Include runner authentication token expiration option for a Project
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
Release notes
Problem to solve
!71607 (closed) adds an option in the UI to make the authentication token for runners expire after a set amount of time. This issue is specific to evaluating how to do so for runners within a Project.
Runner registration and authentication keys need to be rotated periodically (e.g., daily), or at least GitLab should provide support to enable key rotation. The registration token used for attaching runners is visible to users via the browser, and will allow an arbitrary runner which has that token to register. During registration, the runner gets an authentication token which it can store locally and reuse on restart. Because both the registration token and the authentication token live until manually revoked, old copies of these tokens can be compromised and used, e.g., by an ex-employee, resulting in arbitrary code running from arbitrary locations masquerading as runners.
--> See #30942 (closed) for more details.
Intended users
User experience goal
Users should be able to use the functionality set out in MR !71607 (closed) in the UI to set a runner authentication token to expire after a certain amount of time, if desired.
Proposal
We need to figure out where is best to place this configuration option within a Project. The current suggestion pushes the existing runner information down even further and doesn't immediately connect with the existing information in the card.
Further details
Permissions and Security
Documentation
Availability & Testing
Available Tier
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
Current MR for this feature in the UI: !71607 (closed)
MR for API: !69561 (merged)
Original feature request: #30942 (closed)
