Azure DevOps make project read only - permissions

We have some old ADO/VSTS projects that we want to archive and make read only. Each project has work items, builds, git repos, etc...
at the moment the only methods I have found are painful.
Remove all groups except read only group and add users in there. this is too painful and long, we have over 300 projects to make read only
Create a new group and then add in other groups (e.g. proj admins, contributors etc..) and then add this group to the top level area/git repo path and set all to DENY. *
I tried this with git repos and There is some issues with this as some
permissions are not inherited down to individual users who created the
git repo and they are still able to checkin.
Here you can see I created a READONLY group and set everything to DENY except Read permissions. (The members of this group are the default groups e.g. contributors, build admins, proj admins)
However, I had a repo created by a test user BEFORE i created the readonly group and it seems that user still has permissions to that repo
ok ok I understand that if the permissions are set at the lower level, then they won't be inherited down from the top level parent. I could create a script that checks the users of every git repo and sets their check-in permissions to deny but that is painful and i would prefer not to do that. Likewise, some projects have over 300 git repos.
FYI I want to make the whole project read only not just git repos.

Azure DevOps now have a feature called: "Disable Repository".
Disable access to to the repository (including builds, pull requests,
etc) but keep the repository discoverable with a warning.
It means your repo will not allow commits, even builds and pipelines cannot use it. Just go to your Devops "Project Settings". Scroll down to "Repositories" menu and select which Repo do you want to disable.

Yeah, you've found one of the nasty features of the Azure DevOps permission model. More specific ACLs trump less specific ACLs. Even for DENY rules.
When there is an explicit ALLOW rule on a more specific ACL, it will override the DENY on a less specific ACL.
Specificity for git is based on:
Server (TFS only)
Organization / Project Collection
Project
Default repo settings
Specific repo settings
Branch folder settings (only settable through API)
Specific branch settings
Similar hierarchies exist for other securables.
There is no easy way to strip these all, apart from scripting the action.
The Azure CLI has a devops extension which will allow you to script out what you want and can output JSON to make it easier to script.
You can use az devops security permission list to list all permissions defined for a identity (group or user) and az devops security permission reset or az devops security permission update to unset or override the given permission.
Other probably needed calls:
az devops security group list
az devops user list
az devops security group membership *

You can use the Azure DevOps disable repository option, which has the disadvantage that the repo is not showing up in the list of repos under the project anymore. This might not be desired if the code should still be readable for reference purposes.
The other method explained in one of the answers is to manually remove any write permissions using the repository settings UI. If you have a lot of access control lists on your repos or even need to do this on multiple repos, the manual approach can become time consuming. Therefore I wrote a script to automate this: https://github.com/ckadluba/RemoveAzureGitRepoWritePermissions.
It basically works like this.
.\Remove-AzureGitRepoWritePermissions.ps1 -OrgName "myorganisation" -ProjectName "MyProject" -RepoName "MyRepo"
It sets an explicit deny for the permissions: GenericContribute, ForcePush, CreateBranch, CreateTag, ManageNote, PolicyExempt, PullRequestContribute
and PullRequestBypassPolicy.

Related

Gitlab server: giving access to only certain ssh keys rather than any key that the user uploads

So, I am new to the GitLab server. Now, what I want to achieve is this:
Allow access to repositories only on certain ssh-keys. There are a limited no of machines and a limited no of users, so if a user adds an ssh-key outside these sets of keys, the repo should not clone there. Because my team size is small, I am okay if I only add those public keys to the account.
I am fine with the idea of ssh access but currently, as an admin, I lose the freedom to conveniently track or choose which all ssh-keys can access my repo. Can I disable users from adding ssh keys?
Is there any other way to ensure this? Would instead of having ssh enabled access HTTPS with whitelisting IP-enabled access work?
GitLab was, in the beginning (2011) based upon gitolite, but switched to its own mechanism in 2013.
Nowadays, it is best to declare a GitLab project private and add users to said project: that way you won't have to manage SSH or HTTPS access: any user who is not part of that project won't be able to see it/clone it (HTTPS or SSH).
In other words, repository access is no longer based on SSH keys (not for years), but is based on project visibility.
The OP adds:
even if a user is part of a project, he should only be able to clone the project on certain remote machines.
That is not a Git or GitLab feature, which means you need:
to restrict Git protocols on GitLab to SSH only
change the gitlab-shell SSH forced command script in order to allow commands only coming from some IPs
There is access to group by IP address restriction feature, since GitLab 12.0 (June 2019), but... only in GitLab Ultimate (meaning: "not free").

Set Permissions to Test Plans only

I'm currently searching for a way to grant specific users permissions to only use and manage the features listed ind the Test Plans tab in azure devops. So users in this group/team should not be able to see releases, builds, code and all the other stuff in the current project.
Is there a Way to achieve this?
Thanks
There is no default way to disable services of Repos, Pipeline, etc. You need to set the permission for each resource by referring to the following link:
https://learn.microsoft.com/en-us/azure/devops/organizations/security/permissions?view=azure-devops&tabs=preview-page
For example, make users not see the repo, you can deny the "Read" permission for the repo:

Create Gerrit project - with permission, unable to access it

Question regards Gerrit 2.14
Goal
I want to have projects visible only to Registered Users, and also I would wish that 'owner' of project can set it's visibility, share, hide etc without admin rights, or involving admin to set those rights for him/her per project. For example I want to have projects A, B, C, D, E with B, C owned by p1, and C shared between p1, p2. So user p1 would see B, C, and user p2 would see C.
What I've checked
I believe that there are 3 ways of achieving something described above:
user has admin rights - can set parent of project other than All-projects: I don't want that
admin can set per project ACL for user/group: I don't want that
user becomes Project Owner of projects s/he created
By default "Create Project" is not granted for Registered users and "READ for refs/*"
I have tried
Setting permissions in All-Projects.git that all project inherit
Create Group
Registered Users
Create Project
Registered Users
Reference: refs/*
Allow Administrators
Allow Project Owners
Deny Anonymous Users
/* IF I add ALLOW Registered Users here -> see bottom of question */
and all remaining permissions unchanged, I expected to be able, as registered user:
Be sure that anonymous (not registered/logged on) users cannot view projects
Create project using both GUI and SSH
Be assigned as Project Owner to that project - have full control over this single project
Result
Unfortunately, registered user can create project (if user does not select previously prepared parent All-public-projects - which grants multiple other permissions - default All-projects is assigned as parent) BUT user, who is supposed to be Project Owner cannot access this project.
Ideas what is wrong
I'm aware that Registered Users are members of Anonymous Users group as well, but documentation states
Inherited access rights can be overwritten unless they are defined as BLOCK rule. BLOCK rules are used to limit the possibilities of the project owners on the inheriting projects.
Changing the parent of a project is only allowed for Gerrit administrators. This means you need to contact the administrator of your Gerrit server if you want to reparent your project.
and also
[READ] This category has a special behavior, where the per-project ACL is evaluated before the global all projects ACL. If the per-project ACL has granted Read with 'DENY', and does not otherwise grant Read with 'ALLOW', then a Read in the all projects ACL is ignored. This behavior is useful to hide a handful of projects on an otherwise public server.
For an open source, public Gerrit installation it is common to grant Read to Anonymous Users in the All-Projects ACL, enabling casual browsing of any project’s changes, as well as fetching any project’s repository over SSH or HTTP. New projects can be temporarily hidden from public view by granting Read with 'DENY' to Anonymous Users and granting Read to the project owner’s group within the per-project ACL.
Now since I do not want to set permissions per project basis, am I correct to think that reason for this to fail is
For the All-Projects root project any Owner access right on 'refs/*' is ignored since this permission would allow users to edit the global capabilities, which is the same as being able to administrate the Gerrit server (e.g. the user could assign the Administrate Server capability to the own account).
Questions
If my reasoning is correct, how do I achieve my goal?
Also, granting READ refs/* to Registered User makes project to be accessible, but also all others too. How would I then be able to hide some projects from other Registered users? Or if that is not possible - how do I configure permissions in order to prevent other registered users to commit, and possibly even clone other projects?
Additional question.
How do I quickly see who is set as project's Project Owner?
I'm glad to see not beeing the only one with such a requirement. For me everything would work just fine if the user who creates a project via Gerrit's Web UI would be automatically the project owner (only if the user is not and Admin User). However, as you know the current Web UI does neither pass this information to the Gerrit backend nor does it allow to assign project owners when creating a new project. I see the following options:
Open a feature request for the Gerrit dev team hoping they will consider the idea
Use the create-project REST API and pass the project owner(s) for creating projects, i.e. using an own app
Use the create project CLI and pass the project owner(s) for creating projects
Implement an own Gerrit Plugin - see 2. Plugin Development which would make the current user creating a new project a project owner
For me only option 1 or 4 is viable because the other mean way too much overhead. I'm thinking about writing such a plugin, and I would make it opensource... About 2 months ago I was hoping there's aready something available I could use, but I couldn't find anything.
To your second question: I typically us the Web UI for this by going to the project's Access tab and then checking the who has the permission "Owner" for the branch refs/*.

Gitlab: Can I create a Branch visible to only certain developers?

Im using gitlab, and I am wondering, is there a simple way to restrict access to a branch to only certain developers? This has to do with time varying disclosure and the ability for certain developers to see some objects models, while other cannot? Ideally this would happen in one repository, without a proliferation of forks.
No, it is not possible to have a read protection to certain git branches. That would also defeat how git works.
What you could do is forking a repository, creating a branch here and only grant restricted permission to the entire repository. Later it would always be possible to merge changes from this forked repository to the original repository.
You can only change read access to the entire repository as well as write permission to branches.

Managing commit rights in svn by delegating to project managers

We have multiple projects in svn repo.And for each project there are many users.As number of users is large so its troublesome to manage their commit rights using "Auth file".
I have read somewhere that we can delegate user's rights to their managers by creating a text file.But i am not sure how to achieve this and perhaps hOOKS need to be configured for this .As i am new to SVN so need your expert advice.Please guide me how to achieve this and if you have hook already confgiured p,kindly provide.
How to setup access control in SVN?
I have seen this link and answer by VonC is great and perfect for me.But i dont know how to start .. can anybody help me out here as i am not pro in svn and unix .
Thanks in advance
Preface
Using single repository for multiple projects is Bad Idea (tm): one repo - one project
Forget immediately about old as mammoth's shit SVN 1.5 - use at least 1.6 on client and server (1.8 may be best choice)
Face
Simplified user-management for SVN-users can be reached using LDAP-based authentication instead of ordinary file (in case of "repository per project" <location> from answer will be location of each repo with SVNPath, in case of old structure <location> must be linked to every root of project) and having different groups for different repositories in Require ldap-group directive - read also Apache 2.2 docs in Apache Module mod_authnz_ldap part. From management POV, LDAP-auth and permissions means: each developer must be in LDAP-tree, included in one or more related to repositories groups
In case of additional requirement for Path-Based Authorization within repositories and using groups inside authz-file, you may find useful LDAP Groups to Subversion Authz Groups Bridge, which allow you to regenerate authz-groups from LDAP-data
As result, most (if not all) SVN-related ACLs can be managed in LDAP-side only