[FF] `log_find_with_user_password` -- Enable password authentication logging to improve visibility

Summary

This issue is to roll out the feature on production, that is currently behind the log_find_with_user_password feature flag.

Owners

Most appropriate Slack channel to reach out to: #g_sscs_authentication
Best individual to reach out to: @nmalcolm

Expectations

What are we expecting to happen?

Requests which result in Gitlab::Auth#find_user_with_password will be logged.

What can go wrong and how would we detect it?

If enabled for all requests, the log volume ~~may~~ will lead to significant cost / overhead.
- Log volume increase > 1.3% seen in Kibana
- Prod ElasticSearch Saturation
A logic error could cause authentication to fail
- Authentication: Group grafana dashboard
- system_access errors in Sentry
- Custom kibana dashboard
  - Non-prod
  - Prod
- Kibana log search:
  - Non-prod
  - Prod

Rollout Steps

Note: Please make sure to run the chatops commands in the Slack channel that gets impacted by the command.

Rollout on non-production environments

Verify the MR with the feature flag is merged to master and has been deployed to non-production environments with /chatops run auto_deploy status 2fd72843
Deploy the feature flag at a percentage (recommended percentage: 50%) with /chatops run feature set log_find_with_user_password <rollout-percentage> --actors --dev --pre --staging --staging-ref
- 10%
- 50%
Monitor that the error rates did not increase (repeat with a different percentage as necessary).
Enable the feature globally on non-production environments with /chatops run feature set log_find_with_user_password true --dev --pre --staging --staging-ref
Verify that the feature works as expected. The best environment to validate the feature in is staging-canary as this is the first environment deployed to. Make sure you are configured to use canary.
If the feature flag causes end-to-end tests to fail, disable the feature flag on staging to avoid blocking deployments.
- See #e2e-run-staging Slack channel and look for the following messages:
  - test kicked off: Feature flag log_find_with_user_password has been set to true on **gstg**
  - test result: This pipeline was triggered due to toggling of log_find_with_user_password feature flag

If you encounter end-to-end test failures and are unable to diagnose them, you may reach out to the #s_developer_experience Slack channel for assistance. Note that end-to-end test failures on staging-ref don't block deployments.

Before production rollout

~~If the change is significant and you wanted to announce in #whats-happening-at-gitlab, it best to do it before rollout to gitlab-org/gitlab-com.~~

Specific rollout on production

For visibility, all /chatops commands that target production must be executed in the #production Slack channel and cross-posted (with the command results) to the responsible team's Slack channel.

Ensure that the feature MRs have been deployed to both production and canary with /chatops run auto_deploy status <merge-commit-of-your-feature>
~~Depending on the type of actor you are using, pick one of these options:~~
- For project-actor: /chatops run feature set --project=gitlab-org/gitlab,gitlab-org/gitlab-foss,gitlab-com/www-gitlab-com log_find_with_user_password true
- For group-actor: /chatops run feature set --group=gitlab-org,gitlab-com log_find_with_user_password true
- For user-actor: /chatops run feature set --user=nmalcolm log_find_with_user_password true
- For all internal users: /chatops run feature set --feature-group=gitlab_team_members log_find_with_user_password true
- For request-actor: Can't be done
~~Verify that the feature works for the specific actors.~~

Preparation before global rollout

Set a milestone to this rollout issue to signal for enabling and removing the feature flag when it is stable.
Check if the feature flag change needs to be accompanied with a change management issue. Cross link the issue here if it does.
Ensure that you or a representative in development can be available for at least 2 hours after feature flag updates in production. If a different developer will be covering, or an exception is needed, please inform the oncall SRE by using the @sre-oncall Slack alias.
~~Ensure that documentation exists for the feature, and the version history text has been updated.~~
- None needed. It's behind-the-scenes logging
~~Ensure that any breaking changes have been announced following the release post process to ensure GitLab customers are aware.~~
- It's not a breaking change
Notify the #support_gitlab-com Slack channel and your team channel (more guidance when this is necessary in the dev docs).

Global rollout on production

For visibility, all /chatops commands that target production must be executed in the #production Slack channel and cross-posted (with the command results) to the responsible team's Slack channel.

(Optional) Release the feature with the feature flag

WARNING: This approach has the downside that it makes it difficult for us to clean up the flag. For example, on-premise users could disable the feature on their GitLab instance. But when you remove the flag at some point, they suddenly see the feature as enabled and they can't roll it back to the previous behavior. To avoid this potential breaking change, use this approach only for urgent matters.

See instructions if you're sure about enabling the feature globally through the feature flag definition

If you're still unsure whether the feature is deemed stable but want to release it in the current milestone, you can change the default state of the feature flag to be enabled. To do so, follow these steps:

Release the feature

Click to expand

After the feature has been deemed stable, the clean up should be done as soon as possible to permanently enable the feature and reduce complexity in the codebase.

You can either create a follow-up issue for Feature Flag Cleanup or use the checklist below in this same issue.

Create a merge request to remove the log_find_with_user_password feature flag. Ask for review/approval/merge as usual. The MR should include the following changes:
- Remove all references to the feature flag from the codebase.
- Remove the YAML definitions for the feature from the repository.
Ensure that the cleanup MR has been included in the release package. If the merge request was deployed before the monthly release was tagged, the feature can be officially announced in a release blog post: /chatops run release check https://gitlab.com/gitlab-org/gitlab/-/merge_requests/205476 18.4
Close the feature issue to indicate the feature will be released in the current milestone.
Once the cleanup MR has been deployed to production, clean up the feature flag from all environments by running these chatops command in #production channel: /chatops run feature delete log_find_with_user_password --dev --pre --staging --staging-ref --production
Close this rollout issue.

Remove the feature

Confirm we have gathered enough data for https://gitlab.com/gitlab-org/gitlab/-/issues/567766+s
Stop the logging: /chatops run feature set log_find_with_user_password false
Open an MR to remove the Feature
Once the cleanup MR has been deployed to production, clean up the feature flag from all environments by running these chatops command in #production channel: /chatops run feature delete log_find_with_user_password --dev --pre --staging --staging-ref --production
Close this rollout issue.

Rollback Steps

This feature can be disabled on production by running the following Chatops command:

/chatops run feature set log_find_with_user_password false

Disable the feature flag on non-production environments:

/chatops run feature set log_find_with_user_password false --dev --pre --staging --staging-ref

Delete feature flag from all environments:

/chatops run feature delete log_find_with_user_password --dev --pre --staging --staging-ref --production

Edited Oct 06, 2025 by Nick Malcolm

[FF] log_find_with_user_password -- Enable password authentication logging to improve visibility