@@ -40,7 +40,7 @@ The following is a high-level architecture overview of how Gitaly is used.
...
@@ -40,7 +40,7 @@ The following is a high-level architecture overview of how Gitaly is used.
## Configure Gitaly
## Configure Gitaly
The Gitaly service itself is configured via a [TOML configuration file](reference.md).
The Gitaly service itself is configured by using a [TOML configuration file](reference.md).
To change Gitaly settings:
To change Gitaly settings:
...
@@ -121,7 +121,7 @@ The following list depicts the network architecture of Gitaly:
...
@@ -121,7 +121,7 @@ The following list depicts the network architecture of Gitaly:
- GitLab Shell.
- GitLab Shell.
- Elasticsearch indexer.
- Elasticsearch indexer.
- Gitaly itself.
- Gitaly itself.
- A Gitaly server must be able to make RPC calls **to itself**via its own
- A Gitaly server must be able to make RPC calls **to itself**by uing its own
`(Gitaly address, Gitaly token)` pair as specified in `/config/gitlab.yml`.
`(Gitaly address, Gitaly token)` pair as specified in `/config/gitlab.yml`.
- Authentication is done through a static token which is shared among the Gitaly and GitLab Rails
- Authentication is done through a static token which is shared among the Gitaly and GitLab Rails
nodes.
nodes.
...
@@ -502,8 +502,8 @@ If it's excluded, default Git storage directory is used for that storage shard.
...
@@ -502,8 +502,8 @@ If it's excluded, default Git storage directory is used for that storage shard.
### Disable Gitaly where not required (optional)
### Disable Gitaly where not required (optional)
If you are running Gitaly [as a remote service](#run-gitaly-on-its-own-server), you may want to
If you run Gitaly [as a remote service](#run-gitaly-on-its-own-server), consider
disable the local Gitaly service that runs on your GitLab server by default and have it only running
disabling the local Gitaly service that runs on your GitLab server by default, and only run it
where required.
where required.
Disabling Gitaly on the GitLab instance only makes sense when you run GitLab in a custom cluster configuration, where
Disabling Gitaly on the GitLab instance only makes sense when you run GitLab in a custom cluster configuration, where
...
@@ -538,7 +538,7 @@ To disable Gitaly on a GitLab server:
...
@@ -538,7 +538,7 @@ To disable Gitaly on a GitLab server:
> - [Introduced](https://gitlab.com/gitlab-org/gitaly/-/issues/3160) in GitLab 13.6, outgoing TLS connections to GitLab provide client certificates if configured.
> - [Introduced](https://gitlab.com/gitlab-org/gitaly/-/issues/3160) in GitLab 13.6, outgoing TLS connections to GitLab provide client certificates if configured.
Gitaly supports TLS encryption. To communicate with a Gitaly instance that listens for secure
Gitaly supports TLS encryption. To communicate with a Gitaly instance that listens for secure
connections, you must use `tls://` URL scheme in the `gitaly_address` of the corresponding
connections, use the `tls://` URL scheme in the `gitaly_address` of the corresponding
storage entry in the GitLab configuration.
storage entry in the GitLab configuration.
Gitaly provides the same server certificates as client certificates in TLS
Gitaly provides the same server certificates as client certificates in TLS
...
@@ -935,12 +935,13 @@ Note that `enforced="true"` means that authentication is being enforced.
...
@@ -935,12 +935,13 @@ Note that `enforced="true"` means that authentication is being enforced.
## Direct Git access bypassing Gitaly
## Direct Git access bypassing Gitaly
While it is possible to access Gitaly repositories stored on disk directly with a Git client,
GitLab doesn't advise directly accessing Gitaly repositories stored on disk with
it is not advisable because Gitaly is being continuously improved and changed. Theses improvements may invalidate assumptions, resulting in performance degradation, instability, and even data loss.
a Git client, because Gitaly is being continuously improved and changed. These
improvements may invalidate assumptions, resulting in performance degradation, instability, and even data loss.
@@ -191,9 +189,11 @@ our AsciiDoc snippets, wikis, and repositories using delimited blocks:
...
@@ -191,9 +189,11 @@ our AsciiDoc snippets, wikis, and repositories using delimited blocks:
Alice -> Bob: hi
Alice -> Bob: hi
```
```
You can also use the `uml::` directive for compatibility with [`sphinxcontrib-plantuml`](https://pypi.org/project/sphinxcontrib-plantuml/), but please note that we currently only support the `caption` option.
You can also use the `uml::` directive for compatibility with
Workhorse doesn't let WebSocket requests through to non-WebSocket endpoints, so
Workhorse doesn't let WebSocket requests through to non-WebSocket endpoints, so
it's safe to enable support for these headers globally. If you'd rather had a
it's safe to enable support for these headers globally. If you prefer a
narrower set of rules, you can restrict it to URLs ending with `/terminal.ws`
narrower set of rules, you can restrict it to URLs ending with `/terminal.ws`.
(although this may still have a few false positives).
This approach may still result in a few false positives.
If you installed from source, or have made any configuration changes to your
If you installed from source, or have made any configuration changes to your
Omnibus installation before upgrading to 8.15, you may need to make some changes
Omnibus installation before upgrading to 8.15, you may need to make some changes
to your configuration. See the [Upgrading Community Edition and Enterprise
to your configuration. Read
Edition from source](../../update/upgrading_from_source.md#nginx-configuration)
[Upgrading Community Edition and Enterprise Edition from source](../../update/upgrading_from_source.md#nginx-configuration)
document for more details.
for more details.
If you'd like to disable web terminal support in GitLab, just stop passing
To disable web terminal support in GitLab, stop passing
the `Connection` and `Upgrade` hop-by-hop headers in the *first* HTTP reverse
the `Connection` and `Upgrade` hop-by-hop headers in the *first* HTTP reverse
proxy in the chain. For most users, this is the NGINX server bundled with
proxy in the chain. For most users, this is the NGINX server bundled with
Omnibus GitLab, in which case, you need to:
Omnibus GitLab, in which case, you need to:
...
@@ -104,4 +102,6 @@ they receive a `Connection failed` message.
...
@@ -104,4 +102,6 @@ they receive a `Connection failed` message.
> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/8413) in GitLab 8.17.
> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/8413) in GitLab 8.17.
Terminal sessions, by default, do not expire.
Terminal sessions, by default, do not expire.
You can limit terminal session lifetime in your GitLab instance. To do so, navigate to [**Admin Area > Settings > Web terminal**](../../user/admin_area/settings/index.md#general), and set a `max session time`.
You can limit terminal session lifetime in your GitLab instance. To do so,
go to [**Admin Area > Settings > Web terminal**](../../user/admin_area/settings/index.md#general),
| `remote_directory` | The bucket name where external diffs will be stored| |
| `remote_directory` | The bucket name where external diffs are stored| |
| `direct_upload` | Set to `true` to enable direct upload of external diffs without the need of local shared storage. Option may be removed once we decide to support only single storage for all files. | `false` |
| `direct_upload` | Set to `true` to enable direct upload of external diffs without the need of local shared storage. Option may be removed once we decide to support only single storage for all files. | `false` |
| `background_upload` | Set to `false` to disable automatic upload. Option may be removed once upload is direct to S3 | `true` |
| `background_upload` | Set to `false` to disable automatic upload. Option may be removed once upload is direct to S3 | `true` |
| `proxy_download` | Set to `true` to enable proxying all files served. Option allows to reduce egress traffic as this allows clients to download directly from remote storage instead of proxying all data | `false` |
| `proxy_download` | Set to `true` to enable proxying all files served. Option allows to reduce egress traffic as this allows clients to download directly from remote storage instead of proxying all data | `false` |
...
@@ -141,7 +141,7 @@ See [the available connection settings for different providers](object_storage.m
...
@@ -141,7 +141,7 @@ See [the available connection settings for different providers](object_storage.m
}
}
```
```
Note that, if you are using AWS IAM profiles, be sure to omit the
If you are using AWS IAM profiles, omit the
AWS access key and secret access key/value pairs. For example:
AWS access key and secret access key/value pairs. For example:
```ruby
```ruby
...
@@ -206,8 +206,8 @@ To enable this feature, perform the following steps:
...
@@ -206,8 +206,8 @@ To enable this feature, perform the following steps:
1. Save the file and [restart GitLab](restart_gitlab.md#installations-from-source) for the changes to take effect.
1. Save the file and [restart GitLab](restart_gitlab.md#installations-from-source) for the changes to take effect.
With this feature enabled, diffs will initially stored in the database, rather
With this feature enabled, diffs are initially stored in the database, rather
than externally. They will be moved to external storage once any of these
than externally. They are moved to external storage after any of these
conditions become true:
conditions become true:
- A newer version of the merge request diff exists
- A newer version of the merge request diff exists
...
@@ -233,7 +233,7 @@ and the exception for that error is of this form:
...
@@ -233,7 +233,7 @@ and the exception for that error is of this form:
Errno::ENOENT (No such file or directory @ rb_sysopen - /var/opt/gitlab/gitlab-rails/shared/external-diffs/merge_request_diffs/mr-6167082/diff-8199789)
Errno::ENOENT (No such file or directory @ rb_sysopen - /var/opt/gitlab/gitlab-rails/shared/external-diffs/merge_request_diffs/mr-6167082/diff-8199789)
```
```
Then you are affected by this issue. Since it's not possible to safely determine
Then you are affected by this issue. Because it's not possible to safely determine
all these conditions automatically, we've provided a Rake task in GitLab v13.2.0
all these conditions automatically, we've provided a Rake task in GitLab v13.2.0
In order for [backups](../raketasks/backup_restore.md) to work correctly, the storage path must **not** be a
For [backups](../raketasks/backup_restore.md) to work correctly, the storage path cannot be a
mount point and the GitLab user should have correct permissions for the parent
mount point, and the GitLab user must have correct permissions for the parent
directory of the path. In Omnibus GitLab this is taken care of automatically,
directory of the path. Omnibus GitLab takes care of these issues for you,
but for source installations you should be extra careful.
but for source installations you should be extra careful.
The thing is that for compatibility reasons `gitlab.yml` has a different
The thing is that for compatibility reasons `gitlab.yml` has a different
...
@@ -52,22 +52,26 @@ indicate `git_data_dirs`, which for the example above would be `/home/git`.
...
@@ -52,22 +52,26 @@ indicate `git_data_dirs`, which for the example above would be `/home/git`.
Then, Omnibus creates a `repositories` directory under that path to use with
Then, Omnibus creates a `repositories` directory under that path to use with
`gitlab.yml`.
`gitlab.yml`.
This little detail matters because while restoring a backup, the current
WARNING:
contents of `/home/git/repositories`[are moved to](https://gitlab.com/gitlab-org/gitlab/blob/033e5423a2594e08a7ebcd2379bd2331f4c39032/lib/backup/repository.rb#L54-56)`/home/git/repositories.old`,
This detail matters because while restoring a backup, the current
so if `/home/git/repositories` is the mount point, then `mv` would be moving
contents of `/home/git/repositories`
[are moved to](https://gitlab.com/gitlab-org/gitlab/blob/033e5423a2594e08a7ebcd2379bd2331f4c39032/lib/backup/repository.rb#L54-56)
`/home/git/repositories.old`.
If `/home/git/repositories` is the mount point, then `mv` would be moving
things between mount points, and bad things could happen. Ideally,
things between mount points, and bad things could happen. Ideally,
`/home/git` would be the mount point, so then things would be moving within the
`/home/git` would be the mount point, so things would remain inside the
same mount point. This is guaranteed with Omnibus installations (because they
same mount point. Omnibus installations guarantee this, because they
don't specify the full repository path but the parent path), but not for source
don't specify the full repository path but instead the parent path, but source
installations.
installations do not.
Now that you've read that big fat warning above, let's edit the configuration
Next, edit the configuration
files and add the full paths of the alternative repository storage paths. In
files, and add the full paths of the alternative repository storage paths. In
the example below, we add two more mount points that are named `nfs_1` and `nfs_2`
the example below, we add two more mount points that are named `nfs_1` and `nfs_2`
respectively.
respectively.
NOTE:
NOTE:
This example uses NFS. We do not recommend using EFS for storage as it may impact GitLab performance. See the [relevant documentation](nfs.md#avoid-using-awss-elastic-file-system-efs) for more details.
This example uses NFS. We do not recommend using EFS for storage as it may impact GitLab performance. Read
the [relevant documentation](nfs.md#avoid-using-awss-elastic-file-system-efs) for more details.
**For installations from source**
**For installations from source**
...
@@ -112,7 +116,7 @@ working, you can remove the `repos_path` line.
...
@@ -112,7 +116,7 @@ working, you can remove the `repos_path` line.
## Choose where new repositories are stored
## Choose where new repositories are stored
Once you set the multiple storage paths, you can choose where new repositories
After you set the multiple storage paths, you can choose where new repositories
are stored in the Admin Area under **Settings > Repository > Repository storage > Storage nodes for new repositories**.
are stored in the Admin Area under **Settings > Repository > Repository storage > Storage nodes for new repositories**.
Each storage can be assigned a weight from 0-100. When a new project is created, these
Each storage can be assigned a weight from 0-100. When a new project is created, these
@@ -18,24 +18,24 @@ abuse of the feature. The default value is **52428800 Bytes** (50 MB).
...
@@ -18,24 +18,24 @@ abuse of the feature. The default value is **52428800 Bytes** (50 MB).
### How does it work?
### How does it work?
The content size limit will be applied when a wiki page is created or updated
The content size limit is applied when a wiki page is created or updated
through the GitLab UI or API. Local changes pushed via Git will not be validated.
through the GitLab UI or API. Local changes pushed via Git are not validated.
In order not to break any existing wiki pages, the limit doesn't have any
To break any existing wiki pages, the limit doesn't take effect until a wiki page
effect on them until a wiki page is edited again and the content changes.
is edited again and the content changes.
### Wiki page content size limit configuration
### Wiki page content size limit configuration
This setting is not available through the [Admin Area settings](../../user/admin_area/settings/index.md).
This setting is not available through the [Admin Area settings](../../user/admin_area/settings/index.md).
In order to configure this setting, use either the Rails console
To configure this setting, use either the Rails console
or the [Application settings API](../../api/settings.md).
or the [Application settings API](../../api/settings.md).
NOTE:
NOTE:
The value of the limit **must** be in bytes. The minimum value is 1024 bytes.
The value of the limit must be in bytes. The minimum value is 1024 bytes.
#### Through the Rails console
#### Through the Rails console
The steps to configure this setting through the Rails console are:
To configure this setting through the Rails console:
1. Start the Rails console:
1. Start the Rails console:
...
@@ -61,14 +61,14 @@ To retrieve the current value, start the Rails console and run:
...
@@ -61,14 +61,14 @@ To retrieve the current value, start the Rails console and run:
#### Through the API
#### Through the API
The process to set the wiki page size limit through the Application Settings API is
To set the wiki page size limit through the Application Settings API, use a command,
exactly the same as you would do to [update any other setting](../../api/settings.md#change-application-settings).
as you would to [update any other setting](../../api/settings.md#change-application-settings):
```shell
```shell
curl --request PUT --header"PRIVATE-TOKEN: <your_access_token>""https://gitlab.example.com/api/v4/application/settings?wiki_page_max_content_bytes=52428800"
curl --request PUT --header"PRIVATE-TOKEN: <your_access_token>""https://gitlab.example.com/api/v4/application/settings?wiki_page_max_content_bytes=52428800"
```
```
You can also use the API to [retrieve the current value](../../api/settings.md#get-current-application-settings).
You can also use the API to [retrieve the current value](../../api/settings.md#get-current-application-settings):
@@ -6,9 +6,9 @@ info: To determine the technical writer assigned to the Stage/Group associated w
...
@@ -6,9 +6,9 @@ info: To determine the technical writer assigned to the Stage/Group associated w
# Integrate your GitLab instance with GitHub
# Integrate your GitLab instance with GitHub
You can integrate your GitLab instance with GitHub.com and GitHub Enterprise to
You can integrate your GitLab instance with GitHub.com and GitHub Enterprise. This integration
enable users to import projects from GitHub or sign in to your GitLab instance
enables users to import projects from GitHub, or sign in to your GitLab instance
with your GitHub account.
with their GitHub account.
## Enabling GitHub OAuth
## Enabling GitHub OAuth
...
@@ -24,7 +24,7 @@ To prevent an [OAuth2 covert redirect](https://oauth.net/advisories/2014-1-cover
...
@@ -24,7 +24,7 @@ To prevent an [OAuth2 covert redirect](https://oauth.net/advisories/2014-1-cover
See [Initial OmniAuth Configuration](omniauth.md#initial-omniauth-configuration) for initial settings.
See [Initial OmniAuth Configuration](omniauth.md#initial-omniauth-configuration) for initial settings.
After you have configured the GitHub provider, you need the following information, which you must substitute in the GitLab configuration file, in the steps shown next.
After you have configured the GitHub provider, you need the following information. You must substitute that information in the GitLab configuration file in these next steps.
| Setting from GitHub | Substitute in the GitLab configuration file | Description |
| Setting from GitHub | Substitute in the GitLab configuration file | Description |
(order of hundred emails a day minimum to Gmail) for a few weeks at least".
(order of hundred emails a day minimum to Gmail) for a few weeks at least".
- Have a very low rate of spam complaints from users.
- Have a very low rate of spam complaints from users.
- Emails must be authenticated via DKIM or SPF.
- Emails must be authenticated via DKIM or SPF.
- Before sending the final form ("Gmail Schema Whitelist Request"), you must send a real email from your production server. This means that you must find a way to send this email from the email address you are registering. You can do this by, for example, forwarding the real email from the email address you are registering or going into the rails console on the GitLab server and triggering the email sending from there.
- Before sending the final form ("Gmail Schema Whitelist Request"), you must
send a real email from your production server. This means that you must find
a way to send this email from the email address you are registering. You can
do this by forwarding the real email from the email address you are
registering. You can also go into the Rails console on the GitLab server and
trigger sending the email from there.
You can check how it looks going through all the steps laid out in the "Registering with Google" doc in [this GitLab.com issue](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/1517).
You can check how it looks going through all the steps laid out in the "Registering with Google" doc in [this GitLab.com issue](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/1517).
@@ -64,7 +64,7 @@ Grant a GitLab user access to the select GitLab projects.
...
@@ -64,7 +64,7 @@ Grant a GitLab user access to the select GitLab projects.
1. Grant the user permission to the GitLab projects.
1. Grant the user permission to the GitLab projects.
If you're integrating Jenkins with many GitLab projects, consider granting the user global
If you're integrating Jenkins with many GitLab projects, consider granting the user global
Admin permission. Otherwise, add the user to each project, and grant Developer permission.
Administrator permission. Otherwise, add the user to each project, and grant Developer permission.
## Configure GitLab API access
## Configure GitLab API access
...
@@ -166,7 +166,7 @@ to integrate GitLab and Jenkins.
...
@@ -166,7 +166,7 @@ to integrate GitLab and Jenkins.
1. In the configuration of your Jenkins job, in the GitLab configuration section, click **Advanced**.
1. In the configuration of your Jenkins job, in the GitLab configuration section, click **Advanced**.
1. Click the **Generate** button under the **Secret Token** field.
1. Click the **Generate** button under the **Secret Token** field.
1. Copy the resulting token, and save the job configuration.
1. Copy the resulting token, and save the job configuration.
1. In GitLab, create a webhook for your project, enter the trigger URL (e.g.`https://JENKINS_URL/project/YOUR_JOB`) and paste the token in the **Secret Token** field.
1. In GitLab, create a webhook for your project, enter the trigger URL (such as`https://JENKINS_URL/project/YOUR_JOB`) and paste the token in the **Secret Token** field.
1. After you add the webhook, click the **Test** button, and it should succeed.
1. After you add the webhook, click the **Test** button, and it should succeed.
## Troubleshooting
## Troubleshooting
...
@@ -205,8 +205,8 @@ which is set to 10 seconds by default.
...
@@ -205,8 +205,8 @@ which is set to 10 seconds by default.
To fix this the `gitlab_rails['webhook_timeout']` value must be increased
To fix this the `gitlab_rails['webhook_timeout']` value must be increased
in the `gitlab.rb` configuration file, followed by the [`gitlab-ctl reconfigure` command](../administration/restart_gitlab.md).
in the `gitlab.rb` configuration file, followed by the [`gitlab-ctl reconfigure` command](../administration/restart_gitlab.md).
If you don't find the errors above, but do find *duplicate* entries like below (in `/var/log/gitlab/gitlab-rail`), this
If you don't find the errors above, but do find *duplicate* entries like below (in `/var/log/gitlab/gitlab-rail`),
could also indicate that [webhook requests are timing out](../user/project/integrations/webhooks.md#webhook-fails-or-multiple-webhook-requests-are-triggered):
[webhook requests may be timing out](../user/project/integrations/webhooks.md#webhook-fails-or-multiple-webhook-requests-are-triggered):
@@ -9,7 +9,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
...
@@ -9,7 +9,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/2381) in [GitLab Premium](https://about.gitlab.com/pricing/) 10.0.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/2381) in [GitLab Premium](https://about.gitlab.com/pricing/) 10.0.
> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/233149) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.4.
> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/233149) to [GitLab Core](https://about.gitlab.com/pricing/) in 13.4.
The Jira Development Panel integration allows you to reference Jira issues within GitLab, displaying
The Jira Development Panel integration allows you to reference Jira issues in GitLab, displaying
activity in the [Development panel](https://support.atlassian.com/jira-software-cloud/docs/view-development-information-for-an-issue/)
activity in the [Development panel](https://support.atlassian.com/jira-software-cloud/docs/view-development-information-for-an-issue/)
in the issue.
in the issue.
...
@@ -35,7 +35,7 @@ See the [Configuration](#configuration) section for details.
...
@@ -35,7 +35,7 @@ See the [Configuration](#configuration) section for details.
With this integration, you can access related GitLab merge requests, branches, and commits directly from a Jira issue, reflecting your work in GitLab. From the Development panel, you can open a detailed view and take actions including creating a new merge request from a branch. For more information, see [Usage](#usage).
With this integration, you can access related GitLab merge requests, branches, and commits directly from a Jira issue, reflecting your work in GitLab. From the Development panel, you can open a detailed view and take actions including creating a new merge request from a branch. For more information, see [Usage](#usage).
This integration connects all GitLab projects to projects in the Jira instance within either:
This integration connects all GitLab projects to projects in the Jira instance in either:
- A top-level group. A top-level GitLab group is one that does not have any parent group itself. All
- A top-level group. A top-level GitLab group is one that does not have any parent group itself. All
the projects of that top-level group, as well as projects of the top-level group's subgroups nesting
the projects of that top-level group, as well as projects of the top-level group's subgroups nesting
...
@@ -211,7 +211,7 @@ The requested scope is invalid, unknown, or malformed.
...
@@ -211,7 +211,7 @@ The requested scope is invalid, unknown, or malformed.
Potential resolutions:
Potential resolutions:
- Verify the URL shown in the browser after being redirected from Jira in step 5 of [Jira DVCS Connector Setup](#jira-dvcs-connector-setup) includes `scope=api`within the query string.
- Verify the URL shown in the browser after being redirected from Jira in step 5 of [Jira DVCS Connector Setup](#jira-dvcs-connector-setup) includes `scope=api` in the query string.
- If `scope=api` is missing from the URL, return to [GitLab account configuration](#gitlab-account-configuration-for-dvcs) and ensure the application you created in step 1 has the `api` box checked under scopes.
- If `scope=api` is missing from the URL, return to [GitLab account configuration](#gitlab-account-configuration-for-dvcs) and ensure the application you created in step 1 has the `api` box checked under scopes.
##### Jira error adding account and no repositories listed
##### Jira error adding account and no repositories listed
...
@@ -314,6 +314,6 @@ For more information on using Jira Smart Commits to track time against an issue,
...
@@ -314,6 +314,6 @@ For more information on using Jira Smart Commits to track time against an issue,
## Limitations
## Limitations
This integration is currently not supported on GitLab instances under a
This integration is not supported on GitLab instances under a
You're also able to mark an application as _trusted_ when creating it through the Admin Area. By doing that,
You're also able to mark an application as _trusted_ when creating it through the Admin Area. By doing that,
the user authorization step is automatically skipped for this application.
the user authorization step is automatically skipped for this application.
...
@@ -88,9 +87,9 @@ application can perform. The available scopes are depicted in the following tabl
...
@@ -88,9 +87,9 @@ application can perform. The available scopes are depicted in the following tabl
| `write_repository` | Grants read-write access to repositories on private projects using Git-over-HTTP (not using the API). |
| `write_repository` | Grants read-write access to repositories on private projects using Git-over-HTTP (not using the API). |
| `read_registry` | Grants read-only access to container registry images on private projects. |
| `read_registry` | Grants read-only access to container registry images on private projects. |
| `write_registry` | Grants read-only access to container registry images on private projects. |
| `write_registry` | Grants read-only access to container registry images on private projects. |
| `sudo` | Grants permission to perform API actions as any user in the system, when authenticated as an admin user. |
| `sudo` | Grants permission to perform API actions as any user in the system, when authenticated as an administrator user. |
| `openid` | Grants permission to authenticate with GitLab using [OpenID Connect](openid_connect_provider.md). Also gives read-only access to the user's profile and group memberships. |
| `openid` | Grants permission to authenticate with GitLab using [OpenID Connect](openid_connect_provider.md). Also gives read-only access to the user's profile and group memberships. |
| `profile` | Grants read-only access to the user's profile data using [OpenID Connect](openid_connect_provider.md). |
| `profile` | Grants read-only access to the user's profile data using [OpenID Connect](openid_connect_provider.md). |
| `email` | Grants read-only access to the user's primary email address using [OpenID Connect](openid_connect_provider.md). |
| `email` | Grants read-only access to the user's primary email address using [OpenID Connect](openid_connect_provider.md). |
At any time you can revoke any access by just clicking **Revoke**.
At any time you can revoke any access by clicking **Revoke**.
@@ -55,7 +55,7 @@ earlier version, you must explicitly enable it.
...
@@ -55,7 +55,7 @@ earlier version, you must explicitly enable it.
-`allow_single_sign_on` allows you to specify the providers you want to allow to
-`allow_single_sign_on` allows you to specify the providers you want to allow to
automatically create an account. It defaults to `false`. If `false` users must
automatically create an account. It defaults to `false`. If `false` users must
be created manually or they can't sign in via OmniAuth.
be created manually or they can't sign in by using OmniAuth.
-`auto_link_ldap_user` can be used if you have [LDAP / ActiveDirectory](../administration/auth/ldap/index.md)
-`auto_link_ldap_user` can be used if you have [LDAP / ActiveDirectory](../administration/auth/ldap/index.md)
integration enabled. It defaults to `false`. When enabled, users automatically
integration enabled. It defaults to `false`. When enabled, users automatically
created through an OmniAuth provider have their LDAP identity created in GitLab as well.
created through an OmniAuth provider have their LDAP identity created in GitLab as well.
...
@@ -66,7 +66,7 @@ earlier version, you must explicitly enable it.
...
@@ -66,7 +66,7 @@ earlier version, you must explicitly enable it.
NOTE:
NOTE:
If you set `block_auto_created_users` to `false`, make sure to only
If you set `block_auto_created_users` to `false`, make sure to only
define providers under `allow_single_sign_on` that you are able to control, like
define providers under `allow_single_sign_on` that you are able to control, like
SAML, Shibboleth, Crowd or Google, or set it to `false` otherwise any user on
SAML, Shibboleth, Crowd, or Google, or set it to `false` otherwise any user on
the Internet can successfully sign in to your GitLab without
the Internet can successfully sign in to your GitLab without
administrative approval.
administrative approval.
...
@@ -170,8 +170,8 @@ omniauth:
...
@@ -170,8 +170,8 @@ omniauth:
> Introduced in GitLab 8.7.
> Introduced in GitLab 8.7.
You can define which OmniAuth providers you want to be `external` so that all users
You can define which OmniAuth providers you want to be `external`. Users
**creating accounts, or logging in via these providers** can't have
creating accounts, or logging in by using these `external` providers cannot have
access to internal projects. You must use the full name of the provider,
access to internal projects. You must use the full name of the provider,
like `google_oauth2` for Google. Refer to the examples for the full names of the
like `google_oauth2` for Google. Refer to the examples for the full names of the
supported providers.
supported providers.
...
@@ -200,9 +200,9 @@ NOTE:
...
@@ -200,9 +200,9 @@ NOTE:
The following information only applies for installations from source.
The following information only applies for installations from source.
GitLab uses [OmniAuth](https://github.com/omniauth/omniauth) for authentication and already ships
GitLab uses [OmniAuth](https://github.com/omniauth/omniauth) for authentication and already ships
with a few providers pre-installed (e.g. LDAP, GitHub, Twitter). But sometimes that
with a few providers pre-installed, such as LDAP, GitHub, and Twitter. You may also
is not enough and you need to integrate with other authentication solutions. For
need to integrate with other authentication solutions. For
these cases you can use the OmniAuth provider.
these cases, you can use the OmniAuth provider.
### Steps
### Steps
...
@@ -251,10 +251,10 @@ we'd like to at least help those with specific needs.
...
@@ -251,10 +251,10 @@ we'd like to at least help those with specific needs.
> Introduced in GitLab 8.8.
> Introduced in GitLab 8.8.
Administrators are able to enable or disable Sign In via some OmniAuth providers.
Administrators are able to enable or disable Sign In by using some OmniAuth providers.
NOTE:
NOTE:
By default Sign In is enabled via all the OAuth Providers that have been configured in `config/gitlab.yml`.
By default Sign In is enabled by using all the OAuth Providers that have been configured in `config/gitlab.yml`.
In order to enable/disable an OmniAuth provider, go to Admin Area -> Settings -> Sign-in Restrictions section -> Enabled OAuth Sign-In sources and select the providers you want to enable or disable.
In order to enable/disable an OmniAuth provider, go to Admin Area -> Settings -> Sign-in Restrictions section -> Enabled OAuth Sign-In sources and select the providers you want to enable or disable.
...
@@ -345,7 +345,7 @@ omniauth:
...
@@ -345,7 +345,7 @@ omniauth:
Keep in mind that every sign-in attempt is redirected to the OmniAuth
Keep in mind that every sign-in attempt is redirected to the OmniAuth
provider; you can't sign in using local credentials. Ensure at least
provider; you can't sign in using local credentials. Ensure at least
one of the OmniAuth users has admin permissions.
one of the OmniAuth users has administrator permissions.
You may also bypass the auto sign in feature by browsing to
You may also bypass the auto sign in feature by browsing to
@@ -86,4 +86,6 @@ Click the icon to begin the authentication process. Salesforce asks the user to
...
@@ -86,4 +86,6 @@ Click the icon to begin the authentication process. Salesforce asks the user to
If everything goes well, the user is returned to GitLab and is signed in.
If everything goes well, the user is returned to GitLab and is signed in.
NOTE:
NOTE:
GitLab requires the email address of each new user. Once the user is logged in using Salesforce, GitLab redirects the user to the profile page where they must provide the email and verify the email.
GitLab requires the email address of each new user. After the user is signed in
using Salesforce, GitLab redirects the user to the profile page where they must
The preferred approach for integrating a Shibboleth authentication system
The preferred approach for integrating a Shibboleth authentication system
with GitLab 10 or newer is to use the [GitLab SAML integration](saml.md). This documentation is for Omnibus GitLab 9.x installs or older.
with GitLab 10 or newer is to use the [GitLab SAML integration](saml.md). This documentation is for Omnibus GitLab 9.x installs or older.
In order to enable Shibboleth support in GitLab we need to use Apache instead of NGINX (It may be possible to use NGINX, however this is difficult to configure using the bundled NGINX provided in the Omnibus GitLab package). Apache uses mod_shib2 module for Shibboleth authentication and can pass attributes as headers to OmniAuth Shibboleth provider.
To enable Shibboleth support in GitLab we need to use Apache instead of NGINX. (It may be possible to use NGINX, however this is difficult to configure using the bundled NGINX provided in the Omnibus GitLab package.) Apache uses `mod_shib2` module for Shibboleth authentication and can pass attributes as headers to OmniAuth Shibboleth provider.
To enable the Shibboleth OmniAuth provider you must configure Apache Shibboleth module.
To enable the Shibboleth OmniAuth provider you must configure Apache Shibboleth module.
The installation and configuration of the module itself is out of the scope of this document.
The installation and configuration of the module itself is out of the scope of this document.
Check <https://wiki.shibboleth.net/confluence/display/SP3/Apache> for more information.
Check [the Shibboleth documentation](https://wiki.shibboleth.net/confluence/display/SP3/Apache) for more information.
You can find Apache configuration in [GitLab Recipes](https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/web-server/apache).
You can find Apache configuration in [GitLab Recipes](https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/web-server/apache).
The following changes are needed to enable Shibboleth:
The following changes are needed to enable Shibboleth:
1. Protect OmniAuth Shibboleth callback URL:
1. Protect the OmniAuth Shibboleth callback URL:
```apache
```apache
<Location /users/auth/shibboleth/callback>
<Location /users/auth/shibboleth/callback>
...
@@ -53,7 +53,7 @@ The following changes are needed to enable Shibboleth:
...
@@ -53,7 +53,7 @@ The following changes are needed to enable Shibboleth:
```
```
NOTE:
NOTE:
Starting from GitLab 11.4, OmniAuth is enabled by default. If you're using an
In GitLab versions 11.4 and later, OmniAuth is enabled by default. If you're using an
earlier version, you must explicitly enable it in `/etc/gitlab/gitlab.rb`.
earlier version, you must explicitly enable it in `/etc/gitlab/gitlab.rb`.
1. In addition, add Shibboleth to `/etc/gitlab/gitlab.rb` as an OmniAuth provider.
1. In addition, add Shibboleth to `/etc/gitlab/gitlab.rb` as an OmniAuth provider.
...
@@ -100,7 +100,7 @@ The following changes are needed to enable Shibboleth:
...
@@ -100,7 +100,7 @@ The following changes are needed to enable Shibboleth:
1.[Reconfigure](../administration/restart_gitlab.md#omnibus-gitlab-reconfigure) or [restart](../administration/restart_gitlab.md#installations-from-source) GitLab for the changes to take effect if you
1.[Reconfigure](../administration/restart_gitlab.md#omnibus-gitlab-reconfigure) or [restart](../administration/restart_gitlab.md#installations-from-source) GitLab for the changes to take effect if you
installed GitLab via Omnibus or from source respectively.
installed GitLab via Omnibus or from source respectively.
On the sign in page, there should now be a "Sign in with: Shibboleth" icon below the regular sign in form. Click the icon to begin the authentication process. You are redirected to IdP server (depends on your Shibboleth module configuration). If everything goes well the user is returned to GitLab and is signed in.
On the sign in page, there should now be a **Sign in with: Shibboleth** icon below the regular sign in form. Click the icon to begin the authentication process. You are redirected to IdP server (depends on your Shibboleth module configuration). If everything goes well the user is returned to GitLab and is signed in.
@@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
...
@@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
> The `run` command was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/4466) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.6. [Moved](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/24780) to [GitLab Core](https://about.gitlab.com/pricing/) in 11.9.
> The `run` command was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/4466) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 10.6. [Moved](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/24780) to [GitLab Core](https://about.gitlab.com/pricing/) in 11.9.
Slash commands in Mattermost and Slack allow you to control GitLab and view GitLab content right inside your chat client, without having to leave it. For Slack, this requires an [integration configuration](../user/project/integrations/slack_slash_commands.md). Simply type the command as a message in your chat client to activate it.
Slash commands in Mattermost and Slack allow you to control GitLab and view GitLab content right inside your chat client, without having to leave it. For Slack, this requires an [integration configuration](../user/project/integrations/slack_slash_commands.md). Type the command as a message in your chat client to activate it.
Commands are scoped to a project, with a trigger term that is specified during configuration.
Commands are scoped to a project, with a trigger term that is specified during configuration.
...
@@ -28,8 +28,8 @@ Taking the trigger term as `project-name`, the commands are:
...
@@ -28,8 +28,8 @@ Taking the trigger term as `project-name`, the commands are:
| `/project-name deploy <from> to <to>` | Deploy from the `<from>` environment to the `<to>` environment |
| `/project-name deploy <from> to <to>` | Deploy from the `<from>` environment to the `<to>` environment |
| `/project-name run <job name> <arguments>` | Execute [ChatOps](../ci/chatops/README.md) job `<job name>` on `master` |
| `/project-name run <job name> <arguments>` | Execute [ChatOps](../ci/chatops/README.md) job `<job name>` on `master` |
Note that if you are using the [GitLab Slack application](../user/project/integrations/gitlab_slack_application.md) for
If you are using the [GitLab Slack application](../user/project/integrations/gitlab_slack_application.md) for
your GitLab.com projects, you need to [add the `gitlab` keyword at the beginning of the command](../user/project/integrations/gitlab_slack_application.md#usage).
your GitLab.com projects, [add the `gitlab` keyword at the beginning of the command](../user/project/integrations/gitlab_slack_application.md#usage).
If you are new to Sourcegraph, head over to the [Sourcegraph installation documentation](https://docs.sourcegraph.com/admin) and get your instance up and running.
If you are new to Sourcegraph, head over to the [Sourcegraph installation documentation](https://docs.sourcegraph.com/admin) and get your instance up and running.
If you are using an HTTPS connection to GitLab, you will need to[configure HTTPS](https://docs.sourcegraph.com/admin/http_https_configuration) for your Sourcegraph instance.
If you are using an HTTPS connection to GitLab, you must[configure HTTPS](https://docs.sourcegraph.com/admin/http_https_configuration) for your Sourcegraph instance.
### Connect your Sourcegraph instance to your GitLab instance
### Connect your Sourcegraph instance to your GitLab instance
...
@@ -79,9 +79,9 @@ You can skip this step if you already have your GitLab repositories searchable i
...
@@ -79,9 +79,9 @@ You can skip this step if you already have your GitLab repositories searchable i
1. In GitLab, go to **Admin Area > Settings > General**.
1. In GitLab, go to **Admin Area > Settings > General**.
1. Expand the **Sourcegraph** configuration section.
1. Expand the **Sourcegraph** configuration section.
1. Check **Enable Sourcegraph**.
1. Check **Enable Sourcegraph**.
1. Set the Sourcegraph URL to your Sourcegraph instance, e.g.,`https://sourcegraph.example.com`.
1. Set the Sourcegraph URL to your Sourcegraph instance, such as`https://sourcegraph.example.com`.
@@ -95,7 +95,7 @@ If a GitLab administrator has enabled Sourcegraph, you can enable this feature i
...
@@ -95,7 +95,7 @@ If a GitLab administrator has enabled Sourcegraph, you can enable this feature i
## Using Sourcegraph code intelligence
## Using Sourcegraph code intelligence
Once enabled, participating projects will have a code intelligence popover available in
Once enabled, participating projects display a code intelligence popover available in
the following code views:
the following code views:
- Merge request diffs
- Merge request diffs
...
@@ -114,7 +114,7 @@ When visiting one of these views, you can now hover over a code reference to see
...
@@ -114,7 +114,7 @@ When visiting one of these views, you can now hover over a code reference to see
Sourcegraph powered code intelligence is available for all public projects on GitLab.com.
Sourcegraph powered code intelligence is available for all public projects on GitLab.com.
Support for private projects is currently not available for GitLab.com;
Support for private projects is not yet available for GitLab.com;
follow the epic [&2201](https://gitlab.com/groups/gitlab-org/-/epics/2201)
follow the epic [&2201](https://gitlab.com/groups/gitlab-org/-/epics/2201)
for updates.
for updates.
...
@@ -122,7 +122,7 @@ for updates.
...
@@ -122,7 +122,7 @@ for updates.
### Sourcegraph isn't working
### Sourcegraph isn't working
If you enabled Sourcegraph for your project but still it doesn't look like it's working, it might be because Sourcegraph has not indexed the project yet. You can check for Sourcegraph's availability of your project by visiting `https://sourcegraph.com/gitlab.com/<project-path>`replacing `<project-path>` with the path to your GitLab project.
If you enabled Sourcegraph for your project but it isn't working, Sourcegraph may not have indexed the project yet. You can check for Sourcegraph's availability of your project by visiting `https://sourcegraph.com/gitlab.com/<project-path>`replacing `<project-path>` with the path to your GitLab project.
## Sourcegraph and Privacy
## Sourcegraph and Privacy
...
@@ -130,5 +130,5 @@ From Sourcegraph's [extension documentation](https://docs.sourcegraph.com/integr
...
@@ -130,5 +130,5 @@ From Sourcegraph's [extension documentation](https://docs.sourcegraph.com/integr
engine behind the native GitLab integration:
engine behind the native GitLab integration:
> Sourcegraph integrations never send any logs, pings, usage statistics, or telemetry to Sourcegraph.com.
> Sourcegraph integrations never send any logs, pings, usage statistics, or telemetry to Sourcegraph.com.
> They will only connect to Sourcegraph.com as required to provide code intelligence or other functionality on public code.
> They connect only to Sourcegraph.com as required to provide code intelligence or other functionality on public code.
> As a result, no private code, private repository names, usernames, or any other specific data is sent to Sourcegraph.com.
> As a result, no private code, private repository names, usernames, or any other specific data is sent to Sourcegraph.com.
