This script removes direct members from GitLab repositories that are part of a specified group. It efficiently handles paginated API responses and processes repositories, including those in subgroups.
The script connects to a GitLab instance, retrieves all projects within a specified group (and its subgroups), and removes direct members who are also part of the group. This is useful for maintaining clean and consistent access control across repositories by ensuring that members are not directly added if they are already covered by group membership.
- Clean Up Direct Members: Ensure that members who are already part of a group do not have redundant direct access to repositories.
- Maintain Access Control: Automatically manage repository permissions based on group memberships.
- Audit Memberships: Verify that repository access aligns with group memberships.
- Python 3
gitlablibraryurllib3librarycoloramalibrary (for colored output)
The script can be executed from the command line. You need to provide the GitLab URL, an access token with API scope, and the group ID or path. You can also specify a list of repositories to limit the scope and use a dry-run option to preview changes without making modifications.
usage: gitlab_remove_doubleton_members.py [-h] -u GITLAB_URL -t TOKEN -g GROUP [--dry-run] [--exclude-users [USER1 USER2 ...]]
Remove direct members from repositories that are part of a specified GitLab group.
options:
-h, --help show this help message and exit
-u GITLAB_URL, --gitlab-url GITLAB_URL
The base URL of the GitLab instance
-t TOKEN, --token TOKEN
GitLab personal access token
-g GROUP, --group GROUP
The group ID or path for which to clean up repositories
--dry-run If set, just print members that would be removed
--exclude-users [USER1 USER2 ...]
Optional list of usernames to exclude from removal
To run the script and remove direct members from repositories within a group, use:
python gitlab_remove_doubleton_members.py -u https://gitlab.example.com -t your_access_token -g your_groupFor a dry run that shows what would be removed without making changes:
python gitlab_remove_doubleton_members.py -u https://gitlab.example.com -t your_access_token -g your_group --dry-runTo exclude specific users from removal:
python gitlab_remove_doubleton_members.py -u https://gitlab.example.com -t your_access_token -g your_group --exclude-users admin user1 user2Fetching members of group 1765555
Fetching repositories for group 1765555
Fetching projects from subgroup Projects (ID: 17899)
Fetching projects from subgroup Automation (ID: 17900)
Fetching projects from subgroup Linting (ID: 17901)
Processing repository Automation Templates (ID: 1304)
Processing repository Linting Boilerplate (ID: 1513)
Processing repository Project Templates (ID: 19951)
Dry-run: Would remove member $member from repository Linting (https://gitlab.example.com/projects/linting/-/project_members)This project is licensed under the MIT License - see the LICENSE file for details.