Discover GitLab Access Patterns with Teleport Policy
With Teleport Policy's Access Graph, you gain insights into access patterns within your GitLab account. By scanning all permissions, users, groups, and projects, it provides a visual representation to help enhance the permission model within your GitLab environment. This functionality enables you to answer queries such as:
- What projects are accessible to users?
- Which users have write permissions to projects?
Access Graph is a feature of the Teleport Policy product available to Teleport Enterprise edition customers.
After logging in to the Teleport UI, navigate to the Management tab. If enabled, Access Graph options can be found under the Permission Management section.
How it works
Access Graph synchronizes various GitLab resources, including users, projects and groups. These resources are then visualized using the graph representation detailed in the Access Graph page.
The importing process involves two primary steps:
Polling GitLab APIs
The Teleport cluster continuously scans the configured GitLab accounts and retrieves the following resources:
- Users
- Groups
- Projects
- Group memberships
- Project memberships
Once all the necessary resources are fetched, Teleport pushes them to the Access Graph, ensuring that it remains updated with the latest information from your GitLab instance.
Importing resources
Teleport Policy’s Access Graph feature delves into the resources imported and their relationships, crafting a graphical representation thereof.
Prerequisites
- A running Teleport Enterprise cluster v14.3.20/v15.3.1/v16.0.0 or later.
- For self-hosted clusters, an updated
license.pem
with Teleport Policy enabled. - For self-hosted clusters, a running Access Graph node v1.21.4 or later. Check Access Graph page for details on how to set up Access Graph.
- For self-hosted clusters, the node running the Access Graph service must be reachable from Teleport Auth Service.
- A GitLab instance running GitLab v9.0 or later.
Step 1/3. Create GitLab token
To set up the GitLab integration, you'll need to create a GitLab token with the following permissions:
read_api
Navigate to your GitLab instance, access the User Settings, and select the Access Tokens option.
Create a new token with the read_api
scope and copy the generated token. For more information, refer to the
GitLab documentation.
The importer will use this token to fetch the necessary resources from your GitLab instance.
The GitLab importer will only fetch resources that the token has access to. Ensure that the user associated with the token has the necessary permissions to access/view the resources you want to import.
If you're using a GitLab.com account, the importer will only fetch the users who are part of the organization or have access to the projects that the token can access.
If you're using a self-hosted GitLab instance, the importer will fetch all resources that the token has access to, including all users who are part of the instance.
The token will be used in the next step to configure the GitLab Sync integration.
Step 2/3. Set up Access Graph GitLab Sync
To initiate the setup wizard for configuring GitLab Sync, access the Teleport UI, navigate to the Management tab, and choose the Access Graph option within the Permission Management section.
In the Access Graph page, you'll notice a button labeled Integrations
. Click on it to
to access the Integrations page. On the Integrations page, click on the Setup
button next to the GitLab integration.
You'll be prompted to provide the GitLab token created in Step 1 and the GitLab instance domain. Once the token is successfully validated, you'll be able to see the resources imported in Access Graph.
Step 3/3. View GitLab resources in Access Graph
After the GitLab resources are imported, you can view them in the Access Graph page. The graph representation will show the relationships between users, groups, and projects within your GitLab instance.
Users can have permissions to access a Group or Project. When a user has access to a Group, they inherit permissions to all projects and sub-projects within that group.
You can view the permissions granted to users, groups, and projects by clicking on the respective nodes in the graph.
For example, to view the permissions granted to a user, click on the user node and select View Access
from the context menu.
This will display the permissions granted to the user and the resources they have access to.
You can also run queries to fetch specific information from the Access Graph, such as:
Fetch All Projects Accessible to a User
The following query fetches all projects accessible to a user user:
SELECT * FROM access_path WHERE "identity" = 'user' AND source='Gitlab'
Additionally, you filter projects by the user's access level, owner
, maintainer
, developer
, guest
, or reporter
by running the following query:
SELECT * FROM access_path WHERE "identity" = 'user' AND source='Gitlab' AND action='owner'
Change the action
parameter to maintainer
, developer
, guest
, or reporter
to fetch the respective projects.
Fetch All Users with Write Access to a Project
The following query fetches all users with read/write access to a project named project:
SELECT * FROM access_path WHERE "resource" = 'project' AND source='Gitlab'
Troubleshooting
After setting up the GitLab integration, you can monitor the import process status on the Access Graph's Integrations page. If the import fails, an error message will help identify the issue.
You can also check whether the import process is currently running or has completed successfully by viewing the status.
If you encounter any Unauthorized
errors, ensure that the GitLab token has the necessary permissions to access the resources
and that the token is valid. If the token has expired, you'll need to create a new token and update the integration settings.
If you encounter any other issues, please ensure that the Teleport cluster can reach the GitLab instance and that the GitLab APIs are accessible.
If you're still facing issues, please inspect the error log on the Access Graph's Integrations page for more details.