Investigate options for encrypting the LDAP password stored for self-managed GitLab instances
Summary
There are a number of passwords that are stored unencrypted in GitLab configuration files. For security reasons, customers have requested that these passwords be encrypted. Some customers have specifically requested that the LDAP password be handled more securely and there have been cases of organizations having to shut down their GitLab instance because the plain text LDAP password does not meet their internal security requirements. The LDAP password is the password used for Omnibus GitLab installations to enable integration with an LDAP server for authenticating user access to GitLab.
Proposal
As an MVP, research what it would take to more securely manage the LDAP password that is currently stored in plain text in gitlab.rb and gitlab.yml. Encrypting the LDAP password would satisfy the minimum requirement for https://gitlab.lightning.force.com/lightning/r/Account/00161000003QEzIAAW/view and could be a good POC for how to handle other passwords stored in GitLab configuration files.
Requirements
This is a research issue. The output from this work should be:
- A recommendation on whether a) it makes sense to implement a solution for the LDAP password as an MVP OR b) an architectural change is required that means that all GitLab passwords would need to be redesigned at the same time, rather than isolating the LDAP password for MVP
- An updated list of proposed solutions with the pros and cons of each solution. The list should be included in the description of this issue. After reviewing the proposed solutions with stakeholders, we will decide on a path forward and create issues for next steps. (Original list from research done a year ago is here: #2183 (comment 60703979))
- Proposed solutions should include the optimal solution regardless of effort, and also lower effort solutions that could satisfy basic customer needs more quickly.
- The issues resulting from this research should be added to the epic &2548
Acceptance criteria for proposed solutions
- The LDAP password stored in gitlab.yml is encrypted or removed from the file.
- If the solution for avoiding storage of a plain text password in gitlab.yml does not eliminate the need for storing a password in gitlab.rb, also propose a solution for encrypting the password stored in gitlab.rb.
- The solution does not require a user to install and use a third-party password management tool.
- Proposed solutions include consideration for future work of encrypting all passwords stored in GitLab configuration files so that we have consistent treatment of all passwords, if possible.
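As an added illustration of the first two acceptance criteria (not GitLab's own code, and not one of the proposed solutions from the earlier research): the bind password appears in gitlab.yml only as an authenticated AES-256-GCM ciphertext, and the key lives in a separate root-only file, the same config/key split that Rails encrypted credentials use. The YAML key name `encrypted_bind_password`, the key file path and the sample LDAP values are assumptions.

```ruby
require "openssl"
require "base64"
require "yaml"

# Illustrative only (not GitLab code): the LDAP bind password lives in gitlab.yml
# as an AES-256-GCM ciphertext; the key lives in a separate 0600 file outside the
# config (assumed path such as /etc/gitlab/ldap.key), much like Rails' master.key.
module LdapSecret
  CIPHER = "aes-256-gcm"
  AAD = "gitlab.ldap.bind_password" # ties the ciphertext to this single purpose

  def self.generate_key
    OpenSSL::Cipher.new(CIPHER).random_key # 32 random bytes; store outside gitlab.yml
  end

  # Returns "iv:tag:ciphertext" (base64) so the value fits one YAML string.
  def self.encrypt(plaintext, key)
    c = OpenSSL::Cipher.new(CIPHER).encrypt
    c.key = key
    iv = c.random_iv
    c.auth_data = AAD
    ct = c.update(plaintext) + c.final
    [iv, c.auth_tag, ct].map { |b| Base64.strict_encode64(b) }.join(":")
  end

  # Raises OpenSSL::Cipher::CipherError on a wrong key or a tampered value.
  def self.decrypt(blob, key)
    iv, tag, ct = blob.split(":").map { |s| Base64.strict_decode64(s) }
    c = OpenSSL::Cipher.new(CIPHER).decrypt
    c.key = key
    c.iv = iv
    c.auth_tag = tag
    c.auth_data = AAD
    c.update(ct) + c.final
  end

  # Resolve the password at load time. "encrypted_bind_password" is a hypothetical
  # key name; the plain "password" key is kept only as a migration fallback.
  def self.bind_password(ldap, key)
    enc = ldap["encrypted_bind_password"]
    enc ? decrypt(enc, key) : ldap["password"]
  end

  # Constructed sample of the ldap section of gitlab.yml after migration.
  def self.sample_config(key)
    YAML.safe_load(<<~YML)
      main:
        host: ldap.example.com
        bind_dn: cn=gitlab,ou=svc,dc=example,dc=com
        encrypted_bind_password: "#{encrypt("s3cret", key)}"
    YML
  end
end
```

Because the tag covers the ciphertext and the purpose string, a value edited in gitlab.yml or decrypted with a key from another instance fails closed instead of yielding a wrong password.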
Stretch goals for proposed solutions
- Support using an encrypted secret for the LDAP password for GitLab Helm chart installs.
- Support managing GitLab passwords using a BYO password management solution such as Vault. Ideally we wouldn't make it a requirement to use a third-party secrets store, but we could support that option.
Open questions
- Question from #2183 (comment 272156445): Should we use Vault to store passwords? At least one customer has advised that Vault would not be an acceptable solution for them because they have their own secrets management solution and don't want to introduce another third-party solution.
- Can we use the Rails encrypted keybag to store secrets?