diff options
Diffstat (limited to 'doc/user/admin_area')
34 files changed, 307 insertions, 118 deletions
diff --git a/doc/user/admin_area/appearance.md b/doc/user/admin_area/appearance.md index 5513fa3585d..fc42c7770f2 100644 --- a/doc/user/admin_area/appearance.md +++ b/doc/user/admin_area/appearance.md @@ -94,6 +94,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/broadcast_messages.md b/doc/user/admin_area/broadcast_messages.md index e5d0a6e297e..acb3e92fff8 100644 --- a/doc/user/admin_area/broadcast_messages.md +++ b/doc/user/admin_area/broadcast_messages.md @@ -111,6 +111,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/custom_project_templates.md b/doc/user/admin_area/custom_project_templates.md index 551ed667250..de2856c2320 100644 --- a/doc/user/admin_area/custom_project_templates.md +++ b/doc/user/admin_area/custom_project_templates.md @@ -49,6 +49,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/diff_limits.md b/doc/user/admin_area/diff_limits.md index 3a1ecac6ee6..3d7c49c1f2b 100644 --- a/doc/user/admin_area/diff_limits.md +++ b/doc/user/admin_area/diff_limits.md @@ -47,6 +47,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/email_from_gitlab.md b/doc/user/admin_area/email_from_gitlab.md index c1d3521d60c..ba465fbea29 100644 --- a/doc/user/admin_area/email_from_gitlab.md +++ b/doc/user/admin_area/email_from_gitlab.md @@ -55,6 +55,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/geo_nodes.md b/doc/user/admin_area/geo_nodes.md deleted file mode 100644 index 710f37bb344..00000000000 --- a/doc/user/admin_area/geo_nodes.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -redirect_to: 'geo_sites.md' -remove_date: '2022-10-05' ---- - -This document was moved to [another location](geo_sites.md). - -<!-- This redirect file can be deleted after <2022-10-05>. --> -<!-- Redirects that point to other docs in the same project expire in three months. --> -<!-- Redirects that point to docs in a different project or site (link is not relative and starts with `https:`) expire in one year. --> -<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/redirects.html --> diff --git a/doc/user/admin_area/geo_sites.md b/doc/user/admin_area/geo_sites.md index 093ed84f41a..f3be036fd38 100644 --- a/doc/user/admin_area/geo_sites.md +++ b/doc/user/admin_area/geo_sites.md @@ -112,6 +112,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/img/minimum_password_length_settings_v12_6.png b/doc/user/admin_area/img/minimum_password_length_settings_v12_6.png Binary files differdeleted file mode 100644 index 27634a02a8a..00000000000 --- a/doc/user/admin_area/img/minimum_password_length_settings_v12_6.png +++ /dev/null diff --git a/doc/user/admin_area/index.md b/doc/user/admin_area/index.md index e6ddb810933..4c34d82dc02 100644 --- a/doc/user/admin_area/index.md +++ b/doc/user/admin_area/index.md @@ -136,15 +136,15 @@ For each user, the following are listed: 1. Date of last activity To edit a user, select the **Edit** button in that user's -row. To delete the user, or delete the user and their contributions, select the cog dropdown in +row. To delete the user, or delete the user and their contributions, select the cog dropdown list in that user's row, and select the desired option. To change the sort order: -1. Select the sort dropdown. +1. Select the sort dropdown list. 1. Select the desired order. -By default the sort dropdown shows **Name**. +By default the sort dropdown list shows **Name**. To search for users, enter your criteria in the search field. The user search is case insensitive, and applies partial matching to name and username. To search for an email address, @@ -260,7 +260,7 @@ number of members, and whether the group is private, internal, or public. To edi the **Edit** button in that group's row. To delete the group, select the **Delete** button in that group's row. -To change the sort order, select the sort dropdown and select the desired order. The default +To change the sort order, select the sort dropdown list and select the desired order. The default sort order is by **Last created**. To search for groups by name, enter your criteria in the search field. The group search is case diff --git a/doc/user/admin_area/labels.md b/doc/user/admin_area/labels.md index 524546d447c..8e1ca979707 100644 --- a/doc/user/admin_area/labels.md +++ b/doc/user/admin_area/labels.md @@ -22,6 +22,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/license.md b/doc/user/admin_area/license.md index 5211a18201b..5296a918f56 100644 --- a/doc/user/admin_area/license.md +++ b/doc/user/admin_area/license.md @@ -64,6 +64,17 @@ This error occurs when you use an activation code to activate your instance, but You may have connectivity issues due to the following reasons: -- **You have an offline environment**: Configure your setup to allow connection to GitLab servers. If connection to GitLab servers is not possible, contact [GitLab support](https://about.gitlab.com/support/#contact-support) to request a license key. -- **Firewall settings**: Enable an encrypted HTTPS connection from your GitLab instance to `customers.gitlab.com` (with IP addresses 104.18.26.123 and 104.18.27.123) on port 443. -- **Customers Portal is not operational**: To check for performance or service disruptions, check the Customers Portal [status](https://status.gitlab.com/). +- **You have an offline environment**: + - Configure your setup to allow connection to GitLab servers. If connection to GitLab servers is not possible, contact your Sales Representative to request a license key. You can also contact [GitLab support](https://about.gitlab.com/support/#contact-support) if you need help finding your Sales Representative. +- **Customers Portal is not operational**: + - To check for performance or service disruptions, check the Customers Portal [status](https://status.gitlab.com/). +- **Firewall settings**: + - Check if your GitLab instance has an encrypted connection to `customers.gitlab.com` (with IP addresses 172.64.146.11 and 104.18.41.245) on port 443: + + ```shell + curl --verbose "https://customers.gitlab.com/" + ``` + + - If the curl command returns a failure, either: + - [Configure a proxy](https://docs.gitlab.com/omnibus/settings/environment-variables.html) in `gitlab.rb` to point to your server. + - Contact your network administrator to make changes to the proxy. diff --git a/doc/user/admin_area/license_file.md b/doc/user/admin_area/license_file.md index e6186fb9805..d821d9bab23 100644 --- a/doc/user/admin_area/license_file.md +++ b/doc/user/admin_area/license_file.md @@ -25,7 +25,7 @@ Otherwise, to add your license: 1. Select **Add license**. NOTE: -For GitLab versions 14.1.x or newer, you can access the **Add License** page directly from the URL, `<YourGitLabURL>/admin/license/new`. +In GitLab 14.1.x through 14.10.x, you can access the **Add License** page directly from the URL, `<YourGitLabURL>/admin/license/new`. In GitLab 15.0 and later, the path is `<YourGitLabURL>/admin/subscription`. ## Add your license file during installation @@ -147,3 +147,81 @@ the license. ### `Start GitLab Ultimate trial` still displays after adding license To fix this issue, restart [Puma or your entire GitLab instance](../../administration/restart_gitlab.md). + +### License commands in the rails console + +The following commands can be run in the [rails console](../../administration/operations/rails_console.md#starting-a-rails-console-session). + +WARNING: +Any command that changes data directly could be damaging if not run correctly, or under the right conditions. +We highly recommend running them in a test environment with a backup of the instance ready to be restored, just in case. + +#### See current license information + +```ruby +# License information (name, company, email address) +License.current.licensee + +# Plan: +License.current.plan + +# Uploaded: +License.current.created_at + +# Started: +License.current.starts_at + +# Expires at: +License.current.expires_at + +# Is this a trial license? +License.current.trial? + +# License ID for lookup on CustomersDot +License.current.license_id + +# License data in Base64-encoded ASCII format +License.current.data +``` + +#### Check if a project feature is available on the instance + +Features listed in <https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/models/license.rb>. + +```ruby +License.current.feature_available?(:jira_dev_panel_integration) +``` + +#### Check if a project feature is available in a project + +Features listed in [`license.rb`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/models/license.rb). + +```ruby +p = Project.find_by_full_path('<group>/<project>') +p.feature_available?(:jira_dev_panel_integration) +``` + +#### Add a license through the console + +```ruby +key = "<key>" +license = License.new(data: key) +license.save +License.current # check to make sure it applied +``` + +This is needed for example in a known edge-case with +[expired license and multiple LDAP servers](../../administration/auth/ldap/ldap-troubleshooting.md#expired-license-causes-errors-with-multiple-ldap-servers). + +#### Remove licenses + +To clean up the [License History table](../../user/admin_area/license_file.md#view-license-details-and-history): + +```ruby +TYPE = :trial? +# or :expired? + +License.select(&TYPE).each(&:destroy!) + +# or even License.all.each(&:destroy!) +``` diff --git a/doc/user/admin_area/moderate_users.md b/doc/user/admin_area/moderate_users.md index ace1c6be5f8..c0daf029b1f 100644 --- a/doc/user/admin_area/moderate_users.md +++ b/doc/user/admin_area/moderate_users.md @@ -54,7 +54,7 @@ To approve or reject a user sign up: 1. On the left sidebar, select **Overview > Users**. 1. Select the **Pending approval** tab. 1. Optional. Select a user. -1. Select the **{settings}** **User administration** dropdown. +1. Select the **{settings}** **User administration** dropdown list. 1. Select **Approve** or **Reject**. Approving a user: @@ -78,7 +78,7 @@ by removing them in LDAP, or directly from the Admin Area. To do this: 1. On the top bar, select **Main menu > Admin**. 1. On the left sidebar, select **Overview > Users**. 1. Optional. Select a user. -1. Select the **{settings}** **User administration** dropdown. +1. Select the **{settings}** **User administration** dropdown list. 1. Select **Block**. A blocked user: @@ -102,7 +102,7 @@ A blocked user can be unblocked from the Admin Area. To do this: 1. On the left sidebar, select **Overview > Users**. 1. Select the **Blocked** tab. 1. Optional. Select a user. -1. Select the **{settings}** **User administration** dropdown. +1. Select the **{settings}** **User administration** dropdown list. 1. Select **Unblock**. The user's state is set to active and they consume a @@ -156,13 +156,13 @@ A user can be deactivated from the Admin Area. To do this: 1. On the top bar, select **Main menu > Admin**. 1. On the left sidebar, select **Overview > Users**. 1. Optional. Select a user. -1. Select the **{settings}** **User administration** dropdown. +1. Select the **{settings}** **User administration** dropdown list. 1. Select **Deactivate**. For the deactivation option to be visible to an administrator, the user: - Must be currently active. -- Must not have signed in, or have any activity, in the last 90 days. +- Must not be [dormant](#automatically-deactivate-dormant-users). NOTE: Users can also be deactivated using the [GitLab API](../../api/users.md#deactivate-user). @@ -203,7 +203,7 @@ To do this: 1. On the left sidebar, select **Overview > Users**. 1. Select the **Deactivated** tab. 1. Optional. Select a user. -1. Select the **{settings}** **User administration** dropdown. +1. Select the **{settings}** **User administration** dropdown list. 1. Select **Activate**. The user's state is set to active and they consume a @@ -235,7 +235,7 @@ Users can be banned using the Admin Area. To do this: 1. On the top bar, select **Main menu > Admin**. 1. On the left sidebar, select **Overview > Users**. 1. Optional. Select a user. -1. Select the **{settings}** **User administration** dropdown. +1. Select the **{settings}** **User administration** dropdown list. 1. Select **Ban user**. The banned user does not consume a [seat](../../subscriptions/self_managed/index.md#billable-users). @@ -248,7 +248,7 @@ A banned user can be unbanned using the Admin Area. To do this: 1. On the left sidebar, select **Overview > Users**. 1. Select the **Banned** tab. 1. Optional. Select a user. -1. Select the **{settings}** **User administration** dropdown. +1. Select the **{settings}** **User administration** dropdown list. 1. Select **Unban user**. The user's state is set to active and they consume a @@ -283,3 +283,68 @@ You can also delete a user and their contributions, such as merge requests, issu NOTE: Before 15.1, additionally groups of which deleted user were the only owner among direct members were deleted. + +## Troubleshooting + +When moderating users, you may need to perform bulk actions on them based on certain conditions. The following rails console scripts show some examples of this. You may [start a rails console session](../../administration/operations/rails_console.md#starting-a-rails-console-session) and use scripts similar to the following: + +### Deactivate users that have no recent activity + +Administrators can deactivate users that have no recent activity. + +WARNING: +Commands that change data can cause damage if not run correctly or under the right conditions. Always run commands in a test environment first and have a backup instance ready to restore. + +```ruby +days_inactive = 90 +inactive_users = User.active.where("last_activity_on <= ?", days_inactive.days.ago) + +inactive_users.each do |user| + puts "user '#{user.username}': #{user.last_activity_on}" + user.deactivate! +end +``` + +### Block users that have no recent activity + +Administrators can block users that have no recent activity. + +WARNING: +Commands that change data can cause damage if not run correctly or under the right conditions. Always run commands in a test environment first and have a backup instance ready to restore. + +```ruby +days_inactive = 90 +inactive_users = User.active.where("last_activity_on <= ?", days_inactive.days.ago) + +inactive_users.each do |user| + puts "user '#{user.username}': #{user.last_activity_on}" + user.block! +end +``` + +### Block or delete users that have no projects or groups + +Administrators can block or delete users that have no projects or groups. + +WARNING: +Commands that change data can cause damage if not run correctly or under the right conditions. Always run commands in a test environment first and have a backup instance ready to restore. + +```ruby +users = User.where('id NOT IN (select distinct(user_id) from project_authorizations)') + +# How many users are removed? +users.count + +# If that count looks sane: + +# You can either block the users: +users.each { |user| user.blocked? ? nil : user.block! } + +# Or you can delete them: + # need 'current user' (your user) for auditing purposes +current_user = User.find_by(username: '<your username>') + +users.each do |user| + DeleteUserWorker.perform_async(current_user.id, user.id) +end +``` diff --git a/doc/user/admin_area/monitoring/health_check.md b/doc/user/admin_area/monitoring/health_check.md index e6f9c045329..2939a8b0418 100644 --- a/doc/user/admin_area/monitoring/health_check.md +++ b/doc/user/admin_area/monitoring/health_check.md @@ -143,6 +143,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/reporting/git_abuse_rate_limit.md b/doc/user/admin_area/reporting/git_abuse_rate_limit.md index 432205d8fa2..f700b8b1ea3 100644 --- a/doc/user/admin_area/reporting/git_abuse_rate_limit.md +++ b/doc/user/admin_area/reporting/git_abuse_rate_limit.md @@ -4,18 +4,20 @@ group: Anti-Abuse info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments --- -# Git abuse rate limit **(ULTIMATE SELF)** +# Git abuse rate limit (administration) **(ULTIMATE SELF)** -> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/8066) in GitLab 15.2 [with flags](../../../administration/feature_flags.md) named `git_abuse_rate_limit_feature_flag` and `auto_ban_user_on_excessive_projects_download`. Both flags are disabled by default. +> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/8066) in GitLab 15.2 [with a flag](../../../administration/feature_flags.md) named `git_abuse_rate_limit_feature_flag`. Disabled by default. FLAG: -On self-managed GitLab, by default this feature is not available. To make it available, ask an administrator to [enable the feature flags](../../../administration/feature_flags.md) named `git_abuse_rate_limit_feature_flag` and `auto_ban_user_on_excessive_projects_download`. +On self-managed GitLab, by default this feature is not available. To make it available, ask an administrator to [enable the feature flag](../../../administration/feature_flags.md) named `git_abuse_rate_limit_feature_flag`. On GitLab.com, this feature is not available. -Git abuse rate limiting is a feature to automatically [ban users](../moderate_users.md#ban-and-unban-users) who download more than a specified number of repositories in a given time. When the `git_abuse_rate_limit_feature_flag` feature flag is enabled, the administrator receives an email when a user is about to be banned. +Git abuse rate limiting is a feature to automatically [ban users](../moderate_users.md#ban-and-unban-users) who download or clone more than a specified number of repositories in any project in the instance within a given time frame. Banned users cannot sign in to the instance and cannot access any non-public group via HTTP or SSH. -When the `auto_ban_user_on_excessive_projects_download` is not enabled, the user is not banned automatically. You can use this setup to determine the correct values of the rate limit settings. +If the `git_abuse_rate_limit_feature_flag` feature flag is enabled, all application administrators receive an email when a user is about to be banned. -When both flags are enabled, the administrator receives an email when a user is about to be banned, and the user is automatically banned from the GitLab instance. +If automatic banning is disabled, a user is not banned automatically when they exceed the limit. However, administrators are still notified. You can use this setup to determine the correct values of the rate limit settings before enabling automatic banning. + +If automatic banning is enabled, administrators receive an email when a user is about to be banned, and the user is automatically banned from the GitLab instance. ## Configure Git abuse rate limiting @@ -24,6 +26,15 @@ When both flags are enabled, the administrator receives an email when a user is 1. Expand **Git abuse rate limit**. 1. Update the Git abuse rate limit settings: 1. Enter a number in the **Number of repositories** field, greater than or equal to `0` and less than or equal to `10,000`. This number specifies the maximum amount of unique repositories a user can download in the specified time period before they're banned. When set to `0`, Git abuse rate limiting is disabled. - 1. Enter a number in the **Reporting time period (seconds)** field, greater than or equal to `0` and less than or equal to `86,400`. This number specifies the time in seconds a user can download the maximum amount of repositories before they're banned. When set to `0`, Git abuse rate limiting is disabled. - 1. Optional. Exclude users by adding them to the **Excluded users** field. Excluded users are not automatically banned. + 1. Enter a number in the **Reporting time period (seconds)** field, greater than or equal to `0` and less than or equal to `86,400` (10 days). This number specifies the time in seconds a user can download the maximum amount of repositories before they're banned. When set to `0`, Git abuse rate limiting is disabled. + 1. Optional. Exclude up to `100` users by adding them to the **Excluded users** field. Excluded users are not automatically banned. + 1. Optional. Turn on the **Automatically ban users from this namespace when they exceed the specified limits** toggle to enable automatic banning. 1. Select **Save changes**. + +## Unban a user + +1. On the top bar, select **Main menu > Admin**. +1. On the left sidebar, select **Overview > Users**. +1. Select the **Banned** tab and search for the account you want to unban. +1. From the **User administration** dropdown list select **Unban user**. +1. On the confirmation dialog, select **Unban user**. diff --git a/doc/user/admin_area/review_abuse_reports.md b/doc/user/admin_area/review_abuse_reports.md index af2f6640f8e..b8531fded18 100644 --- a/doc/user/admin_area/review_abuse_reports.md +++ b/doc/user/admin_area/review_abuse_reports.md @@ -89,6 +89,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/account_and_limit_settings.md b/doc/user/admin_area/settings/account_and_limit_settings.md index cd1f20a2f4e..44a6bbb9d8e 100644 --- a/doc/user/admin_area/settings/account_and_limit_settings.md +++ b/doc/user/admin_area/settings/account_and_limit_settings.md @@ -259,18 +259,6 @@ Once a lifetime for access tokens is set, GitLab: allowed lifetime. Three hours is given to allow administrators to change the allowed lifetime, or remove it, before revocation takes place. -<!-- start_remove The following content will be removed on remove_date: '2022-08-22' --> -## Allow expired access tokens to be used (removed) **(ULTIMATE SELF)** - -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214723) in GitLab 13.1. -> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/296881) in GitLab 13.9. -> - [Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/351962) in GitLab 14.8. -> - [Removed](https://gitlab.com/gitlab-org/gitlab/-/issues/351962) in GitLab 15.0. - -This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/351962) in GitLab 14.8. -This feature was [removed](https://gitlab.com/gitlab-org/gitlab/-/issues/351962) in GitLab 15.0. -<!-- end_remove --> - ## Disable user profile name changes **(PREMIUM SELF)** > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/24605) in GitLab 12.7. @@ -288,11 +276,11 @@ When this ability is disabled, GitLab administrators can still use the [Admin Area](../index.md#administering-users) or the [API](../../../api/users.md#user-modification) to update usernames. -## Prevent users from creating top-level groups +## Prevent new users from creating top-level groups > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/367754) in GitLab 15.5. -By default, new users can create top-level groups. GitLab administrators can prevent users from creating top-level groups: +By default, new users can create top-level groups. GitLab administrators can prevent new users from creating top-level groups: - In GitLab 15.5 and later, using either: - The GitLab UI using the steps in this section. @@ -301,7 +289,7 @@ By default, new users can create top-level groups. GitLab administrators can pre 1. On the top bar, select **Main menu > Admin**. 1. On the left sidebar, select **Settings > General**, then expand **Account and limit**. -1. Clear the **Allow users to create top-level groups** checkbox. +1. Clear the **Allow new users to create top-level groups** checkbox. ## Troubleshooting diff --git a/doc/user/admin_area/settings/continuous_integration.md b/doc/user/admin_area/settings/continuous_integration.md index afc9a006b39..adca9c85af1 100644 --- a/doc/user/admin_area/settings/continuous_integration.md +++ b/doc/user/admin_area/settings/continuous_integration.md @@ -20,10 +20,10 @@ for all projects: 1. Check (or uncheck to disable) the box that says **Default to Auto DevOps pipeline for all projects**. 1. Optionally, set up the [Auto DevOps base domain](../../../topics/autodevops/requirements.md#auto-devops-base-domain) which is used for Auto Deploy and Auto Review Apps. -1. Hit **Save changes** for the changes to take effect. +1. Select **Save changes** for the changes to take effect. From now on, every existing project and newly created ones that don't have a -`.gitlab-ci.yml`, uses the Auto DevOps pipelines. +`.gitlab-ci.yml` use the Auto DevOps pipelines. If you want to disable it for a specific project, you can do so in [its settings](../../../topics/autodevops/index.md#enable-or-disable-auto-devops). @@ -71,7 +71,7 @@ runner settings: To view the rendered details: 1. On the top bar, select **Main menu**, and: - - For a project, select ***Projects** and find your project. + - For a project, select **Projects** and find your project. - For a group, select **Groups** and find your group. 1. On the left sidebar, select **Settings > CI/CD**. 1. Expand **Runners**. @@ -132,7 +132,7 @@ NOTE: Any changes to this setting applies to new artifacts only. The expiration time is not be updated for artifacts created before this setting was changed. The administrator may need to manually search for and expire previously-created -artifacts, as described in the [troubleshooting documentation](../../../administration/troubleshooting/gitlab_rails_cheat_sheet.md#remove-artifacts-more-than-a-week-old). +artifacts, as described in the [troubleshooting documentation](../../../administration/job_artifacts.md#delete-job-artifacts-from-jobs-completed-before-a-specific-date). ## Keep the latest artifacts for all jobs in the latest successful pipelines @@ -174,7 +174,7 @@ To set the duration for which the jobs are considered as old and expired: 1. On the left sidebar, select **Settings > CI/CD**. 1. Expand the **Continuous Integration and Deployment** section. 1. Set the value of **Archive jobs**. -1. Hit **Save changes** for the changes to take effect. +1. Select **Save changes** for the changes to take effect. After that time passes, the jobs are archived in the background and no longer able to be retried. Make it empty to never expire jobs. It has to be no less than 1 day, @@ -201,7 +201,7 @@ of your GitLab instance (`.gitlab-ci.yml` if not set): 1. On the top bar, select **Main menu > Admin**. 1. On the left sidebar, select **Settings > CI/CD**. 1. Input the new file and path in the **Default CI/CD configuration file** field. -1. Hit **Save changes** for the changes to take effect. +1. Select **Save changes** for the changes to take effect. It is also possible to specify a [custom CI/CD configuration file for a specific project](../../../ci/pipelines/settings.md#specify-a-custom-cicd-configuration-file). @@ -244,7 +244,7 @@ To enable or disable the banner: > [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/352316) from GitLab Premium to GitLab Ultimate in 15.0. NOTE: -An alternative [compliance solution](../../group/manage.md#configure-a-compliance-pipeline) +An alternative [compliance solution](../../group/compliance_frameworks.md#configure-a-compliance-pipeline) is available. We recommend this alternative solution because it provides greater flexibility, allowing required pipelines to be assigned to specific compliance framework labels. @@ -272,7 +272,7 @@ To select a CI/CD template for the required pipeline configuration: 1. On the top bar, select **Main menu > Admin**. 1. On the left sidebar, select **Settings > CI/CD**. 1. Expand the **Required pipeline configuration** section. -1. Select a CI/CD template from the dropdown. +1. Select a CI/CD template from the dropdown list. 1. Select **Save changes**. ## Package Registry configuration diff --git a/doc/user/admin_area/settings/deprecated_api_rate_limits.md b/doc/user/admin_area/settings/deprecated_api_rate_limits.md index 279cac95fc9..8bf0ffd21a5 100644 --- a/doc/user/admin_area/settings/deprecated_api_rate_limits.md +++ b/doc/user/admin_area/settings/deprecated_api_rate_limits.md @@ -40,10 +40,10 @@ To override the general user and IP rate limits for requests to deprecated API e 1. Select the checkboxes for the types of rate limits you want to enable: - **Unauthenticated API request rate limit** - **Authenticated API request rate limit** -1. _If you enabled unauthenticated API request rate limits:_ +1. If you selected **unauthenticated**: 1. Select the **Maximum unauthenticated API requests per period per IP**. 1. Select the **Unauthenticated API rate limit period in seconds**. -1. _If you enabled authenticated API request rate limits:_ +1. If you selected **authenticated**: 1. Select the **Maximum authenticated API requests per period per user**. 1. Select the **Authenticated API rate limit period in seconds**. diff --git a/doc/user/admin_area/settings/email.md b/doc/user/admin_area/settings/email.md index 6a7c01ff98b..6d2a3c2cdae 100644 --- a/doc/user/admin_area/settings/email.md +++ b/doc/user/admin_area/settings/email.md @@ -92,6 +92,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/external_authorization.md b/doc/user/admin_area/settings/external_authorization.md index 62d3d713616..a34ceac0d95 100644 --- a/doc/user/admin_area/settings/external_authorization.md +++ b/doc/user/admin_area/settings/external_authorization.md @@ -115,6 +115,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/files_api_rate_limits.md b/doc/user/admin_area/settings/files_api_rate_limits.md index e5f5064304c..ef9a3674c49 100644 --- a/doc/user/admin_area/settings/files_api_rate_limits.md +++ b/doc/user/admin_area/settings/files_api_rate_limits.md @@ -36,10 +36,10 @@ To override the general user and IP rate limits for requests to the Repository f 1. Select the checkboxes for the types of rate limits you want to enable: - **Unauthenticated API request rate limit** - **Authenticated API request rate limit** -1. _If you enabled unauthenticated API request rate limits:_ +1. If you selected **unauthenticated**: 1. Select the **Max unauthenticated API requests per period per IP**. 1. Select the **Unauthenticated API rate limit period in seconds**. -1. _If you enabled authenticated API request rate limits:_ +1. If you selected **authenticated**: 1. Select the **Max authenticated API requests per period per user**. 1. Select the **Authenticated API rate limit period in seconds**. diff --git a/doc/user/admin_area/settings/floc.md b/doc/user/admin_area/settings/floc.md index 08f3e8c09b2..f8137afa40f 100644 --- a/doc/user/admin_area/settings/floc.md +++ b/doc/user/admin_area/settings/floc.md @@ -36,6 +36,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/help_page.md b/doc/user/admin_area/settings/help_page.md index a4072f8680b..8d0fef398af 100644 --- a/doc/user/admin_area/settings/help_page.md +++ b/doc/user/admin_area/settings/help_page.md @@ -56,7 +56,7 @@ GitLab marketing-related entries are occasionally shown on the Help page. To hid You can specify a custom URL to which users are directed when they: -- Select **Support** from the Help dropdown. +- Select **Support** from the Help dropdown list. - Select **See our website for help** on the Help page. 1. On the top bar, select **Main menu > Admin**. @@ -106,6 +106,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/index.md b/doc/user/admin_area/settings/index.md index 1bdacf486a2..08c4a0d0167 100644 --- a/doc/user/admin_area/settings/index.md +++ b/doc/user/admin_area/settings/index.md @@ -109,8 +109,8 @@ The **Metrics and profiling** settings contain: Enable and configure Grafana. - [Profiling - Performance bar](../../../administration/monitoring/performance/performance_bar.md#enable-the-performance-bar-for-non-administrators) - Enable access to the Performance Bar for non-administrator users in a given group. -- [Self monitoring](../../../administration/monitoring/gitlab_self_monitoring_project/index.md#create-the-self-monitoring-project) - - Enable or disable instance self monitoring. +- [Self-monitoring](../../../administration/monitoring/gitlab_self_monitoring_project/index.md#create-the-self-monitoring-project) - + Enable or disable instance self-monitoring. - [Usage statistics](usage_statistics.md) - Enable or disable version check and Service Ping. ### Network diff --git a/doc/user/admin_area/settings/instance_template_repository.md b/doc/user/admin_area/settings/instance_template_repository.md index b74f4f68230..bf07c5b2808 100644 --- a/doc/user/admin_area/settings/instance_template_repository.md +++ b/doc/user/admin_area/settings/instance_template_repository.md @@ -28,7 +28,7 @@ To select a project to serve as the custom template repository: 1. Add custom templates to the selected repository. After you add templates, you can use them for the entire instance. -They are available in the [Web Editor's dropdown](../../project/repository/web_editor.md#template-dropdowns) +They are available in the [Web Editor's dropdown list](../../project/repository/web_editor.md#template-dropdowns) and through the [API settings](../../../api/settings.md). ## Supported file types and locations @@ -67,9 +67,9 @@ extension and not be empty. So, the hierarchy should look like this: |-- another_metrics-dashboard.yml ``` -Your custom templates are displayed on the dropdown menu when a new file is added through the GitLab UI: +Your custom templates are displayed on the dropdown list when a new file is added through the GitLab UI: - + If this feature is disabled or no templates are present, no **Custom** section displays in the selection dropdown. @@ -82,6 +82,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/package_registry_rate_limits.md b/doc/user/admin_area/settings/package_registry_rate_limits.md index 7e0c3482e3e..a5c5536f22d 100644 --- a/doc/user/admin_area/settings/package_registry_rate_limits.md +++ b/doc/user/admin_area/settings/package_registry_rate_limits.md @@ -1,6 +1,6 @@ --- stage: Package -group: Package +group: Package Registry info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments type: reference --- diff --git a/doc/user/admin_area/settings/sign_in_restrictions.md b/doc/user/admin_area/settings/sign_in_restrictions.md index 320768e6e5a..4ea420d7ca6 100644 --- a/doc/user/admin_area/settings/sign_in_restrictions.md +++ b/doc/user/admin_area/settings/sign_in_restrictions.md @@ -32,27 +32,70 @@ In the event of an external authentication provider outage, use the [GitLab Rail > [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/2158) in GitLab 13.10. -When this feature is enabled, instance administrators are limited as regular users. During that period, -they do not have access to all projects, groups, or the **Admin Area** menu. +If you are an administrator, you might want to work in GitLab without the access that +comes from being an administrator. While you could create a separate user account that +doesn't have administrator access, a more secure solution is to use *Admin Mode*. -To access potentially dangerous resources, an administrator can activate Admin Mode by: +With Admin Mode, your account does not have administrative access by default. +You can continue to access groups and projects you are a member of, but to access +administrative functionality, you must authenticate. -- Selecting the *Enable Admin Mode* button -- Trying to access any part of the UI that requires administrator access, specifically those which call `/admin` endpoints. +When Admin Mode is enabled, it applies to all administrators on the instance. -The main use case allows administrators to perform their regular tasks as a regular -user, based on their memberships, without having to set up a second account for -security reasons. +When Admin Mode is enabled for an instance, administrators: -When Admin Mode status is disabled, administrative users cannot access resources unless -they've been explicitly granted access. For example, when Admin Mode is disabled, they -get a `404` error if they try to open a private group or project, unless -they are members of that group or project. +- Are allowed to access group and projects for which they are members. +- Cannot access the **Admin Area**. -2FA should be enabled for administrators and is supported for the Admin Mode flow, as are -OmniAuth providers and LDAP auth. The Admin Mode status is stored in the active user -session and remains active until it is explicitly disabled (it will be disabled -automatically after a timeout otherwise). +### Enable Admin Mode for your instance + +Administrators can enable Admin Mode though the API, the Rails console, or the UI. + +#### Use the API to enable Admin Mode + +Make the following request to your instance endpoint: + +```shell +curl --request PUT --header "PRIVATE-TOKEN:$ADMIN_TOKEN" "<gitlab.example.com>/api/v4/application/settings?admin_mode=true" +``` + +Replace `<gitlab.example.com>` with your instance URL. + +For more information, see the [list of settings that can be accessed through API calls](../../../api/settings.md). + +#### Use the Rails console to enable Admin Mode + +Open the [Rails console](../../../administration/operations/rails_console.md) and run the following: + +```ruby +::Gitlab::CurrentSettings.update_attributes!(admin_mode: true) +``` + +#### Use the UI to enable Admin Mode + +To enable Admin Mode through the UI: + +1. On the top bar, select **Main menu > Admin**. +1. On the left sidebar, select **Settings > General**. +1. Expand **Sign-in restrictions**. +1. In the **Admin Mode** section, select the **Require additional authentication for administrative tasks** checkbox. + +### Turn on Admin Mode for your session + +To turn on Admin Mode for your current session and access potentially dangerous resources: + +1. On the top bar, select **Enable Admin Mode**. +1. Try to access any part of the UI with `/admin` in the URL (which requires administrator access). + +When Admin Mode status is disabled or turned off, administrators cannot access resources unless +they've been explicitly granted access. For example, administrators get a `404` error +if they try to open a private group or project, unless they are members of that group or project. + +2FA should be enabled for administrators. 2FA, OmniAuth providers, and LDAP +authentication are supported by Admin Mode. Admin Mode status is stored in the current user session and remains active until either: + +- It is explicitly disabled. +- It is disabled automatically after a timeout. ### Limitations of Admin Mode diff --git a/doc/user/admin_area/settings/sign_up_restrictions.md b/doc/user/admin_area/settings/sign_up_restrictions.md index 28fb188731b..76415596dce 100644 --- a/doc/user/admin_area/settings/sign_up_restrictions.md +++ b/doc/user/admin_area/settings/sign_up_restrictions.md @@ -115,7 +115,7 @@ create or update pipelines until their email address is confirmed. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/20661) in GitLab 12.6 -You can [change](../../../security/password_length_limits.md#modify-minimum-password-length-using-gitlab-ui) +You can [change](../../../security/password_length_limits.md#modify-minimum-password-length) the minimum number of characters a user must have in their password using the GitLab UI. ### Password complexity requirements **(PREMIUM SELF)** @@ -198,6 +198,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/terms.md b/doc/user/admin_area/settings/terms.md index 28fe352c684..9a02e50b23f 100644 --- a/doc/user/admin_area/settings/terms.md +++ b/doc/user/admin_area/settings/terms.md @@ -43,6 +43,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/third_party_offers.md b/doc/user/admin_area/settings/third_party_offers.md index fbd282ed5ad..8d2ae72ba69 100644 --- a/doc/user/admin_area/settings/third_party_offers.md +++ b/doc/user/admin_area/settings/third_party_offers.md @@ -31,6 +31,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/usage_statistics.md b/doc/user/admin_area/settings/usage_statistics.md index fb027b462df..df60268a8bf 100644 --- a/doc/user/admin_area/settings/usage_statistics.md +++ b/doc/user/admin_area/settings/usage_statistics.md @@ -48,7 +48,7 @@ tier. Users can continue to access the features in a paid tier without sharing u ### Features available in 14.4 and later - [Repository size limit](../settings/account_and_limit_settings.md#repository-size-limit). -- [Group access restriction by IP address](../../group/access_and_permissions.md#restrict-group-access-by-ip-address). +- [Group access restriction by IP address](../../group/access_and_permissions.md#restrict-access-to-groups-by-ip-address). NOTE: Registration is not yet required for participation, but may be added in a future milestone. @@ -202,6 +202,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/user_and_ip_rate_limits.md b/doc/user/admin_area/settings/user_and_ip_rate_limits.md index 7431fc329d1..e285275f5bb 100644 --- a/doc/user/admin_area/settings/user_and_ip_rate_limits.md +++ b/doc/user/admin_area/settings/user_and_ip_rate_limits.md @@ -225,6 +225,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> diff --git a/doc/user/admin_area/settings/visibility_and_access_controls.md b/doc/user/admin_area/settings/visibility_and_access_controls.md index d3132ae03c6..6d878bcb01c 100644 --- a/doc/user/admin_area/settings/visibility_and_access_controls.md +++ b/doc/user/admin_area/settings/visibility_and_access_controls.md @@ -45,7 +45,7 @@ By default both administrators and anyone with the **Owner** role can delete a p 1. Expand the **Visibility and access controls** section. 1. Scroll to: - (GitLab 15.1 and later) **Allowed to delete projects**, and select **Administrators**. - - (GitLab 15.0 and earlier) **Default project deletion projection** and select **Only admins can delete project**. + - (GitLab 15.0 and earlier) **Default project deletion protection** and select **Only admins can delete project**. 1. Select **Save changes**. ## Deletion protection **(PREMIUM SELF)** @@ -82,8 +82,8 @@ To configure delayed project deletion: 1. On the left sidebar, select **Settings > General**. 1. Expand the **Visibility and access controls** section. 1. Scroll to: - - (GitLab 15.1 and later) **Deletion projection** and select keep deleted groups and projects, and select a retention period. - - (GitLab 15.0 and earlier) **Default delayed project projection** and select **Enable delayed project deletion by + - (GitLab 15.1 and later) **Deletion protection** and select keep deleted groups and projects, and select a retention period. + - (GitLab 15.0 and earlier) **Default delayed project protection** and select **Enable delayed project deletion by default for newly-created groups.** Then set a retention period in **Default deletion delay**. 1. Select **Save changes**. @@ -262,7 +262,7 @@ These options specify the permitted types and lengths for SSH keys. To specify a restriction for each key type: -1. Select the desired option from the dropdown. +1. Select the desired option from the dropdown list. 1. Select **Save changes**. For more details, see [SSH key restrictions](../../../security/ssh_keys_restrictions.md). @@ -280,13 +280,13 @@ work in every repository. They can only be re-enabled by an administrator user o > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87579) in GitLab 15.1 [with a flag](../../../administration/feature_flags.md) named `group_ip_restrictions_allow_global`. Disabled by default. > - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/issues/366445) in GitLab 15.4. [Feature flag `group_ip_restrictions_allow_global`](https://gitlab.com/gitlab-org/gitlab/-/issues/366445) removed. -This setting allows you to set IP address ranges to be combined with group-level IP allowlists. -It helps administrators prevent aspects of the GitLab installation from being blocked -from working as intended when an IP allowlist is used. +Administrators can set IP address ranges to be combined with [group-level IP restrictions](../../group/access_and_permissions.md#restrict-access-to-groups-by-ip-address). +Use globally-allowed IP addresses to allow aspects of the GitLab installation to work even when group-level IP address +restrictions are set. -For example, if the GitLab Pages daemon runs on the `10.0.0.0/24` range, specify that range in this -field, as otherwise any group-level restrictions that don't include that range cause the Pages -daemon to be unable to fetch artifacts from the pipeline runs. +For example, if the GitLab Pages daemon runs on the `10.0.0.0/24` range, you can specify that range as globally-allowed. +This means GitLab Pages can still fetch artifacts from pipelines even if group-level IP address restrictions don't +include the `10.0.0.0/24` range. To add a IP address range to the group-level allowlist: @@ -294,7 +294,11 @@ To add a IP address range to the group-level allowlist: 1. On the top bar, select **Main menu > Admin**. 1. On the left sidebar, select **Settings > General**. 1. Expand the **Visibility and access controls** section. -1. In **Globally-allowed IP ranges**, provide a value. +1. In **Globally-allowed IP ranges**, provide a list of IP address ranges. This list: + - Has no limit on the number of IP address ranges. + - Has a size limit of 1 GB. + - Applies to both SSH or HTTP authorized IP address ranges. You cannot split + this list by type of authorization. 1. Select **Save changes**. <!-- ## Troubleshooting @@ -305,6 +309,6 @@ important to describe those, too. Think of things that may go wrong and include This is important to minimize requests for support, and to avoid doc comments with questions that you know someone might ask. -Each scenario can be a third-level heading, e.g. `### Getting error message X`. +Each scenario can be a third-level heading, for example `### Getting error message X`. If you have none to add when creating a doc, leave this section in place but commented out to help encourage others to add to it in the future. --> |
