Audit events for project access tokens
What does this MR do?
Related issue: #230007 (closed)
Add app and audit events for project access token creation and revocation.
App logs can be found in application.log and look like this:
Audit events are available in EE and can be found in Project > Security & Compliance > Audit Events:
Edit: Successful token creation audit event message now includes the access token's scopes:
In the screenshot:
- token-scopes has api, read_api, read_repository, and write_repository checked
- no-scope has none of the boxes checked
- api-token has api checked
Screenshots (strongly suggested)
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
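To make concrete what "audit events for project access token creation and revocation" means in practice, here is an added illustration in Ruby. It is not GitLab's code from this MR: the class, method names, action names and message wording are assumptions; the scope names (api, read_api, read_repository, write_repository) and the token names (token-scopes, no-scope, api-token) are taken from the description above. It records creation (successful and failed, with the token's scopes in the successful message) and revocation, emits one JSON line per event as an application-log consumer would see it, and adds a reviewer-side query that lists tokens still active in a project together with their scopes.

```ruby
require 'json'
require 'time'

# Added example, not GitLab's own implementation. Names and message text are
# assumptions; scope and token names come from the MR description.
class AccessTokenAuditLog
  attr_reader :events

  def initialize
    @events = []
  end

  # Successful creation: the message carries the token's scopes so a reader of
  # the audit trail can see what the token was allowed to do. An empty scope
  # list is rendered as "none" (assumed rendering).
  def token_created(author:, project:, token_name:, scopes:)
    scope_text = scopes.empty? ? 'none' : scopes.join(', ')
    record('project_access_token_created', author, project, token_name,
           "Created project access token with token name: #{token_name} " \
           "with scopes: #{scope_text}", scopes: scopes)
  end

  # Failed creation is logged too, so repeated failures are visible in review.
  def token_creation_failed(author:, project:, token_name:, reason:)
    record('project_access_token_creation_failed', author, project, token_name,
           'Attempted to create project access token with token name: ' \
           "#{token_name} but failed with message: #{reason}")
  end

  def token_revoked(author:, project:, token_name:)
    record('project_access_token_revoked', author, project, token_name,
           "Revoked project access token with token name: #{token_name}")
  end

  def token_revocation_failed(author:, project:, token_name:, reason:)
    record('project_access_token_revocation_failed', author, project, token_name,
           'Attempted to revoke project access token with token name: ' \
           "#{token_name} but failed with message: #{reason}")
  end

  # One JSON line per event, the shape an application.log consumer would parse.
  def to_json_lines
    events.map { |event| JSON.generate(event) }
  end

  # Reviewer's view over the trail: tokens created in the project and not yet
  # revoked, mapped to their scopes, in creation order.
  def active_tokens(project)
    active = {}
    events.each do |event|
      next unless event[:project] == project

      case event[:action]
      when 'project_access_token_created'
        active[event[:token_name]] = event[:scopes]
      when 'project_access_token_revoked'
        active.delete(event[:token_name])
      end
    end
    active
  end

  # Active tokens holding a write-capable scope. The api scope is counted as
  # write-capable because it grants full read/write API access.
  def active_write_tokens(project)
    active_tokens(project).select do |_, scopes|
      scopes.any? { |scope| scope == 'api' || scope.start_with?('write_') }
    end
  end

  private

  def record(action, author, project, token_name, message, scopes: nil)
    event = {
      time: Time.now.utc.iso8601,
      action: action,
      author: author,
      project: project,
      token_name: token_name,
      message: message
    }
    event[:scopes] = scopes unless scopes.nil?
    events << event
    event
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample run using the token names from the MR screenshot.
  log = AccessTokenAuditLog.new
  log.token_created(author: 'serenafang', project: 'group/project',
                    token_name: 'token-scopes',
                    scopes: %w[api read_api read_repository write_repository])
  log.token_created(author: 'serenafang', project: 'group/project',
                    token_name: 'no-scope', scopes: [])
  log.token_created(author: 'serenafang', project: 'group/project',
                    token_name: 'api-token', scopes: %w[api])
  log.token_revoked(author: 'serenafang', project: 'group/project',
                    token_name: 'api-token')
  puts log.to_json_lines
  puts "Active write-capable tokens: #{log.active_write_tokens('group/project').keys.join(', ')}"
end
```

The point of carrying the scopes in the creation message is that a revocation event alone does not tell a reviewer what a token could do while it was live; pairing creation and revocation events per token name lets the trail answer that after the fact.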
Merge request reports
Activity
Documentation review
This merge request adds or changes documentation files. A review from the Technical Writing team before you merge is recommended. Reviews can happen after you merge.
The following files require a review from a technical writer:
doc/administration/audit_events.md
The review does not need to block merging this merge request. See the:
- Technical Writers assignments for the appropriate technical writer for this review.
- Documentation workflows for information on when to assign a merge request for review.
Reviewer roulette
Changes that require review have been detected! A merge request is normally reviewed by both a reviewer and a maintainer in its primary category (e.g. frontend or backend), and by a maintainer in all other categories.
To spread load more evenly across eligible reviewers, Danger has picked a candidate for each review slot, based on their timezone. Feel free to override these selections if you think someone else would be better-suited or use the GitLab Review Workload Dashboard to find other available reviewers.
To read more on how to use the reviewer roulette, please take a look at the Engineering workflow and code review guidelines. Please consider assigning a reviewer or maintainer who is a domain expert in the area of the merge request.
Once you've decided who will review this merge request, mention them as you normally would! Danger does not automatically notify them for you.
| Category | Reviewer | Maintainer |
| --- | --- | --- |
| backend | Steve Abrams (@sabrams) (UTC-7, 1 hour behind @serenafang) | Mikołaj Wawrzyniak (@mikolaj_wawrzyniak) (UTC+1, 7 hours ahead of @serenafang) |
If needed, you can retry the danger-review job that generated this comment.
Generated by Danger
Edited by 🤖 GitLab Bot 🤖
mentioned in issue #238991 (closed)
- Resolved by Serena Fang
- Resolved by Serena Fang
- Resolved by Serena Fang
- Resolved by Serena Fang
changed milestone to %13.9
- Resolved by Serena Fang
added documentation label
- Resolved by Serena Fang
@mjang1 Hi Mike, would you mind TW reviewing this? The TW related changes are in:
app/services/resource_access_tokens/create_service.rb
app/services/resource_access_tokens/revoke_service.rb
ee/app/services/ee/resource_access_tokens/create_service.rb
ee/app/services/ee/resource_access_tokens/revoke_service.rb
doc/administration/audit_events.md
I also put screenshots of the TW changes in the MR description and in the comments.
requested review from @mjang1
assigned to @mjang1
- Resolved by Robert Speicher
@nmilojevic1 Hi Nikola! Would you mind doing the initial backend review on this? Thank you!
I left comments about the failures in
spec/services/resource_access_tokens/create_service_spec.rb
and spec/services/resource_access_tokens/revoke_service_spec.rb:44
in the comments, please see !51660 (comment 485815737) and !51660 (comment 485850369)
Edited by Serena Fang
requested review from @nmilojevic1
assigned to @nmilojevic1
mentioned in merge request !48094 (closed)
added Category:Audit Events label
added workflow::in review label and removed workflow::in dev label
- Resolved by Serena Fang
- Resolved by Serena Fang
- Resolved by Serena Fang
- Resolved by Serena Fang
- Resolved by Serena Fang
- Resolved by Serena Fang
unassigned @nmilojevic1