RBAC for GitLab

ENTERPRISE: Role based access controls are available for Sensu Enterprise users only.

Reference Documentation

What is RBAC for GitLab?

The Sensu Enterprise Dashboard offers support for built-in Role Based Access Controls (RBAC), which depends on using some external source of truth for authentication. The Sensu Enterprise Dashboard RBAC for GitHub driver provides support for using GitLab for RBAC authentication.

RBAC for GitLab configuration

Example RBAC for GitLab definition

{
  "dashboard": {
    "host": "0.0.0.0",
    "port": 3000,
    "...": "",
    "gitlab": {
      "applicationId": "6141d36e5ea48103bc39bb3eb5eede8735f0dd8f9788d8b30255dbf4d218628f",
      "secret": "7d419a3b2f7b92edab30f963d7c0a4d1841f0dc46b4403b11146b4f1d5cb3a4e",
      "server": "https://gitlab.com",
      "redirecturl": "https://sensu.example.org/login/callback",
      "roles": [
        {
          "name": "guests",
          "members": [
            "myorganization/guests"
          ],
          "datacenters": [
            "us-west-1"
          ],
          "subscriptions": [
            "webserver"
          ],
          "readonly": true
        },
        {
          "name": "operators",
          "members": [
            "myorganization/operators"
          ],
          "datacenters": [],
          "subscriptions": [],
          "readonly": false
        }
      ]
    }
  }
}

RBAC for GitLab definition specification

gitlab attributes

applicationid
description The GitLab OAuth Application “Application Id” NOTE: requires registration of an OAuth application in GitLab.
required true
type String
example 
"applicationid": "6141d36e5ea48103bc39bb3eb5eede8735f0dd8f9788d8b30255dbf4d218628f"
secret
description The GitLab OAuth Application “Secret” NOTE: requires registration of an OAuth application in GitLab.
required true
type String
example 
"secret": "7d419a3b2f7b92edab30f963d7c0a4d1841f0dc46b4403b11146b4f1d5cb3a4e"
server
description The location of the GitLab server you wish to authenticate against.
required true
type String
example 
"server": "https://gitlab.com"
redirecturl
description The GitLab OAuth Application “Callback url” NOTE: requires registration of an OAuth application in GitLab.
required true
type String
example 
"redirecturl": "https://sensu.example.org/login/callback"
roles
description An array of roles definitions.
required true
type Array
example 
"roles": [
  {
    "name": "guests",
    "members": [
      "guests"
    ],
    "datacenters": [
      "us-west-1"
    ],
    "subscriptions": [
      "webserver"
    ],
    "readonly": true
  },
  {
    "name": "operators",
    "members": [
      "operators"
    ],
    "datacenters": [],
    "subscriptions": [],
    "readonly": false
  }
]

roles attributes

Please see the RBAC definition specification for information on how to configure RBAC roles.

Register an OAuth Application in GitLab

To use GitLab for authentication requires registration of your Sensu Enterprise Dashboard as a GitLab “application”. Please note the following instructions:

  1. To register a GitLab OAuth application, please navigate to your GitLab profile section and selection “Applications” => “New application”.
Register a new OAuth application in GitLab

  1. Give your application a name (e.g. “Sensu Enterprise Dashboard”)

  2. Provide the Authorization callback URL (e.g. {HOSTNAME}/login/callback)

    NOTE: this URL does not need to be publicly accessible - as long as a user has network access to both GitLab and the callback URL, s/he will be able to authenticate; for example, this will allow users to authenticate to a Sensu Enterprise Dashboard service running on a private network as long as the user has access to the network (e.g. locally or via VPN).

  3. Select “Submit” and note the application Application Id and Secret.

    Location of Application ID and Secret for the registered GitLab application