WIP: Allow GMA groups to specify their own PAT expiry setting (2/2)
What does this MR do?
This is MR No:2 towards implementing #118893 (closed)
MR No:1 - !25963 (merged)
This MR adds:
-
Add database column in namespacestable for PAT expiry -
All GMA groups inherit the instance-level PAT expiry setting by default -
UI: Add ability for GMA groups to specify their own PAT expiry setting via Group settings (this setting is not shown for normal groups) -
API: Add ability for GMA groups to update their own PAT expiry setting (this setting is not available for normal groups) -
API: Expose this setting via the Group API (only for GMA groups) -
When the PAT expiry setting is updated for a GMA, a worker is scheduled 3hours into the future and:* Revoke all `PersonalAccessToken.active` with `expires_at` higher than the maximum lifetime and with `expires_at` not set. * Notify the users about the revoked tokens -
UI: When a user in a GMA group tries to create a new PAT, show callout banner in the UI about the expiry rules.
Screenshots
Does this MR meet the acceptance criteria?
Conformity
-
Changelog entry -
Documentation (if required) -
Code review guidelines -
Merge request performance guidelines -
Style guides -
Database guides -
Separation of EE specific content
Availability and Testing
-
Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process. -
Tested in all supported browsers -
Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
-
Label as security and @ mention @gitlab-com/gl-security/appsec -
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods -
Security reports checked/validated by a reviewer from the AppSec team