GitLab.org / GitLab / Issue #231493 (Closed)
Created Jul 24, 2020 by Steve Terhar (@SteveTerhar), Developer

Feature Proposal: Instance-level controls for RSS tokens

Problem to solve

GitLab enables users to view information such as group activity, and issues, using RSS feeds. By clicking the RSS feed button, the user receives a URL including a token that can be added to their RSS reader. Anyone who is able to obtain the token from an authenticated user, for example through social engineering, will have ongoing access to the feed data without any additional authentication. It may not be clear to users that providing the RSS URL to another person is equivalent to sharing their username / password.

This is somewhat similar to personal access tokens, but we have tools in place to allow administrators to control and monitor their use. We should add instance-level controls for RSS tokens as well.

Intended users

  • Cameron (Compliance Manager)
  • Sam (Security Analyst)

User experience goal

An administrator should be able to either disable all RSS or implement limits on RSS tokens consistent with the policies and required security controls for that organization (e.g. credential lifetime restrictions, 2FA requirements, etc.)

Proposal

MVC

  • Provide an instance-level option for administrators to disable all RSS feeds.

Some initial thoughts on other functionality:

  • Provide an instance-level option to specify the maximum allowable lifetime for RSS tokens.
  • Add RSS tokens to the credentials screen.
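To make the two proposed controls concrete, here is an added example (not GitLab's code, and not from this issue) of how a feed request could be checked against an instance-wide "disable all feeds" switch and a maximum token lifetime. The setting names `rss_feeds_enabled` and `max_feed_token_lifetime_days`, the `feed_token` query-parameter name, and the `FeedToken` record are all assumptions made for this illustration.

```ruby
require 'uri'
require 'cgi'
require 'time'

# Hypothetical instance-level settings modelled on the two controls the proposal
# lists (added example, not GitLab code). Both attribute names are assumptions.
InstanceSettings = Struct.new(:rss_feeds_enabled, :max_feed_token_lifetime_days, keyword_init: true)

# Minimal stand-in for a user's feed-token record: the opaque value and when it was issued.
FeedToken = Struct.new(:value, :created_at, keyword_init: true)

# Pull the feed token out of an RSS URL. The example assumes it travels as the
# `feed_token` query parameter; nothing else in the URL is inspected.
def feed_token_from_url(url)
  query = URI.parse(url).query
  return nil if query.nil?

  CGI.parse(query).fetch('feed_token', []).first
end

# Decide whether a presented feed token may be honoured under the instance policy.
# Returns :ok or a symbol naming the reason for refusal. The decision never depends
# on who presents the token: anyone holding it is treated alike, which is exactly
# why instance-level limits on the token itself matter.
def authorize_feed_token(token, settings, known_tokens, now: Time.now.utc)
  return :feeds_disabled unless settings.rss_feeds_enabled

  record = known_tokens[token]
  return :unknown_token if record.nil?

  if settings.max_feed_token_lifetime_days
    age_days = (now - record.created_at) / 86_400.0
    return :token_expired if age_days > settings.max_feed_token_lifetime_days
  end

  :ok
end

# Convenience wrapper: authorise straight from the feed URL a reader would fetch.
def authorize_feed_url(url, settings, known_tokens, now: Time.now.utc)
  token = feed_token_from_url(url)
  return :missing_token if token.nil?

  authorize_feed_token(token, settings, known_tokens, now: now)
end

# Constructed sample data so the file runs stand-alone.
SAMPLE_TOKENS = {
  'glft-EXAMPLE-0001' => FeedToken.new(value: 'glft-EXAMPLE-0001', created_at: Time.utc(2020, 7, 1))
}.freeze
SAMPLE_URL = 'https://gitlab.example/dashboard/issues.atom?feed_token=glft-EXAMPLE-0001'

if __FILE__ == $PROGRAM_NAME
  strict = InstanceSettings.new(rss_feeds_enabled: true, max_feed_token_lifetime_days: 30)
  puts authorize_feed_url(SAMPLE_URL, strict, SAMPLE_TOKENS, now: Time.utc(2020, 7, 24)) # ok
  puts authorize_feed_url(SAMPLE_URL, strict, SAMPLE_TOKENS, now: Time.utc(2020, 9, 1))  # token_expired
  off = InstanceSettings.new(rss_feeds_enabled: false, max_feed_token_lifetime_days: nil)
  puts authorize_feed_url(SAMPLE_URL, off, SAMPLE_TOKENS)                                 # feeds_disabled
end
```

The lifetime check is evaluated on every request rather than at issuance, so lowering the instance maximum immediately cuts off tokens that were minted earlier, which is the behaviour an administrator responding to a leaked feed URL would want.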

Further details

Permissions and Security

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references
