Are you using G Suite as a user directory? Do you want to simplify your process for handling joiners/leavers to your organisation? Are you also using GitLab?
This project provides a script that will synchronise membership of a group on GitLab.com (other GitLab editions have other mechanisms for single sign on) with your users in your G Suite directory (GitLab.com does support SSO for joining a group, but this handles also removing those members).
It does this by having a custom attribute in your G Suite directory that corresponds to a GitLab username, and inviting those users to your GitLab group if they are not already a member. If you have any members of your group who do not have a username recorded against a corresponding user in your G Suite Directory will be removed from your group.
-
Install this script:
- Classic way:
python3 setup.py install - Docker way:
docker build -t 1500cloud/gitlab-user-sync:latest .
- Classic way:
-
You will need to create a new field in your G Suite directory to hold the relevant Gitlab usernames.
- Go to https://admin.google.com/u/1/ac/customschema
- Select 'Add a Custom Attribute' (or if you have a category called 'External Services' already, edit it)
- Name the Category 'External Services' and under custom fields create a field with name 'GitLab username', type text, 'visible to admin' and single value (case is important in both cases)
-
You will need to create a service account to allow the script to read from your G Suite directory. Follow Google's docs to create a service account, and ensure that the Admin SDK is enabled. Make a note of the client ID, and download the service account credentials file in JSON form. Keep this secret.
-
Enable the service account to read from your Directory. Go to Manage API client access and add an entry with the Client Name being the ID (long number string) of the service account, and the API scope
https://www.googleapis.com/auth/admin.directory.user.readonly. -
Use the G Suite users panel to populate the appropriate users with their GitLab usernames.
-
Find out your G Suite customer ID and make a note of it.
-
Create a personal API token in GitLab.com for someone who is an administrator of the group. Also keep this secret.
-
Find out what the numeric ID of your GitLab group is. This is shown on the settings page for the group.
-
Run the script. Configuration options are passed as environment variables.
- Classic way:
GOOGLE_CREDENTIALS_PATH=credentials.json \ GOOGLE_ADMINISTRATOR_ACCOUNT=administrator@example.com \ GOOGLE_CUSTOMER_ID=C12345678 \ GITLAB_ACCESS_TOKEN=ABCDEFABCEDF \ GITLAB_GROUP_ID=123456 \ sync-gitlab-users - Docker way:
docker run -e GOOGLE_CREDENTIALS_PATH=/secrets/credentials.json \ -e GOOGLE_ADMINISTRATOR_ACCOUNT=administrator@example.com \ -e GOOGLE_CUSTOMER_ID=C12345678 \ -e GITLAB_ACCESS_TOKEN=ABCDEFABCEDF \ -e GITLAB_GROUP_ID=123456 \ --mount src=/root/secrets/user-sync/,dst=/secrets/,readonly=true,type=bind \ 1500cloud/gitlab-user-sync:latest
Any changes that have been made are printed out to the terminal. As a get out clause, if the script thinks that every member who is currently in the GitLab group should be removed, it will exit without doing anything.
- Classic way: