GitLab: Can a normal user change their own password through the API?
With the root user, GitLab can change other users' passwords through the API, but because of a GitLab issue at the time, a feature was introduced so that in this scenario the user has to change the password again at the next login. From a security standpoint that is perfectly reasonable. If, however, you wrap GitLab in another layer and do not want users to touch GitLab directly, this seemingly thoughtful feature becomes a real nuisance. This article checks whether a user who changes their own password through the API still has to reset the password at login.
Contents
- Environment setup
- Creating a token
- Creating a user
- Login check
- Creating a token for the new user
- Changing the password
- Checking the documentation
- Summary
- References
Environment setup
docker-compose.yml
liumiaocn:gitlab liumiao$ cat docker-compose.yml
version: '2'
services:
  gitlab:
    image: gitlab/gitlab-ce:12.10.5-ce.0
    ports:
      - "32001:80"
      - "30022:22"
      - "443:443"
    volumes:
      - ./log/:/var/log/gitlab
      - ./data/:/var/opt/gitlab
      - ./conf/:/etc/gitlab
    restart: "no"
liumiaocn:gitlab liumiao$
Start the service
liumiaocn:gitlab liumiao$ docker-compose up -d
Creating network "gitlab_default" with the default driver
Creating gitlab_gitlab_1 ... done
liumiaocn:gitlab liumiao$
Check the result
liumiaocn:gitlab liumiao$ docker-compose ps
Name Command State Ports
gitlab_gitlab_1 /assets/wrapper Up (healthy) 0.0.0.0:30022->22/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:32001->80/tcp
liumiaocn:gitlab liumiao$
Log in and change the root password
On first login you are prompted to change the root password; here it is set to liumiaocn.
Creating a token
Log in as root and create a personal access token for the root user; the details are as follows:
Note: the token generated here is Nq7GbNq3rfMhke3tgovz
Creating a user
liumiaocn:gitlab liumiao$ access_token="Nq7GbNq3rfMhke3tgovz"
liumiaocn:gitlab liumiao$ gitlab_url="localhost:32001"
liumiaocn:gitlab liumiao$ curl -X POST -H "PRIVATE-TOKEN: ${access_token}" http://${gitlab_url}/api/v4/users \
> -H 'cache-control: no-cache' \
> -H 'content-type: application/json' \
> -d '{ "email": "liumiaocn@outlook.com",
> "username": "liumiao",
> "password": "12341234",
> "name": "liumiao",
> "skip_confirmation": "true"
> }'
{"id":2,"name":"liumiao","username":"liumiao","state":"active","avatar_url":"https://www.gravatar.com/avatar/95c1f7ff72d71b448592a335ba80fb64?s=80\u0026d=identicon","web_url":"http://ad3812337759/liumiao","created_at":"2020-08-31T12:12:55.031Z","bio":null,"location":null,"public_email":"","skype":"","linkedin":"","twitter":"","website_url":"","organization":null,"job_title":"","work_information":null,"last_sign_in_at":null,"confirmed_at":"2020-08-31T12:12:54.839Z","last_activity_on":null,"email":"liumiaocn@outlook.com","theme_id":1,"color_scheme_id":1,"projects_limit":100000,"current_sign_in_at":null,"identities":[],"can_create_group":true,"can_create_project":true,"two_factor_enabled":false,"external":false,"private_profile":false,"is_admin":false}liumiaocn:gitlab liumiao$
liumiaocn:gitlab liumiao$
Login check
Log in with the liumiao/12341234 account created above.
Creating a token for the new user
Create a personal access token for the newly created user liumiao.
Note: the token is 8H1SRGb-UeC_su66ckdR
Changing the password
Use the new user's token to change that user's own password, as shown below:
liumiaocn:gitlab liumiao$ access_token="8H1SRGb-UeC_su66ckdR"
liumiaocn:gitlab liumiao$ gitlab_url="localhost:32001"
liumiaocn:gitlab liumiao$ userid=2
liumiaocn:gitlab liumiao$ curl -X PUT -H "PRIVATE-TOKEN: ${access_token}" http://${gitlab_url}/api/v4/users/${userid} \
> -H 'cache-control: no-cache' \
> -H 'content-type: application/json' \
> -d '{ "password": "56785678"}'
{"message":"403 Forbidden"}liumiaocn:gitlab liumiao$
liumiaocn:gitlab liumiao$
The official API documentation shows an admin option for this call; setting it to either true or false makes no difference, for example:
liumiaocn:gitlab liumiao$ curl -X PUT -H "PRIVATE-TOKEN: ${access_token}" http://${gitlab_url}/api/v4/users/${userid} \
> -H 'cache-control: no-cache' \
> -H 'content-type: application/json' \
> -d '{ "admin": "false",
> "password": "56785678"}'
{"message":"403 Forbidden"}liumiaocn:gitlab liumiao$
liumiaocn:gitlab liumiao$
liumiaocn:gitlab liumiao$
liumiaocn:gitlab liumiao$ curl -X PUT -H "PRIVATE-TOKEN: ${access_token}" http://${gitlab_url}/api/v4/users/${userid} \
> -H 'cache-control: no-cache' \
> -H 'content-type: application/json' \
> -d '{ "admin": "true",
> "password": "56785678"}'
{"message":"403 Forbidden"}liumiaocn:gitlab liumiao$
liumiaocn:gitlab liumiao$
Checking the documentation
The documentation is actually quite clear. The heading of the user modification (PUT /users/:id) section states plainly: Only administrator.
And at the end it notes that after the change, the user will have to set a new password at the next login.
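As an added example (not code from the original post), here is a small Python client that issues the same PUT /api/v4/users/:id request as the curl commands above and interprets the outcome the way this post observed: a 403 for a non-administrator token, and a forced password reset at next login when an administrator token succeeds. GITLAB_URL, the token and the user id are placeholders you supply; the is_admin field is the one seen in the user JSON returned earlier in the post.

```python
import json
import os
import urllib.error
import urllib.request

# Placeholder for the instance used in this post; override via the environment.
GITLAB_URL = os.environ.get("GITLAB_URL", "http://localhost:32001")


def api_request(method, path, token, body=None):
    """Send one request to the GitLab v4 API and return (status, parsed JSON)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{GITLAB_URL}/api/v4{path}", data=data, method=method,
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"null")


def token_is_admin(me):
    """Read is_admin from a GET /api/v4/user response; a missing field counts as not admin."""
    return bool(me.get("is_admin", False))


def explain_password_change(status, body):
    """Map the PUT /users/:id result to what the post's experiments showed."""
    if status == 403:
        return "forbidden: only administrator tokens may call PUT /users/:id"
    if status == 200:
        return "changed: the user must set a new password at next login"
    message = body.get("message") if isinstance(body, dict) else body
    return f"unexpected status {status}: {message}"


def change_password(token, user_id, new_password):
    """Pre-check the token with GET /user, then attempt the change and explain it."""
    _, me = api_request("GET", "/user", token)
    if not token_is_admin(me):
        return 403, "skipped: token is not an administrator, the API would answer 403"
    status, body = api_request("PUT", f"/users/{user_id}", token, {"password": new_password})
    return status, explain_password_change(status, body)


if __name__ == "__main__":
    # Placeholders: pass a real token and user id through the environment.
    print(change_password(os.environ.get("GITLAB_TOKEN", ""), os.environ.get("GITLAB_USER_ID", "2"), "56785678"))
```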
Summary
This article verified, on GitLab 12.10.5, whether a normal user can change their own password through the API using their own token. The result of the verification so far is: no, they cannot.
References
https://docs.gitlab.com/ce/api/users.html