Give external access to repository using SSH on Space Cloud

We need to grant access to one git repository from outside (IBM Code Engine) using SSH. How do we do that?
I am the administrator and can add an SSH key to my account, but then the external user will have access to all my git repositories. I cannot find a way to specify repository access per SSH or per user.
 

0
6 comments
Hello Tomas

All the security and protection settings are configured via the Space UI. Either in the repository settings or in the Administration section.

Please specify what kind of restrictions you are trying to introduce. Do you require some repository from the project to have specific access restrictions? If so, as you said, you need to move the repository to a separate project (https://www.jetbrains.com/help/space/move-a-repository-to-another-project.html#move-a-repository-from-one-project-to-another). To do so:

1. Open the repository that you need to move.
2. Click "Settings" in the top right corner.
3. Click "Move repository to another project".
4. Select the target project in the dropdown list.
5. Make sure the "Remove reference to repository from this project" option is selected. This will detach it from the current project.
6. Click "Move".

After the repository is moved into a new project, set up per-group or per-user permissions according to your requirements:

1. Navigate to the project (https://www.jetbrains.com/help/space/join-a-project.html#find-a-project).
2. Choose "Settings" on the left sidebar.
3. Proceed to the "Access" tab.
4. Choose the Role you want to edit and click "Edit permissions".

To learn more about the role permissions available, please refer to our documentation article (https://www.jetbrains.com/help/space/give-access-to-a-project.html#custom-roles-in-a-project).

Please note that custom roles are only available for the Organization plan (https://www.jetbrains.com/space/buy/?billing=yearly#cloud) or higher.
0

I have moved the Rep to a new Project, but I still do not understand how to authenticate that particular Rep with SSL and prevent access to other Reps. 

I can assign SSH per user, and if I give myself with that SSH to that new Rep with permission Read Only (as per your instruction), no one is forbidden to access other Reps using that SSH. This is a real security hole!
 

Let's take an example.

I have repositories 1, 2 and 3, and I own them. You asked me to access repository no. 3 using SSH. I give you my Private SSH and Git URL for no. 3 repository URLs. In this case, you have access to repositories 1 and 2, because SSH is per user and not per Repository. It doesn't matter which project repository no. 3 is in, in this case. You just need to find out the Git URL and you have access to all my repositories.

 

0
Tomas

> I can assign SSH per user, and if I give myself with that SSH to that new Rep with permission Read Only (as per your instruction), no one is forbidden to access other Reps using that SSH. This is a real security hole!

Usually, the private SSH key is not shared with other users. If you decide to share it with someone, it is expected that this person will get access to services associated with it.

> I have repositories 1, 2 and 3, and I own them. You asked me to access repository no. 3 using SSH. I give you my Private SSH and Git URL for no. 3 repository URLs. In this case, you have access to repositories 1 and 2, because SSH is per user and not per Repository. It doesn't matter which project repository no. 3 is in, in this case. You just need to find out the Git URL and you have access to all my repositories.

Can you please break down who is assumed to be an external user? Is it a person or some service account? By service account, I mean an app or automation that needs access to your Git repositories to perform some actions on a regular basis.

If it is the latter, we recommend creating the app via the "Extensions" menu and assigning this app a role. To do it, please follow these steps:

1. Click the "Extensions" section in the bottom-left corner.
2. Click "New application" in the top-right corner.
3. Name your app. E.g. "Git automation via SSH". Add a description if needed. You can also assign an email address to this app for Git commit verification.
4. Click "Go to application" and proceed to the "Authorization" tab.
5. Here you can give access rights to your app by clicking "Authorize in project". Select a project in the drop-down list and click "Authorize".
6. Click "Configure" in the top-right corner and select permissions for your app. Type "git" in the search box to find the permissions associated with Git.
7. Click "Save" and return to your app's settings on the top navigation.
8. In the "Authentication" tab you can set up different authentication flows. More on them here: https://www.jetbrains.com/help/space/authentication-and-authorization.html#authorization-methods
9. In the "Git Keys" tab you can assign and manage SSH keys to your app. You can generate a key that will be used by this app exclusively. The app also won't spend the user pool of your Space instance.
1
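One way to prepare and check the key for the application described in the answer above, as an added example that is not part of the original thread or of JetBrains' documentation: it creates a key pair used only by the app and verifies that the key reads the repository in the authorized project and is refused for every other repository. The function names and the repository URLs passed on the command line are placeholders, and it assumes the generated public key has been added in the app's "Git Keys" tab.

```bash
#!/bin/sh
# Added example: dedicated SSH key for a Space application plus an access-scope check.
# Usage (URLs are placeholders you supply):
#   sh app_key_check.sh <private-key> <url-of-allowed-repo> <url-of-other-repo>...

# Create an ed25519 key pair used only by the application, never a personal key.
# $1 = output directory, $2 = key comment. Prints the private key path.
make_app_key() {
  key="$1/space_app_ed25519"
  mkdir -p "$1" && chmod 700 "$1"
  [ -e "$key" ] || ssh-keygen -q -t ed25519 -N "" -C "$2" -f "$key"
  chmod 600 "$key"
  printf '%s\n' "$key"
}

# Build an ssh command that offers only this key: the user's ssh config, the
# agent and default identities are all ignored, so a pass cannot come from
# the administrator's own key. $1 = private key path.
ssh_cmd_for() {
  printf "ssh -F /dev/null -i '%s' -o IdentitiesOnly=yes -o IdentityAgent=none -o BatchMode=yes" "$1"
}

# Return 0 if the key can list the repository's branches, non-zero otherwise.
# $1 = private key path, $2 = repository SSH URL.
can_read() {
  GIT_SSH_COMMAND="$(ssh_cmd_for "$1")" git ls-remote --heads "$2" >/dev/null 2>&1
}

# The allowed repository must be readable (positive control: a network or
# host-key failure is then not mistaken for "access denied") and every other
# repository must be refused. $1 = key, $2 = allowed URL, rest = denied URLs.
check_scope() {
  scope_key="$1"; scope_rc=0
  can_read "$scope_key" "$2" || { echo "FAIL: cannot read $2"; scope_rc=1; }
  shift 2
  for url in "$@"; do
    if can_read "$scope_key" "$url"; then
      echo "FAIL: key can also read $url"; scope_rc=1
    fi
  done
  return "$scope_rc"
}

if [ "$#" -ge 2 ]; then check_scope "$@"; fi
```

Because `BatchMode=yes` never prompts, the Git host's key must already be in `known_hosts` before the check is run.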

The external user would be IBM Code Engine (a fully managed, serverless platform with CI/CD support), which builds web applications from git repositories. However, it has only SSH authentication. I will try your suggested option at the bottom of the message.

I appreciate the detailed answer you provided. 

0

Dmitrii, thank you for your suggestion. We're almost there in terms of what we need, but I have a concern about your proposal. The problem is that in the Authorization tab, I can only assign the Project and not the Git Repository, which is a crucial part of our setup. I have one Project and three Repositories that are logically connected, so if I were to implement your proposed authorization, I would need to move one of the repositories to a different Project. Is there any way to use your suggestion but for Git Repository?

0
Tomas

For now, it is only possible to restrict access based on projects. Thus, you will have to move your repository to the new project. We may introduce per-repo access restrictions, but I cannot provide any timeframe for the release. Please follow this issue for updates: https://youtrack.jetbrains.com/issue/SPACE-19470/Per-repository-access-restrictions.
0
