (required)
    - user_ldap_dn (optional)
  - A 200 status from the external service allows the project to be created or edited successfully
  - Any other response is a denial: display an error, including the JSON "reason" from the response body if one is provided
  - If the service times out, treat the request as denied and display "External Policy Server did not respond"
  - The timeout value should be configurable and default to 500ms
- Accessing a project
  - When the "External Classification Policy Authorisation" setting is enabled, call the External Authorisation Service URL when accessing a project, passing:
    - user_identifier (required)
    - project_classification_label (required)
    - user_ldap_dn (optional)
- Viewing a project
  - In the top-right corner of all project pages, display the classification label of the project
- Disabling cross-project pages
  - If "External Authorisation" is enabled, GitLab will further block pages and functionality that render cross-project data, since those pages would otherwise show data from projects the user has not been cleared for. That includes:
    - most pages under Dashboard (Activity, Milestones, Snippets, Assigned Merge Requests, Assigned Issues, Todos)
    - under a specific group (Activity, Contribution Analytics, Issues, Issue Boards, Labels, Milestones, Merge Requests)
    - Global and Group Search should be disabled
- Caching response
  - Responses from the external URL should be cached for 6 hours by default, with the duration configurable in the settings. A cached decision stays in effect until it expires, so a change made at the external service can take up to the cache duration to apply in GitLab.
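The following is an added example, not GitLab's implementation or any real policy server: it models the exchange described above with both sides in one process so it runs offline. The wire format (an HTTP POST carrying the three parameters as JSON, a denial returned as HTTP 403 with a JSON `reason`), the `/authorize` path, the demo `POLICY` table and the `slow-for-demo` label are all assumptions made for the example. It keeps the page's defaults (500ms timeout, 6 hour cache), treats a timeout as a denial, never caches a timeout because it is not a response, and keys the cache on the classification label so relabelling a project forces a fresh check.

```python
import json
import socket
import threading
import time
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib import error, request

TIMEOUT_REASON = "External Policy Server did not respond"

# Constructed policy table for the demo server: label -> users cleared for it
# (None means any authenticated user). Not a real GitLab or customer policy.
POLICY = {"public": None, "restricted": {"alice", "bob"}, "secret": {"alice"}}
SLOW_LABEL = "slow-for-demo"  # constructed: the demo server stalls on this label


class PolicyHandler(BaseHTTPRequestHandler):
    """Demo external authorisation service (hypothetical wire format: JSON POST)."""

    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        user, label = body["user_identifier"], body["project_classification_label"]
        if label == SLOW_LABEL:
            time.sleep(2)  # exceeds the client's timeout, so the client sees no response
        cleared = POLICY.get(label)
        if label in POLICY and (cleared is None or user in cleared):
            self._reply(200, {"reason": "allowed"})
        else:  # a denial carries a human-readable reason GitLab can show the user
            self._reply(403, {"reason": f"{user!r} is not cleared for label {label!r}"})

    def _reply(self, status, payload):
        data = json.dumps(payload).encode()
        try:
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        except OSError:
            pass  # the client already gave up (timed out); nothing left to do

    def log_message(self, *_):
        pass  # keep the demo quiet


def start_policy_server():
    """Run the demo service on a free loopback port; returns (server, url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), PolicyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/authorize"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    cached: bool = False


class ExternalAuthorization:
    """GitLab-side client: 200 allows, anything else denies, a timeout denies (fail closed)."""

    def __init__(self, url, timeout=0.5, cache_ttl=6 * 3600):  # page defaults: 500ms, 6h
        self.url, self.timeout, self.cache_ttl = url, timeout, cache_ttl
        self._cache = {}  # (user, label, dn) -> (Decision, expires_at)

    def check(self, user_identifier, project_classification_label, user_ldap_dn=None):
        key = (user_identifier, project_classification_label, user_ldap_dn)
        hit = self._cache.get(key)
        if hit and hit[1] > time.monotonic():
            return Decision(hit[0].allowed, hit[0].reason, cached=True)
        decision = self._query(key)
        if decision.reason != TIMEOUT_REASON:  # a timeout is not a response: never cache it
            self._cache[key] = (decision, time.monotonic() + self.cache_ttl)
        return decision

    def _query(self, key):
        payload = {"user_identifier": key[0], "project_classification_label": key[1]}
        if key[2] is not None:
            payload["user_ldap_dn"] = key[2]
        req = request.Request(self.url, data=json.dumps(payload).encode(),
                              headers={"Content-Type": "application/json"})
        try:
            with request.urlopen(req, timeout=self.timeout) as resp:
                ok = resp.status == 200
                return Decision(ok, "allowed" if ok else f"HTTP {resp.status}")
        except error.HTTPError as e:  # 4xx/5xx: denied; surface the JSON "reason" if present
            try:
                reason = json.loads(e.read()).get("reason", f"HTTP {e.code}")
            except (ValueError, AttributeError):
                reason = f"HTTP {e.code}"
            return Decision(False, str(reason))
        except (socket.timeout, TimeoutError, error.URLError):
            return Decision(False, TIMEOUT_REASON)


if __name__ == "__main__":
    server, url = start_policy_server()
    auth = ExternalAuthorization(url, cache_ttl=60)
    for user, label in [("alice", "secret"), ("bob", "secret"), ("bob", "secret"), ("alice", SLOW_LABEL)]:
        print(user, label, auth.check(user, label, f"uid={user},ou=people,dc=example,dc=com"))
    server.shutdown()
```

Two properties of the client are worth checking in any real implementation of this proposal: the policy server being slow or unreachable must deny rather than allow (the `URLError` and timeout branch), and the cache must not turn that denial into a six-hour outage, which is why only genuine responses are stored. The flip side of caching is that a clearance revoked at the policy server keeps working in GitLab until the cached entry expires, so the cache duration setting is a security parameter and not only a performance one.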
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.