Make account lockout settings configurable by a user admin
Problem to solve
A potential customer recently requested a feature that would enable them to configure their own account lockout settings. Our current default for gitlab.com (as defined here) is 10 failed attempts with automatic unlock after 10 minutes. To change these values, the customer would have to compile from source, and the change could be overwritten by a routine upgrade.
I propose that we make these account lockout settings easily configurable by customers.
Target audience
Chief Information Security Officer or Director of Security
- Sam, Security Analyst, https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas#sam-security-analyst
Further details
By making these account lockout settings configurable, we enable our customers to align GitLab to their own internal security policies and help them better achieve their security and compliance needs.
Proposal
We can hopefully move the config.maximum_attempts = 10 and config.unlock_in = 10.minutes variables out of the https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/initializers/8_devise.rb file and into a file that contains other customer-defined variables specific to their organization.
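As an added illustration (not GitLab's code), the following Ruby sketch models Devise's lockable behaviour with the two limits read from an admin-supplied settings hash instead of being hard-coded in the initializer; the setting names maximum_attempts and unlock_in_minutes and the range checks are assumptions for the example.

```ruby
# Added example, not GitLab's code: Devise-style lockout whose limits come
# from an admin-editable settings hash rather than 8_devise.rb.
DEFAULT_LOCKOUT = { maximum_attempts: 10, unlock_in_minutes: 10 }.freeze

# Merge admin-supplied values over the defaults and reject values that
# would break authentication (0 attempts would lock every account).
def lockout_settings(admin_settings = {})
  s = DEFAULT_LOCKOUT.merge(admin_settings.transform_keys(&:to_sym))
  %i[maximum_attempts unlock_in_minutes].each do |key|
    v = s[key]
    raise ArgumentError, "#{key} must be an integer >= 1" unless v.is_a?(Integer) && v >= 1
  end
  s
end

class LockableAccount
  attr_reader :failed_attempts, :locked_at

  def initialize(settings)
    @settings = settings
    @failed_attempts = 0
    @locked_at = nil
  end

  # The lock expires once unlock_in has elapsed since locked_at.
  def lock_expired?(now)
    !@locked_at.nil? && now >= @locked_at + @settings[:unlock_in_minutes] * 60
  end

  def locked?(now = Time.now)
    !@locked_at.nil? && !lock_expired?(now)
  end

  # Returns :ok, :failed or :locked. As in Devise, an expired lock is
  # cleared before the attempt is evaluated (automatic unlock), a locked
  # account is refused without checking the password, and a success
  # resets the failed-attempt counter.
  def attempt_login(password_ok, now = Time.now)
    unlock! if lock_expired?(now)
    return :locked if locked?(now)
    if password_ok
      @failed_attempts = 0
      return :ok
    end
    @failed_attempts += 1
    return :failed if @failed_attempts < @settings[:maximum_attempts]
    @locked_at = now
    :locked
  end

  def unlock!
    @locked_at = nil
    @failed_attempts = 0
  end
end
```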
Permissions and Security
These new customer-configurable settings would need to be restricted to authenticated administrators.
Documentation
What does success look like, and how can we measure that?
An admin installing GitLab CE would be able to change the account lockout settings to match their internal security requirements.
Links / references
Customer: https://gitlab.my.salesforce.com/0016100000W44Pc?srPos=0&srKp=001