diff options
Diffstat (limited to 'doc/user/admin_area/settings/account_and_limit_settings.md')
| -rw-r--r-- | doc/user/admin_area/settings/account_and_limit_settings.md | 105 |
1 files changed, 81 insertions, 24 deletions
diff --git a/doc/user/admin_area/settings/account_and_limit_settings.md b/doc/user/admin_area/settings/account_and_limit_settings.md index c511e85f3ce..5868f20d0d8 100644 --- a/doc/user/admin_area/settings/account_and_limit_settings.md +++ b/doc/user/admin_area/settings/account_and_limit_settings.md @@ -9,7 +9,12 @@ type: reference ## Default projects limit -You can change the default maximum number of projects that users can create in their personal namespace: +You can configure the default maximum number of projects new users can create in their +personal namespace. This limit affects only new user accounts created after you change +the setting. This setting is not retroactive for existing users, but you can separately edit +the [project limits for existing users](#projects-limit-for-a-user). + +To configure the maximum number of projects in personal namespaces for new users: 1. On the top bar, select **Menu > Admin**. 1. On the left sidebar, select **Settings > General**, then expand **Account and limit**. @@ -18,6 +23,17 @@ You can change the default maximum number of projects that users can create in t If you set **Default projects limit** to 0, users are not allowed to create projects in their users personal namespace. However, projects can still be created in a group. +### Projects limit for a user + +You can edit a specific user, and change the maximum number of projects this user +can create in their personal namespace: + +1. On the top bar, select **Menu > Admin**. +1. On the left sidebar, select **Overview** > **Users**. +1. From the list of users, select a user. +1. Select **Edit**. +1. Increase or decrease the **Projects limit** value. + ## Max attachment size You can change the maximum file size for attachments in comments and replies in GitLab: @@ -59,21 +75,21 @@ If you choose a size larger than the configured value for the web server, you may receive errors. See the [troubleshooting section](#troubleshooting) for more details. -## Personal Access Token prefix +## Personal access token prefix -> [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/342327) in GitLab 14.5. Default prefix added. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20968) in GitLab 13.7. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/342327) in GitLab 14.5, a default prefix. -You can set a global prefix for all generated Personal Access Tokens. +You can specify a prefix for personal access tokens. You might use a prefix +to find tokens more quickly, or for use with automation tools. -A prefix can help you identify PATs visually, as well as with automation tools. +The default prefix is `glpat-` but administrators can change it. -NOTE: -For GitLab.com and self-managed instances, the default prefix is `glpat-`. +[Project access tokens](../../project/settings/project_access_tokens.md) also inherit this prefix. ### Set a prefix -Only a GitLab administrator can set the prefix, which is a global setting applied -to any PAT generated in the system by any user: +To change the default global prefix: 1. On the top bar, select **Menu > Admin**. 1. On the left sidebar, select **Settings > General**. @@ -81,8 +97,8 @@ to any PAT generated in the system by any user: 1. Fill in the **Personal Access Token prefix** field. 1. Click **Save changes**. -It is also possible to configure the prefix via the [settings API](../../../api/settings.md) -using the `personal_access_token_prefix` field. +You can also configure the prefix by using the +[settings API](../../../api/settings.md). ## Repository size limit **(PREMIUM SELF)** @@ -176,38 +192,46 @@ To set a limit on how long these sessions are valid: 1. Fill in the **Session duration for Git operations when 2FA is enabled (minutes)** field. 1. Click **Save changes**. -## Limit the lifetime of personal access tokens **(ULTIMATE SELF)** +## Limit the lifetime of SSH keys **(ULTIMATE SELF)** -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/3649) in GitLab 12.6. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/1007) in GitLab 14.6 [with a flag](../../../administration/feature_flags.md) named `ff_limit_ssh_key_lifetime`. Disabled by default. +> - [Enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/346753) in GitLab 14.6. + +FLAG: +On self-managed GitLab, by default this feature is available. To hide the feature, +ask an administrator to [disable the feature flag](../../../administration/feature_flags.md) named `ff_limit_ssh_key_lifetime`. +On GitLab.com, this feature is not available. Users can optionally specify a lifetime for -[personal access tokens](../../profile/personal_access_tokens.md). +[SSH keys](../../../ssh/index.md). This lifetime is not a requirement, and can be set to any arbitrary number of days. -Personal access tokens are the only tokens needed for programmatic access to GitLab. +SSH keys are user credentials to access GitLab. However, organizations with security requirements may want to enforce more protection by -requiring the regular rotation of these tokens. +requiring the regular rotation of these keys. ### Set a lifetime Only a GitLab administrator can set a lifetime. Leaving it empty means there are no restrictions. -To set a lifetime on how long personal access tokens are valid: +To set a lifetime on how long SSH keys are valid: 1. On the top bar, select **Menu > Admin**. 1. On the left sidebar, select **Settings > General**. 1. Expand the **Account and limit** section. -1. Fill in the **Maximum allowable lifetime for personal access tokens (days)** field. +1. Fill in the **Maximum allowable lifetime for SSH keys (days)** field. 1. Click **Save changes**. -Once a lifetime for personal access tokens is set, GitLab: +Once a lifetime for SSH keys is set, GitLab: -- Applies the lifetime for new personal access tokens, and require users to set an expiration date - and a date no later than the allowed lifetime. -- After three hours, revoke old tokens with no expiration date or with a lifetime longer than the - allowed lifetime. Three hours is given to allow administrators to change the allowed lifetime, - or remove it, before revocation takes place. +- Requires users to set an expiration date that is no later than the allowed lifetime on new + SSH keys. +- Applies the lifetime restriction to existing SSH keys. Keys with no expiry or a lifetime + greater than the maximum immediately become invalid. + +NOTE: +When a user's SSH key becomes invalid they can delete and re-add the same key again. ## Allow expired SSH keys to be used **(ULTIMATE SELF)** @@ -225,6 +249,39 @@ To allow the use of expired SSH keys: Disabling SSH key expiration immediately enables all expired SSH keys. +## Limit the lifetime of personal access tokens **(ULTIMATE SELF)** + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/3649) in GitLab 12.6. + +Users can optionally specify a lifetime for +[personal access tokens](../../profile/personal_access_tokens.md). +This lifetime is not a requirement, and can be set to any arbitrary number of days. + +Personal access tokens are the only tokens needed for programmatic access to GitLab. +However, organizations with security requirements may want to enforce more protection by +requiring the regular rotation of these tokens. + +### Set a lifetime + +Only a GitLab administrator can set a lifetime. Leaving it empty means +there are no restrictions. + +To set a lifetime on how long personal access tokens are valid: + +1. On the top bar, select **Menu > Admin**. +1. On the left sidebar, select **Settings > General**. +1. Expand the **Account and limit** section. +1. Fill in the **Maximum allowable lifetime for personal access tokens (days)** field. +1. Click **Save changes**. + +Once a lifetime for personal access tokens is set, GitLab: + +- Applies the lifetime for new personal access tokens, and require users to set an expiration date + and a date no later than the allowed lifetime. +- After three hours, revoke old tokens with no expiration date or with a lifetime longer than the + allowed lifetime. Three hours is given to allow administrators to change the allowed lifetime, + or remove it, before revocation takes place. + ## Allow expired Personal Access Tokens to be used **(ULTIMATE SELF)** > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214723) in GitLab 13.1. |