Marketing gitlab permissions

Hi all,

Because of the way the gitlab SAML authentication works, there are some questions that we need to resolve on how to grant access to the Fedora Marketing GitLab subgroup (Fedora Marketing · GitLab).

Basically the background here is that if you enable SAML enforcing, only users that have authenticated with their Fedora Account can contribute to the repos. However the side effect that is undesirable is that the repos are then hidden unless you have logged in with your Fedora Account (i.e. Private unless logged in).

To work around this, the Fedora gitlab instance has disabled SAML enforcing – but this means that someone without a Fedora Account can be granted commit access. We can, however, then enforce SAML group links – which means that only someone in a Fedora Accounts group is given a certain role in gitlab.

You can go super granular, but will need a Fedora Accounts group for each gitlab role. Over on Fedora Websites and Apps, the plan is to map:

  • the websites-apps Fedora Accounts group to the developer role in gitlab
  • the websites-apps-admins Fedora Accounts group to the admin role in gitlab

Long story short, what groups in Fedora Marketing should we link to what roles in the Fedora Docs gitlab subgroup?

1 Like

Thanks for working on this @ryanlerch.

Basically we will want the same 2 roles:

  • admin: marketing-admins
  • developers: marketing-users

Right now there is only one FAS group for marketing. I think the easiest solution will be to make that FAS group the marketing-users and we should need to create the marketing-admin group to be mapped as developers.

WDYT?

Sounds good!

I can facilitate getting the new marketing-admin group created (doing this for a few groups, so can get it done all at once :slight_smile: )

Who do you want as sponsors of the new Fedora Accounts group?

Also, sorry for the churn here, but I was mistaken, there is no Admin role in gitlab, the main roles are:

Guest, Reporter, Developer, Maintainer, Owner.

We can keep the -admin naming for the Fedora Accounts group, and assign those members to the Maintainer role. Changing the mapping between the group and role is easy, changing the Fedora Accounts group name is not – so want to make sure we have it right.

1 Like

The current marketing fas group should map to maintainer, the new marketing-admin fas group should map to owner. I should be the sponsor.

We can do that, however, double check the permissions the maintainer role is given – it pretty much can do everything to a repo except delete it.

You’re right. Reading that and taking into account that we manage 2 repos (docs and planning) and none of them are “code” (docs are code, but not code), it looks like reporter fits better for planning, but not for docs, and since having 3 roles seems excessive, I think we should go with developer as the “user role”.

Ok!

This should be set up and ready to go now.

  • All users that are members of the marketing group in Fedora Accounts will be granted access as a Developer on the Marketing GitLab group (and its repos)

  • All users that are members of the marketing-admin group in Fedora Accounts will be granted access as an Owner on the Marketing GitLab group (and its repos)

Note that for this to work, the user will need to link their Fedora Account with GitLab. To do this,

  1. First create or log into your GitLab Account
  2. Go to this link: https://gitlab.com/groups/fedora/-/saml/sso and log in with your Fedora Account and follow the prompts to link it to your GitLab Account.

@x3mboy currently you are the only member and sponsor of the marketing-admin group, but you can add new members whenever you want :slight_smile:

2 Likes

Thanks so much @ryanlerch. I will start adding the people later today. Great job!

Also, be sure that if your permissions aren’t showing up the first time, the user may need to re-login to their gitlab account with:

https://gitlab.com/groups/fedora/-/saml/sso

Once the perms are granted, the user can log in normally; it only fetches them when logging in with SAML SSO.

1 Like
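An added example, not part of the thread and not Fedora's own tooling: because SAML enforcing is disabled, a periodic audit can compare each member's role with what the group links settled above should give them. The member record shape (`user`, `role`, `saml_linked`, `fas_groups`) and the sample users are constructed for illustration, and the code assumes a user in both groups gets the higher role.

```python
# Numeric access levels GitLab uses for its main roles.
ACCESS = {"Guest": 10, "Reporter": 20, "Developer": 30, "Maintainer": 40, "Owner": 50}

# Fedora Accounts group -> GitLab role, as settled in the thread.
GROUP_LINKS = {"marketing": "Developer", "marketing-admin": "Owner"}


def expected_role(fas_groups):
    """Return the highest role any linked group grants, or None if no group is linked."""
    roles = [GROUP_LINKS[g] for g in fas_groups if g in GROUP_LINKS]
    return max(roles, key=ACCESS.__getitem__) if roles else None


def audit(members):
    """Return (user, role, finding) for each member whose role does not match the mapping."""
    findings = []
    for m in members:
        role, want = m["role"], expected_role(m["fas_groups"])
        if not m["saml_linked"]:
            # Possible only because SAML enforcing is off: a manually granted role.
            findings.append((m["user"], role, "no linked Fedora Account"))
        elif want is None:
            findings.append((m["user"], role, "not in a linked Fedora Accounts group"))
        elif ACCESS[role] > ACCESS[want]:
            findings.append((m["user"], role, f"exceeds mapped role {want}"))
        elif ACCESS[role] < ACCESS[want]:
            # Roles are only refreshed on a SAML SSO login, so this is usually stale.
            findings.append((m["user"], role, f"below mapped role {want}; needs SAML SSO login"))
    return findings


# Constructed sample membership (hypothetical users, not real accounts).
SAMPLE_MEMBERS = [
    {"user": "alice", "role": "Developer", "saml_linked": True, "fas_groups": ["marketing"]},
    {"user": "bob", "role": "Owner", "saml_linked": True,
     "fas_groups": ["marketing", "marketing-admin"]},
    {"user": "carol", "role": "Developer", "saml_linked": False, "fas_groups": []},
    {"user": "dave", "role": "Maintainer", "saml_linked": True, "fas_groups": ["marketing"]},
    {"user": "erin", "role": "Developer", "saml_linked": True, "fas_groups": ["marketing-admin"]},
    {"user": "frank", "role": "Reporter", "saml_linked": True, "fas_groups": ["websites-apps"]},
]

if __name__ == "__main__":
    for user, role, finding in audit(SAMPLE_MEMBERS):
        print(f"{user:6} {role:10} {finding}")
```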