gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
author: GitLab Bot <gitlab-bot@gitlab.com> 2024-01-15 06:08:18 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2024-01-15 06:08:18 +0300
commit: d0830d520a7eb2be16338f7f36158b522deb68ec
tree: 696c2ce12ea90c0a058ef858b0c9a2bc719fc7a8
parent: c128583804dcb38f67d6e2f1fcd628c0739675b2
Add latest changes from gitlab-org/gitlab@master
-rw-r--r-- GITALY_SERVER_VERSION 2
-rw-r--r-- app/assets/javascripts/groups/settings/api/access_dropdown_api.js 7
-rw-r--r-- app/assets/javascripts/groups/settings/components/access_dropdown.vue 6
-rw-r--r-- db/docs/agent_user_access_group_authorizations.yml 13
-rw-r--r-- doc/administration/reference_architectures/5k_users.md 2
-rw-r--r-- doc/api/graphql/getting_started.md 8
-rw-r--r-- doc/api/graphql/index.md 71
7 files changed, 98 insertions, 11 deletions
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index e6960b59d9d..76fdacd6b09 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-7a5df4f668644c2fefd7fda1ff6050eb8b68933b
+a22e2401ee6aa35ae70ca67013264b72fc29b6f5
diff --git a/app/assets/javascripts/groups/settings/api/access_dropdown_api.js b/app/assets/javascripts/groups/settings/api/access_dropdown_api.js
index 5560d10d179..37f95a7ab30 100644
--- a/app/assets/javascripts/groups/settings/api/access_dropdown_api.js
+++ b/app/assets/javascripts/groups/settings/api/access_dropdown_api.js
@@ -7,10 +7,15 @@ const buildUrl = (urlRoot, url) => {
return joinPaths(urlRoot, url);
};
-export const getSubGroups = () => {
+const defaultOptions = { includeParentDescendants: false };
+
+export const getSubGroups = (options = defaultOptions) => {
+ const { includeParentDescendants } = options;
+
return axios.get(buildUrl(gon.relative_url_root || '', GROUP_SUBGROUPS_PATH), {
params: {
group_id: gon.current_group_id,
+ include_parent_descendants: includeParentDescendants,
},
});
};
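Review bot: In `getSubGroups`, the default only applies when the whole `options` argument is omitted; a caller that passes `{}` or an object without the key gets `includeParentDescendants` as `undefined`, so `include_parent_descendants` is not sent as `false`. Destructuring with a per-key default, `({ includeParentDescendants = false } = {})`, closes that gap and makes the module-level `defaultOptions` unnecessary. Judging by its name the new parameter widens the set of groups the endpoint returns, and the server-side handling is not part of this diff, so the description should point to where the endpoint checks that the caller is allowed to see those groups.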
diff --git a/app/assets/javascripts/groups/settings/components/access_dropdown.vue b/app/assets/javascripts/groups/settings/components/access_dropdown.vue
index 457a2db174c..fee1383c8e2 100644
--- a/app/assets/javascripts/groups/settings/components/access_dropdown.vue
+++ b/app/assets/javascripts/groups/settings/components/access_dropdown.vue
@@ -93,7 +93,11 @@ export default {
this.loading = true;
if (this.hasLicense) {
- Promise.all([this.groups.length ? Promise.resolve({ data: this.groups }) : getSubGroups()])
+ Promise.all([
+ this.groups.length
+ ? Promise.resolve({ data: this.groups })
+ : getSubGroups({ includeParentDescendants: true }),
+ ])
.then(([groupsResponse]) => {
this.consolidateData(groupsResponse.data);
this.setSelected({ initial });
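Review bot: The call in the `hasLicense` branch hard-codes `includeParentDescendants: true`, so every use of this access dropdown now asks for the parent's descendants whenever `this.groups` is empty, while a pre-populated `this.groups` skips the request and keeps whatever list the caller supplied. If both paths are meant to offer the same set of groups, say so in a comment or drive the flag from a prop, and cover the new argument in the component spec. Separately, `Promise.all` around a one-element array adds nothing; since these lines were being reformatted anyway, the promise could be used directly.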
diff --git a/db/docs/agent_user_access_group_authorizations.yml b/db/docs/agent_user_access_group_authorizations.yml
index cd4df56d5a0..d6982789cff 100644
--- a/db/docs/agent_user_access_group_authorizations.yml
+++ b/db/docs/agent_user_access_group_authorizations.yml
@@ -4,7 +4,16 @@ classes:
- Clusters::Agents::Authorizations::UserAccess::GroupAuthorization
feature_categories:
- deployment_management
-description: Configuration for a group that is authorized to use a particular cluster agent through user_access keyword
+description: Configuration for a group that is authorized to use a particular cluster
+ agent through user_access keyword
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/116901
milestone: '15.11'
-gitlab_schema: gitlab_main
+gitlab_schema: gitlab_main_cell
+allow_cross_joins:
+- gitlab_main_clusterwide
+allow_cross_transactions:
+- gitlab_main_clusterwide
+allow_cross_foreign_keys:
+- gitlab_main_clusterwide
+sharding_key:
+ group_id: namespaces
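Review bot: The three `allow_cross_*` entries for `gitlab_main_clusterwide` are added with no reference explaining which joins, transactions and foreign keys need them or when they can be removed. Since they accompany the move from `gitlab_main` to `gitlab_main_cell`, link the tracking issue in the commit or merge request description so the allowances are not left in place indefinitely. The re-wrapped `description` is an unrelated formatting change that adds noise to the hunk.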
diff --git a/doc/administration/reference_architectures/5k_users.md b/doc/administration/reference_architectures/5k_users.md
index 796ff3f2952..65b46474f7a 100644
--- a/doc/administration/reference_architectures/5k_users.md
+++ b/doc/administration/reference_architectures/5k_users.md
@@ -1699,7 +1699,7 @@ examples include the Object storage configuration.
- `10.6.0.71`: Sidekiq 1
- `10.6.0.72`: Sidekiq 2
-To configure the Sidekiq nodes, one each one:
+To configure the Sidekiq nodes, on each one:
1. SSH in to the Sidekiq server.
1. [Download and install](https://about.gitlab.com/install/) the Linux package
diff --git a/doc/api/graphql/getting_started.md b/doc/api/graphql/getting_started.md
index 5dea829b91a..868059fb979 100644
--- a/doc/api/graphql/getting_started.md
+++ b/doc/api/graphql/getting_started.md
@@ -42,8 +42,7 @@ You can run GraphQL queries in a `curl` request on the command line on your
local computer. The requests `POST` to `/api/graphql`
with the query as the payload. You can authorize your request by generating a
[personal access token](../../user/profile/personal_access_tokens.md) to use as
-a bearer token.
-This token requires at least the `read_api` scope.
+a bearer token. Read more about [GraphQL Authentication](index.md#authentication).
Example:
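Review bot: Replacing the sentence about the `read_api` scope with a link removes the minimum-scope guidance from the exact spot where the reader is told to generate a token. Keep a short mention of `read_api` next to the new link so that readers following the `curl` walkthrough do not default to a broader scope such as `api`.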
@@ -162,10 +161,9 @@ More about queries:
### Authorization
-Authorization uses the same engine as the GitLab application (and GitLab.com).
If you've signed in to GitLab and use [GraphiQL](#graphiql), all queries are performed as
-you, the authenticated user. For more information, read the
-[GitLab API documentation](../rest/index.md#authentication).
+you, the authenticated user. For more information, read about
+[GraphQL Authentication](index.md#authentication).
### Mutations
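Review bot: Under the `### Authorization` heading, the remaining text and the new link both describe authentication (who the queries run as), and the removed first line was the only statement about how authorization is decided. Either retitle the section or keep one sentence on authorization so the heading still matches its content.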
diff --git a/doc/api/graphql/index.md b/doc/api/graphql/index.md
index e50e511bbac..349b667f595 100644
--- a/doc/api/graphql/index.md
+++ b/doc/api/graphql/index.md
@@ -44,6 +44,77 @@ You can work with sample queries that pull data from public projects on GitLab.c
The [get started](getting_started.md) page includes different methods to customize GraphQL queries.
+### Authentication
+
+Some queries can be accessed anonymously without the request needing to be authenticated,
+but others require it. Mutations always require authentication.
+
+Authentication can happen by:
+
+- [Token](#token-authentication)
+- [Session cookie](#session-cookie-authentication)
+
+If the authentication information is not valid, GitLab returns an error message with a status code of 401:
+
+{"errors":[{"message":"Invalid token"}]}
+
+#### Token authentication
+
+Use any of the following tokens to authenticate with the GraphQL API:
+
+- [OAuth 2.0 tokens](../../api/oauth2.md)
+- [Personal access tokens](../../user/profile/personal_access_tokens.md)
+- [Project access tokens](../../user/project/settings/project_access_tokens.md)
+- [Group access tokens](../../user/group/settings/group_access_tokens.md)
+
+Authenticate with a token by passing it through in a [request header](#header-authentication) or as a [parameter](#parameter-authentication).
+
+Tokens require the correct [scope](#token-scopes).
+
+##### Header authentication
+
+Example of token authentication using an `Authorization: Bearer <token>` request header:
+
+```shell
+curl "https://gitlab.com/api/graphql" --header "Authorization: Bearer <token>" \
+ --header "Content-Type: application/json" --request POST \
+ --data "{\"query\": \"query {currentUser {name}}\"}"
+```
+
+##### Parameter authentication
+
+Alternatively, OAuth 2.0 tokens can be passed in using the `access_token` parameter:
+
+```shell
+curl "https://gitlab.com/api/graphql?access_token=<oauth_token>" \
+ --header "Content-Type: application/json" --request POST \
+ --data "{\"query\": \"query {currentUser {name}}\"}"
+```
+
+Personal, project, or group access tokens can be passed in using the `private_token` parameter:
+
+```shell
+curl "https://gitlab.com/api/graphql?private_token=<access_token>" \
+ --header "Content-Type: application/json" --request POST \
+ --data "{\"query\": \"query {currentUser {name}}\"}"
+```
+
+##### Token scopes
+
+Tokens must have the correct scope to access the GraphQL API, either:
+
+| Scope | Access |
+|------------|---------|
+| `read_api` | Grants read access to the API. Sufficient for queries. |
+| `api` | Grants read and write access to the API. Required by mutations. |
+
+#### Session cookie authentication
+
+Signing in to the main GitLab application sets a `_gitlab_session` session cookie.
+
+The [interactive GraphQL explorer](#interactive-graphql-explorer) and the web frontend of
+GitLab itself use this method of authentication.
+
### Global IDs
In the GitLab GraphQL API, an `id` field is nearly always a [Global ID](https://graphql.org/learn/global-object-identification/)
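Review bot: The `Parameter authentication` section shows `?access_token=<oauth_token>` and `?private_token=<access_token>` in the URL without saying that a token in a query string can end up in shell history, proxy logs and server access logs. Add a sentence recommending the `Authorization: Bearer <token>` header as the preferred method and describing the parameters as a fallback. A smaller point: `Session cookie authentication` does not say whether cookie-authenticated mutations also need a CSRF token, which a reader scripting against a browser session would want to know.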