gitlab.com/gitlab-org/gitlab-foss.git
author: GitLab Bot <gitlab-bot@gitlab.com> 2021-04-21 02:50:22 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-04-21 02:50:22 +0300
commit: 9dc93a4519d9d5d7be48ff274127136236a3adb3 (patch)
tree: 70467ae3692a0e35e5ea56bcb803eb512a10bedb /doc/security
parent: 4b0f34b6d759d6299322b3a54453e930c6121ff0 (diff)
Add latest changes from gitlab-org/gitlab@13-11-stable-eev13.11.0-rc43
Diffstat (limited to 'doc/security')
-rw-r--r-- doc/security/README.md | 1
-rw-r--r-- doc/security/reset_user_password.md | 31
-rw-r--r-- doc/security/token_overview.md | 14
3 files changed, 33 insertions, 13 deletions
diff --git a/doc/security/README.md b/doc/security/README.md
index 9b9d4f030ac..83073a4951c 100644
--- a/doc/security/README.md
+++ b/doc/security/README.md
@@ -25,6 +25,7 @@ type: index
- [Proxying images](asset_proxy.md)
- [CI/CD variables](cicd_variables.md)
- [Token overview](token_overview.md)
+- [Project Import decompressed archive size limits](project_import_decompressed_archive_size_limits.md)
## Securing your GitLab installation
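Review bot: the new index entry links to `project_import_decompressed_archive_size_limits.md`, but that file is not among the three files in this diffstat, so please confirm it already exists under `doc/security/` or lands in the same release; otherwise the index ships a dead link. Also, the neighbouring entries use sentence case (`Proxying images`, `Token overview`), so `Project import decompressed archive size limits` would match the list.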
diff --git a/doc/security/reset_user_password.md b/doc/security/reset_user_password.md
index ed7b9f89616..5f46ebcec31 100644
--- a/doc/security/reset_user_password.md
+++ b/doc/security/reset_user_password.md
@@ -11,6 +11,8 @@ There are a few ways to reset the password of a user.
## Rake Task
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/52347) in GitLab 13.9.
+
GitLab provides a Rake Task to reset passwords of users using their usernames,
which can be invoked by the following command:
@@ -38,15 +40,15 @@ The Rake task is capable of finding users via their usernames. However, if only
user ID or email ID of the user is known, Rails console can be used to find user
using user ID and then change password of the user manually.
-1. Start a Rails console
-
- ```shell
- sudo gitlab-rails console -e production
- ```
+1. [Start a Rails console](../administration/operations/rails_console.md)
-1. Find the user either by user ID or email ID:
+1. Find the user either by username, user ID or email ID:
```ruby
+ user = User.find_by_username 'exampleuser'
+
+ #or
+
user = User.find(123)
#or
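Review bot: the context sentence above this hunk still says the Rails console is for the case where only the user ID or email ID is known, yet the hunk adds a username lookup (`user = User.find_by_username 'exampleuser'`), so that sentence should be reworded to cover all three identifiers. Minor: the new call omits parentheses while `User.find(123)` below uses them; `User.find_by_username('exampleuser')` keeps the block consistent, and `#or` should be `# or` to match Ruby comment style.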
@@ -81,6 +83,23 @@ using user ID and then change password of the user manually.
NOTE:
You can also reset passwords by using the [Users API](../api/users.md#user-modification).
+## Password reset does not appear to work
+
+If you can't sign on with the new password, it might be because of the [reconfirmation feature](../user/upgrade_email_bypass.md).
+
+Try fixing this on the rails console. For example, if your new `root` password isn't working:
+
+1. [Start a Rails console](../administration/operations/rails_console.md).
+
+1. Find the user and skip reconfirmation. Any of the methods to find the user, above, will work:
+
+ ```ruby
+ user = User.find(1)
+ user.skip_reconfirmation!
+ ```
+
+1. Try to sign in again.
+
## Reset your root password
The previously described steps can also be used to reset the root password.
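Review bot: `user.skip_reconfirmation!` makes GitLab accept a pending email change without the user proving control of the new address, so the new section should tell the administrator to check that the pending email on the account is the expected one before running it; as written, an account whose email was changed by someone else would simply be confirmed. Two smaller points: `rails console` should be `Rails console`, as in the link text two lines later, and `User.find(1)` assumes the `root` account has ID 1, which the text could state.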
diff --git a/doc/security/token_overview.md b/doc/security/token_overview.md
index 2bb4ffa8eec..0ca1e07bf54 100644
--- a/doc/security/token_overview.md
+++ b/doc/security/token_overview.md
@@ -22,7 +22,7 @@ they inherit permissions from the user who created them.
## OAuth2 tokens
-GitLab can serve as an [OAuth2 provider](../api/oauth2.md) to allow other services to access the GitLab API on a user’s behalf.
+GitLab can serve as an [OAuth2 provider](../api/oauth2.md) to allow other services to access the GitLab API on a user's behalf.
You can limit the scope and lifetime of your OAuth2 tokens.
@@ -57,7 +57,7 @@ Deploy tokens can be managed by project maintainers and owners.
[Deploy keys](../user/project/deploy_keys/index.md) allow read-only or read-write access to your repositories by importing an SSH public key into your GitLab instance. Deploy keys cannot be used with the GitLab API or the registry.
-This is useful, for example, for cloning repositories to your Continuous Integration (CI) server. By using deploy keys, you don’t have to set up a fake user account.
+This is useful, for example, for cloning repositories to your Continuous Integration (CI) server. By using deploy keys, you don't have to set up a fake user account.
Project maintainers and owners can add or enable a deploy key for a project repository
@@ -65,13 +65,13 @@ Project maintainers and owners can add or enable a deploy key for a project repo
Runner registration tokens are used to [register](https://docs.gitlab.com/runner/register/) a [runner](https://docs.gitlab.com/runner/) with GitLab. Group or project owners or instance admins can obtain them through the GitLab user interface. The registration token is limited to runner registration and has no further scope.
-You can use the runner registration token to add runners that execute jobs in a project or group. The runner has access to the project’s code, so be careful when assigning project and group-level permissions.
+You can use the runner registration token to add runners that execute jobs in a project or group. The runner has access to the project's code, so be careful when assigning project and group-level permissions.
## Runner authentication tokens (also called runner tokens)
After registration, the runner receives an authentication token, which it uses to authenticate with GitLab when picking up jobs from the job queue. The authentication token is stored locally in the runner's [`config.toml`](https://docs.gitlab.com/runner/configuration/advanced-configuration.html) file.
-After authentication with GitLab, the runner receives a [job token](../user/project/new_ci_build_permissions_model.md#job-token), which it uses to execute the job.
+After authentication with GitLab, the runner receives a [job token](../api/README.md#gitlab-cicd-job-token), which it uses to execute the job.
In case of Docker Machine/Kubernetes/VirtualBox/Parallels/SSH executors, the execution environment has no access to the runner authentication token, because it stays on the runner machine. They have access to the job token only, which is needed to execute the job.
@@ -79,9 +79,9 @@ Malicious access to a runner's file system may expose the `config.toml` file and
## CI/CD job tokens
-The [CI/CD](../api/README.md#gitlab-ci-job-token) job token
+The [CI/CD](../api/README.md#gitlab-cicd-job-token) job token
is a short lived token only valid for the duration of a job. It gives a CI/CD job
-access to a limited amount of [API endpoints](../api/README.md#gitlab-ci-job-token).
+access to a limited amount of API endpoints.
API authentication uses the job token, by using the authorization of the user
triggering the job.
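Review bot: with the link moved off `API endpoints`, the sentence `access to a limited amount of API endpoints.` no longer tells the reader which endpoints are allowed, and `CI/CD` is an odd link text for the job-token anchor; suggest `The [CI/CD job token](../api/README.md#gitlab-cicd-job-token) is a short-lived token ...` and `a limited number of API endpoints` (countable noun), pointing that phrase at the same anchor the footnote in the last hunk uses.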
@@ -105,4 +105,4 @@ This table shows available scopes per token. Scopes can be limited further on to
1. Limited to the one project.
1. Runner registration and authentication token don't provide direct access to repositories, but can be used to register and authenticate a new runner that may execute jobs which do have access to the repository
-1. Limited to certain [endpoints](../api/README.md#gitlab-ci-job-token).
+1. Limited to certain [endpoints](../api/README.md#gitlab-cicd-job-token).
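Review bot: the footnote in the context just above (`Runner registration and authentication token don't provide direct access ...`) lacks the trailing period the other two footnotes have; since this hunk already touches the footnote list, it is worth fixing in the same change.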