There are occasions when you want to restrict certain steps in your GitLab pipeline to one or more users only. Today I will show you how this can be done.
GitLab provides predefined variables that can be used like normal variables in your pipelines; for more information, see the GitLab documentation on predefined CI/CD variables. The one that we will use is called GITLAB_USER_LOGIN.
Goal
For this pipeline we are going to create 2 steps: one that creates an SSH user with sudo rights on a target Linux server, and one that removes any user from it.
Pre-requisites
As with any pipeline, certain pre-requisites need to be set up. For this very specific use case, you will need the following information:
- IP Address of the target server
- SSH username to perform admin actions
- SSH private key path to ssh to the target server
The SSH private key is generally stored on your GitLab runner.
DO NOT store a private key in your repository. That is bad security practice.
1.0 Create a new .gitlab-ci.yml file
Let's start building your pipeline. In your repository, create a new file called .gitlab-ci.yml in the root folder. Add the following to define some variables and some steps:
```yaml
variables:
  USERNAME: "temp"      # account to create or remove (placeholder default)
  PUBLIC_KEY: "temp"    # SSH public key for the new account (placeholder default)

### STAGES ###
stages:
  - Add User
  - Remove User

# Note on the ssh options used below: StrictHostKeyChecking=no skips host key
# verification, and +ssh-dss re-enables the legacy DSA host key algorithm.
.add_user: &add_user
  rules:
    # Only add this job when the triggering user is abcUser123
    - if: $GITLAB_USER_LOGIN == "abcUser123"
      when: manual
  script:
    - eval $(ssh-agent -s)
    - ssh-add ${SSH_KEY_PATH}
    # Create the account, grant passwordless sudo, then install the public key
    - ssh -oHostKeyAlgorithms=+ssh-dss -oStrictHostKeyChecking=no ${SERVER_USER}@${SERVER} "sudo useradd ${USERNAME}; exit;"
    - ssh -oHostKeyAlgorithms=+ssh-dss -oStrictHostKeyChecking=no ${SERVER_USER}@${SERVER} "echo ${USERNAME} ALL=\(ALL\) NOPASSWD:ALL | sudo tee /etc/sudoers.d/${USERNAME}; exit;"
    - ssh -oHostKeyAlgorithms=+ssh-dss -oStrictHostKeyChecking=no ${SERVER_USER}@${SERVER} "sudo mkdir -p /home/${USERNAME}/.ssh; exit;"
    - ssh -oHostKeyAlgorithms=+ssh-dss -oStrictHostKeyChecking=no ${SERVER_USER}@${SERVER} "echo ${PUBLIC_KEY} | sudo tee /home/${USERNAME}/.ssh/authorized_keys; exit;"
    - ssh -oHostKeyAlgorithms=+ssh-dss -oStrictHostKeyChecking=no ${SERVER_USER}@${SERVER} "sudo chown -R ${USERNAME}:${USERNAME} /home/${USERNAME}; exit;"

.remove_user: &remove_user
  rules:
    - if: $GITLAB_USER_LOGIN == "abcUser123"
      when: manual
  script:
    - eval $(ssh-agent -s)
    - ssh-add ${SSH_KEY_PATH}
    # Delete the account together with its home directory
    - ssh -oHostKeyAlgorithms=+ssh-dss -oStrictHostKeyChecking=no ${SERVER_USER}@${SERVER} "sudo userdel -r ${USERNAME}; exit;"
```
Notice the block:
```yaml
rules:
  - if: $GITLAB_USER_LOGIN == "abcUser123"
    when: manual
```
This is where we declare the value of the username that can run the add_user step.
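The add_user script interpolates USERNAME and PUBLIC_KEY into commands that run under sudo on the target server, and GitLab evaluates rules: when the pipeline is created, so a check inside the job at run time is a useful second layer. The shell functions below are an added example, not part of the original pipeline; `preflight`, the helper names and the list of accepted key types are assumptions of this example, and the sample key is constructed.

```shell
#!/bin/sh
# Added example (not from the original pipeline): checks to run before any ssh call.
LC_ALL=C; export LC_ALL   # keep a-z / A-Z ranges ASCII-only

# Re-check the triggering user at run time against a space-separated allowlist.
is_allowed_login() {
    [ -n "$1" ] || return 1
    for allowed in $2; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# Linux account name: starts with a-z or _, then a-z 0-9 _ -, at most 32 chars.
is_valid_username() {
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 32 ] || return 1
    case $1 in
        [!a-z_]* | *[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# One authorized_keys entry of the form "<type> <base64> [comment]".
# Leading options (command=... etc.), quotes and shell metacharacters are rejected.
# The accepted key types are this example's choice.
is_valid_pubkey() {
    key_type=${1%% *}; rest=${1#* }
    blob=${rest%% *}; comment=${rest#"$blob"}; comment=${comment# }
    case $key_type in
        ssh-ed25519 | ssh-rsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    case $blob in AAAA*) ;; *) return 1 ;; esac   # SSH key blobs start with AAAA in base64
    case $blob in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    case $comment in *[!A-Za-z0-9@._-]*) return 1 ;; esac
    return 0
}

# Hypothetical wrapper. Arguments: login, allowlist, USERNAME, PUBLIC_KEY.
preflight() {
    is_allowed_login "$1" "$2" || { echo "login not allowed: $1" >&2; return 1; }
    is_valid_username "$3"     || { echo "invalid USERNAME" >&2; return 1; }
    is_valid_pubkey "$4"       || { echo "invalid PUBLIC_KEY" >&2; return 1; }
}

# Constructed sample values (the key blob is not a real key).
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE0 temp@example"
preflight "abcUser123" "abcUser123" "temp" "$SAMPLE_KEY" && echo "preflight passed"
```

In the job, call `preflight "$GITLAB_USER_LOGIN" "abcUser123" "$USERNAME" "$PUBLIC_KEY" || exit 1` as the first script line, before `ssh-add`.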
2.0 Get the username value
If you are the administrator, you can extract the username from the Admin console.

3.0 Complete the pipeline
Complete the rest of the pipeline with the following code:
```yaml
### JOBS ###
add_sudo_user_server_1:
  stage: Add User
  <<: *add_user
  variables:
    SERVER: "IP_ADDRESS or DNS"
    SSH_KEY_PATH: "PATH TO SSH KEY"
    SERVER_USER: "SSH USERNAME"

add_sudo_user_server_2:
  stage: Add User
  <<: *add_user
  variables:
    SERVER: "IP_ADDRESS or DNS"
    SSH_KEY_PATH: "PATH TO SSH KEY"
    SERVER_USER: "SSH USERNAME"

remove_user_server_1:
  needs: []
  stage: Remove User
  <<: *remove_user
  variables:
    SERVER: "IP_ADDRESS or DNS"
    SSH_KEY_PATH: "PATH TO SSH KEY"
    SERVER_USER: "SSH USERNAME"
```
4.0 Run the Pipeline
Now when you execute the pipeline, the add user and remove user steps are shown only for user "abcUser123".
Let's say we want to restrict the .remove_user step to another user:
```
$GITLAB_USER_LOGIN == "xyzUser987"
```
Now when you run the pipeline, you will not see the remove user jobs.
5.0 Conclusion
GitLab provides a lot of predefined variables, and for this example we are using the GITLAB_USER_LOGIN variable.


