Highlight expired SSH or PAT credentials in the credential inventory
Problem to solve
We introduced a credential inventory in 12.6 and extended it to group-managed accounts for GitLab.com in 12.8 to help customers gain visibility into all of the PAT and SSH credentials that existed within their self-managed instance and groups. This inventory provided necessary insight into the access users had for a particular instance or group, but it does not provide other necessary capabilities such as forcing a credential rotation (in the event of a known compromise).
Currently, when an SSH or PAT expires the specific user is notified of the expiration, but
group owners are completely unaware. There's no way for
group owners to see, in aggregate, when credentials have expired to enable them to engage with the user to rotate that credential, let alone force a rotation with a
On both the PAT tab and SSH tab of the credential inventory:
- Add an "Expired" column that shows the expiration date. The color applied to the expiration date should change as per #214723 (comment 361604419). The hover tooltip should say "This credential has expired."
|PAT tab||SSH tab|
Usersets their optional expiration date of
30 daysfor their SSH key within GitLab
- The SSH key reaches the expiration date
30 daysfrom the initial setting date or
existingSSH keys that are older than
group ownerdefines a PAT expiration date (self-managed; gitlab.com) of
30 daysthat applies to their
Existingcredentials older than
30 daysand any credentials reach the
30 daysexpiration date
Permissions and Security
group owners would see this specific signal since they are the only users who can view the credential inventory.
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
This is the sibling issue to adding an icon for revoked tokens.