IP Address Whitelist

About IP Address Whitelist

An IP address whitelist includes an IP address segment and several access control settings. The whitelist restricts users' access, upload, and download permissions to enhance repository security.
The IP address whitelist can be configured only for repositories whose visibility is Private. Repositories whose visibility is Public or Public template are not supported.

IP Address Whitelist Format

IPv4 and IPv6 are supported. The following table lists the three formats of IP address whitelists.

**Table 1** IP address whitelist format
Format	Description
Specified IP Address	This is the simplest IP address whitelist format. You can add the IP address of your PC to the whitelist, for example, 100...123.
IP address segment	If you have multiple servers and their IP addresses are consecutive or the IP address of your server dynamically changes in a network segment, you can add the IP address segment, for example, 100...0 to 100...255.
CIDR block	When your server on a LAN uses the CIDR, you can specify a 32-bit egress IP address of the LAN and the number of bits for a specified network prefix. Requests from the same IP address are accepted if the network prefix is the same as the specified one.

Configuring IP Address Whitelist

IP address whitelists can be created in the following levels:

If the Private repository for which the IP address whitelist has been configured is switched to a Public or Public template repository, you can also upload and download code on the CodeArts Repo page or Git client.

IP Address whitelists. The whitelists are set for all cloud services. IP addresses that are not in the whitelist are blocked upon login. For details, see Access Control.

IP address whitelist for repository. It allows access only from IP addresses in the whitelist to a specific repository. To set the whitelist, choose Settings > Security Management >IP Address Whitelist (IPv4 and IPv6 addresses are supported. For details, see IP Address Whitelist Format).
Allowed to access the repository: Only whitelisted IP addresses and the repository owner can access the repository.

Allowed to download code : Only whitelisted IP addresses can download code online and clone code locally.

Allowed to commit code: Only whitelisted IP addresses can modify and upload code online, or commit code locally. Code-based build project orchestration and YAML file synchronization are not affected.
- Commit code: Create, edit, delete, upload and rename files, create and delete directories, submodules, branches, and tags, resolve code conflicts, create and merge MRs, cherry-pick, revert, use LFS storage, and rebase.
- Download code: Download a single file and branches, tags, repositories and backup repositories.
- Local download: Download code through SSH and HTTPS, and clone repository through deploying keys.
- Local commit: Commit code through SSH and HTTPS.
- Repository synchronization is not affected by the IP address whitelist.

Tenant-level IP address whitelist: To set IP address whitelists for repositories of all accounts from a tenant, log in to the CodeArts Repo repository list page, click the alias in the upper right corner, and choose All Account Settings > Repo > Whitelists for All Accounts, as shown in the following figure. The configuration rules are the same as those of repository-level IP address whitelists.

Only tenant accounts have permissions to configure Whitelist for All Accounts. Click next to Add Address and select Prioritize this List. For details about the logic of cloning the Git client or downloading the repository source code on the UI, see the following table.

Account-level Whitelist Prioritized (Prioritize This List)	Configure Tenant-level Whitelist	Configure Repository-Level Whitelist	Priority
Enabled	×	×	All IP addresses are allowed.
	×	√	The repository-level whitelist prevails.
	√	×	The tenant-level whitelist prevails.
	√	√	The intersection of the tenant-level whitelist and repository-level whitelist prevails.
Disabled	×	×	All IP addresses are allowed.
	×	√	The repository-level whitelist prevails.
	√	×	The tenant-level whitelist prevails.
	√	√	The repository-level whitelist prevails.