Create bot users with indefinite group and project membership
What does this MR do and why?
When a Resource (Group or Project) Access Token is created for, the following occurs:
- a User is created (a bot)
- a PAT is created for the bot (known as a Group or Project Access Token)
- a Member record is created to associate the bot and the resource
Previously, the membership would expire when the token expired. When
the Membership expired, the RemoveExpiredMembersWorker would destroy
the Member and bot User records. Expired tokens would no longer have
any association with the resource, making auditing and security reviews
more challenging.
Now, when the Feature Flag
retain_resource_access_token_user_after_revoke is enabled for a
Resource, new Resource Access Tokens will have Member records that do
not expire. When the token expires, the Member and User records are
retained. (In a different MR these inactive tokens are displayed in
Group and Project Settings).
Note that it does not affect Member records for existing Resource Access Tokens. That would require a migration to update existing records.
This is part of List Revoked and Expired Project and Group Acce... (#462217)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
| Before | After |
|---|---|
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
Related to #462217