author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-01-20 21:14:18 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-01-20 21:14:18 +0000 |
commit | 76365117183054e95bbb2f3a6392ac333628eacf (patch) | |
tree | 579d45ed571d5f65ae0966e2b2badf91cb430cb1 /doc | |
parent | 39cb2fdf01699eb5ac000c918f469c58dc75f7e8 (diff) | |
download | gitlab-ce-76365117183054e95bbb2f3a6392ac333628eacf.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc')
-rw-r--r-- | doc/administration/audit_event_streaming.md | 14 | ||||
-rw-r--r-- | doc/api/graphql/reference/index.md | 1 | ||||
-rw-r--r-- | doc/ci/examples/authenticating-with-hashicorp-vault/index.md | 4 | ||||
-rw-r--r-- | doc/ci/secrets/index.md | 4 | ||||
-rw-r--r-- | doc/install/installation.md | 12 | ||||
-rw-r--r-- | doc/user/permissions.md | 104 | ||||
-rw-r--r-- | doc/user/project/code_owners.md | 2 |
7 files changed, 79 insertions, 62 deletions
diff --git a/doc/administration/audit_event_streaming.md b/doc/administration/audit_event_streaming.md index eac54416924..59918e5660a 100644 --- a/doc/administration/audit_event_streaming.md +++ b/doc/administration/audit_event_streaming.md @@ -13,7 +13,7 @@ FLAG: On self-managed GitLab, by default this feature is available. To hide the feature per group, ask an administrator to [disable the feature flag](../administration/feature_flags.md) named `ff_external_audit_events_namespace`. On GitLab.com, this feature is available. Event streaming allows owners of top-level groups to set an HTTP endpoint to receive **all** audit events about the group, and its -subgroups and projects. +subgroups and projects as structured JSON. Top-level group owners can manage their audit logs in third-party systems such as Splunk, using the Splunk [HTTP Event Collector](https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/UsetheHTTPEventCollector). Any service that can receive @@ -37,6 +37,7 @@ mutation { externalAuditEventDestination { destinationUrl group { + verificationToken name } } @@ -60,6 +61,7 @@ query { externalAuditEventDestinations { nodes { destinationUrl + verificationToken id } } @@ -68,3 +70,13 @@ query { ``` If the resulting list is empty, then audit event streaming is not enabled for that group. + +## Verify event authenticity + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/345424) in GitLab 14.8. + +Each streaming destination has a unique verification token (`verificationToken`) that can be used to verify the authenticity of the event. This +token is generated when the event destination is created and cannot be changed. + +Each streamed event contains a random alphanumeric identifier for the `X-Gitlab-Event-Streaming-Token` HTTP header that can be verified against +the destination's value when [listing streaming destinations](#list-currently-enabled-streaming-destinations). 
diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index 818192f5a2a..bb069e2ad66 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md @@ -10531,6 +10531,7 @@ Represents an external resource to send audit events to. | <a id="externalauditeventdestinationdestinationurl"></a>`destinationUrl` | [`String!`](#string) | External destination to send audit events to. | | <a id="externalauditeventdestinationgroup"></a>`group` | [`Group!`](#group) | Group the destination belongs to. | | <a id="externalauditeventdestinationid"></a>`id` | [`ID!`](#id) | ID of the destination. | +| <a id="externalauditeventdestinationverificationtoken"></a>`verificationToken` | [`String!`](#string) | Verification token to validate source of event. | ### `ExternalIssue` diff --git a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md index aed45951239..edc58684057 100644 --- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md +++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md @@ -1,6 +1,6 @@ --- -stage: Release -group: Release +stage: Verify +group: Pipeline Authoring info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: tutorial --- diff --git a/doc/ci/secrets/index.md b/doc/ci/secrets/index.md index c0a763c80f0..ea0c0d9cc84 100644 --- a/doc/ci/secrets/index.md +++ b/doc/ci/secrets/index.md @@ -1,6 +1,6 @@ --- -stage: Configure -group: Configure +stage: Verify +group: Pipeline Authoring info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: concepts, howto --- diff --git a/doc/install/installation.md b/doc/install/installation.md index f405bc40f43..898ff59585c 100644 
--- a/doc/install/installation.md +++ b/doc/install/installation.md @@ -1041,9 +1041,8 @@ To use GitLab with HTTPS: 1. Update `ssl_certificate` and `ssl_certificate_key`. 1. Review the configuration file and consider applying other security and performance enhancing features. -Using a self-signed certificate is discouraged but if you must use it, follow the normal directions. Then: - -1. Generate a self-signed SSL certificate: +Using a self-signed certificate is discouraged. If you must use one, +follow the normal directions and generate a self-signed SSL certificate: ```shell mkdir -p /etc/nginx/ssl/ @@ -1052,7 +1051,12 @@ Using a self-signed certificate is discouraged but if you must use it, follow th sudo chmod o-r gitlab.key ``` -1. In the `config.yml` of GitLab Shell set `self_signed_cert` to `true`. +WARNING: +The `self_signed_cert` variable is +[deprecated and redundant](https://gitlab.com/gitlab-org/gitlab-shell/-/issues/120). +It is set to `false` by default, but still accepts self-signed certificates. Setting +this value to `true` allows any certificate to be accepted, and can make +machine-in-the-middle attacks possible. ### Enable Reply by email diff --git a/doc/user/permissions.md b/doc/user/permissions.md index 36c49e39151..5efb31868e6 100644 --- a/doc/user/permissions.md +++ b/doc/user/permissions.md 
@@ -73,8 +73,7 @@ The following table lists project permissions available for each role: | [CI/CD](../ci/index.md):<br>View a job with [debug logging](../ci/variables/index.md#debug-logging) | | | ✓ | ✓ | ✓ | | [CI/CD](../ci/index.md):<br>Manage CI/CD variables | | | | ✓ | ✓ | | [CI/CD](../ci/index.md):<br>Manage job triggers | | | | ✓ | ✓ | -| [CI/CD](../ci/index.md):<br>Manage group runners | | | | | ✓ | -| [CI/CD](../ci/index.md):<br>Manage project runners | | | | ✓ | ✓ | +| [CI/CD](../ci/index.md):<br>Manage runners | | | | ✓ | ✓ | | [CI/CD](../ci/index.md):<br>Run Web IDE's Interactive Web Terminals **(ULTIMATE ONLY)** | | | | ✓ | ✓ | | [CI/CD](../ci/index.md):<br>Use [environment terminals](../ci/environments/index.md#web-terminals-deprecated) | | | | ✓ | ✓ | | [CI/CD](../ci/index.md):<br>Delete pipelines | | | | | ✓ | 
@@ -293,56 +292,57 @@ The following table lists group permissions available for each role: <!-- Keep this table sorted: first, by minimum role, then alphabetically. --> -| Action | Guest | Reporter | Developer | Maintainer | Owner | -|--------------------------------------------------------|-------|----------|-----------|------------|-------| -| Browse group | ✓ | ✓ | ✓ | ✓ | ✓ | -| Edit SAML SSO Billing **(PREMIUM SAAS)** | ✓ | ✓ | ✓ | ✓ | ✓ (4) | -| Pull a container image using the dependency proxy | ✓ | ✓ | ✓ | ✓ | ✓ | -| View Contribution analytics | ✓ | ✓ | ✓ | ✓ | ✓ | -| View group epic **(PREMIUM)** | ✓ | ✓ | ✓ | ✓ | ✓ | -| View group wiki pages **(PREMIUM)** | ✓ (6) | ✓ | ✓ | ✓ | ✓ | -| View Insights **(ULTIMATE)** | ✓ | ✓ | ✓ | ✓ | ✓ | -| View Insights charts **(ULTIMATE)** | ✓ | ✓ | ✓ | ✓ | ✓ | -| View Issue analytics **(PREMIUM)** | ✓ | ✓ | ✓ | ✓ | ✓ | -| View Value Stream analytics | ✓ | ✓ | ✓ | ✓ | ✓ | -| Create/edit group epic **(PREMIUM)** | | ✓ | ✓ | ✓ | ✓ | -| Create/edit/delete epic boards **(PREMIUM)** | | ✓ | ✓ | ✓ | ✓ | -| Manage group labels | | ✓ | ✓ | ✓ | ✓ | -| Pull [packages](packages/index.md) | | ✓ | ✓ | ✓ | ✓ | -| View a container registry | | ✓ | ✓ | ✓ | ✓ | -| View Group DevOps Adoption **(ULTIMATE)** | | ✓ | ✓ | ✓ | ✓ | -| View metrics dashboard annotations | | ✓ | ✓ | ✓ | ✓ | -| View Productivity analytics **(PREMIUM)** | | ✓ | ✓ | ✓ | ✓ | -| Create and edit group wiki pages **(PREMIUM)** | | | ✓ | ✓ | ✓ | -| Create project in group | | | ✓ (3)(5) | ✓ (3) | ✓ (3) | -| Create/edit/delete group milestones | | | ✓ | ✓ | ✓ | -| Create/edit/delete iterations | | | ✓ | ✓ | ✓ | -| Create/edit/delete metrics dashboard annotations | | | ✓ | ✓ | ✓ | -| Enable/disable a dependency proxy | | | ✓ | ✓ | ✓ | -| Purge the dependency proxy for a group | | | | | ✓ | -| Publish [packages](packages/index.md) | | | ✓ | ✓ | ✓ | -| Use security dashboard **(ULTIMATE)** | | | ✓ | ✓ | ✓ | -| View group Audit Events | | | ✓ (7) | ✓ (7) | ✓ | -| Create 
subgroup | | | | ✓ (1) | ✓ | -| Delete group wiki pages **(PREMIUM)** | | | ✓ | ✓ | ✓ | -| Edit epic comments (posted by any user) **(ULTIMATE)** | | | | ✓ (2) | ✓ (2) | -| List group deploy tokens | | | | ✓ | ✓ | -| Manage [group push rules](group/index.md#group-push-rules) **(PREMIUM)** | | | | ✓ | ✓ | -| View/manage group-level Kubernetes cluster | | | | ✓ | ✓ | -| Administer project compliance frameworks | | | | | ✓ | -| Create/Delete group deploy tokens | | | | | ✓ | -| Change group visibility level | | | | | ✓ | -| Delete group | | | | | ✓ | -| Delete group epic **(PREMIUM)** | | | | | ✓ | -| Disable notification emails | | | | | ✓ | -| Edit group settings | | | | | ✓ | -| Filter members by 2FA status | | | | | ✓ | -| Manage group level CI/CD variables | | | | | ✓ | -| Manage group members | | | | | ✓ | -| Share (invite) groups with groups | | | | | ✓ | -| View 2FA status of members | | | | | ✓ | -| View Billing **(FREE SAAS)** | | | | | ✓ (4) | -| View Usage Quotas **(FREE SAAS)** | | | | | ✓ (4) | +| Action | Guest | Reporter | Developer | Maintainer | Owner | +|--------------------------------------------------------------------------|-------|----------|-----------|------------|-------| +| Browse group | ✓ | ✓ | ✓ | ✓ | ✓ | +| Edit SAML SSO Billing **(PREMIUM SAAS)** | ✓ | ✓ | ✓ | ✓ | ✓ (4) | +| Pull a container image using the dependency proxy | ✓ | ✓ | ✓ | ✓ | ✓ | +| View Contribution analytics | ✓ | ✓ | ✓ | ✓ | ✓ | +| View group epic **(PREMIUM)** | ✓ | ✓ | ✓ | ✓ | ✓ | +| View group wiki pages **(PREMIUM)** | ✓ (6) | ✓ | ✓ | ✓ | ✓ | +| View Insights **(ULTIMATE)** | ✓ | ✓ | ✓ | ✓ | ✓ | +| View Insights charts **(ULTIMATE)** | ✓ | ✓ | ✓ | ✓ | ✓ | +| View Issue analytics **(PREMIUM)** | ✓ | ✓ | ✓ | ✓ | ✓ | +| View Value Stream analytics | ✓ | ✓ | ✓ | ✓ | ✓ | +| Create/edit group epic **(PREMIUM)** | | ✓ | ✓ | ✓ | ✓ | +| Create/edit/delete epic boards **(PREMIUM)** | | ✓ | ✓ | ✓ | ✓ | +| Manage group labels | | ✓ | ✓ | ✓ | ✓ | +| Pull 
[packages](packages/index.md) | | ✓ | ✓ | ✓ | ✓ | +| View a container registry | | ✓ | ✓ | ✓ | ✓ | +| View Group DevOps Adoption **(ULTIMATE)** | | ✓ | ✓ | ✓ | ✓ | +| View metrics dashboard annotations | | ✓ | ✓ | ✓ | ✓ | +| View Productivity analytics **(PREMIUM)** | | ✓ | ✓ | ✓ | ✓ | +| Create and edit group wiki pages **(PREMIUM)** | | | ✓ | ✓ | ✓ | +| Create project in group | | | ✓ (3)(5) | ✓ (3) | ✓ (3) | +| Create/edit/delete group milestones | | | ✓ | ✓ | ✓ | +| Create/edit/delete iterations | | | ✓ | ✓ | ✓ | +| Create/edit/delete metrics dashboard annotations | | | ✓ | ✓ | ✓ | +| Enable/disable a dependency proxy | | | ✓ | ✓ | ✓ | +| Purge the dependency proxy for a group | | | | | ✓ | +| Publish [packages](packages/index.md) | | | ✓ | ✓ | ✓ | +| Use security dashboard **(ULTIMATE)** | | | ✓ | ✓ | ✓ | +| View group Audit Events | | | ✓ (7) | ✓ (7) | ✓ | +| Create subgroup | | | | ✓ (1) | ✓ | +| Delete group wiki pages **(PREMIUM)** | | | ✓ | ✓ | ✓ | +| Edit epic comments (posted by any user) **(ULTIMATE)** | | | | ✓ (2) | ✓ (2) | +| List group deploy tokens | | | | ✓ | ✓ | +| Manage [group push rules](group/index.md#group-push-rules) **(PREMIUM)** | | | | ✓ | ✓ | +| View/manage group-level Kubernetes cluster | | | | ✓ | ✓ | +| Administer project compliance frameworks | | | | | ✓ | +| Create/Delete group deploy tokens | | | | | ✓ | +| Change group visibility level | | | | | ✓ | +| Delete group | | | | | ✓ | +| Delete group epic **(PREMIUM)** | | | | | ✓ | +| Disable notification emails | | | | | ✓ | +| Edit group settings | | | | | ✓ | +| Filter members by 2FA status | | | | | ✓ | +| Manage group level CI/CD variables | | | | | ✓ | +| Manage group members | | | | | ✓ | +| Share (invite) groups with groups | | | | | ✓ | +| View 2FA status of members | | | | | ✓ | +| View Billing **(FREE SAAS)** | | | | | ✓ (4) | +| View Usage Quotas **(FREE SAAS)** | | | | | ✓ (4) | +| Manage runners | | | | | ✓ | 1. 
Groups can be set to [allow either Owners or Owners and Maintainers to create subgroups](group/subgroups/index.md#creating-a-subgroup) diff --git a/doc/user/project/code_owners.md b/doc/user/project/code_owners.md index 4068d8e056c..eb18834cc6b 100644 --- a/doc/user/project/code_owners.md +++ b/doc/user/project/code_owners.md @@ -281,7 +281,7 @@ README.md @docs ### Approvals shown as optional -A Code Owner approval rule is optional if these conditions are not met: +A Code Owner approval rule is optional if any of these conditions are true: - The user or group are not a member of the project or parent group. - [Code Owner approval on a protected branch](protected_branches.md#require-code-owner-approval-on-a-protected-branch) has not been set up. |
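Review bot: In the `@@ -37,6 +37,7 @@` hunk of doc/administration/audit_event_streaming.md, `verificationToken` is added inside the `group { ... }` selection of the example mutation, next to `name`. The doc/api/graphql/reference/index.md hunk in this same commit documents `verificationToken` on the type described as "Represents an external resource to send audit events to", alongside `destinationUrl`, `group` and `id`, and the list query hunk at `@@ -61,6 +61,7 @@` selects it directly under `nodes`. Move the field up one level so it sits beside `destinationUrl`. As written, the example asks the group for a field this patch documents on the destination.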
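Review bot: The second paragraph of the new "Verify event authenticity" section in doc/administration/audit_event_streaming.md can be read as saying every event carries its own random value ("Each streamed event contains a random alphanumeric identifier for the `X-Gitlab-Event-Streaming-Token` HTTP header"), while the first paragraph says the token is generated once per destination and cannot be changed. State directly that the header carries the destination's `verificationToken` and that the receiver should compare the two. Because the text says the token cannot be changed, it would also help to say what a group owner should do if the token is exposed.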
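Review bot: The new WARNING in the `@@ -1052,7 +1051,12 @@` hunk of doc/install/installation.md explains what `self_signed_cert` does but gives the reader no instruction, even though it replaces a step that told them to set the value to `true`. Add an explicit recommendation, for example to leave `self_signed_cert` at its default of `false`, so that anyone who followed the earlier step knows to revert it. The sentence "It is set to `false` by default, but still accepts self-signed certificates" would also be clearer if it named what accepts them (GitLab Shell, per the removed line).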
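Review bot: The row label "Manage runners" introduced in the `@@ -73,8 +73,7 @@` hunk of doc/user/permissions.md is ambiguous, because the group permissions table in this same patch gains a row with the identical label but a different minimum role (Owner only, versus Maintainer and Owner here). The removed rows distinguished "Manage group runners" from "Manage project runners". Consider keeping "Manage project runners" in the project table and using "Manage group runners" in the group table so the two rows cannot be confused.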
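Review bot: The new `| Manage runners | | | | | ✓ |` row in the `@@ -293,56 +292,57 @@` hunk of doc/user/permissions.md is appended after "View Usage Quotas", which goes against the comment at the top of the table: "Keep this table sorted: first, by minimum role, then alphabetically." Among the Owner-only rows it belongs after "Manage group members" and before "Share (invite) groups with groups". The rest of the hunk only re-pads the columns, so placing the one new row in order would also make the substantive change easier to spot in review.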