diff options
author | Nick Thomas <nick@gitlab.com> | 2018-10-05 14:17:19 +0100 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2018-10-23 16:12:50 +0100 |
commit | 5b78aaf1cf97631ed76ed984da9d274789b8408a (patch) | |
tree | 927682134e34153ce7bccc60940c54dd53a7ce69 /doc/administration/pages/index.md | |
parent | a84469a34596d0f3588f7ae16646489441241bc6 (diff) | |
download | gitlab-ce-5b78aaf1cf97631ed76ed984da9d274789b8408a.tar.gz |
Add administrator documentation for Pages access control
Diffstat (limited to 'doc/administration/pages/index.md')
-rw-r--r-- | doc/administration/pages/index.md | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/doc/administration/pages/index.md b/doc/administration/pages/index.md index 2952a98626a..d8345f2d6bd 100644 --- a/doc/administration/pages/index.md +++ b/doc/administration/pages/index.md @@ -242,6 +242,33 @@ verification requirement. Navigate to `Admin area ➔ Settings` and uncheck **Require users to prove ownership of custom domains** in the Pages section. This setting is enabled by default. +### Access control + +Access control was [introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/33422) +in GitLab 11.5. It can be configured per-project, and allows access to a Pages +site to be controlled based on a user's membership to that project. + +Access control works by registering the Pages daemon as an OAuth application +with GitLab. Whenever a request to access a private Pages site is made by an +unauthenticated user, the Pages daemon redirects the user to GitLab. If +authentication is successful, the user is redirected back to Pages with a token, +which is persisted in a cookie. The cookies are signed with a secret key, so +tampering can be detected. + +Each request to view a resource in a private site is authenticated by Pages +using that token. For each request it receives, it makes a request to the GitLab +API to check that the user is authorized to read that site. + +Pages access control is currently disabled by default. To enable it, you must: + +1. Enable it in `/etc/gitlab/gitlab.rb` + + ```ruby + gitlab_pages['access_control'] = true + ``` + +1. [Reconfigure GitLab][reconfigure] + ## Activate verbose logging for daemon Verbose logging was [introduced](https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests/2533) in |