From 57007c0e6462c5ad9ac8362ea0f46d46b9d12056 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Wed, 19 Jan 2022 03:14:09 +0000 Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master --- .gitlab/ci/docs.gitlab-ci.yml | 4 +- app/models/concerns/has_wiki.rb | 2 +- app/models/group.rb | 4 +- app/models/project.rb | 6 +- .../copy_design_collection/copy_service.rb | 2 +- doc/administration/gitaly/configure_gitaly.md | 6 ++ doc/administration/gitaly/praefect.md | 16 ++--- doc/development/gitaly.md | 11 ++- .../group/settings/group_access_tokens.md | 7 +- .../project/settings/project_access_tokens.md | 72 ------------------- scripts/lint-doc.sh | 2 +- spec/factories/wikis.rb | 2 +- spec/models/group_spec.rb | 10 +-- spec/models/project_spec.rb | 8 +-- .../shared/wikis/_sidebar.html.haml_spec.rb | 2 +- 15 files changed, 46 insertions(+), 108 deletions(-) diff --git a/.gitlab/ci/docs.gitlab-ci.yml b/.gitlab/ci/docs.gitlab-ci.yml index 553cb8ed07d..c439e9a7c80 100644 --- a/.gitlab/ci/docs.gitlab-ci.yml +++ b/.gitlab/ci/docs.gitlab-ci.yml @@ -44,7 +44,7 @@ docs-lint markdown: - .default-retry - .docs:rules:docs-lint # When updating the image version here, update it in /scripts/lint-doc.sh too. - image: registry.gitlab.com/gitlab-org/gitlab-docs/lint-markdown:alpine-3.14-vale-2.12.0-markdownlint-0.29.0 + image: registry.gitlab.com/gitlab-org/gitlab-docs/lint-markdown:alpine-3.15-vale-2.14.0-markdownlint-0.30.0 stage: lint needs: [] script: @@ -53,7 +53,7 @@ docs-lint markdown: docs-lint links: extends: - .docs:rules:docs-lint - image: registry.gitlab.com/gitlab-org/gitlab-docs/lint-html:alpine-3.14-ruby-2.7.5-08847baa + image: registry.gitlab.com/gitlab-org/gitlab-docs/lint-html:alpine-3.15-ruby-2.7.5-cee62c13 stage: lint needs: [] script: diff --git a/app/models/concerns/has_wiki.rb b/app/models/concerns/has_wiki.rb index df7bbe4dc08..89bcabafb84 100644 --- a/app/models/concerns/has_wiki.rb +++ b/app/models/concerns/has_wiki.rb @@ -17,7 +17,7 @@ module HasWiki def wiki strong_memoize(:wiki) do - Wiki.for_container(self, self.default_owner) + Wiki.for_container(self, self.first_owner) end end diff --git a/app/models/group.rb b/app/models/group.rb index 4e675d3eb8a..9387b581af5 100644 --- a/app/models/group.rb +++ b/app/models/group.rb @@ -725,8 +725,8 @@ class Group < Namespace end end - def default_owner - owners.first || parent&.default_owner || owner + def first_owner + owners.first || parent&.first_owner || owner end def default_branch_name diff --git a/app/models/project.rb b/app/models/project.rb index 5aa4b4d9968..3d6363c3b0f 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -1514,11 +1514,11 @@ class Project < ApplicationRecord group || namespace.try(:owner) end - def default_owner + def first_owner obj = owner - if obj.respond_to?(:default_owner) - obj.default_owner + if obj.respond_to?(:first_owner) + obj.first_owner else obj end diff --git a/app/services/design_management/copy_design_collection/copy_service.rb b/app/services/design_management/copy_design_collection/copy_service.rb index 5e557e9ea53..886077191ab 100644 --- a/app/services/design_management/copy_design_collection/copy_service.rb +++ b/app/services/design_management/copy_design_collection/copy_service.rb @@ -16,7 +16,7 @@ module DesignManagement @temporary_branch = "CopyDesignCollectionService_#{SecureRandom.hex}" # The user who triggered the copy may not have permissions to push # to the design repository. - @git_user = @target_project.default_owner + @git_user = @target_project.first_owner @designs = DesignManagement::Design.unscoped.where(issue: issue).order(:id).load @versions = DesignManagement::Version.unscoped.where(issue: issue).order(:id).includes(:designs).load diff --git a/doc/administration/gitaly/configure_gitaly.md b/doc/administration/gitaly/configure_gitaly.md index d49a0f99595..a0c959d5de9 100644 --- a/doc/administration/gitaly/configure_gitaly.md +++ b/doc/administration/gitaly/configure_gitaly.md @@ -565,6 +565,12 @@ Note the following: - You can configure Gitaly servers with both an unencrypted listening address `listen_addr` and an encrypted listening address `tls_listen_addr` at the same time. This allows you to gradually transition from unencrypted to encrypted traffic if necessary. +- When running Praefect sub-commands such as `dial-nodes` and `list-untracked-repositories` from the command line with Gitaly TLS enabled, you must set + the `SSL_CERT_DIR` or `SSL_CERT_FILE` environment variable so that the Gitaly certificate is trusted. For example: + + ```shell + sudo SSL_CERT_DIR=/etc/gitlab/trusted_certs /opt/gitlab/embedded/bin/praefect -config /var/opt/gitlab/praefect/config.toml dial-nodes + ``` To configure Gitaly with TLS: diff --git a/doc/administration/gitaly/praefect.md b/doc/administration/gitaly/praefect.md index c66ba68aec3..e2db30b8358 100644 --- a/doc/administration/gitaly/praefect.md +++ b/doc/administration/gitaly/praefect.md @@ -408,7 +408,7 @@ On the **Praefect** node: # Enable only the Praefect service praefect['enable'] = true - # Prevent database connections during 'gitlab-ctl reconfigure' + # Disable database migrations to prevent database connections during 'gitlab-ctl reconfigure' gitlab_rails['auto_migrate'] = false praefect['auto_migrate'] = false ``` @@ -531,7 +531,7 @@ On the **Praefect** node: 1. For: - The "deploy node": - 1. Enable Praefect auto-migration again by setting `praefect['auto_migrate'] = true` in + 1. Enable Praefect database auto-migration again by setting `praefect['auto_migrate'] = true` in `/etc/gitlab/gitlab.rb`. 1. To ensure database migrations are only run during reconfigure and not automatically on upgrade, run: @@ -767,7 +767,7 @@ For more information on Gitaly server configuration, see our # Enable Prometheus if needed prometheus['enable'] = true - # Prevent database connections during 'gitlab-ctl reconfigure' + # Disable database migrations to prevent database connections during 'gitlab-ctl reconfigure' gitlab_rails['auto_migrate'] = false ``` @@ -1229,9 +1229,9 @@ To migrate existing clusters: 1. Praefect nodes didn't historically keep database records of every repository stored on the cluster. When the `per_repository` election strategy is configured, Praefect expects to have database records of - each repository. A [background migration](https://gitlab.com/gitlab-org/gitaly/-/merge_requests/2749) is - included in GitLab 13.6 and later to create any missing database records for repositories. Before migrating - you should verify the migration has run by checking Praefect's logs: + each repository. A [background database migration](https://gitlab.com/gitlab-org/gitaly/-/merge_requests/2749) is + included in GitLab 13.6 and later to create any missing database records for repositories. Before migrating, + check Praefect's logs to verify that the database migration ran. Check Praefect's logs for `repository importer finished` message. The `virtual_storages` field contains the names of virtual storages and whether they've had any missing database records created. @@ -1248,8 +1248,8 @@ To migrate existing clusters: {"level":"info","msg":"repository importer finished","pid":19752,"time":"2021-04-28T11:41:36.743Z","virtual_storages":{"default":false}} ``` - The migration is ran when Praefect starts up. If the migration is unsuccessful, you can restart - a Praefect node to reattempt it. The migration only runs with `sql` election strategy configured. + The database migration runs when Praefect starts. If the database migration is unsuccessful, you can restart + a Praefect node to reattempt it. 1. Running two different election strategies side by side can cause a split brain, where different Praefect nodes consider repositories to have different primaries. This can be avoided either: diff --git a/doc/development/gitaly.md b/doc/development/gitaly.md index 5a7a5a6abcb..275e9421983 100644 --- a/doc/development/gitaly.md +++ b/doc/development/gitaly.md @@ -112,10 +112,9 @@ bundle exec rake gitlab:features:disable_rugged Most of this code exists in the `lib/gitlab/git/rugged_impl` directory. NOTE: -You should *not* need to add or modify code related to -Rugged unless explicitly discussed with the -[Gitaly Team](https://gitlab.com/groups/gl-gitaly/group_members). This code does -NOT work on GitLab.com or other GitLab instances that do not use NFS. +You should *not* have to add or modify code related to Rugged unless explicitly discussed with the +[Gitaly Team](https://gitlab.com/groups/gl-gitaly/group_members). This code does not work on GitLab.com or other GitLab +instances that do not use NFS. ## `TooManyInvocationsError` errors @@ -197,7 +196,7 @@ If you make changes to your local Gitaly in between test runs you need to manually run `make` again. Note that CI tests do not use your locally modified version of -Gitaly. To use a custom Gitaly version in CI you need to update +Gitaly. To use a custom Gitaly version in CI, you must update GITALY_SERVER_VERSION as described at the beginning of this section. To use a different Gitaly repository, such as if your changes are present @@ -326,7 +325,7 @@ default value. The default value depends on the GitLab version. To be sure that the flag is set correctly and it goes into Gitaly, you can check the integration by using GDK: -1. The state of the flag must be observable. To check it, you need to enable it +1. The state of the flag must be observable. To check it, you must enable it by fetching the Prometheus metrics: 1. Navigate to GDK's root directory. 1. Make sure you have the proper branch checked out for Gitaly. diff --git a/doc/user/group/settings/group_access_tokens.md b/doc/user/group/settings/group_access_tokens.md index 4857a0e74de..816edb629f5 100644 --- a/doc/user/group/settings/group_access_tokens.md +++ b/doc/user/group/settings/group_access_tokens.md @@ -7,10 +7,15 @@ type: reference, howto # Group access tokens +With group access tokens, you can use a single token to: + +- Perform actions for groups. +- Manage the projects within the group. + You can use a group access token to authenticate: - With the [GitLab API](../../../api/index.md#personalprojectgroup-access-tokens). -- With Git, when using HTTP Basic Authentication. +- In [GitLab 14.2](https://gitlab.com/gitlab-org/gitlab/-/issues/330718) and later, authenticate with Git over HTTPS. After you configure a group access token, you don't need a password when you authenticate. Instead, you can enter any non-blank value. diff --git a/doc/user/project/settings/project_access_tokens.md b/doc/user/project/settings/project_access_tokens.md index 90e9df90593..5a11719430b 100644 --- a/doc/user/project/settings/project_access_tokens.md +++ b/doc/user/project/settings/project_access_tokens.md @@ -84,78 +84,6 @@ To enable or disable project access token creation for all projects in a top-lev Even when creation is disabled, you can still use and revoke existing project access tokens. -## Group access tokens **(FREE SELF)** - -With group access tokens, you can use a single token to: - -- Perform actions for groups. -- Manage the projects within the group. -- In [GitLab 14.2](https://gitlab.com/gitlab-org/gitlab/-/issues/330718) and later, authenticate with Git over HTTPS. - -NOTE: -You cannot use the UI to create a group access token. [An issue exists](https://gitlab.com/gitlab-org/gitlab/-/issues/214045) -to add this functionality. This section describes a workaround. - -If you are an administrator of a self-managed GitLab instance, you can create a group access token in the -[Rails console](../../../administration/operations/rails_console.md). - -
- For a demo of the group access token workaround, see Demo: Group Level Access Tokens. -
-
- -
- -### Create a group access token - -To create a group access token: - -1. Run the following commands in a [Rails console](../../../administration/operations/rails_console.md): - - ```ruby - # Set the GitLab administration user to use. If user ID 1 is not available or is not an administrator, use 'admin = User.admins.first' instead to select an administrator. - admin = User.find(1) - - # Set the group group you want to create a token for. For example, group with ID 109. - group = Group.find(109) - - # Create the group bot user. For further group access tokens, the username should be group_#{group.id}_bot#{bot_count}. For example, group_109_bot2 and email address group_109_bot2@example.com. - bot = Users::CreateService.new(admin, { name: 'group_token', username: "group_#{group.id}_bot", email: "group_#{group.id}_bot@example.com", user_type: :project_bot }).execute - - # Confirm the group bot. - bot.confirm - - # Add the bot to the group with the required role. - group.add_user(bot, :maintainer) - - # Give the bot a personal access token. - token = bot.personal_access_tokens.create(scopes:[:api, :write_repository], name: 'group_token') - - # Get the token value. - gtoken = token.token - ``` - -1. Test if the generated group access token works: - - 1. Use the group access token in the `PRIVATE-TOKEN` header with GitLab REST APIs. For example: - - - [Create an epic](../../../api/epics.md#new-epic) in the group. - - [Create a project pipeline](../../../api/pipelines.md#create-a-new-pipeline) in one of the group's projects. - - [Create an issue](../../../api/issues.md#new-issue) in one of the group's projects. - - 1. Use the group token to [clone a group's project](../../../gitlab-basics/start-using-git.md#clone-with-https) - using HTTPS. - -### Revoke a group access token - -To revoke a group access token, run the following command in a [Rails console](../../../administration/operations/rails_console.md): - -```ruby -bot = User.find_by(username: 'group_109_bot') # the owner of the token you want to revoke -token = bot.personal_access_tokens.last # the token you want to revoke -token.revoke! -``` - ## Project bot users > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/210181) in GitLab 13.0. diff --git a/scripts/lint-doc.sh b/scripts/lint-doc.sh index 1698d724fd2..a036b3f7342 100755 --- a/scripts/lint-doc.sh +++ b/scripts/lint-doc.sh @@ -128,7 +128,7 @@ function run_locally_or_in_docker() { $cmd $args elif hash docker 2>/dev/null then - docker run -t -v ${PWD}:/gitlab -w /gitlab --rm registry.gitlab.com/gitlab-org/gitlab-docs/lint-markdown:alpine-3.14-vale-2.12.0-markdownlint-0.29.0 ${cmd} ${args} + docker run -t -v ${PWD}:/gitlab -w /gitlab --rm registry.gitlab.com/gitlab-org/gitlab-docs/lint-markdown:alpine-3.15-vale-2.14.0-markdownlint-0.30.0 ${cmd} ${args} else echo echo " ✖ ERROR: '${cmd}' not found. Install '${cmd}' or Docker to proceed." >&2 diff --git a/spec/factories/wikis.rb b/spec/factories/wikis.rb index 05f6fb0de58..a357f4b448d 100644 --- a/spec/factories/wikis.rb +++ b/spec/factories/wikis.rb @@ -4,7 +4,7 @@ FactoryBot.define do factory :wiki do transient do container { association(:project) } - user { container.default_owner || association(:user) } + user { container.first_owner || association(:user) } end initialize_with { Wiki.for_container(container, user) } diff --git a/spec/models/group_spec.rb b/spec/models/group_spec.rb index 332b6705c14..9c9f5554924 100644 --- a/spec/models/group_spec.rb +++ b/spec/models/group_spec.rb @@ -2539,7 +2539,7 @@ RSpec.describe Group do end end - describe '#default_owner' do + describe '#first_owner' do let(:group) { build(:group) } context 'the group has owners' do @@ -2549,7 +2549,7 @@ RSpec.describe Group do end it 'is the first owner' do - expect(group.default_owner) + expect(group.first_owner) .to eq(group.owners.first) .and be_a(User) end @@ -2564,8 +2564,8 @@ RSpec.describe Group do end it 'is the first owner of the parent' do - expect(group.default_owner) - .to eq(parent.default_owner) + expect(group.first_owner) + .to eq(parent.first_owner) .and be_a(User) end end @@ -2576,7 +2576,7 @@ RSpec.describe Group do end it 'is the group.owner' do - expect(group.default_owner) + expect(group.first_owner) .to eq(group.owner) .and be_a(User) end diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb index f88d741c96e..e63d5b4e10d 100644 --- a/spec/models/project_spec.rb +++ b/spec/models/project_spec.rb @@ -1299,7 +1299,7 @@ RSpec.describe Project, factory_default: :keep do end end - describe '#default_owner' do + describe '#first_owner' do let_it_be(:owner) { create(:user) } let_it_be(:namespace) { create(:namespace, owner: owner) } @@ -1307,7 +1307,7 @@ RSpec.describe Project, factory_default: :keep do let(:project) { build(:project, namespace: namespace) } it 'is the namespace owner' do - expect(project.default_owner).to eq(owner) + expect(project.first_owner).to eq(owner) end end @@ -1316,9 +1316,9 @@ RSpec.describe Project, factory_default: :keep do let(:project) { build(:project, group: group, namespace: namespace) } it 'is the group owner' do - allow(group).to receive(:default_owner).and_return(Object.new) + allow(group).to receive(:first_owner).and_return(Object.new) - expect(project.default_owner).to eq(group.default_owner) + expect(project.first_owner).to eq(group.first_owner) end end end diff --git a/spec/views/shared/wikis/_sidebar.html.haml_spec.rb b/spec/views/shared/wikis/_sidebar.html.haml_spec.rb index 70991369506..bf050d601e3 100644 --- a/spec/views/shared/wikis/_sidebar.html.haml_spec.rb +++ b/spec/views/shared/wikis/_sidebar.html.haml_spec.rb @@ -3,7 +3,7 @@ require 'spec_helper' RSpec.describe 'shared/wikis/_sidebar.html.haml' do let_it_be(:project) { create(:project) } - let_it_be(:wiki) { Wiki.for_container(project, project.default_owner) } + let_it_be(:wiki) { Wiki.for_container(project, project.first_owner) } before do assign(:wiki, wiki)