Password / Credential Manager
Problem to solve
Our group has had the annoying task of keeping passwords for various systems in a shared password manager. We're not super pleased with the idea of storing all this valuable information in some shared system that has a target painted on it and prefer using a self-hosted option. We were looking at Passbolt, but it proved to be less than valuable because it didn't sync password access with the projects that a user was working on automatically. We thought that maybe if Gitlab really wants to own the entire dev workflow, it would make sense to add a feature to manage shared passwords and credentials on not only a project level, but also a global level so that even weird things like building access codes and gate codes could be shared.
Intended users
This would be used by folks that use passwords and need to remember them. So, like, most people.
Further details
It would also be cool if these credentials could be used during CI jobs. But that would just be icing on the cake. Or maybe even password-level permissions management. So, you could have a password available in a Project, but only Maintainers would be able to use/view it. This would be similar to how environment variables are stored. If you're clever, you may even be able to store this data in the same table as the env vars...
Proposal
Maybe I should have spread out the answer I put for Problem to Solve
...
Permissions and Security
Ideally, passwords would be able to be stored on the group, project, and global levels. Access would adjust according to the user's access to each level. Encrypting the values would be important, of course.
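The model sketched in "Further details" and "Permissions and Security" (credentials scoped to global, group or project; inherited downwards like CI variables; gated by a minimum role such as Maintainer; encrypted at rest; every read audited) can be made concrete in a few dozen lines. The following is an added example written for this issue, not GitLab code and not a proposed implementation: the scope string format, the Role levels, the rule that a user's effective role is the highest role held at the requesting scope or any of its ancestors, and the HMAC-based stream cipher used as a stand-in for encryption at rest are all assumptions of this example (a real store would use a KMS-managed key and an authenticated cipher such as AES-GCM).

```python
"""Scoped credential store with role-gated access and encryption at rest.

Added example for this issue, not GitLab code. Scope format, Role values and
the HMAC-counter stream cipher are assumptions; production code would use an
authenticated cipher (e.g. AES-GCM) under a KMS-managed key.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import IntEnum


class Role(IntEnum):
    # Ordered like GitLab access levels; a higher value means more access.
    GUEST = 10
    REPORTER = 20
    DEVELOPER = 30
    MAINTAINER = 40
    OWNER = 50


def ancestors(scope: str) -> list:
    """Scopes whose credentials are inherited at `scope`, nearest first.

    Assumed scope format: "global", "group:<group>", "project:<group>/<project>".
    """
    chain = [scope]
    if scope.startswith("project:"):
        chain.append("group:" + scope[len("project:"):].split("/", 1)[0])
    if scope != "global":
        chain.append("global")
    return chain


def effective_role(memberships: dict, scope: str):
    """Highest role the user holds at `scope` or any ancestor, or None."""
    held = [memberships[s] for s in ancestors(scope) if s in memberships]
    return max(held) if held else None


@dataclass
class Credential:
    name: str
    scope: str
    min_role: Role
    nonce: bytes
    ciphertext: bytes
    tag: bytes  # binds name, scope, nonce and ciphertext together


class CredentialStore:
    def __init__(self, master_key: bytes):
        self._key = master_key
        self._items = []
        self.audit = []  # (user, credential name, "allowed" | "denied")

    # --- encryption at rest: toy HMAC-SHA256 counter keystream + MAC ------
    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._key, nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _tag(self, name: str, scope: str, nonce: bytes, ct: bytes) -> bytes:
        # Encrypt-then-MAC over the record identity too, so a ciphertext
        # cannot be swapped between credentials or scopes unnoticed.
        msg = name.encode() + b"\0" + scope.encode() + b"\0" + nonce + ct
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def store(self, name: str, scope: str, min_role: Role, secret: str):
        nonce = secrets.token_bytes(16)
        ks = self._keystream(nonce, len(secret))
        ct = bytes(a ^ b for a, b in zip(secret.encode(), ks))
        self._items.append(Credential(name, scope, min_role, nonce, ct,
                                      self._tag(name, scope, nonce, ct)))

    def _open(self, cred: Credential) -> str:
        expected = self._tag(cred.name, cred.scope, cred.nonce, cred.ciphertext)
        if not hmac.compare_digest(expected, cred.tag):
            raise ValueError("credential record tampered with or wrong key")
        ks = self._keystream(cred.nonce, len(cred.ciphertext))
        return bytes(a ^ b for a, b in zip(cred.ciphertext, ks)).decode()

    def visible(self, memberships: dict, scope: str) -> list:
        """Names a user may read from `scope`: own level plus inherited ones."""
        role = effective_role(memberships, scope)
        return [c.name for c in self._items
                if c.scope in ancestors(scope)
                and role is not None and role >= c.min_role]

    def reveal(self, user: str, memberships: dict, scope: str, name: str) -> str:
        if name in self.visible(memberships, scope):
            cred = next(c for c in self._items
                        if c.name == name and c.scope in ancestors(scope))
            self.audit.append((user, name, "allowed"))
            return self._open(cred)
        self.audit.append((user, name, "denied"))
        raise PermissionError(f"{user} may not read {name} from {scope}")


if __name__ == "__main__":
    # Constructed sample data: one instance-wide gate code, one group token,
    # one Maintainer-only project password.
    s = CredentialStore(secrets.token_bytes(32))
    s.store("gate-code", "global", Role.GUEST, "4321")
    s.store("ci-token", "group:infra", Role.DEVELOPER, "tok")
    s.store("prod-db", "project:infra/api", Role.MAINTAINER, "pw1")
    alice = {"project:infra/api": Role.MAINTAINER}
    bob = {"group:infra": Role.DEVELOPER}
    print(s.visible(alice, "project:infra/api"))  # all three
    print(s.visible(bob, "project:infra/api"))    # gate-code, ci-token
```

Two points worth noting: the audit log records denials as well as successful reads, which is what a detection team wants from a shared secret store, and the MAC covers the credential's name and scope, so a record copied from a low-privilege scope into a high-privilege one fails verification rather than decrypting.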
Documentation
Yeah, we'd probably need documentation to help describe the feature. I'm happy to write the docs if someone else does the dev work.
Testing
Encryption would be important, obviously.
What does success look like, and how can we measure that?
I would just use traditional usage metrics. Look at the number of stored values per instance, as well as access rates.
Links / references
1Pass for reference: https://1password.com/
What we're using now and isn't perfect: https://www.passbolt.com/
The Samsung Incident, lest we forget: https://www.engadget.com/2019/05/08/samsung-exposed-source-code-gitlab/