Is it possible to have control policies when using GitHub or GitLab authentication?
I'm in the process of replacing Gitpod with a self-hosted Coder installation.
The setup went well and I wrote an article about it.
Now, to have a more comfortable way to handle the workshop, I need to allow attendees to connect and have a workspace the easiest way.
Currently, I just have to give them the workshop repository on GitLab or Github with the proper Gitpod configuration file.
To do that with Coder, I need several things. The first one is a way to allow them to connect to my Coder with an account they already have.
But after reading the documentation, it seems that when using Github/GitLab authentication, I only have full access or nothing.
Is there a way to restrict such access to only allow a predefined workspace?
11 Replies
Category
Help needed
Product
Coder OSS (v2)
Platform
Linux
hi @Thierry Chantier, I don't know whether you can vary the permissions but the default role is going to be "User", which only has access to their own workspaces and read-only access to templates
you can just spawn a workspace under their name if that's possible
I'll look into it but I'm on the go right now so I won't be fast to answer
hey @Thierry Chantier -- do you think this would work out or did you have something else in mind?
I just prepared a test environment yesterday, I’ll test it because I could not understand just with the documentation. I need to understand what you mean by « under their name » if we are talking about users from GitHub that are not known before they connect.
And maybe it will help me to be clearer in my questions 🙂
basically, when you are creating the workspace, you can create it under another user
though it does have to exist beforehand
do you know their email beforehand?
see, the tough part is that you want to create workspaces for users that don't yet exist on the Coder instance
I think the easiest way to tackle this issue is to have them create the workspace themselves through an "Open in Coder" link
so if I understand correctly, you want newly-created users to have an existing workspace they can start using, right?
could you maybe highlight what made you confused in our docs so that we can improve them?
I don't understand what you mean by "full access" in this context, could you elaborate further?
(are you referring to https://coder.com/docs/admin/auth#github?)
I am finalizing the setup with github auth and I will experiment.
If I just express the overall goal I want to achieve:
- I'm in a workshop session, with people that I don't know before and don't have emails
- I need them to start a workspace, from a github/gitlab link
- the workspace is defined in a file in the repository
- they are only able to start this type of workspace
Sometimes I may just be trying to understand an aspect of Coder instead of focusing on another: I may start to run before knowing how to walk 😉
I see, so I would recommend setting up GitHub/GitLab as OAuth sources on your Coder instance (see "Authentication - GitHub" & "Authentication - OpenID Connect") and then adding an "Open in Coder" link to your repo/as a QR code/etc
if you visit the "Open in Coder" link without being logged in, it'll just ask you to log in, so they can theoretically create their account directly from that link
then they'll be granted by the workspace creation page
to generate that "Open in Coder" link, just go to the "Embed" section of your template's page
if you only want the users to be able to start this specific workspace, then you can set up template access control if you have the Enterprise version, but I don't believe that is your case
so the next best thing that people hosting workshops usually do is set up a Coder instance just for that event and then tear it down afterwards
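The flow described in this answer, as an added example that is not code from the thread or from the Coder project: a small POSIX sh script that builds the "Open in Coder" link for a workshop template and emits the GitHub OAuth environment the Coder server reads. The host `coder.example.com`, the template name `workshop`, the parameter name `repo_url` and the link shape `https://<host>/templates/<template>/workspace?mode=auto&param.<name>=<value>` are assumptions.

```shell
# Added example, not from the thread or the Coder project. Assumed placeholders:
# coder.example.com, template "workshop", parameter "repo_url", and the link
# shape https://<host>/templates/<template>/workspace?mode=auto&param.<name>=<value>
# as produced by the template page's "Embed" section.

# Percent-encode one value (RFC 3986 unreserved characters pass through) so a
# repository URL survives as a query parameter. ASCII input is assumed.
urlencode() {
  s="$1"; out=""
  while [ -n "$s" ]; do
    c="${s%"${s#?}"}"; s="${s#?}"
    case "$c" in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Build the "Open in Coder" link: host, template, then name=value pairs that
# become template parameters. A visitor who is not logged in is sent to the
# GitHub/GitLab login first and reaches the workspace creation page afterwards.
open_in_coder_url() {
  host="$1"; template="$2"; shift 2
  url="https://$host/templates/$(urlencode "$template")/workspace?mode=auto"
  for kv in "$@"; do
    k="${kv%%=*}"; v="${kv#*=}"
    url="$url&param.$(urlencode "$k")=$(urlencode "$v")"
  done
  printf '%s' "$url"
}

# Server-side settings the link relies on (coder server reads them from the
# environment). Attendees are unknown beforehand, so sign-ups must be allowed;
# ALLOWED_ORGS narrows sign-up to members of the listed GitHub orgs and is
# left empty when attendees are not in an org you control, which is why a
# throwaway per-event instance is the usual fallback.
github_oauth_env() {
  cat <<EOF
CODER_OAUTH2_GITHUB_CLIENT_ID=<client id of your GitHub OAuth app>
CODER_OAUTH2_GITHUB_CLIENT_SECRET=<client secret>
CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS=true
CODER_OAUTH2_GITHUB_ALLOWED_ORGS=${1:-}
EOF
}

open_in_coder_url coder.example.com workshop repo_url=https://github.com/example/workshop
echo
```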
I won't keep this open because I have so many things to test before going further.
I definitely need to test the Open In Coder link, I hope it's not too complex to implement in a POC.
/close
make sure to ask any questions!
@Phorcys closed the thread.