Updated on 2023-08-07 GMT+08:00

IP Address Whitelists

About IP Address Whitelists

  • An IP address whitelist includes an IP address segment and several access control settings. The whitelist restricts users' access, upload, and download permissions to enhance repository security.
  • The IP address whitelist can be configured only for repositories whose visibility is Private. Repositories whose visibility is Public or Public template are not supported.

IP Address Whitelist Formats

IPv4 and IPv6 are supported. The following table lists the three formats of IP address whitelists.

Table 1 IP address whitelist formats

| Format | Description |
|---|---|
| Specified IP Address | This is the simplest IP address whitelist format. You can add the IP address of your PC to the whitelist, for example, 100.*.*.123. |
| IP address segment | If you have multiple servers and their IP addresses are consecutive or the IP address of your server dynamically changes in a network segment, you can add the IP address segment, for example, 100.*.*.0 to 100.*.*.255. |
| CIDR block | When your server on a LAN uses CIDR, you can specify a 32-bit egress IP address of the LAN and the number of bits for a specified network prefix. Requests from the same IP address are accepted if the network prefix is the same as the specified one. |

Configuring IP Address Whitelists

IP address whitelists can be created at the following levels:

If the Private repository for which the IP address whitelist has been configured is switched to a Public repository, you can upload and download code on the CodeArts Repo page or Git client.

  • IP address whitelists. The whitelists are set for all cloud services. IP addresses that are not in the whitelist are blocked upon login. For details, see Access Control.

  • IP address whitelist for repository. It allows access to a specific repository only from IP addresses in the whitelist. To set the whitelist, choose Settings > Security Management > IP Address Whitelist. (IPv4 and IPv6 addresses are supported. For details, see IP Address Whitelist Formats.)

    Allowed to access the repository: Only whitelisted IP addresses and the repository creator can access the repository.

    Allowed to download code: Only whitelisted IP addresses can download code online and clone code locally.

    Allowed to commit code: Only whitelisted IP addresses can modify and upload code online, or commit code locally. Code-based build project orchestration and YAML file synchronization are not affected.

    • Commit code: Create, edit, delete, upload and rename files, create and delete directories, submodules, branches, and tags, resolve code conflicts, create and merge MRs, cherry-pick, revert, use LFS storage, and rebase.
    • Download code: Download a single file and branches, tags, repositories and backup repositories.
    • Local download: Download code through SSH and HTTPS, and clone repositories using deploy keys.
    • Local commit: Commit code through SSH and HTTPS.
    • Repository synchronization is not affected by the IP address whitelist.
  • Tenant-level IP address whitelist: To set IP address whitelists for repositories of all accounts from a tenant, log in to the CodeArts Repo repository list page, click the alias in the upper right corner, and choose All Account Settings > Repo > Whitelists for All Accounts, as shown in the following figure. The configuration rules are the same as those of repository-level IP address whitelists.

    Only tenant accounts have permissions to configure Whitelist for All Accounts. Click next to Add Address and select Prioritize this List. The following table shows which whitelist is applied when code is cloned with a Git client or the repository source code is downloaded on the UI.

    | Account-level Whitelist Prioritized (Prioritize This List) | Configure Tenant-level Whitelist | Configure Repository-Level Whitelist | Priority |
    |---|---|---|---|
    | Enabled | × | × | All IP addresses are allowed. |
    | Enabled | × | √ | The repository-level whitelist prevails. |
    | Enabled | √ | × | The tenant-level whitelist prevails. |
    | Enabled | √ | √ | The intersection of the tenant-level whitelist and repository-level whitelist prevails. |
    | Disabled | × | × | All IP addresses can pass. |
    | Disabled | × | √ | The repository-level whitelist prevails. |
    | Disabled | √ | × | The tenant-level whitelist prevails. |
    | Disabled | √ | √ | The repository-level whitelist prevails. |
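
The priority table above, written as a small Python model for predicting the effect of a whitelist change before enabling it. This is an added example, not CodeArts Repo code: the function names, the entry encoding (a string for a single IP or CIDR block, a tuple for a segment), `None` meaning "not configured", and the sample addresses are assumptions. It models only the source-IP decision, not the per-operation settings or the repository creator exception.

```python
import ipaddress

def entry_matches(entry, addr):
    """Match addr against one whitelist entry.

    Assumed encoding (not CodeArts syntax): a string is a single IP or a CIDR
    block; a (start, end) tuple is an IP address segment.
    """
    if isinstance(entry, tuple):
        lo, hi = (ipaddress.ip_address(p) for p in entry)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid segment: {entry!r}")
        return addr.version == lo.version and lo <= addr <= hi
    # strict=False accepts an egress address with host bits set, e.g. 203.0.113.9/24;
    # a bare address becomes a /32 (IPv4) or /128 (IPv6) network.
    return addr in ipaddress.ip_network(entry, strict=False)

def in_whitelist(ip, entries):
    """True if ip matches any entry of one whitelist."""
    addr = ipaddress.ip_address(ip)
    return any(entry_matches(e, addr) for e in entries)

def ip_allowed(ip, tenant, repo, prioritize_tenant):
    """Apply the priority table. tenant/repo are entry lists, or None if not configured."""
    if tenant is None and repo is None:
        return True                            # all IP addresses are allowed
    if tenant is None:
        return in_whitelist(ip, repo)          # repository-level whitelist prevails
    if repo is None:
        return in_whitelist(ip, tenant)        # tenant-level whitelist prevails
    if prioritize_tenant:                      # both configured, Prioritize this List enabled
        return in_whitelist(ip, tenant) and in_whitelist(ip, repo)  # intersection
    return in_whitelist(ip, repo)              # both configured, option disabled

# Constructed sample whitelists (documentation address ranges).
TENANT = ["203.0.113.0/24", "2001:db8::/32"]
REPO = [("203.0.113.10", "203.0.113.20"), "198.51.100.7"]

if __name__ == "__main__":
    for ip in ("203.0.113.15", "203.0.113.50", "198.51.100.7", "2001:db8::1"):
        print(ip, ip_allowed(ip, TENANT, REPO, True), ip_allowed(ip, TENANT, REPO, False))
```

With both levels configured, an address listed only at repository level (198.51.100.7 in the sample) is refused while Prioritize this List is enabled and accepted once it is disabled, which is the difference worth checking before changing that option.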