-rw-r--r-- doc/api/members.md 33
-rw-r--r-- doc/development/geo.md 5
-rw-r--r-- doc/integration/bitbucket.md 2
-rw-r--r-- doc/integration/kerberos.md 1
-rw-r--r-- doc/integration/omniauth.md 3
-rw-r--r-- doc/integration/saml.md 1
-rw-r--r-- doc/integration/shibboleth.md 1
-rw-r--r-- doc/university/training/topics/subtree.md 8
-rw-r--r-- doc/user/application_security/container_scanning/index.md 5
-rw-r--r-- doc/user/group/saml_sso/index.md 2
10 files changed, 41 insertions, 20 deletions
diff --git a/doc/api/members.md b/doc/api/members.md
index ed6fb60f86c..e32f72e14e7 100644
--- a/doc/api/members.md
+++ b/doc/api/members.md
@@ -45,7 +45,8 @@ Example response:
"avatar_url": "https://www.gravatar.com/avatar/c2525a7f58ae3776070e44c106c48e15?s=80&d=identicon",
"web_url": "http://192.168.1.8:3000/root",
"expires_at": "2012-10-22T14:13:35Z",
- "access_level": 30
+ "access_level": 30,
+ "group_saml_identity": null
},
{
"id": 2,
@@ -55,7 +56,12 @@ Example response:
"avatar_url": "https://www.gravatar.com/avatar/c2525a7f58ae3776070e44c106c48e15?s=80&d=identicon",
"web_url": "http://192.168.1.8:3000/root",
"expires_at": "2012-10-22T14:13:35Z",
- "access_level": 30
+ "access_level": 30,
+ "group_saml_identity": {
+ "extern_uid":"ABC-1234567890",
+ "provider": "group_saml",
+ "saml_provider_id": 10
+ }
}
]
```
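Review bot: the new `group_saml_identity` object in this example response exposes a member's `extern_uid`, but none of the hunks in `doc/api/members.md` add prose saying when the field is populated rather than `null`, or which role is needed to see it; a short attribute description next to the examples would cover that. Minor: `"extern_uid":"ABC-1234567890"` is missing the space after the colon that the neighbouring keys use.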
@@ -94,7 +100,8 @@ Example response:
"avatar_url": "https://www.gravatar.com/avatar/c2525a7f58ae3776070e44c106c48e15?s=80&d=identicon",
"web_url": "http://192.168.1.8:3000/root",
"expires_at": "2012-10-22T14:13:35Z",
- "access_level": 30
+ "access_level": 30,
+ "group_saml_identity": null
},
{
"id": 2,
@@ -105,6 +112,11 @@ Example response:
"web_url": "http://192.168.1.8:3000/root",
"expires_at": "2012-10-22T14:13:35Z",
"access_level": 30
+ "group_saml_identity": {
+ "extern_uid":"ABC-1234567890",
+ "provider": "group_saml",
+ "saml_provider_id": 10
+ }
},
{
"id": 3,
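Review bot: the context line `"access_level": 30` directly above the added `"group_saml_identity": {` was left without a trailing comma, so this example response is no longer valid JSON. The other hunks in this file change that line to `"access_level": 30,`; do the same here.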
@@ -114,7 +126,8 @@ Example response:
"avatar_url": "https://www.gravatar.com/avatar/c2525a7f58ae3776070e44c106c48e15?s=80&d=identicon",
"web_url": "http://192.168.1.8:3000/root",
"expires_at": "2012-11-22T14:13:35Z",
- "access_level": 30
+ "access_level": 30,
+ "group_saml_identity": null
}
]
```
@@ -149,7 +162,8 @@ Example response:
"avatar_url": "https://www.gravatar.com/avatar/c2525a7f58ae3776070e44c106c48e15?s=80&d=identicon",
"web_url": "http://192.168.1.8:3000/root",
"access_level": 30,
- "expires_at": null
+ "expires_at": null,
+ "group_saml_identity": null
}
```
@@ -185,7 +199,8 @@ Example response:
"avatar_url": "https://www.gravatar.com/avatar/c2525a7f58ae3776070e44c106c48e15?s=80&d=identicon",
"web_url": "http://192.168.1.8:3000/root",
"access_level": 30,
- "expires_at": null
+ "expires_at": null,
+ "group_saml_identity": null
}
```
@@ -221,7 +236,8 @@ Example response:
"avatar_url": "https://www.gravatar.com/avatar/c2525a7f58ae3776070e44c106c48e15?s=80&d=identicon",
"web_url": "http://192.168.1.8:3000/root",
"expires_at": "2012-10-22T14:13:35Z",
- "access_level": 30
+ "access_level": 30,
+ "group_saml_identity": null
}
```
@@ -257,7 +273,8 @@ Example response:
"avatar_url": "https://www.gravatar.com/avatar/c2525a7f58ae3776070e44c106c48e15?s=80&d=identicon",
"web_url": "http://192.168.1.8:3000/root",
"expires_at": "2012-10-22T14:13:35Z",
- "access_level": 40
+ "access_level": 40,
+ "group_saml_identity": null
}
```
diff --git a/doc/development/geo.md b/doc/development/geo.md
index a7ce09f822f..c4ce9fed283 100644
--- a/doc/development/geo.md
+++ b/doc/development/geo.md
@@ -509,6 +509,11 @@ that need to be taken care of:
- Health Check. If we can perform some pre-cheсks and make node unhealthy if something is wrong, we should do that.
The `rake gitlab:geo:check` command has to be updated too.
+### Geo self-service framework (alpha)
+
+We started developing a new [Geo self-service framework (alpha)](geo/framework.md)
+which makes it a lot easier to add a new data type.
+
## History of communication channel
The communication channel has changed since first iteration, you can
diff --git a/doc/integration/bitbucket.md b/doc/integration/bitbucket.md
index 7cead234709..7a1bdf0d65c 100644
--- a/doc/integration/bitbucket.md
+++ b/doc/integration/bitbucket.md
@@ -89,8 +89,6 @@ you to use.
For Omnibus packages:
```ruby
- gitlab_rails['omniauth_enabled'] = true
-
gitlab_rails['omniauth_providers'] = [
{
"name" => "bitbucket",
diff --git a/doc/integration/kerberos.md b/doc/integration/kerberos.md
index 3998089a0e4..14f3bdae864 100644
--- a/doc/integration/kerberos.md
+++ b/doc/integration/kerberos.md
@@ -72,7 +72,6 @@ For source installations, make sure the `kerberos` gem group
1. Edit `/etc/gitlab/gitlab.rb`:
```ruby
- gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['kerberos']
gitlab_rails['kerberos_enabled'] = true
diff --git a/doc/integration/omniauth.md b/doc/integration/omniauth.md
index 286d06d52a8..c75a2a90c2a 100644
--- a/doc/integration/omniauth.md
+++ b/doc/integration/omniauth.md
@@ -80,9 +80,6 @@ To change these settings:
and change:
```ruby
- # Versions prior to 11.4 require this to be set to true
- # gitlab_rails['omniauth_enabled'] = nil
-
# CAUTION!
# This allows users to login without having a user account first. Define the allowed providers
# using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none.
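Review bot: the removed comment `# Versions prior to 11.4 require this to be set to true` is the only statement of the version requirement for `omniauth_enabled` visible in this patch, and the same commit drops the setting from the Bitbucket, Kerberos, SAML and Shibboleth examples. If these pages are still read by administrators on versions before 11.4, keep a one-line version note in prose instead of removing the hint entirely.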
diff --git a/doc/integration/saml.md b/doc/integration/saml.md
index 10319b83233..30ba390f5cd 100644
--- a/doc/integration/saml.md
+++ b/doc/integration/saml.md
@@ -37,7 +37,6 @@ in your SAML IdP:
For Omnibus package:
```ruby
- gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
```
diff --git a/doc/integration/shibboleth.md b/doc/integration/shibboleth.md
index 885a6fe59da..71ac6012ce6 100644
--- a/doc/integration/shibboleth.md
+++ b/doc/integration/shibboleth.md
@@ -71,7 +71,6 @@ The following changes are needed to enable Shibboleth:
gitlab_rails['omniauth_allow_single_sign_on'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
- gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_providers'] = [
{
"name" => "'shibboleth"',
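Review bot: the context line `"name" => "'shibboleth"',` just below the removed setting has mismatched quotes and is not valid Ruby as written. Since this block is being edited anyway, correct it to `"name" => "shibboleth",` in the same change.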
diff --git a/doc/university/training/topics/subtree.md b/doc/university/training/topics/subtree.md
index e1ee7b6a836..5b08832084c 100644
--- a/doc/university/training/topics/subtree.md
+++ b/doc/university/training/topics/subtree.md
@@ -11,11 +11,11 @@ comments: false
## Subtree Aliases
-- Add: `git subtree add --prefix <target-folder> <url> <branch> --squash`.
-- Pull: `git subtree add --prefix <target-folder> <url> <branch> --squash`.
-- Push: `git subtree add --prefix <target-folder> <url> <branch>`.
+- Add: `git subtree add --prefix <target-folder> <url> <branch> --squash`
+- Pull: `git subtree pull --prefix <target-folder> <url> <branch> --squash`
+- Push: `git subtree add --prefix <target-folder> <url> <branch>`
- Ex: `git config alias.sbp 'subtree pull --prefix st /
- git@gitlab.com:balameb/subtree-nested-example.git master --squash'`.
+ git@gitlab.com:balameb/subtree-nested-example.git master --squash'`
```shell
# Add an alias
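Review bot: the Push alias still reads `git subtree add --prefix <target-folder> <url> <branch>` after this change; only the Pull line was corrected to `git subtree pull`. Push should use `git subtree push`. The `Ex:` line also uses `/` where a shell line continuation would be `\`.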
diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md
index 861c0e53103..d779e2a9c38 100644
--- a/doc/user/application_security/container_scanning/index.md
+++ b/doc/user/application_security/container_scanning/index.md
@@ -170,6 +170,7 @@ using environment variables.
| `DOCKER_PASSWORD` | Password for accessing a Docker registry requiring authentication. | `$CI_REGISTRY_PASSWORD` |
| `CLAIR_OUTPUT` | Severity level threshold. Vulnerabilities with severity level higher than or equal to this threshold will be outputted. Supported levels are `Unknown`, `Negligible`, `Low`, `Medium`, `High`, `Critical` and `Defcon1`. | `Unknown` |
| `REGISTRY_INSECURE` | Allow [Klar](https://github.com/optiopay/klar) to access insecure registries (HTTP only). Should only be set to `true` when testing the image locally. | `"false"` |
+| `DOCKER_INSECURE` | Allow [Klar](https://github.com/optiopay/klar) to access secure Docker registries using HTTPS with bad (or self-signed) SSL certificates. | `"false"` |
| `CLAIR_VULNERABILITIES_DB_URL` | (**DEPRECATED - use `CLAIR_DB_CONNECTION_STRING` instead**) This variable is explicitly set in the [services section](https://gitlab.com/gitlab-org/gitlab/-/blob/898c5da43504eba87b749625da50098d345b60d6/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L23) of the `Container-Scanning.gitlab-ci.yml` file and defaults to `clair-vulnerabilities-db`. This value represents the address that the [Postgres server hosting the vulnerabilities definitions](https://hub.docker.com/r/arminc/clair-db) is running on and **shouldn't be changed** unless you're running the image locally as described in the [Running the standalone Container Scanning Tool](#running-the-standalone-container-scanning-tool) section. | `clair-vulnerabilities-db` |
| `CLAIR_DB_CONNECTION_STRING` | This variable represents the [connection string](https://www.postgresql.org/docs/9.3/libpq-connect.html#AEN39692) to the [Postgres server hosting the vulnerabilities definitions](https://hub.docker.com/r/arminc/clair-db) database and **shouldn't be changed** unless you're running the image locally as described in the [Running the standalone Container Scanning Tool](#running-the-standalone-container-scanning-tool) section. The host value for the connection string must match the [alias](https://gitlab.com/gitlab-org/gitlab/-/blob/898c5da43504eba87b749625da50098d345b60d6/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml#L23) value of the `Container-Scanning.gitlab-ci.yml` template file, which defaults to `clair-vulnerabilities-db`. | `postgresql://postgres:password@clair-vulnerabilities-db:5432/postgres?sslmode=disable&statement_timeout=60000` |
| `CI_APPLICATION_REPOSITORY` | Docker repository URL for the image to be scanned. | `$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG` |
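Review bot: the new `DOCKER_INSECURE` row has no caveat comparable to the one on `REGISTRY_INSECURE` ("Should only be set to `true` when testing the image locally"). Accepting bad or self-signed certificates means the registry's identity is not verified, so the description should say that and state when enabling it is appropriate.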
@@ -226,6 +227,10 @@ Container Scanning can be executed on an offline air-gapped GitLab Ultimate inst
CLAIR_DB_IMAGE: $CI_REGISTRY/namespace/clair-vulnerabilities-db
```
+1. If your local Docker container registry is running securely over `HTTPS`, but you're using a
+ self-signed certificate, then you must set `DOCKER_INSECURE: true` in the above
+ `container_scanning` section of your `.gitlab-ci.yml`.
+
It may be worthwhile to set up a [scheduled pipeline](../../project/pipelines/schedules.md) to automatically build a new version of the vulnerabilities database on a preset schedule. You can use the following `.gitlab-yml.ci` as a template:
```yaml
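Review bot: the added step writes `DOCKER_INSECURE: true` unquoted, while the variables table in the same file gives the default as `"false"`. Use one form consistently, for example `DOCKER_INSECURE: "true"`, so readers copying the value get the same type the table documents.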
diff --git a/doc/user/group/saml_sso/index.md b/doc/user/group/saml_sso/index.md
index 73ac54905e3..b09dba573f2 100644
--- a/doc/user/group/saml_sso/index.md
+++ b/doc/user/group/saml_sso/index.md
@@ -295,6 +295,8 @@ For convenience, we've included some [example resources](../../../administration
In troubleshooting the Group SAML setup, any authenticated user can use the API to verify the NameID GitLab already has linked to the user by visiting [https://gitlab.com/api/v4/user](https://gitlab.com/api/v4/user) and checking the `extern_uid` under identities.
+Similarly, group members of a role with the appropriate permissions can make use of the [members API](../../../api/members.md) to view group SAML identity information for members of the group.
+
This can then be compared to the [NameID](#nameid) being sent by the Identity Provider by decoding the message with a [SAML debugging tool](#saml-debugging-tools). We require that these match in order to identify users.
### Message: "SAML authentication failed: Extern uid has already been taken"
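Review bot: "group members of a role with the appropriate permissions" in the added sentence does not say which role is required to see group SAML identity information through the members API. Name the minimum role here or link to where it is defined, since the field carries the same `extern_uid` this section relies on to identify users.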