| | | |
|---|---|---|
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-07-20 09:55:51 +0000 |
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-07-20 09:55:51 +0000 |
| commit | e8d2c2579383897a1dd7f9debd359abe8ae8373d (patch) | |
| tree | c42be41678c2586d49a75cabce89322082698334 | /doc/security |
| parent | fc845b37ec3a90aaa719975f607740c22ba6a113 (diff) | |
| download | gitlab-ce-e8d2c2579383897a1dd7f9debd359abe8ae8373d.tar.gz | |
Add latest changes from gitlab-org/gitlab@14-1-stable-ee

v14.1.0-rc42
Diffstat (limited to 'doc/security')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | doc/security/README.md | 32 |
| -rw-r--r-- | doc/security/cicd_environment_variables.md | 9 |
| -rw-r--r-- | doc/security/cicd_variables.md | 4 |
| -rw-r--r-- | doc/security/index.md | 32 |
| -rw-r--r-- | doc/security/passwords_for_integrated_authentication_methods.md | 2 |
| -rw-r--r-- | doc/security/token_overview.md | 10 |

6 files changed, 44 insertions, 45 deletions
diff --git a/doc/security/README.md b/doc/security/README.md index 6af3948fdcf..5ab8653dc35 100644 --- a/doc/security/README.md +++ b/doc/security/README.md 
@@ -1,32 +1,8 @@ --- -stage: none -group: unassigned -info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments -comments: false -type: index +redirect_to: 'index.md' --- -# Security **(FREE)** +This document was moved to [another location](index.md). -- [Password storage](password_storage.md) -- [Password length limits](password_length_limits.md) -- [Generated passwords for users created through integrated authentication](passwords_for_integrated_authentication_methods.md) -- [Restrict SSH key technologies and minimum length](ssh_keys_restrictions.md) -- [Rate limits](rate_limits.md) -- [Webhooks and insecure internal web services](webhooks.md) -- [Information exclusivity](information_exclusivity.md) -- [Reset user password](reset_user_password.md) -- [Unlock a locked user](unlock_user.md) -- [User File Uploads](user_file_uploads.md) -- [How we manage the CRIME vulnerability](crime_vulnerability.md) -- [Enforce Two-factor authentication](two_factor_authentication.md) -- [Send email confirmation on sign-up](user_email_confirmation.md) -- [Security of running jobs](https://docs.gitlab.com/runner/security/) -- [Proxying images](asset_proxy.md) -- [CI/CD variables](../ci/variables/README.md#cicd-variable-security) -- [Token overview](token_overview.md) -- [Project Import decompressed archive size limits](project_import_decompressed_archive_size_limits.md) - -## Securing your GitLab installation - -Consider access control features like [Sign up restrictions](../user/admin_area/settings/sign_up_restrictions.md) and [Authentication options](../topics/authentication/) to harden your GitLab instance and minimize the risk of unwanted user account creation. +<!-- This redirect file can be deleted after 2021-09-28. --> +<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/#move-or-rename-a-page --> 
diff --git a/doc/security/cicd_environment_variables.md b/doc/security/cicd_environment_variables.md deleted file mode 100644 index 49b10af6c1d..00000000000 --- a/doc/security/cicd_environment_variables.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -redirect_to: 'cicd_variables.md' -remove_date: '2021-05-15' ---- - -This document was moved to [another location](cicd_variables.md). - -<!-- This redirect file can be deleted after 2021-05-15. --> -<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/#move-or-rename-a-page --> diff --git a/doc/security/cicd_variables.md b/doc/security/cicd_variables.md index b429b1435be..06fe0ff4276 100644 --- a/doc/security/cicd_variables.md +++ b/doc/security/cicd_variables.md @@ -1,9 +1,9 @@ --- -redirect_to: '../ci/variables/README.md#cicd-variable-security' +redirect_to: '../ci/variables/index.md#cicd-variable-security' remove_date: '2021-07-04' --- -This document was moved to [another location](../ci/variables/README.md#cicd-variable-security). +This document was moved to [another location](../ci/variables/index.md#cicd-variable-security). <!-- This redirect file can be deleted after <2021-07-04>. --> <!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/#move-or-rename-a-page --> diff --git a/doc/security/index.md b/doc/security/index.md new file mode 100644 index 00000000000..35e93fc2c55 --- /dev/null +++ b/doc/security/index.md 
@@ -0,0 +1,32 @@ +--- +stage: none +group: unassigned +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +comments: false +type: index +--- + +# Security **(FREE)** + +- [Password storage](password_storage.md) +- [Password length limits](password_length_limits.md) +- [Generated passwords for users created through integrated authentication](passwords_for_integrated_authentication_methods.md) +- [Restrict SSH key technologies and minimum length](ssh_keys_restrictions.md) +- [Rate limits](rate_limits.md) +- [Webhooks and insecure internal web services](webhooks.md) +- [Information exclusivity](information_exclusivity.md) +- [Reset user password](reset_user_password.md) +- [Unlock a locked user](unlock_user.md) +- [User File Uploads](user_file_uploads.md) +- [How we manage the CRIME vulnerability](crime_vulnerability.md) +- [Enforce Two-factor authentication](two_factor_authentication.md) +- [Send email confirmation on sign-up](user_email_confirmation.md) +- [Security of running jobs](https://docs.gitlab.com/runner/security/) +- [Proxying images](asset_proxy.md) +- [CI/CD variables](../ci/variables/index.md#cicd-variable-security) +- [Token overview](token_overview.md) +- [Project Import decompressed archive size limits](project_import_decompressed_archive_size_limits.md) + +## Securing your GitLab installation + +Consider access control features like [Sign up restrictions](../user/admin_area/settings/sign_up_restrictions.md) and [Authentication options](../topics/authentication/) to harden your GitLab instance and minimize the risk of unwanted user account creation. diff --git a/doc/security/passwords_for_integrated_authentication_methods.md b/doc/security/passwords_for_integrated_authentication_methods.md index 7c4ada4435c..9931fd56e83 100644 --- a/doc/security/passwords_for_integrated_authentication_methods.md 
+++ b/doc/security/passwords_for_integrated_authentication_methods.md @@ -7,7 +7,7 @@ type: reference # Generated passwords for users created through integrated authentication **(FREE)** -GitLab allows users to set up accounts through integration with external [authentication and authorization providers](../administration/auth/README.md). +GitLab allows users to set up accounts through integration with external [authentication and authorization providers](../administration/auth/index.md). These authentication methods do not require the user to explicitly create a password for their accounts. However, to maintain data consistency, GitLab requires passwords for all user accounts. diff --git a/doc/security/token_overview.md b/doc/security/token_overview.md index f9655210329..c00e5bff383 100644 --- a/doc/security/token_overview.md +++ b/doc/security/token_overview.md @@ -28,7 +28,7 @@ You can limit the scope and lifetime of your OAuth2 tokens. ## Impersonation tokens -An [Impersonation token](../api/README.md#impersonation-tokens) is a special type of personal access +An [Impersonation token](../api/index.md#impersonation-tokens) is a special type of personal access token. It can be created only by an administrator for a specific user. Impersonation tokens can help you build applications or scripts that authenticate with the GitLab API, repositories, and the GitLab registry as a specific user. 
@@ -71,7 +71,7 @@ You can use the runner registration token to add runners that execute jobs in a After registration, the runner receives an authentication token, which it uses to authenticate with GitLab when picking up jobs from the job queue. The authentication token is stored locally in the runner's [`config.toml`](https://docs.gitlab.com/runner/configuration/advanced-configuration.html) file. -After authentication with GitLab, the runner receives a [job token](../api/README.md#gitlab-cicd-job-token), which it uses to execute the job. +After authentication with GitLab, the runner receives a [job token](../api/index.md#gitlab-cicd-job-token), which it uses to execute the job. In case of Docker Machine/Kubernetes/VirtualBox/Parallels/SSH executors, the execution environment has no access to the runner authentication token, because it stays on the runner machine. They have access to the job token only, which is needed to execute the job. @@ -79,7 +79,7 @@ Malicious access to a runner's file system may expose the `config.toml` file and ## CI/CD job tokens -The [CI/CD](../api/README.md#gitlab-cicd-job-token) job token +The [CI/CD](../api/index.md#gitlab-cicd-job-token) job token is a short lived token only valid for the duration of a job. It gives a CI/CD job access to a limited amount of API endpoints. API authentication uses the job token, by using the authorization of the user @@ -105,7 +105,7 @@ This table shows available scopes per token. Scopes can be limited further on to 1. Limited to the one project. 1. Runner registration and authentication token don't provide direct access to repositories, but can be used to register and authenticate a new runner that may execute jobs which do have access to the repository -1. Limited to certain [endpoints](../api/README.md#gitlab-cicd-job-token). +1. Limited to certain [endpoints](../api/index.md#gitlab-cicd-job-token). ## Security considerations 
@@ -113,7 +113,7 @@ Access tokens should be treated like passwords and kept secure. Adding them to URLs is a security risk. This is especially true when cloning or adding a remote, as Git then writes the URL to its `.git/config` file in plain text. URLs are also generally logged by proxies and application servers, which makes those credentials visible to system administrators. -Instead, API calls can be passed an access token using headers, like [the `Private-Token` header](../api/README.md#personalproject-access-tokens). +Instead, API calls can be passed an access token using headers, like [the `Private-Token` header](../api/index.md#personalproject-access-tokens). Tokens can also be stored using a [Git credential storage](https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage). |
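Review bot: in the doc/security/README.md hunk (`@@ -1,32 +1,8 @@`) the new redirect front matter carries only `redirect_to: 'index.md'` and no `remove_date`, while the other redirect stubs in this same patch (cicd_variables.md, and the deleted cicd_environment_variables.md) pair `redirect_to` with `remove_date: '...'`. The HTML comment added below it says the file can be deleted after 2021-09-28, so add `remove_date: '2021-09-28'` to the front matter so this stub is caught by the same cleanup convention as the others.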
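Review bot: the deletion of doc/security/cicd_environment_variables.md is consistent with its `remove_date: '2021-05-15'` having passed, but once the stub is gone any remaining link to that path in the docs breaks silently; before merging, confirm nothing else still links to cicd_environment_variables.md, since the patch adds no replacement for it.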
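Review bot: the doc/security/cicd_variables.md hunk (`@@ -1,9 +1,9 @@`) updates `redirect_to` on a stub whose `remove_date: '2021-07-04'` is already in the past at the commit date (2021-07-20), so the change extends the life of a file that was due for deletion; either delete it in this patch as cicd_environment_variables.md is, or, if it has to stay, also fix the stray angle brackets in the unchanged comment `<!-- This redirect file can be deleted after <2021-07-04>. -->`, which the other stubs write as a bare date.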
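Review bot: in the doc/security/token_overview.md hunk `@@ -79,7 +79,7 @@`, the context line `is a short lived token only valid for the duration of a job. It gives a CI/CD job access to a limited amount of API endpoints.` should read `short-lived` and `a limited number of API endpoints`; since the hunk already edits this paragraph, it is a cheap place to fix both.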
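Review bot: in the doc/security/token_overview.md hunk `@@ -105,7 +105,7 @@`, the footnote immediately above the changed line, `1. Runner registration and authentication token don't provide direct access to repositories, but can be used to register and authenticate a new runner that may execute jobs which do have access to the repository`, lacks the terminating period that its neighbouring footnotes have, and `token don't` should be `tokens don't`; worth fixing while this list is being touched.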