From edaa33dee2ff2f7ea3fac488d41558eb5f86d68c Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Thu, 20 Jan 2022 09:16:11 +0000
Subject: Add latest changes from gitlab-org/gitlab@14-7-stable-ee
---
 doc/security/asset_proxy.md | 2 +-
 doc/security/crime_vulnerability.md | 2 +-
 doc/security/img/unlock_user_v14_7.png | Bin 0 -> 31666 bytes
 doc/security/index.md | 2 +-
 doc/security/information_exclusivity.md | 2 +-
 doc/security/password_length_limits.md | 2 +-
 doc/security/password_storage.md | 2 +-
 ...swords_for_integrated_authentication_methods.md | 2 +-
 ...ject_import_decompressed_archive_size_limits.md | 2 +-
 doc/security/rack_attack.md | 9 -------
 doc/security/rate_limits.md | 29 ++++++++++++++++++++-
 doc/security/reset_user_password.md | 8 +++---
 doc/security/ssh_keys_restrictions.md | 2 +-
 doc/security/token_overview.md | 24 +++++++++--------
 doc/security/two_factor_authentication.md | 6 ++---
 doc/security/unlock_user.md | 20 +++++++++++---
 doc/security/user_email_confirmation.md | 2 +-
 doc/security/user_file_uploads.md | 2 +-
 doc/security/webhooks.md | 5 ++--
 19 files changed, 79 insertions(+), 44 deletions(-)
 create mode 100644 doc/security/img/unlock_user_v14_7.png
 delete mode 100644 doc/security/rack_attack.md
(limited to 'doc/security')
diff --git a/doc/security/asset_proxy.md b/doc/security/asset_proxy.md
index 6c3bce939df..45c1c71158a 100644
--- a/doc/security/asset_proxy.md
+++ b/doc/security/asset_proxy.md
@@ -1,6 +1,6 @@
 ---
 stage: Manage
-group: Access
+group: Authentication & Authorization
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 ---
diff --git a/doc/security/crime_vulnerability.md b/doc/security/crime_vulnerability.md
index 801a294dd81..1abb0c9e918 100644
--- a/doc/security/crime_vulnerability.md
+++ b/doc/security/crime_vulnerability.md
@@ -1,6 +1,6 @@
 ---
 stage: Manage
-group: Access
+group: Authentication & Authorization
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 type: reference
 ---
diff --git a/doc/security/img/unlock_user_v14_7.png b/doc/security/img/unlock_user_v14_7.png
new file mode 100644
index 00000000000..51015d932cb
Binary files /dev/null and b/doc/security/img/unlock_user_v14_7.png differ
diff --git a/doc/security/index.md b/doc/security/index.md
index 832af93b95e..ab554e9135f 100644
--- a/doc/security/index.md
+++ b/doc/security/index.md
@@ -1,6 +1,6 @@
 ---
 stage: Manage
-group: Access
+group: Authentication & Authorization
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 comments: false
 type: index
diff --git a/doc/security/information_exclusivity.md b/doc/security/information_exclusivity.md
index 162346c8874..07b5a688671 100644
--- a/doc/security/information_exclusivity.md
+++ b/doc/security/information_exclusivity.md
@@ -1,6 +1,6 @@
 ---
 stage: Manage
-group: Access
+group: Authentication & Authorization
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 type: concepts
 ---
diff --git a/doc/security/password_length_limits.md b/doc/security/password_length_limits.md
index bedf2ac3ab1..1cfff358c9d 100644
--- a/doc/security/password_length_limits.md
+++ b/doc/security/password_length_limits.md
@@ -1,6 +1,6 @@
 ---
 stage: Manage
-group: Access
+group: Authentication & Authorization
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 type: reference, howto
 ---
diff --git a/doc/security/password_storage.md b/doc/security/password_storage.md
index 7d8ac3bad39..6b71933b1ae 100644
--- a/doc/security/password_storage.md
+++ b/doc/security/password_storage.md
@@ -1,6 +1,6 @@
 ---
 stage: Manage
-group: Access
+group: Authentication & Authorization
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 type: reference
 ---
diff --git a/doc/security/passwords_for_integrated_authentication_methods.md b/doc/security/passwords_for_integrated_authentication_methods.md
index 9931fd56e83..7281b310a30 100644
--- a/doc/security/passwords_for_integrated_authentication_methods.md
+++ b/doc/security/passwords_for_integrated_authentication_methods.md
@@ -1,6 +1,6 @@
 ---
 stage: Manage
-group: Access
+group: Authentication & Authorization
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 type: reference
 ---
diff --git a/doc/security/project_import_decompressed_archive_size_limits.md b/doc/security/project_import_decompressed_archive_size_limits.md
index 3c5099b1f75..9727ba1c5f0 100644
--- a/doc/security/project_import_decompressed_archive_size_limits.md
+++ b/doc/security/project_import_decompressed_archive_size_limits.md
@@ -1,6 +1,6 @@
 ---
 stage: Manage
-group: Access
+group: Authentication & Authorization
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 type: reference, howto
 ---
diff --git a/doc/security/rack_attack.md b/doc/security/rack_attack.md
deleted file mode 100644
index a8b55007d2e..00000000000
--- a/doc/security/rack_attack.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-redirect_to: '../user/admin_area/settings/protected_paths.md'
-remove_date: '2022-01-14'
----
-
-This document was moved to [another location](../user/admin_area/settings/protected_paths.md).
-
-
-
diff --git a/doc/security/rate_limits.md b/doc/security/rate_limits.md
index 9d49297c9de..14fc526ca7e 100644
--- a/doc/security/rate_limits.md
+++ b/doc/security/rate_limits.md
@@ -1,6 +1,6 @@
 ---
 stage: Manage
-group: Access
+group: Authentication & Authorization
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 type: reference, howto
 ---
@@ -87,6 +87,33 @@ There is a rate limit for [testing webhooks](../user/project/integrations/webhoo
 The **rate limit** is 5 requests per minute per user.
+### Users sign up
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77835) in GitLab 14.7.
+
+There is a rate limit per IP address on the `/users/sign_up` endpoint. This is to mitigate attempts to misuse the endpoint. For example, to mass
+discover usernames or email addresses in use.
+
+The **rate limit** is 20 calls per minute per IP address.
+
+### Update username
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77221) in GitLab 14.7.
+
+There is a rate limit on the update username action. This is enforced to mitigate misuse of the feature. For example, to mass discover
+which usernames are in use.
+
+The **rate limit** is 10 calls per minute per signed-in user.
+
+### Username exists
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77119) in GitLab 14.7.
+
+There is a rate limit for the internal endpoint `/users/:username/exists`, used by registration to perform a client-side validation for
+uniqueness of the chosen username. This is to mitigate the risk of misuses, such as mass discovery of usernames in use.
+
+The **rate limit** is 20 calls per minute per IP address.
+
 ## Troubleshooting
 ### Rack Attack is denylisting the load balancer
diff --git a/doc/security/reset_user_password.md b/doc/security/reset_user_password.md
index a61660f6a2f..f67b1934dc5 100644
--- a/doc/security/reset_user_password.md
+++ b/doc/security/reset_user_password.md
@@ -1,6 +1,6 @@
 ---
 stage: Manage
-group: Access
+group: Authentication & Authorization
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 type: howto
 ---
@@ -68,12 +68,12 @@ If you know the username, user ID, or email address, you can use the Rails conso
 user = User.find(123)
 ```
- - By email address:
+ - By email address:
 ```ruby
 user = User.find_by(email: 'user@example.com')
 ```
-
+
 1. Reset the password:
 ```ruby
@@ -105,7 +105,7 @@ To reset the root password, follow the steps listed previously.
 - If the root account name hasn't changed, use the username `root`.
 - If the root account name has changed and you don't know the new username,
-  you might be able to use a Rails console with user ID `1`. In almost all
+  you might be able to use a Rails console with user ID `1`. In almost all
 cases, the first user is the default administrator account.
 ## Troubleshooting
diff --git a/doc/security/ssh_keys_restrictions.md b/doc/security/ssh_keys_restrictions.md
index 1f1c7457441..a7d852e2754 100644
--- a/doc/security/ssh_keys_restrictions.md
+++ b/doc/security/ssh_keys_restrictions.md
@@ -1,7 +1,7 @@
 ---
 type: reference, howto
 stage: Manage
-group: Access
+group: Authentication & Authorization
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 ---
diff --git a/doc/security/token_overview.md b/doc/security/token_overview.md
index 333548fa1c9..578bb03563f 100644
--- a/doc/security/token_overview.md
+++ b/doc/security/token_overview.md
@@ -1,6 +1,6 @@
 ---
 stage: Manage
-group: Access
+group: Authentication & Authorization
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 type: reference
 ---
@@ -93,17 +93,19 @@ This table shows available scopes per token. Scopes can be limited further on to
 | | API access | Registry access | Repository access |
 |-----------------------------|------------|-----------------|-------------------|
-| Personal access token | ✅ | ✅ | ✅ |
-| OAuth2 token | ✅ | 🚫 | ✅ |
-| Impersonation token | ✅ | ✅ | ✅ |
-| Project access token | ✅(1) | ✅(1) | ✅(1) |
-| Deploy token | 🚫 | ✅ | ✅ |
-| Deploy key | 🚫 | 🚫 | ✅ |
-| Runner registration token | 🚫 | 🚫 | ✴️(2) |
-| Runner authentication token | 🚫 | 🚫 | ✴️(2) |
-| Job token | ✴️(3) | 🚫 | ✅ |
+| Personal access token | ✅ | ✅ | ✅ |
+| OAuth2 token | ✅ | 🚫 | ✅ |
+| Impersonation token | ✅ | ✅ | ✅ |
+| Project access token | ✅(1) | ✅(1) | ✅(1) |
+| Group access token | ✅(2) | ✅(2) | ✅(2) |
+| Deploy token | 🚫 | ✅ | ✅ |
+| Deploy key | 🚫 | 🚫 | ✅ |
+| Runner registration token | 🚫 | 🚫 | ✴️(3) |
+| Runner authentication token | 🚫 | 🚫 | ✴️(3) |
+| Job token | ✴️(4) | 🚫 | ✅ |
 1. Limited to the one project.
+1. Limited to the one group.
 1. Runner registration and authentication token don't provide direct access to repositories, but can be used to register and authenticate a new runner that may execute jobs which do have access to the repository
 1. Limited to certain [endpoints](../ci/jobs/ci_job_token.md).
@@ -113,7 +115,7 @@ Access tokens should be treated like passwords and kept secure.
 Adding them to URLs is a security risk. This is especially true when cloning or adding a remote, as Git then writes the URL to its `.git/config` file in plain text.
 URLs are also generally logged by proxies and application servers, which makes those credentials visible to system administrators.
-Instead, API calls can be passed an access token using headers, like [the `Private-Token` header](../api/index.md#personalproject-access-tokens).
+Instead, API calls can be passed an access token using headers, like [the `Private-Token` header](../api/index.md#personalprojectgroup-access-tokens).
 Tokens can also be stored using a [Git credential storage](https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage).
diff --git a/doc/security/two_factor_authentication.md b/doc/security/two_factor_authentication.md
index 61b26204599..b83d81722fa 100644
--- a/doc/security/two_factor_authentication.md
+++ b/doc/security/two_factor_authentication.md
@@ -1,7 +1,7 @@
 ---
 type: howto
 stage: Manage
-group: Access
+group: Authentication & Authorization
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 ---
@@ -49,7 +49,7 @@ Gitlab::CurrentSettings.update!('require_two_factor_authentication': false)
 To enforce 2FA only for certain groups:
 1. Go to the group's **Settings > General** page.
-1. Expand the **Permissions, LFS, 2FA** section.
+1. Expand the **Permissions and group features** section.
 1. Select the **Require all users in this group to set up two-factor authentication** option.
 You can also specify a grace period in the **Time before enforced** option.
@@ -76,7 +76,7 @@ The following are important notes about 2FA:
 groups) the shortest grace period is used.
 - It is possible to disallow subgroups from setting up their own 2FA requirements:
 1. Go to the top-level group's **Settings > General**.
-  1. Expand the **Permissions, LFS, 2FA** section.
+  1. Expand the **Permissions and group features** section.
 1. Uncheck the **Allow subgroups to set up their own two-factor authentication rule** field.
 This action causes all subgroups with 2FA requirements to stop requiring that from their members.
diff --git a/doc/security/unlock_user.md b/doc/security/unlock_user.md
index ceb375a9ad1..057d4e87efa 100644
--- a/doc/security/unlock_user.md
+++ b/doc/security/unlock_user.md
@@ -1,13 +1,27 @@
 ---
 stage: Manage
-group: Access
+group: Authentication & Authorization
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 type: howto
 ---
-# How to unlock a locked user from the command line **(FREE SELF)**
+# Locked users **(FREE SELF)**
-After ten failed login attempts a user gets in a locked state.
+Users are locked after ten failed sign-in attempts. These users remain locked:
+
+- For 10 minutes, after which time they are automatically unlocked.
+- Until an admin unlocks them from the [Admin Area](../user/admin_area/index.md) or the command line in under 10 minutes.
+
+## Unlock a user from the Admin Area
+
+1. On the top bar, select **Menu > Admin**.
+1. On the left sidebar, select **Overview > Users**.
+1. Use the search bar to find the locked user.
+1. From the **User administration** dropdown select **Unlock**.
+
+![Unlock a user from the Admin Area](img/unlock_user_v14_7.png)
+
+## Unlock a user from the command line
 To unlock a locked user:
diff --git a/doc/security/user_email_confirmation.md b/doc/security/user_email_confirmation.md
index 48538e413b4..8baddaf1383 100644
--- a/doc/security/user_email_confirmation.md
+++ b/doc/security/user_email_confirmation.md
@@ -1,7 +1,7 @@
 ---
 type: howto
 stage: Manage
-group: Access
+group: Authentication & Authorization
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 ---
diff --git a/doc/security/user_file_uploads.md b/doc/security/user_file_uploads.md
index 7a8a78cc5f8..734a4cde7e8 100644
--- a/doc/security/user_file_uploads.md
+++ b/doc/security/user_file_uploads.md
@@ -1,7 +1,7 @@
 ---
 type: reference
 stage: Manage
-group: Access
+group: Authentication & Authorization
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 ---
diff --git a/doc/security/webhooks.md b/doc/security/webhooks.md
index 47ef90cbe55..621e6d595bf 100644
--- a/doc/security/webhooks.md
+++ b/doc/security/webhooks.md
@@ -1,6 +1,6 @@
 ---
 stage: Manage
-group: Access
+group: Authentication & Authorization
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 type: concepts, reference, howto
 ---
@@ -74,7 +74,8 @@ allowlist:
 The allowed entries can be separated by semicolons, commas or whitespaces (including newlines) and be in different formats like hostnames, IP addresses and/or IP ranges. IPv6 is supported. Hostnames that contain Unicode characters should
-use Internationalising Domain Names in Applications (IDNA) encoding.
+use [Internationalized Domain Names in Applications](https://www.icann.org/resources/pages/glossary-2014-02-04-en#i)
+(IDNA) encoding.
 The allowlist can hold a maximum of 1000 entries. Each entry can be a maximum of 255 characters.
--
cgit v1.2.1