author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-12-07 21:10:08 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-12-07 21:10:08 +0000 |
commit | 3a966afb3ea2ef7a98bdc389e0dc906ef4bf0273 (patch) | |
tree | e22ca72e41a6d2eaca58ac9cc1390e5f8114ac1f /doc/user | |
parent | 39d41e02dca2139d0bbd88165affd818c9c82fb6 (diff) | |
download | gitlab-ce-3a966afb3ea2ef7a98bdc389e0dc906ef4bf0273.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/user')
-rw-r--r-- | doc/user/admin_area/settings/user_and_ip_rate_limits.md | 23 | ||||
-rw-r--r-- | doc/user/application_security/sast/index.md | 2 | ||||
-rw-r--r-- | doc/user/clusters/agent/index.md | 6 | ||||
-rw-r--r-- | doc/user/clusters/applications.md | 26 | ||||
-rw-r--r-- | doc/user/infrastructure/index.md | 6 | ||||
-rw-r--r-- | doc/user/todos.md | 2 |
6 files changed, 47 insertions, 18 deletions
diff --git a/doc/user/admin_area/settings/user_and_ip_rate_limits.md b/doc/user/admin_area/settings/user_and_ip_rate_limits.md index 7efd4b5af18..61ff93ee0a5 100644 --- a/doc/user/admin_area/settings/user_and_ip_rate_limits.md +++ b/doc/user/admin_area/settings/user_and_ip_rate_limits.md @@ -59,6 +59,29 @@ are marked with `"throttle_safelist":"throttle_bypass_header"` in To disable the bypass mechanism, make sure the environment variable `GITLAB_THROTTLE_BYPASS_HEADER` is unset or empty. +## Allowing specific users to bypass authenticated request rate limiting + +Similarly to the bypass header described above, it is possible to allow +a certain set of users to bypass the rate limiter. This only applies +to authenticated requests: with unauthenticated requests, by definition +GitLab does not know who the user is. + +The allowlist is configured as a comma-separated list of user IDs in +the `GITLAB_THROTTLE_USER_ALLOWLIST` environment variable. If you want +users 1, 53 and 217 to bypass the authenticated request rate limiter, +the allowlist configuration would be `1,53,217`. + +- For [Omnibus](https://docs.gitlab.com/omnibus/settings/environment-variables.html), + set `'GITLAB_THROTTLE_USER_ALLOWLIST' => '1,53,217'` in `gitlab_rails['env']`. +- For source installations, set `export GITLAB_THROTTLE_USER_ALLOWLIST=1,53,217` + in `/etc/default/gitlab`. + +Requests that bypassed the rate limiter because of the user allowlist +are marked with `"throttle_safelist":"throttle_user_allowlist"` in +[`production_json.log`](../../../administration/logs.md#production_jsonlog). + +At application startup, the allowlist is logged in [`auth.log`](../../../administration/logs.md#authlog). + <!-- ## Troubleshooting Include any troubleshooting steps that you can foresee. If you know beforehand what issues diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md index acfd0f85e52..b58784d238a 100644 
--- a/doc/user/application_security/sast/index.md +++ b/doc/user/application_security/sast/index.md @@ -412,7 +412,7 @@ Some analyzers make it possible to filter out vulnerabilities under a given thre | Environment variable | Default value | Description | |-------------------------------|--------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `SAST_EXCLUDED_PATHS` | `spec, test, tests, tmp` | Exclude vulnerabilities from output based on the paths. This is a comma-separated list of patterns. Patterns can be globs, or file or folder paths (for example, `doc,spec` ). Parent directories also match patterns. | -| `SEARCH_MAX_DEPTH` | 4 | Maximum number of directories traversed when searching for source code files. | +| `SEARCH_MAX_DEPTH` | 4 | SAST searches the repository to detect the programming languages used, and selects the matching analyzers. Set the value of `SEARCH_MAX_DEPTH` to specify how many directory levels the search phase should span. After the analyzers have been selected, the _entire_ repository is analyzed. | | `SAST_BANDIT_EXCLUDED_PATHS` | | Comma-separated list of paths to exclude from scan. Uses Python's [`fnmatch` syntax](https://docs.python.org/2/library/fnmatch.html); For example: `'*/tests/*, */venv/*'` | | `SAST_BRAKEMAN_LEVEL` | 1 | Ignore Brakeman vulnerabilities under given confidence level. Integer, 1=Low 3=High. | | `SAST_FLAWFINDER_LEVEL` | 1 | Ignore Flawfinder vulnerabilities under given risk level. Integer, 0=No risk, 5=High risk. | diff --git a/doc/user/clusters/agent/index.md b/doc/user/clusters/agent/index.md index 44f0fe8c36f..5c34e854d1a 100644 --- a/doc/user/clusters/agent/index.md +++ b/doc/user/clusters/agent/index.md 
@@ -82,8 +82,8 @@ Upgrade your agent installations together with GitLab upgrades. To decide which 1. Open the [GITLAB_KAS_VERSION](https://gitlab.com/gitlab-org/gitlab/-/blob/master/GITLAB_KAS_VERSION) file from the GitLab Repository, which contains the latest `agentk` version associated with the `master` branch. 1. Change the `master` branch and select the Git tag associated with your version. For instance, you could change it to GitLab [v13.5.3-ee release](https://gitlab.com/gitlab-org/gitlab/-/blob/v13.5.3-ee/GITLAB_KAS_VERSION) -The available `agentk` versions can be found in -[its container registry](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/container_registry/eyJuYW1lIjoiZ2l0bGFiLW9yZy9jbHVzdGVyLWludGVncmF0aW9uL2dpdGxhYi1hZ2VudC9hZ2VudGsiLCJ0YWdzX3BhdGgiOiIvZ2l0bGFiLW9yZy9jbHVzdGVyLWludGVncmF0aW9uL2dpdGxhYi1hZ2VudC9yZWdpc3RyeS9yZXBvc2l0b3J5LzEyMjMyMDUvdGFncz9mb3JtYXQ9anNvbiIsImlkIjoxMjIzMjA1LCJjbGVhbnVwX3BvbGljeV9zdGFydGVkX2F0IjpudWxsfQ==). +The available `agentk` and `kas` versions can be found in +[the container registry](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/container_registry/). ### Install the Kubernetes Agent Server @@ -537,7 +537,7 @@ issue is in progress, directly edit the deployment with the `kubectl edit deployment gitlab-kas` command, and change `--listen-websocket=true` to `--listen-websocket=false`. After running that command, you should be able to use `grpc://gitlab-kas.<YOUR-NAMESPACE>:5005`. -#### Agent logs - Decompressor is not installed for grpc-encoding +### Agent logs - Decompressor is not installed for grpc-encoding ```plaintext {"level":"warn","time":"2020-11-05T05:25:46.916Z","msg":"GetConfiguration.Recv failed","error":"rpc error: code = Unimplemented desc = grpc: Decompressor is not installed for grpc-encoding \"gzip\""} diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 0d4140dc659..f9a9f17840e 100644 --- a/doc/user/clusters/applications.md 
+++ b/doc/user/clusters/applications.md @@ -740,7 +740,7 @@ for the available configuration options. Support for installing the Ingress managed application is provided by the GitLab Configure group. If you run into unknown issues, [open a new issue](https://gitlab.com/gitlab-org/gitlab/-/issues/new), and ping at least 2 people from the -[Configure group](https://about.gitlab.com/handbook/product/product-categories/#configure-group). +[Configure group](https://about.gitlab.com/handbook/product/categories/#configure-group). ### Install cert-manager using GitLab CI/CD @@ -784,7 +784,7 @@ Support for installing the Cert Manager managed application is provided by the GitLab Configure group. If you run into unknown issues, [open a new issue](https://gitlab.com/gitlab-org/gitlab/-/issues/new), and ping at least 2 people from the -[Configure group](https://about.gitlab.com/handbook/product/product-categories/#configure-group). +[Configure group](https://about.gitlab.com/handbook/product/categories/#configure-group). ### Install Sentry using GitLab CI/CD @@ -853,7 +853,7 @@ Support for installing the Sentry managed application is provided by the GitLab Health group. If you run into unknown issues, [open a new issue](https://gitlab.com/gitlab-org/gitlab/-/issues/new), and ping at least 2 people from the -[Health group](https://about.gitlab.com/handbook/product/product-categories/#health-group). +[Health group](https://about.gitlab.com/handbook/product/categories/#health-group). ### Install PostHog using GitLab CI/CD 
@@ -930,7 +930,7 @@ for the available configuration options. Support for installing the Prometheus managed application is provided by the GitLab APM group. If you run into unknown issues, [open a new issue](https://gitlab.com/gitlab-org/gitlab/-/issues/new), and ping at -least 2 people from the [APM group](https://about.gitlab.com/handbook/product/product-categories/#apm-group). +least 2 people from the [APM group](https://about.gitlab.com/handbook/product/categories/#apm-group). ### Install GitLab Runner using GitLab CI/CD @@ -968,7 +968,7 @@ Support for installing the GitLab Runner managed application is provided by the GitLab Runner group. If you run into unknown issues, [open a new issue](https://gitlab.com/gitlab-org/gitlab/-/issues/new), and ping at least 2 people from the -[Runner group](https://about.gitlab.com/handbook/product/product-categories/#runner-group). +[Runner group](https://about.gitlab.com/handbook/product/categories/#runner-group). ### Install Cilium using GitLab CI/CD @@ -1080,7 +1080,7 @@ Support for installing the Cilium managed application is provided by the GitLab Container Security group. If you run into unknown issues, [open a new issue](https://gitlab.com/gitlab-org/gitlab/-/issues/new), and ping at least 2 people from the -[Container Security group](https://about.gitlab.com/handbook/product/product-categories/#container-security-group). +[Container Security group](https://about.gitlab.com/handbook/product/categories/#container-security-group). ### Install Falco using GitLab CI/CD 
@@ -1176,7 +1176,7 @@ Support for installing the Falco managed application is provided by the GitLab Container Security group. If you run into unknown issues, [open a new issue](https://gitlab.com/gitlab-org/gitlab/-/issues/new), and ping at least 2 people from the -[Container Security group](https://about.gitlab.com/handbook/product/product-categories/#container-security-group). +[Container Security group](https://about.gitlab.com/handbook/product/categories/#container-security-group). ### Install Vault using GitLab CI/CD @@ -1278,7 +1278,7 @@ Support for installing the Vault managed application is provided by the GitLab Release Management group. If you run into unknown issues, [open a new issue](https://gitlab.com/gitlab-org/gitlab/-/issues/new), and ping at least 2 people from the -[Release Management group](https://about.gitlab.com/handbook/product/product-categories/#release-management-group). +[Release Management group](https://about.gitlab.com/handbook/product/categories/#release-management-group). ### Install JupyterHub using GitLab CI/CD @@ -1335,7 +1335,7 @@ Support for installing the JupyterHub managed application is provided by the Git If you run into unknown issues, [open a new issue](https://gitlab.com/gitlab-org/gitlab/-/issues/new), and ping at least 2 people from the -[Configure group](https://about.gitlab.com/handbook/product/product-categories/#configure-group). +[Configure group](https://about.gitlab.com/handbook/product/categories/#configure-group). ### Install Elastic Stack using GitLab CI/CD 
@@ -1371,7 +1371,7 @@ environment logs through Elasticsearch is unsupported. This is supported if Support for installing the Elastic Stack managed application is provided by the GitLab APM group. If you run into unknown issues, [open a new issue](https://gitlab.com/gitlab-org/gitlab/-/issues/new), and ping at -least 2 people from the [APM group](https://about.gitlab.com/handbook/product/product-categories/#apm-group). +least 2 people from the [APM group](https://about.gitlab.com/handbook/product/categories/#apm-group). ### Install Crossplane using GitLab CI/CD @@ -1432,7 +1432,7 @@ Support for installing the Fluentd managed application is provided by the GitLab Container Security group. If you run into unknown issues, [open a new issue](https://gitlab.com/gitlab-org/gitlab/-/issues/new), and ping at least 2 people from the -[Container Security group](https://about.gitlab.com/handbook/product/product-categories/#container-security-group). +[Container Security group](https://about.gitlab.com/handbook/product/categories/#container-security-group). ### Install Knative using GitLab CI/CD @@ -1461,7 +1461,7 @@ Support for installing the Knative managed application is provided by the GitLab Configure group. If you run into unknown issues, [open a new issue](https://gitlab.com/gitlab-org/gitlab/-/issues/new), and ping at least 2 people from the -[Configure group](https://about.gitlab.com/handbook/product/product-categories/#configure-group). +[Configure group](https://about.gitlab.com/handbook/product/categories/#configure-group). #### Knative Metrics 
@@ -1565,7 +1565,7 @@ Support for installing the AppArmor managed application is provided by the GitLab Container Security group. If you run into unknown issues, [open a new issue](https://gitlab.com/gitlab-org/gitlab/-/issues/new), and ping at least 2 people from the -[Container Security group](https://about.gitlab.com/handbook/product/product-categories/#container-security-group). +[Container Security group](https://about.gitlab.com/handbook/product/categories/#container-security-group). ## Browse applications logs diff --git a/doc/user/infrastructure/index.md b/doc/user/infrastructure/index.md index 3c00d10bc1d..ad5f743945f 100644 --- a/doc/user/infrastructure/index.md +++ b/doc/user/infrastructure/index.md @@ -31,6 +31,12 @@ Amazon S3 or Google Cloud Storage. Its features include: Read more on setting up and [using GitLab Managed Terraform states](terraform_state.md) +WARNING: +Like any other job artifact, Terraform plan data is [viewable by anyone with Guest access](../permissions.md) to the repository. +Neither Terraform nor GitLab encrypts the plan file by default. If your Terraform plan +includes sensitive data such as passwords, access tokens, or certificates, GitLab strongly +recommends encrypting plan output or modifying the project visibility settings. + ## Terraform integration in Merge Requests Collaborating around Infrastructure as Code (IaC) changes requires both code changes and expected infrastructure changes to be checked and approved. GitLab provides a solution to help collaboration around Terraform code changes and their expected effects using the Merge Request pages. This way users don't have to build custom tools or rely on 3rd party solutions to streamline their IaC workflows. diff --git a/doc/user/todos.md b/doc/user/todos.md index be50e3b1567..7d5a66a1632 100644 --- a/doc/user/todos.md +++ b/doc/user/todos.md 
@@ -64,7 +64,7 @@ To-do item triggers aren't affected by [GitLab notification email settings](prof NOTE: When a user no longer has access to a resource related to a to-do item (such as -an issue, merge request, project, or group), for security reasons GitLab +an issue, merge request, epic, project, or group), for security reasons GitLab deletes any related to-do items within the next hour. Deletion is delayed to prevent data loss, in the case where a user's access is accidentally revoked. |
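
Review bot: In `doc/user/admin_area/settings/user_and_ip_rate_limits.md`, the new "Allowing specific users to bypass authenticated request rate limiting" section never says how to turn the allowlist off, while the bypass-header section just above it ends with an explicit "unset or empty" instruction. Add the equivalent sentence for `GITLAB_THROTTLE_USER_ALLOWLIST`. The section should also state how whitespace or non-numeric entries in the comma-separated list are treated, and whether a restart is needed for a change to take effect, since the text only says the allowlist is logged in `auth.log` at application startup. Because every listed user is exempt from the authenticated limiter, a sentence recommending that administrators review `"throttle_safelist":"throttle_user_allowlist"` entries in `production_json.log` would make the logging paragraph actionable.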
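
Review bot: In `doc/user/application_security/sast/index.md`, the rewritten `SEARCH_MAX_DEPTH` cell explains the search phase but not the consequence of the limit: it should say what happens to source files that exist only below the configured depth, that is, whether their language goes undetected and the matching analyzer is never selected. It should also state whether the repository root counts as a level, so that the default of 4 is unambiguous. The cell is now three sentences long in a table where the other rows are one; consider keeping a short description in the table and moving the explanation to a paragraph below it.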
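
Review bot: In the first hunk of `doc/user/clusters/agent/index.md`, the replacement link points at the root of the project's container registry, whereas the removed link went directly to one image repository. Since the sentence now covers both `agentk` and `kas`, name the image repository the reader should open for each so they do not have to guess from the registry listing. In the second hunk, the heading "Agent logs - Decompressor is not installed for grpc-encoding" is promoted from `####` to `###`; confirm that the other troubleshooting headings in the same section sit at the same level, which is not visible from this context.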
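
Review bot: Across the `doc/user/clusters/applications.md` hunks, only the path segment changes from `product-categories` to `categories` and every fragment (`#configure-group`, `#health-group`, `#apm-group`, `#runner-group`, `#container-security-group`, `#release-management-group`) is kept as is; verify that each of these anchors exists on the page at the new path, because a missing anchor would not show up as a broken link. The same support paragraph with a hard-coded handbook URL is repeated in every application section, which is why this one-segment fix touches so many places; a single shared support section that the application sections link to would avoid repeating this edit the next time the handbook moves.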
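
Review bot: In `doc/user/infrastructure/index.md`, the new WARNING recommends "encrypting plan output or modifying the project visibility settings" without linking to instructions for either, so the reader is told about the exposure but not how to close it; link to the relevant pages or add a short how-to. The placement also deserves a second look: the warning is inserted after the "using GitLab Managed Terraform states" link and before the "Terraform integration in Merge Requests" heading, yet it concerns plan data stored as a job artifact, so it would be easier to find under the section that describes producing the plan. The link text "viewable by anyone with Guest access" points at `../permissions.md` as a whole; an anchor to the row that covers job artifacts would let readers confirm the claim.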