Move Personal Access Token Expiry Policy down from Ultimate license
Move Personal access token expiry policy
The Personal access token expiry policy #3649 (closed) has been resolved with !17344 (merged) and !19296 (merged).
This issue is to move the discussion of which tier the feature should be in.
Based on the previous discussions in #3649 (closed):
Jeremy Watson:
For which tier should this be enabled?
Thanks for the question. Based on our buyer model, I think this should go into Ultimate. This is a feature primarily relevant to compliance and security needs.
Roger Meier:
@jeremy Token expiration is relevant for all people; even open source projects have to rotate their tokens. I could offer to implement that if you are open to accepting a merge request here. WDYT?
Jeremy Watson:
@bufferoverflow: Thanks a lot. At this time, @sarcila is looking into this. I agree that it's of relevance to a wide variety of organizations, but I'm approaching this in accordance with our buyer model and see this as a part of Ultimate, as the tier that helps executives keep organizations compliant and shipping securely.
Neil Schneider:
@jeremy I am disappointed to see this moved to the GitLab Ultimate tier. In the current form, someone only has to authenticate once and they have access for life through a token. To me, it feels like it should be closer to the LDAP/AD offerings than the compliance/security offerings. In fact, your own documentation talks about limits on web access tokens using the remember me option. https://gitlab.com/gitlab-org/gitlab/blob/master/doc/user/profile/index.md#why-do-i-keep-getting-signed-out
There is a disconnect between a default limit of 2 weeks for the remember_user_token and the default of never expires on personal access tokens. There is still the discussion of control over this functionality. I would agree that even if GitLab modified the default length on the tokens for all users, only Enterprise clients would want control over the expiry length.
Mike Terhar:
Large public sector client requires this capability. https://gitlab.my.salesforce.com/0016100000Kvad5 @jeremy this specific customer will not be able to purchase "Ultimate" due to the name and cost associated with that tier. They are requesting it be moved down to Premium. I think there's room for a basic version of this control at Premium that is a single setting, instance-wide. Then the Ultimate version is enhanced to be GitLab group oriented, or user team or LDAP group associated, for more advanced compliance requirements.