This document highlights the best practices SIGs interested in using the CentOS namespace on gitlab.com should follow.
The first thing to understand is that gitlab will "link" an existing account with third party authentication system. In other words, you need to have a gitlab account and be logged in onto gitlab.com before you can associate your account with the CentOS Account System (ACO).
So if you do not have a gitlab account, create one. Then visit the following link https://id.centos.org/gitlab to associate your account with CentOS' Account System.
From there on, everytime you visit this link, your group membership defined in ACO, will be refreshed on gitlab.
Any and all content hosted on gitlab.com should follow the Requirements the CentOS project has specified for SIGs: https://wiki.centos.org/SpecialInterestGroup#Requirements
It is expected that access levels are managed via groups on accounts.centos.org (ACO). There are different ways this can be achieved.
For SIGs who are fine with everyone getting the same level of access, a single group can be created on
https://accounts.centos.org where all the SIG members will be added. This group can then be mapped to that
SIG’s namespace under gitlab.com/centos and be given owner
access level.
This means, everyone added to this group on accounts.centos.org will be granted owner
access to each and
every project placed under that SIG’s namespace. This also means, that anyone not in this group will have
no access at all.
For SIGs who want or need a more fine tuned model, it is recommended that they create a groups
namespace under
the SIG’s namespace. In the group namespace will be placed all the groups needed by the SIG and each of this
group will be mapped to a corresponding group on ACO. There should be no project under the groups
namespace.
The groups can then be given access to any project and the access level of the group can be picked on a
per-project basis.
Here is an example of the structure recommended for the complex case:
SIG's namespace │ ├── groups │ ├── group1-developers [grp1] │ ├── group2-maintainers [grp2] │ └── sig [sg] │ ├── rpms │ └── pkg [grp1+grp2] │ ├── src │ └──source_tree [grp1] │ └── sig [sg]
To login via ACO on gitlab.com, you must use the following link: https://id.centos.org/gitlab
Group memberships are refreshed upon login into gitlab.com. So if someone is added to a group in ACO, they will need to visit that link again: XXX to have their membership refreshed.
For SIGs using the more complex case where multiple groups are required or desired, it is expected that the
extra groups created on ACO to manage access on gitlab.com should follow the corresponding pattern:
gitlab-<fedora|centos>-<sig>(-<name>)
Some examples:
To request a namespace under gitlab.com/centos or the creation of a group on ACO, simply open a ticket at: https://pagure.io/centos-infra/