GitLab generated Bots should be excluded from automatic deactivation

Summary

In &5519 (closed) we implemented a feature to allow automatic deactivation of dormant users.

GitLab generated bots should be excluded from this process since there are valid use cases where bots "go dormant" and should not be disabled.

Proposal

Exclude GitLab generated bots from the Deactivation job.


Preserving Original Issue Content

In the referenced Slack thread, we established that Automatically deactivate dormant users is currently impacting project bot users. This appears to be by design -- should this behavior be changed?

📋

  • Determine whether behavior should be changed.
  • Update docs to clarify the current state if there are no changes, or to describe the new state if there are changes.

📓 Details

In the Automate deactivation of dormant users MR, we ask and answer "What is a dormant user?" with can_be_deactivated?. See these lines:

  def can_be_deactivated?
    active? && no_recent_activity? && !internal?
  end

As I interpret this, internal users will not pass can_be_deactivated?. We previously established that project bot users are not excluded with exclude_internal. In other words, we have previously established that Project bot users are not considered to be internal. I can confirm that in my instance:

irb(main):011:0> User.find_by_id(13).internal?
=> false
irb(main):012:0> User.find_by_id(4).internal?
=> true

  • ID 13 -- a project bot user
  • ID 4 -- alert-bot

It looks like intervention from an Admin is required to restore the Project bot users even though they are deactivated, as project access tokens are for use with the GitLab API or for authenticating with Git using HTTP basic authentication, but not for logging into the GitLab UI, which would set the account to active.

The docs on deactivating a user indicate:

Once a deactivated user logs back into the GitLab UI, their account is set to active.

I do not believe that this is an option for Project bot users.

See the related issue around the logical categorization of Bots: #213945 (closed)

🎫 Related Ticket

This issue is opened on behalf of a customer who asserts that they experienced an impact on delivery within their environment due to the project bot users associated with project access tokens being deactivated due to the Automatically deactivate dormant users setting. GitLab team members with access to ZenDesk can learn more in the ticket. 🎫


This issue follows up on a Slack thread in #g_manage_access, accessible for the next ~90 days to GitLab team members with access to Slack.

Edited by Amanda Rueda
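
The gap described in this issue, as an added Ruby sketch (not GitLab's code and not part of the original issue): the quoted predicate is run over constructed accounts, next to a variant that also exempts bots. SketchUser, the type lists, the bot? helper, the 90-day threshold and the sample dates are assumptions; IDs 13 and 4 mirror the reporter's console session.

```ruby
require 'date'

# Simplified stand-in for the user model; NOT GitLab's User class.
# Threshold and type lists are assumptions made for this sketch.
DORMANT_AFTER_DAYS = 90
INTERNAL_TYPES = %i[alert_bot].freeze            # internal? is true for these
BOT_TYPES      = %i[alert_bot project_bot].freeze # hypothetical "generated bot" set

SketchUser = Struct.new(:id, :user_type, :state, :last_activity_on) do
  def active?
    state == :active
  end

  def internal?
    INTERNAL_TYPES.include?(user_type)
  end

  def bot?
    BOT_TYPES.include?(user_type)
  end

  def no_recent_activity?(today)
    last_activity_on.nil? || (today - last_activity_on).to_i >= DORMANT_AFTER_DAYS
  end

  # Predicate as quoted in the issue (date passed in so the result is repeatable).
  def can_be_deactivated?(today)
    active? && no_recent_activity?(today) && !internal?
  end

  # Proposed behaviour: generated bots are never deactivation candidates.
  def can_be_deactivated_excluding_bots?(today)
    can_be_deactivated?(today) && !bot?
  end
end

TODAY = Date.new(2021, 6, 1) # constructed reference date
USERS = [                    # constructed sample accounts
  SketchUser.new(1,  :human,       :active, TODAY - 200), # dormant human
  SketchUser.new(2,  :human,       :active, TODAY - 3),   # recently active human
  SketchUser.new(4,  :alert_bot,   :active, nil),         # internal bot, no activity
  SketchUser.new(13, :project_bot, :active, TODAY - 120)  # token idle for 120 days
].freeze

# IDs the dormancy job would deactivate under the given predicate.
def deactivation_ids(users, today, predicate)
  users.select { |u| u.public_send(predicate, today) }.map(&:id)
end

puts "current:  #{deactivation_ids(USERS, TODAY, :can_be_deactivated?)}"
puts "proposed: #{deactivation_ids(USERS, TODAY, :can_be_deactivated_excluding_bots?)}"
```

Under the quoted predicate the idle project bot is selected together with the dormant human, while the internal alert-bot is skipped; the bot-exempting variant leaves only the human.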