@@ -11,9 +11,9 @@ This functionality is based on [doorkeeper gem](https://github.com/doorkeeper-ge
GitLab currently supports following authorization flows:
**Web Application Flow* - Most secure and common type of flow, designed for the applications with secure server-side.
**Implicit Flow* - This flow is designed for user-agent only apps (e.g. single page web application running on GitLab Pages).
**Resource Owner Password Credentials Flow* - To be used **only** for securely hosted, first-party services.
-*Web Application Flow* - Most secure and common type of flow, designed for the applications with secure server-side.
-*Implicit Flow* - This flow is designed for user-agent only apps (e.g. single page web application running on GitLab Pages).
-*Resource Owner Password Credentials Flow* - To be used **only** for securely hosted, first-party services.
Please refer to [OAuth RFC](https://tools.ietf.org/html/rfc6749) to find out in details how all those flows work and pick the right one for your use case.
...
...
@@ -89,7 +89,7 @@ To request the access token, you should redirect the user to the `/oauth/authori
This will ask the user to approve the applications access to their account and then redirect back to the `REDIRECT_URI` you provided. The redirect
This will ask the user to approve the application's access to their account and then redirect back to the `REDIRECT_URI` you provided. The redirect
will include a fragment with `access_token` as well as token details in GET parameters, for example:
```
...
...
@@ -109,7 +109,7 @@ client is part of the device operating system or a highly privileged application
available (such as an authorization code).
>**Important:**
Never store the users credentials and only use this grant type when your client is deployed to a trusted environment, in 99% of cases [personal access tokens]
Never store the user's credentials and only use this grant type when your client is deployed to a trusted environment, in 99% of cases [personal access tokens]
are a better choice.
Even though this grant type requires direct client access to the resource owner credentials, the resource owner credentials are used
@@ -7,10 +7,10 @@ We have a performance dashboard available in one of our [grafana instances](http
These pages can be found inside a text file in the gitlab-build-images [repository](https://gitlab.com/gitlab-org/gitlab-build-images) called [gitlab.txt](https://gitlab.com/gitlab-org/gitlab-build-images/blob/master/scripts/gitlab.txt)
Any frontend engineer can contribute to this dashboard. They can contribute by adding or removing urls of pages from this text file. Please have a [frontend monitoring expert](https://about.gitlab.com/team) review your changes before assigning to a maintainer of the `gitlab-build-images` project. The changes will go live on the next scheduled run after the changes are merged into `master`.
There are 3 recommended high impact metrics to review on each page
There are 3 recommended high impact metrics to review on each page:
@@ -13,7 +13,7 @@ Permissions are broken into two parts: `conditions` and `rules`. Conditions are
Conditions are defined by the `condition` method, and are given a name and a block. The block will be executed in the context of the policy object - so it can access `@user` and `@subject`, as well as call any methods defined on the policy. Note that `@user` may be nil (in the anonymous case), but `@subject` is guaranteed to be a real instance of the subject class.
```ruby
```ruby
classFooPolicy<BasePolicy
condition(:is_public)do
# @subject guaranteed to be an instance of Foo
...
...
@@ -37,7 +37,7 @@ Conditions are cached according to their scope. Scope and ordering will be cover
A `rule` is a logical combination of conditions and other rules, that are configured to enable or prevent certain abilities. It is important to note that the rule configuration is static - a rule's logic cannot touch the database or know about `@user` or `@subject`. This allows us to cache only at the condition level. Rules are specified through the `rule` method, which takes a block of DSL configuration, and returns an object that responds to `#enable` or `#prevent`:
```ruby
```ruby
classFooPolicy<BasePolicy
# ...
...
...
@@ -57,10 +57,10 @@ end
Within the rule DSL, you can use:
* A regular word mentions a condition by name - a rule that is in effect when that condition is truthy.
*`~` indicates negation
*`&` and `|` are logical combinations, also available as `all?(...)` and `any?(...)`
*`can?(:other_ability)` delegates to the rules that apply to `:other_ability`. Note that this is distinct from the instance method `can?`, which can check dynamically - this only configures a delegation to another ability.
- A regular word mentions a condition by name - a rule that is in effect when that condition is truthy.
-`~` indicates negation.
-`&` and `|` are logical combinations, also available as `all?(...)` and `any?(...)`.
-`can?(:other_ability)` delegates to the rules that apply to `:other_ability`. Note that this is distinct from the instance method `can?`, which can check dynamically - this only configures a delegation to another ability.
## Scores, Order, Performance
...
...
@@ -72,7 +72,7 @@ When a policy is asked whether a particular ability is allowed (`policy.allowed?
Sometimes, a condition will only use data from `@user` or only from `@subject`. In this case, we want to change the scope of the caching, so that we don't recalculate conditions unnecessarily. For example, given:
Naively, if we call `Ability.can?(user1, :some_ability, foo)` and `Ability.can?(user2, :some_ability, foo)`, we would have to calculate the condition twice - since they are for different users. But if we use the `scope: :subject` option:
@@ -93,7 +93,7 @@ both user and subject (including a simple anonymous check!) your result will be
Sometimes we are checking permissions for a lot of users for one subject, or a lot of subjects for one user. In this case, we want to set a *preferred scope* - i.e. tell the system that we prefer rules that can be cached on the repeated parameter. For example, in `Ability.users_that_can_read_project`:
@@ -9,10 +9,10 @@ This is the directory structure you will end up with following the instructions
| |-- gitlab-shell
| |-- repositories
*`/home/git/.ssh` - contains openssh settings. Specifically the `authorized_keys` file managed by gitlab-shell.
*`/home/git/gitlab` - GitLab core software.
*`/home/git/gitlab-shell` - Core add-on component of GitLab. Maintains SSH cloning and other functionality.
*`/home/git/repositories` - bare repositories for all projects organized by namespace. This is where the git repositories which are pushed/pulled are maintained for all projects. **This area is critical data for projects. [Keep a backup](../raketasks/backup_restore.md)**
-`/home/git/.ssh` - contains openssh settings. Specifically the `authorized_keys` file managed by gitlab-shell.
-`/home/git/gitlab` - GitLab core software.
-`/home/git/gitlab-shell` - Core add-on component of GitLab. Maintains SSH cloning and other functionality.
-`/home/git/repositories` - bare repositories for all projects organized by namespace. This is where the git repositories which are pushed/pulled are maintained for all projects. **This area is critical data for projects. [Keep a backup](../raketasks/backup_restore.md).**
*Note: the default locations for repositories can be configured in `config/gitlab.yml` of GitLab and `config.yml` of gitlab-shell.*
@@ -14,9 +14,9 @@ To get this functioning, you need to be registered with Google.
Pay close attention to:
* Email account used by GitLab to send notification emails needs to have "Consistent history of sending a high volume of mail from your domain (order of hundred emails a day minimum to Gmail) for a few weeks at least".
* "A very very low rate of spam complaints from users."
* Emails must be authenticated via DKIM or SPF
* Before sending the final form("Gmail Schema Whitelist Request"), you must send a real email from your production server. This means that you will have to find a way to send this email from the email address you are registering. You can do this by, for example, forwarding the real email from the email address you are registering or going into the rails console on the GitLab server and triggering the email sending from there.
- Email account used by GitLab to send notification emails needs to have "Consistent history of sending a high volume of mail from your domain (order of hundred emails a day minimum to Gmail) for a few weeks at least".
- "A very very low rate of spam complaints from users."
- Emails must be authenticated via DKIM or SPF.
- Before sending the final form ("Gmail Schema Whitelist Request"), you must send a real email from your production server. This means that you will have to find a way to send this email from the email address you are registering. You can do this by, for example, forwarding the real email from the email address you are registering or going into the rails console on the GitLab server and triggering the email sending from there.
You can check how it looks going through all the steps laid out in the "Registering with Google" doc in [this GitLab.com issue](https://gitlab.com/gitlab-org/gitlab-ce/issues/1517).
@@ -15,9 +15,9 @@ GitLab follows the [Semantic Versioning](http://semver.org/) for its releases:
For example, for GitLab version 10.5.7:
*`10` represents major version
*`5` represents minor version
*`7` represents patch number
-`10` represents major version
-`5` represents minor version
-`7` represents patch number
## Patch releases
...
...
@@ -55,13 +55,13 @@ cases you need to consider.
It is considered safe to jump between patch versions and minor versions within
one major version. For example, it is safe to:
* Upgrade the patch version:
*`8.9.0` -> `8.9.7`
*`8.9.0` -> `8.9.1`
*`8.9.2` -> `8.9.6`
* Upgrade the minor version:
*`8.9.4` -> `8.12.3`
*`9.2.3` -> `9.5.5`
- Upgrade the patch version:
-`8.9.0` -> `8.9.7`
-`8.9.0` -> `8.9.1`
-`8.9.2` -> `8.9.6`
- Upgrade the minor version:
-`8.9.4` -> `8.12.3`
-`9.2.3` -> `9.5.5`
Upgrading the major version requires more attention.
We cannot guarantee that upgrading between major versions will be seamless. As previously mentioned, major versions are reserved for backwards incompatible changes.
* HTTP setups: Make `/etc/nginx/sites-available/nginx` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-0-stable/lib/support/nginx/gitlab but with your settings.
* HTTPS setups: Make `/etc/nginx/sites-available/nginx-ssl` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-0-stable/lib/support/nginx/gitlab-ssl but with your setting
- HTTP setups: Make `/etc/nginx/sites-available/nginx` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-0-stable/lib/support/nginx/gitlab but with your settings.
- HTTPS setups: Make `/etc/nginx/sites-available/nginx-ssl` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-0-stable/lib/support/nginx/gitlab-ssl but with your setting.
* Make `/home/git/gitlab/config/gitlab.yml` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-14-stable/config/gitlab.yml.example but with your settings.
* Make `/home/git/gitlab/config/unicorn.rb` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-14-stable/config/unicorn.rb.example but with your settings.
* Make `/home/git/gitlab-shell/config.yml` the same as https://gitlab.com/gitlab-org/gitlab-shell/blob/v2.6.5/config.yml.example but with your settings.
* Copy rack attack middleware config
- Make `/home/git/gitlab/config/gitlab.yml` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-14-stable/config/gitlab.yml.example but with your settings.
- Make `/home/git/gitlab/config/unicorn.rb` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-14-stable/config/unicorn.rb.example but with your settings.
- Make `/home/git/gitlab-shell/config.yml` the same as https://gitlab.com/gitlab-org/gitlab-shell/blob/v2.6.5/config.yml.example but with your settings.
* HTTP setups: Make `/etc/nginx/sites-available/gitlab` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-14-stable/lib/support/nginx/gitlab but with your settings.
* HTTPS setups: Make `/etc/nginx/sites-available/gitlab-ssl` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-14-stable/lib/support/nginx/gitlab-ssl but with your settings.
* A new `location /uploads/` section has been added that needs to have the same content as the existing `location @gitlab` section.
- HTTP setups: Make `/etc/nginx/sites-available/gitlab` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-14-stable/lib/support/nginx/gitlab but with your settings.
- HTTPS setups: Make `/etc/nginx/sites-available/gitlab-ssl` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-14-stable/lib/support/nginx/gitlab-ssl but with your settings.
- A new `location /uploads/` section has been added that needs to have the same content as the existing `location @gitlab` section.
* HTTP setups: Make `/etc/nginx/sites-available/nginx` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-0-stable/lib/support/nginx/gitlab but with your settings.
* HTTPS setups: Make `/etc/nginx/sites-available/nginx-ssl` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-0-stable/lib/support/nginx/gitlab-ssl but with your setting
- HTTP setups: Make `/etc/nginx/sites-available/nginx` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-0-stable/lib/support/nginx/gitlab but with your settings.
- HTTPS setups: Make `/etc/nginx/sites-available/nginx-ssl` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-0-stable/lib/support/nginx/gitlab-ssl but with your setting.
* HTTP setups: Make `/etc/nginx/sites-available/nginx` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-3-stable/lib/support/nginx/gitlab but with your settings.
* HTTPS setups: Make `/etc/nginx/sites-available/nginx-ssl` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-3-stable/lib/support/nginx/gitlab-ssl but with your setting
- HTTP setups: Make `/etc/nginx/sites-available/nginx` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-3-stable/lib/support/nginx/gitlab but with your settings.
- HTTPS setups: Make `/etc/nginx/sites-available/nginx-ssl` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-3-stable/lib/support/nginx/gitlab-ssl but with your setting.
* HTTPS setups: Make `/etc/nginx/sites-available/gitlab-ssl` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-4-stable/lib/support/nginx/gitlab-ssl but with your setting
- HTTPS setups: Make `/etc/nginx/sites-available/gitlab-ssl` the same as https://gitlab.com/gitlab-org/gitlab-ce/blob/7-4-stable/lib/support/nginx/gitlab-ssl but with your setting.
#### MySQL Databases: Update database.yml config file
* Add `collation: utf8_general_ci` to `config/database.yml` as seen in [config/database.yml.mysql][mysql]:
- Add `collation: utf8_general_ci` to `config/database.yml` as seen in [config/database.yml.mysql][mysql]:
1. Install a compatible application. We recommend [Google Authenticator]
\(proprietary\) or [FreeOTP] \(open source\).
1. In the application, add a new entry in one of two ways:
* Scan the code with your phone's camera to add the entry automatically.
* Enter the details provided to add the entry manually.
- Scan the code with your phone's camera to add the entry automatically.
- Enter the details provided to add the entry manually.
**In GitLab:**
...
...
@@ -106,7 +106,7 @@ Enter the pin from your one time password authenticator's application or a recov
### Log in via U2F device
1. Click **Login via U2F Device**
1. Click **Login via U2F Device**.
1. A light will start blinking on your device. Activate it by pressing its button.
You will see a message indicating that your device responded to the authentication request.
...
...
@@ -135,9 +135,9 @@ authenticate with Git over HTTPS on the command line or when using
To disable two-factor authentication on your account (for example, if you
have lost your code generation device) you can:
*[Use a saved recovery code](#use-a-saved-recovery-code)
*[Generate new recovery codes using SSH](#generate-new-recovery-codes-using-ssh)
*[Ask a GitLab administrator to disable two-factor authentication on your account](#ask-a-gitlab-administrator-to-disable-two-factor-authentication-on-your-account)
-[Use a saved recovery code](#use-a-saved-recovery-code).
-[Generate new recovery codes using SSH](#generate-new-recovery-codes-using-ssh).
-[Ask a GitLab administrator to disable two-factor authentication on your account](#ask-a-gitlab-administrator-to-disable-two-factor-authentication-on-your-account).
@@ -10,10 +10,10 @@ In the _Recipients_ area, provide a list of emails separated by spaces or newlin
The following options are available:
+**Push events** - Email will be triggered when a push event is received
+**Tag push events** - Email will be triggered when a tag is created and pushed
+**Send from committer** - Send notifications from the committer's email address if the domain is part of the domain GitLab is running on (e.g. `user@gitlab.com`).
+**Disable code diffs** - Don't include possibly sensitive code diffs in notification body.
-**Push events** - Email will be triggered when a push event is received.
-**Tag push events** - Email will be triggered when a tag is created and pushed.
-**Send from committer** - Send notifications from the committer's email address if the domain is part of the domain GitLab is running on (e.g. `user@gitlab.com`).
-**Disable code diffs** - Don't include possibly sensitive code diffs in notification body.
@@ -46,10 +46,12 @@ project in Jira and then enter the correct values in GitLab.
### Configuring Jira
When connecting to **JIRA Server**, which supports basic authentication, a **username and password** are required. Check the link below and proceed to the next step:
*[Setting up an user in JIRA server](jira_server_configuration.md)
-[Setting up an user in JIRA server](jira_server_configuration.md)
When connecting to **JIRA Cloud**, which supports authentication via API token, an **email and API token**, are required. Check the link below and proceed to the next step:
*[Setting up an user in JIRA cloud](jira_cloud_configuration.md)
-[Setting up an user in JIRA cloud](jira_cloud_configuration.md)
### Configuring GitLab
...
...
@@ -114,11 +116,11 @@ USER mentioned this issue in RESOURCE_NAME of [PROJECT_NAME|LINK_TO_COMMENT]:
ENTITY_TITLE
```
*`USER` A user that mentioned the issue. This is the link to the user profile in GitLab.
*`LINK_TO_THE_COMMENT` Link to the origin of mention with a name of the entity where Jira issue was mentioned.
*`RESOURCE_NAME` Kind of resource which referenced the issue. Can be a commit or merge request.
*`PROJECT_NAME` GitLab project name.
*`ENTITY_TITLE` Merge request title or commit message first line.
-`USER` A user that mentioned the issue. This is the link to the user profile in GitLab.
-`LINK_TO_THE_COMMENT` Link to the origin of mention with a name of the entity where Jira issue was mentioned.
-`RESOURCE_NAME` Kind of resource which referenced the issue. Can be a commit or merge request.
-`PROJECT_NAME` GitLab project name.
-`ENTITY_TITLE` Merge request title or commit message first line.
![example of mentioning or closing the Jira issue](img/jira_issue_reference.png)
There are two ways to set up Prometheus integration, depending on where your apps are running:
* For deployments on Kubernetes, GitLab can automatically [deploy and manage Prometheus](#managed-prometheus-on-kubernetes)
* For other deployment targets, simply [specify the Prometheus server](#manual-configuration-of-prometheus).
- For deployments on Kubernetes, GitLab can automatically [deploy and manage Prometheus](#managed-prometheus-on-kubernetes).
- For other deployment targets, simply [specify the Prometheus server](#manual-configuration-of-prometheus).
Once enabled, GitLab will automatically detect metrics from known services in the [metric library](#monitoring-ci-cd-environments).
...
...
@@ -23,8 +24,8 @@ GitLab can seamlessly deploy and manage Prometheus on a [connected Kubernetes cl
#### Requirements
* A [connected Kubernetes cluster](../clusters/index.md)
* Helm Tiller [installed by GitLab](../clusters/index.md#installing-applications)
- A [connected Kubernetes cluster](../clusters/index.md)
- Helm Tiller [installed by GitLab](../clusters/index.md#installing-applications)
#### Getting started
...
...
@@ -42,9 +43,9 @@ Prometheus is deployed into the `gitlab-managed-apps` namespace, using the [offi
The Prometheus server will [automatically detect and monitor](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#%3Ckubernetes_sd_config%3E) nodes, pods, and endpoints. To configure a resource to be monitored by Prometheus, simply set the following [Kubernetes annotations](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/):
*`prometheus.io/scrape` to `true` to enable monitoring of the resource.
*`prometheus.io/port` to define the port of the metrics endpoint.
*`prometheus.io/path` to define the path of the metrics endpoint. Defaults to `/metrics`.
-`prometheus.io/scrape` to `true` to enable monitoring of the resource.
-`prometheus.io/port` to define the port of the metrics endpoint.
-`prometheus.io/path` to define the path of the metrics endpoint. Defaults to `/metrics`.
CPU and Memory consumption is monitored, but requires [naming conventions](prometheus_library/kubernetes.html#specifying-the-environment) in order to determine the environment. If you are using [Auto DevOps](../../../topics/autodevops/), this is handled automatically.
@@ -21,18 +21,20 @@ GitLab has support for automatically detecting and monitoring the Kubernetes NGI
If you have deployed NGINX Ingress using GitLab's [Kubernetes cluster integration](../../clusters/index.md#installing-applications), it will [automatically be monitored](#about-managed-nginx-ingress-deployments) by Prometheus.
For other deployments, there is [some configuration](#manually-setting-up-nginx-ingress-for-prometheus-monitoring) required depending on your installation:
* NGINX Ingress should be version 0.9.0 or above, with metrics enabled
* NGINX Ingress should be annotated for Prometheus monitoring
* Prometheus should be configured to monitor annotated pods
- NGINX Ingress should be version 0.9.0 or above, with metrics enabled
- NGINX Ingress should be annotated for Prometheus monitoring
- Prometheus should be configured to monitor annotated pods
### About managed NGINX Ingress deployments
NGINX Ingress is deployed into the `gitlab-managed-apps` namespace, using the [official Helm chart](https://github.com/kubernetes/charts/tree/master/stable/nginx-ingress). NGINX Ingress will be [externally reachable via the Load Balancer's IP](../../clusters/index.md#getting-the-external-ip-address).
NGINX is configured for Prometheus monitoring, by setting:
*`enable-vts-status: "true"`, to export Prometheus metrics
*`prometheus.io/scrape: "true"`, to enable automatic discovery
*`prometheus.io/port: "10254"`, to specify the metrics port
-`enable-vts-status: "true"`, to export Prometheus metrics
-`prometheus.io/scrape: "true"`, to enable automatic discovery
-`prometheus.io/port: "10254"`, to specify the metrics port
When used in conjunction with the GitLab deployed Prometheus service, response metrics will be automatically collected.
...
...
@@ -42,8 +44,8 @@ Version 0.9.0 and above of [NGINX ingress](https://github.com/kubernetes/ingress
Next, the ingress needs to be annotated for Prometheus monitoring. Two new annotations need to be added:
*`prometheus.io/scrape: "true"`
*`prometheus.io/port: "10254"`
-`prometheus.io/scrape: "true"`
-`prometheus.io/port: "10254"`
Managing these settings depends on how NGINX ingress has been deployed. If you have deployed via the [official Helm chart](https://github.com/kubernetes/charts/tree/master/stable/nginx-ingress), metrics can be enabled with `controller.stats.enabled` along with the required annotations. Alternatively it is possible edit the NGINX ingress YML directly in the [Kubernetes dashboard](https://github.com/kubernetes/dashboard).