author: GitLab Bot <gitlab-bot@gitlab.com> 2022-02-18 09:45:46 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2022-02-18 09:45:46 +0000
commit: a7b3560714b4d9cc4ab32dffcd1f74a284b93580 (patch)
tree: 7452bd5c3545c2fa67a28aa013835fb4fa071baf /doc/security
parent: ee9173579ae56a3dbfe5afe9f9410c65bb327ca7 (diff)
download: gitlab-ce-a7b3560714b4d9cc4ab32dffcd1f74a284b93580.tar.gz
tag: v14.8.0-rc42

Add latest changes from gitlab-org/gitlab@14-8-stable-ee
Diffstat (limited to 'doc/security'):

 doc/security/asset_proxy.md                                      |  2
 doc/security/crime_vulnerability.md                              |  2
 doc/security/index.md                                            |  4
 doc/security/information_exclusivity.md                          |  2
 doc/security/password_length_limits.md                           |  2
 doc/security/password_storage.md                                 |  2
 doc/security/passwords_for_integrated_authentication_methods.md  |  2
 doc/security/project_import_decompressed_archive_size_limits.md  |  2
 doc/security/rate_limits.md                                      | 15
 doc/security/reset_user_password.md                              |  2
 doc/security/ssh_keys_restrictions.md                            | 10
 doc/security/token_overview.md                                   | 19
 doc/security/two_factor_authentication.md                        |  8
 doc/security/unlock_user.md                                      |  2
 doc/security/user_email_confirmation.md                          |  2
 doc/security/user_file_uploads.md                                |  4
 doc/security/webhooks.md                                         |  2
 17 files changed, 52 insertions, 30 deletions
diff --git a/doc/security/asset_proxy.md b/doc/security/asset_proxy.md
index 45c1c71158a..e4849b1b658 100644
--- a/doc/security/asset_proxy.md
+++ b/doc/security/asset_proxy.md
@@ -1,6 +1,6 @@
---
stage: Manage
-group: Authentication & Authorization
+group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
diff --git a/doc/security/crime_vulnerability.md b/doc/security/crime_vulnerability.md
index 1abb0c9e918..8288f7f6a74 100644
--- a/doc/security/crime_vulnerability.md
+++ b/doc/security/crime_vulnerability.md
@@ -1,6 +1,6 @@
---
stage: Manage
-group: Authentication & Authorization
+group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
type: reference
---
diff --git a/doc/security/index.md b/doc/security/index.md
index ab554e9135f..da3fa761f3f 100644
--- a/doc/security/index.md
+++ b/doc/security/index.md
@@ -1,6 +1,6 @@
---
stage: Manage
-group: Authentication & Authorization
+group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
comments: false
type: index
@@ -30,3 +30,5 @@ type: index
## Securing your GitLab installation
Consider access control features like [Sign up restrictions](../user/admin_area/settings/sign_up_restrictions.md) and [Authentication options](../topics/authentication/) to harden your GitLab instance and minimize the risk of unwanted user account creation.
+
+Self-hosting GitLab customers and administrators are responsible for the security of their underlying hosts, and for keeping GitLab itself up to date. It is important to [regularly patch GitLab](../policy/maintenance.md), patch your operating system and its software, and harden your hosts in accordance with vendor guidance.
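Review bot: terminology in the new paragraph: "Self-hosting GitLab customers and administrators" should use the product's own term "self-managed", which this same patch uses in the ssh_keys_restrictions.md context ("the GitLab.com and self-managed settings"). Suggest "Administrators of self-managed GitLab instances are responsible for the security of their underlying hosts, and for keeping GitLab itself up to date." The rest of the sentence (patch GitLab, patch the OS, harden hosts per vendor guidance) is fine as a shared-responsibility statement.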
diff --git a/doc/security/information_exclusivity.md b/doc/security/information_exclusivity.md
index 07b5a688671..0d55881c147 100644
--- a/doc/security/information_exclusivity.md
+++ b/doc/security/information_exclusivity.md
@@ -1,6 +1,6 @@
---
stage: Manage
-group: Authentication & Authorization
+group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
type: concepts
---
diff --git a/doc/security/password_length_limits.md b/doc/security/password_length_limits.md
index 1cfff358c9d..04c3a5c99e1 100644
--- a/doc/security/password_length_limits.md
+++ b/doc/security/password_length_limits.md
@@ -1,6 +1,6 @@
---
stage: Manage
-group: Authentication & Authorization
+group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
type: reference, howto
---
diff --git a/doc/security/password_storage.md b/doc/security/password_storage.md
index 6b71933b1ae..b4c2e27c952 100644
--- a/doc/security/password_storage.md
+++ b/doc/security/password_storage.md
@@ -1,6 +1,6 @@
---
stage: Manage
-group: Authentication & Authorization
+group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
type: reference
---
diff --git a/doc/security/passwords_for_integrated_authentication_methods.md b/doc/security/passwords_for_integrated_authentication_methods.md
index 7281b310a30..d4eb16c07e7 100644
--- a/doc/security/passwords_for_integrated_authentication_methods.md
+++ b/doc/security/passwords_for_integrated_authentication_methods.md
@@ -1,6 +1,6 @@
---
stage: Manage
-group: Authentication & Authorization
+group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
type: reference
---
diff --git a/doc/security/project_import_decompressed_archive_size_limits.md b/doc/security/project_import_decompressed_archive_size_limits.md
index 9727ba1c5f0..5082d917748 100644
--- a/doc/security/project_import_decompressed_archive_size_limits.md
+++ b/doc/security/project_import_decompressed_archive_size_limits.md
@@ -1,6 +1,6 @@
---
stage: Manage
-group: Authentication & Authorization
+group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
type: reference, howto
---
diff --git a/doc/security/rate_limits.md b/doc/security/rate_limits.md
index 14fc526ca7e..a9b066631e7 100644
--- a/doc/security/rate_limits.md
+++ b/doc/security/rate_limits.md
@@ -1,6 +1,6 @@
---
stage: Manage
-group: Authentication & Authorization
+group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
type: reference, howto
---
@@ -41,6 +41,7 @@ You can set these rate limits in the Admin Area of your instance:
- [Git LFS rate limits](../user/admin_area/settings/git_lfs_rate_limits.md)
- [Files API rate limits](../user/admin_area/settings/files_api_rate_limits.md)
- [Deprecated API rate limits](../user/admin_area/settings/deprecated_api_rate_limits.md)
+- [GitLab Pages rate limits](../administration/pages/index.md#rate-limits)
You can set these rate limits using the Rails console:
@@ -89,7 +90,7 @@ The **rate limit** is 5 requests per minute per user.
### Users sign up
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77835) in GitLab 14.7.
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/339151) in GitLab 14.7.
There is a rate limit per IP address on the `/users/sign_up` endpoint. This is to mitigate attempts to misuse the endpoint. For example, to mass
discover usernames or email addresses in use.
@@ -98,19 +99,19 @@ The **rate limit** is 20 calls per minute per IP address.
### Update username
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77221) in GitLab 14.7.
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/339152) in GitLab 14.7.
-There is a rate limit on the update username action. This is enforced to mitigate misuse of the feature. For example, to mass discover
+There is a rate limit on how frequently a username can be changed. This is enforced to mitigate misuse of the feature. For example, to mass discover
which usernames are in use.
The **rate limit** is 10 calls per minute per signed-in user.
### Username exists
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77119) in GitLab 14.7.
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/29040) in GitLab 14.7.
-There is a rate limit for the internal endpoint `/users/:username/exists`, used by registration to perform a client-side validation for
-uniqueness of the chosen username. This is to mitigate the risk of misuses, such as mass discovery of usernames in use.
+There is a rate limit for the internal endpoint `/users/:username/exists`, used upon sign up to check if a chosen username has already been taken.
+This is to mitigate the risk of misuses, such as mass discovery of usernames in use.
The **rate limit** is 20 calls per minute per IP address.
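Review bot: the rewritten "Update username" paragraph (`+There is a rate limit on how frequently a username can be changed. ...`) still ends in the sentence fragment "For example, to mass discover which usernames are in use.", carried over from the old text. Suggest folding it into the preceding sentence: "This is enforced to mitigate misuse of the feature, for example mass discovery of which usernames are in use." The "Username exists" rewrite reads correctly; the switch of all three "Introduced" links from merge requests to issues is consistent across the three sections.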
diff --git a/doc/security/reset_user_password.md b/doc/security/reset_user_password.md
index f67b1934dc5..1940c5be73a 100644
--- a/doc/security/reset_user_password.md
+++ b/doc/security/reset_user_password.md
@@ -1,6 +1,6 @@
---
stage: Manage
-group: Authentication & Authorization
+group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
type: howto
---
diff --git a/doc/security/ssh_keys_restrictions.md b/doc/security/ssh_keys_restrictions.md
index a7d852e2754..2e4a737f9aa 100644
--- a/doc/security/ssh_keys_restrictions.md
+++ b/doc/security/ssh_keys_restrictions.md
@@ -1,7 +1,7 @@
---
type: reference, howto
stage: Manage
-group: Authentication & Authorization
+group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
@@ -13,9 +13,9 @@ NIST). Some organizations deploying GitLab need to enforce minimum key
strength, either to satisfy internal security policy or for regulatory
compliance.
-Similarly, certain standards groups recommend using RSA, ECDSA, or ED25519 over
-the older DSA, and administrators may need to limit the allowed SSH key
-algorithms.
+Similarly, certain standards groups recommend using RSA, ECDSA, ED25519,
+ECDSA_SK, or ED25519_SK over the older DSA, and administrators may need to
+limit the allowed SSH key algorithms.
GitLab allows you to restrict the allowed SSH key technology as well as specify
the minimum key length for each technology:
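Review bot: the new sentence attributes a recommendation for "ECDSA_SK, or ED25519_SK" to standards groups, but those are the FIDO/U2F hardware-backed key types that OpenSSH introduced in 8.2, not separate algorithms that standards bodies recommend; the recommendation concerns the underlying curves. Suggest: "certain standards groups recommend using RSA, ECDSA, or ED25519 (including the hardware-backed ECDSA_SK and ED25519_SK variants) over the older DSA". That keeps the new key types visible without implying a recommendation the text does not cite.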
@@ -45,6 +45,8 @@ By default, the GitLab.com and self-managed settings for the
- DSA SSH keys are forbidden ([since GitLab 11.0](https://about.gitlab.com/releases/2018/06/22/gitlab-11-0-released/#support-for-dsa-ssh-keys)).
- ECDSA SSH keys are allowed.
- ED25519 SSH keys are allowed.
+- ECDSA_SK SSH keys are allowed (GitLab 14.8 and later).
+- ED25519_SK SSH keys are allowed (GitLab 14.8 and later).
<!-- ## Troubleshooting
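Review bot: the list preamble (context line "the minimum key length for each technology") promises a minimum key length per technology, but the two new items (`+- ECDSA_SK SSH keys are allowed (GitLab 14.8 and later).` and the ED25519_SK line) say only that the types are allowed. State whether a minimum-length setting exists for the _SK types or whether they follow the ECDSA and ED25519 settings, so an administrator enforcing key strength knows what the new options cover.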
diff --git a/doc/security/token_overview.md b/doc/security/token_overview.md
index 578bb03563f..a2119c86268 100644
--- a/doc/security/token_overview.md
+++ b/doc/security/token_overview.md
@@ -1,6 +1,6 @@
---
stage: Manage
-group: Authentication & Authorization
+group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
type: reference
---
@@ -44,8 +44,21 @@ are scoped to a project. As with [Personal access tokens](#personal-access-token
- The GitLab registry.
You can limit the scope and expiration date of project access tokens. When you
-create a project access token, GitLab creates a [project bot user](../user/project/settings/project_access_tokens.md#project-bot-users). Project
-bot users are service accounts and do not count as licensed seats.
+create a project access token, GitLab creates a [bot user for projects](../user/project/settings/project_access_tokens.md#bot-users-for-projects).
+Bot users for projects are service accounts and do not count as licensed seats.
+
+## Group access tokens
+
+[Group access tokens](../user/group/settings/group_access_tokens.md#group-access-tokens)
+are scoped to a group. As with [Personal access tokens](#personal-access-tokens), you can use them to authenticate with:
+
+- The GitLab API.
+- GitLab repositories.
+- The GitLab registry.
+
+You can limit the scope and expiration date of group access tokens. When you
+create a group access token, GitLab creates a [bot user for groups](../user/group/settings/group_access_tokens.md#bot-users-for-groups).
+Bot users for groups are service accounts and do not count as licensed seats.
## Deploy tokens
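Review bot: the new "Group access tokens" section says the tokens "are scoped to a group" but, unlike a project token, a group can contain subgroups and projects, and the section does not say whether the token's access extends to them; one sentence on that inheritance is the detail a reader comparing it with the project-token section above will look for. Also consider a version note: this patch's rate_limits.md hunks use the `> [Introduced](...) in GitLab 14.x.` convention, and this section, added as new in 14.8, has none.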
diff --git a/doc/security/two_factor_authentication.md b/doc/security/two_factor_authentication.md
index b83d81722fa..e8bb627ccbd 100644
--- a/doc/security/two_factor_authentication.md
+++ b/doc/security/two_factor_authentication.md
@@ -1,7 +1,7 @@
---
type: howto
stage: Manage
-group: Authentication & Authorization
+group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
@@ -116,8 +116,10 @@ reactivate 2FA from scratch if they want to use it again.
WARNING:
This feature might not be available to you. Check the **version history** note above for details.
-Two-factor authentication can be enforced for Git over SSH operations. The one-time password (OTP)
-verification can be done via a GitLab Shell command:
+Two-factor authentication can be enforced for Git over SSH operations. However, we recommend using
+[ED25519_SK](../ssh/index.md#ed25519_sk-ssh-keys) or [ECDSA_SK](../ssh/index.md#ecdsa_sk-ssh-keys) SSH keys instead.
+
+The one-time password (OTP) verification can be done using a command:
```shell
ssh git@<hostname> 2fa_verify
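Review bot: the new recommendation (`+[ED25519_SK](...) or [ECDSA_SK](...) SSH keys instead.`) gives no reason. A short rationale would help the reader choose: with a security-key-backed key, each signing operation requires the key to be present and (by default) touched, so the second factor is bound to the SSH key operation itself and the separate OTP step is not needed. Separately, the rewrite changed "via a GitLab Shell command" to "using a command"; if the command is still served by GitLab Shell, keep that name, since it tells the reader which component handles `2fa_verify`.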
diff --git a/doc/security/unlock_user.md b/doc/security/unlock_user.md
index 057d4e87efa..f2ad6696b9a 100644
--- a/doc/security/unlock_user.md
+++ b/doc/security/unlock_user.md
@@ -1,6 +1,6 @@
---
stage: Manage
-group: Authentication & Authorization
+group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
type: howto
---
diff --git a/doc/security/user_email_confirmation.md b/doc/security/user_email_confirmation.md
index 8baddaf1383..54920b15362 100644
--- a/doc/security/user_email_confirmation.md
+++ b/doc/security/user_email_confirmation.md
@@ -1,7 +1,7 @@
---
type: howto
stage: Manage
-group: Authentication & Authorization
+group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
diff --git a/doc/security/user_file_uploads.md b/doc/security/user_file_uploads.md
index 734a4cde7e8..e8b0c08e240 100644
--- a/doc/security/user_file_uploads.md
+++ b/doc/security/user_file_uploads.md
@@ -1,12 +1,14 @@
---
type: reference
stage: Manage
-group: Authentication & Authorization
+group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# User File Uploads **(FREE)**
+> - In GitLab 14.8 and later, [authorization checks are enforced](https://gitlab.com/gitlab-org/gitlab/-/issues/26781) on media uploads. This change is being [rolled out incrementally](https://gitlab.com/gitlab-org/gitlab/-/issues/352291) on GitLab.com in 14.9.
+
Images that are attached to issues, merge requests, or comments
do not require authentication to be viewed if they are accessed directly by URL.
This direct URL contains a random 32-character ID that prevents unauthorized
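Review bot: the new version note states that from 14.8 "authorization checks are enforced" on media uploads, but the unchanged paragraph directly below it still says attached images "do not require authentication to be viewed if they are accessed directly by URL" and relies on the random 32-character ID. As written, the note and the body contradict each other. Either update the body to describe the post-14.8 behaviour and note that the unauthenticated-URL description applies only where the change has not yet been rolled out, or make the note say explicitly that the paragraph below describes the previous behaviour.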
diff --git a/doc/security/webhooks.md b/doc/security/webhooks.md
index 621e6d595bf..07b35ccebe8 100644
--- a/doc/security/webhooks.md
+++ b/doc/security/webhooks.md
@@ -1,6 +1,6 @@
---
stage: Manage
-group: Authentication & Authorization
+group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
type: concepts, reference, howto
---