Add authn_data_retention_cleanup_enabled application setting

What does this MR do and why?

Introduces a new application setting to control authentication data retention cleanup workers execution. The setting is stored in a JSONB column (authn_settings) and defaults to false.

This setting gates the execution of three cleanup workers:

  • Authn::DataRetention::AuthenticationEventArchiveWorker
  • Authn::DataRetention::OauthAccessTokenArchiveWorker
  • Authn::DataRetention::OauthAccessGrantArchiveWorker

The setting can be toggled via the API.

Related: #579002

How to set up and validate locally

Similar to: how-to-set-up-and-validate-locally.
Use the rake task defined there to generate tokens.

  1. Verify the default value for the configuration, but enable the related FF

       Gitlab::CurrentSettings.authn_data_retention_cleanup_enabled
       => false
       Feature.enable(:archive_revoked_access_tokens)
       => true

  2. Run the worker and verify no tokens are removed

       Authn::DataRetention::OauthAccessTokenArchiveWorker.perform_in 1.minute

  3. Enable the setting via API

       curl -X PUT "http://gdk.test:3000/api/v4/application/settings" \
         -H "Authorization: Bearer <YOUR_TOKEN>" \
         -H "Content-Type: application/json" \
         -d '{"authn_data_retention_cleanup_enabled": true}'

  4. Test the worker execution

       Gitlab::CurrentSettings.authn_data_retention_cleanup_enabled
       => true
       Authn::DataRetention::OauthAccessTokenArchiveWorker.perform_in 1.minute

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Daniele Bracciani
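
A sketch of the fail-closed gating described above, as an added example that is not GitLab's code and not part of this merge request. The class names `SettingsSketch` and `ArchiveWorkerSketch`, the `run_sketch` helper, the token rows and the idea that the worker archives revoked rows are all assumptions made for illustration.

```ruby
require 'json'

# Hypothetical stand-in for the application settings record; the real
# setting lives in the authn_settings JSONB column described above.
class SettingsSketch
  DEFAULTS = { 'authn_data_retention_cleanup_enabled' => false }.freeze

  def initialize(authn_settings_json)
    parsed = authn_settings_json ? JSON.parse(authn_settings_json) : {}
    @authn_settings = parsed.is_a?(Hash) ? parsed : {}
  rescue JSON::ParserError
    @authn_settings = {} # unreadable column content falls back to defaults
  end

  # Fail closed: only a JSON boolean true enables cleanup. A missing key,
  # null, "true" (string) or 1 all leave the destructive workers disabled.
  def authn_data_retention_cleanup_enabled
    DEFAULTS.merge(@authn_settings)['authn_data_retention_cleanup_enabled'] == true
  end
end

# Hypothetical worker: archives rows only when both gates are open, and
# reports why it skipped so operators can tell "disabled" from "nothing to do".
class ArchiveWorkerSketch
  def initialize(settings:, feature_flag_enabled:, tokens:)
    @settings = settings
    @feature_flag_enabled = feature_flag_enabled
    @tokens = tokens
  end

  def perform
    return { status: :skipped, reason: :feature_flag_disabled, archived: 0 } unless @feature_flag_enabled
    return { status: :skipped, reason: :setting_disabled, archived: 0 } unless @settings.authn_data_retention_cleanup_enabled

    revoked, kept = @tokens.partition { |t| t[:revoked] }
    @tokens.replace(kept)
    { status: :done, archived: revoked.size }
  end
end

# Constructed sample data and a helper that runs one worker pass.
def run_sketch(authn_settings_json, feature_flag_enabled: true)
  tokens = [{ id: 1, revoked: true }, { id: 2, revoked: false }, { id: 3, revoked: true }]
  settings = SettingsSketch.new(authn_settings_json)
  result = ArchiveWorkerSketch.new(settings: settings, feature_flag_enabled: feature_flag_enabled, tokens: tokens).perform
  result.merge(remaining: tokens.map { |t| t[:id] })
end
```

Calling `run_sketch` with `nil`, with a string `"true"` value, and with a JSON boolean `true` mirrors steps 1, 2 and 4 of the validation procedure: only the last one removes rows.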
