Chapter 4: GitLab Permissions in Practice
1. Lab overview
Relationship between users, groups and projects
Permission model
- Projects are created by a group, not by an individual user
- Users gain access to a project, and the right to push to it, by being added to the appropriate groups
- A project's visibility can be set to one of three levels: visible only to its group, visible to all logged-in users, or visible to everyone
Recommended workflow
Workflow
- Step 1: create a group
- Step 2: create a project under that group
- Step 3: create users, add them to groups, and assign roles
Lab requirements analysis
Lab requirements
1. Create 2 groups
- dev (development group)
- ops (operations group)
2. Create 2 projects
- ansible (belongs to the ops group)
- game (belongs to the dev group)
3. Create 3 users
- cto (technical director)
- oldya_ops (operations engineer)
- oldya_dev (developer)
4. Assign permissions
- cto: has permissions on all groups, including the right to merge branches
- oldya_ops: full permissions on the ops group (can push and pull code); pull-only permission on the dev group
- oldya_dev: full permissions on the dev group (can push and pull code)
Diagram version
2. Create the groups
2.1 Create the dev group
2.2 Create the ops group
2.3 Verify
3. Create the projects
3.1 Create the game project (in the dev group)
3.2 Create the ansible project (in the ops group)
4. Create the users
4.1 Create the cto user
Set the password
4.2 Create the oldya_dev user
Set the password
4.3 Create the oldya_ops user
Set the password
4.4 Verify
5. Grant permissions
5.1 Add users to the dev group
Add the cto account
Add the oldya_dev user
Add the oldya_ops user
Verify
5.2 Add users to the ops group
6. Pull and push test as the dev user
6.1 Log in as the dev user and change the password
6.2 Add an SSH public key
About SSH keys
For the dev user to clone and push the project without entering a password, the developer's SSH public key has to be uploaded to the project's repository in GitLab. We create two ordinary Linux users on the m-61 machine to simulate the developer and the operations engineer.
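The permission table above (and the push rejection observed in section 7.8) follows from how GitLab maps group roles to repository actions. The following is an added example, not part of the original tutorial: a small Python model of that mapping applied to the lab's groups, projects and users. The numeric role levels are GitLab's own; the role given to each user is an assumption chosen to reproduce the lab's stated behaviour, and the protected-branch rule assumes GitLab's default branch protection.

```python
# Added example (not from the original tutorial): a minimal model of how
# GitLab turns group membership into repository permissions, applied to
# the lab's groups, projects and users. The numeric role levels are
# GitLab's real ones; the role assigned to each user is an assumption
# chosen to match the behaviour the lab describes.
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50

# project -> owning group (from the lab)
PROJECT_GROUP = {"game": "dev", "ansible": "ops"}

# group -> {user: role}; assumed roles that reproduce the lab's outcomes
GROUP_MEMBERS = {
    "dev": {"cto": MAINTAINER, "oldya_dev": DEVELOPER, "oldya_ops": REPORTER},
    "ops": {"cto": MAINTAINER, "oldya_ops": MAINTAINER},
}

# Branches protected by GitLab's default setting: Maintainers only may push or merge
PROTECTED = {"master"}


def access_level(user: str, project: str) -> int:
    """Effective role: a project inherits the member's role in its owning group."""
    return GROUP_MEMBERS[PROJECT_GROUP[project]].get(user, 0)


def can(user: str, action: str, project: str, branch: str = "dev") -> bool:
    """Check pull/push/merge using GitLab's default thresholds: Reporter can
    pull (download code), Developer can push to unprotected branches,
    Maintainer can push to and merge into protected branches."""
    level = access_level(user, project)
    if action == "pull":
        return level >= REPORTER
    if action == "push":
        return level >= (MAINTAINER if branch in PROTECTED else DEVELOPER)
    if action == "merge":  # merge request into the protected master branch
        return level >= MAINTAINER
    raise ValueError(f"unknown action {action!r}")


def permission_matrix() -> dict:
    """Every user against every project, useful to review before granting access."""
    return {
        (u, p): {a: can(u, a, p) for a in ("pull", "push", "merge")}
        for p in PROJECT_GROUP
        for u in ("cto", "oldya_dev", "oldya_ops")
    }


if __name__ == "__main__":
    for (user, project), perms in permission_matrix().items():
        print(f"{user:10} {project:8} {perms}")
```

Running it shows why the lab has developers push to a feature branch and the cto merge: a Developer cannot push to the protected master branch, while a Reporter can clone but not push at all.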
[root@m-61 ~]# useradd dev
[root@m-61 ~]# useradd ops
Switch to the dev user and generate an SSH key pair:
[dev@m-61 ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/dev/.ssh/id_rsa):
Created directory '/home/dev/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/dev/.ssh/id_rsa.
Your public key has been saved in /home/dev/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:0/dFTV6uMwOkXZyv/XICFxRWEckdjLBigW6rXkgI/cM dev@m-61
The key's randomart image is:
+---[RSA 2048]----+
| .. .o.BBX|
| . . .+.++B+|
| . . . o..o. .=|
| . + o... ..o.|
| . E. S . . =+.|
| . o. . ...o=.|
| ... o. .|
| .. o o|
| .. + |
+----[SHA256]-----+
[dev@m-61 ~]$
Copy the public key:
[dev@m-61 ~]$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAuEIKkorb5uBuUpGuwRMGDLG9sEnLCnMHQkeKzXqCNfmBgboPulxnA9t3SAZunetT86F7lSg2YuzFO5BzTnw/C5D85+jBhmEJFpwv0tK3AhDQVm8U9AL54pWyjT2Hzfvrj5Vr+gMa6hdIApmCfraOvnwlucTzf/v5ry872NStPiuT7H26nikM816L9lEG2LyoU8ctX2JP/o3Py0ES2mA+qd6xODyyMmb+WVtuKrjEx21hMsX5E/O3wXwKV9kWccHcbwIjCwEkfrFiUPHX3M+BQYb7pZKf0SWyr1YZDLSmERYSVEDrc8drflymfuso2AqLpkfRtjEjRIRP4nyyzgqN dev@m-61
Add the public key information to the project in GitLab
6.3 Clone the project
Git clone command
[dev@m-61 ~/game]$ git config --global user.email "dev@qq.com"
[dev@m-61 ~/game]$ git config --global user.name "dev"
[dev@m-61 ~]$ git clone git@10.0.0.200:dev/game.git
Cloning into 'game'...
The authenticity of host '10.0.0.200 (10.0.0.200)' can't be established.
ECDSA key fingerprint is SHA256:4bnum+vhLl+fHDM+WUxdjAs9Jf48mKwMHvpxkKT+FEY.
ECDSA key fingerprint is MD5:8b:cc:8c:66:84:af:09:b7:5c:67:40:17:69:50:3a:73.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.200' (ECDSA) to the list of known hosts.
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
6.4 Create a new branch, modify the code and commit
# Create a new branch
[dev@m-61 ~]$ cd game/
[dev@m-61 ~/game]$ git checkout -b dev
Switched to a new branch 'dev'
# Create the index page file
[dev@m-61 ~/game]$ echo v1 > index.html
# Add the modified file to the staging area
[dev@m-61 ~/game]$ git add .
# Commit the staged changes to the local repository
[dev@m-61 ~/game]$ git commit -m "add v1"
[dev 4baad00] add v1
1 file changed, 1 insertion(+)
create mode 100644 index.html
# Push the branch to the remote repository
[dev@m-61 ~/game]$ git push origin dev
Counting objects: 4, done.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 263 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
remote:
remote: To create a merge request for dev, visit:
remote: http://10.0.0.200/dev/game/-/merge_requests/new?merge_request%5Bsource_branch%5D=dev
remote:
To git@10.0.0.200:dev/game.git
* [new branch] dev -> dev
6.5 Create a merge request in GitLab
6.6 Merge the branch as the cto user
Log in as the cto user and merge the branch into the master trunk
6.7 Check the merge result
7. Pull and push test as the ops user
7.1 Create an SSH key pair for the oldya_ops user
# Switch user
[root@m-61 ~]# su - ops
# Create the key pair
[ops@m-61 ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ops/.ssh/id_rsa):
Created directory '/home/ops/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ops/.ssh/id_rsa.
Your public key has been saved in /home/ops/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:UjH19Fr9xEhxIQoG9JhAPwRvXNIYOfwEm8QxkvOec7E ops@m-61
The key's randomart image is:
+---[RSA 2048]----+
| .=*@@=. ..ooo|
| oO*@=.o.o.= |
| o@=. .. + +|
| .o.o o ..|
| o S o . .|
| = E |
| o |
| |
| |
+----[SHA256]-----+
# Show the public key
[ops@m-61 ~]$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEWJpC3ke3ZXEmGwc693DvnLDlqnZI/fBIuuZHATjzkwvZ0r652CmvgZegndWII30DW7lsdbn+2+zBeSGBE+M9nQFLUCPb3eIPYXjtny+2OIuc68mXd4wjp7wYNBFzhG+1yHg1TZkqelr1e1cIODgzHu/MhI67D4elEwP9W6F+JBDjE+C2WnMo+dC+Wb9e0jPQL+T/0IPx+PTtOCV2ACRQhmUE4gcp7yqmdrITcKMMjoidnfcCyUop3FEb+cVUL+kdRYEiFXT48Xtfpk+TobqJ/+gdnR+eynKhN/+8eEqdDdeofKXCGcFjtbZgbeqgrDY9gScsoWGzt+Zb5Pdasc/j ops@m-61
7.2 Add the public key
7.3 Clone the project
Clone the code
[ops@m-61 ~]$ git clone git@10.0.0.200:ops/ansible.git
Cloning into 'ansible'...
The authenticity of host '10.0.0.200 (10.0.0.200)' can't be established.
ECDSA key fingerprint is SHA256:4bnum+vhLl+fHDM+WUxdjAs9Jf48mKwMHvpxkKT+FEY.
ECDSA key fingerprint is MD5:8b:cc:8c:66:84:af:09:b7:5c:67:40:17:69:50:3a:73.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.200' (ECDSA) to the list of known hosts.
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
7.4 Create a new branch, modify the code and commit
[ops@m-61 ~/ansible]$ git config --global user.email "ops@qq.com"
[ops@m-61 ~/ansible]$ git config --global user.name "ops"
[ops@m-61 ~]$ cd ansible/
[ops@m-61 ~/ansible]$ git checkout -b ops
Switched to a new branch 'ops'
[ops@m-61 ~/ansible]$ echo "v1" > init.yaml
[ops@m-61 ~/ansible]$ git add .
[ops@m-61 ~/ansible]$ git commit -m "add v1"
[ops 360d9c2] add v1
1 file changed, 1 insertion(+)
create mode 100644 init.yaml
[ops@m-61 ~/ansible]$ git push origin ops
Counting objects: 4, done.
Compressing objects: 100% (2/2), done.
Writing objects: 100% (3/3), 264 bytes | 0 bytes/s, done.
Total 3 (delta 0), reused 0 (delta 0)
remote:
remote: To create a merge request for ops, visit:
remote: http://10.0.0.200/ops/ansible/-/merge_requests/new?merge_request%5Bsource_branch%5D=ops
remote:
To git@10.0.0.200:ops/ansible.git
* [new branch] ops -> ops
7.5 Log in to GitLab and create a merge request
7.6 Merge the branch as the cto user
7.7 Verify
7.8 Test whether oldya_ops can modify and push the game code
# The ops user can clone the code normally
[ops@m-61 ~]$ git clone git@10.0.0.200:dev/game.git
Cloning into 'game'...
remote: Enumerating objects: 7, done.
remote: Counting objects: 100% (7/7), done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 7 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (7/7), done.
# Enter the project directory
[ops@m-61 ~]$ cd game/
# Switch to a new branch
[ops@m-61 ~/game]$ git checkout -b dev
Switched to a new branch 'dev'
# Modify the file
[ops@m-61 ~/game]$ echo v2 > index.html
# Stage the file and commit it to the local repository
[ops@m-61 ~/game]$ git add .
[ops@m-61 ~/game]$ git commit -m "add v2"
[dev 2848d8b] add v2
1 file changed, 1 insertion(+), 1 deletion(-)
# Pushing to the remote branch fails: the user has no push permission
[ops@m-61 ~/game]$ git push origin dev
remote:
remote: ========================================================================
remote:
remote: You are not allowed to push code to this project.
remote:
remote: ========================================================================
remote:
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Updated: 2024-06-30 21:31:31