Discovery: Inventory all PAT/SSH credentials in a single view
Problem
GitLab administrators have specific company policies they need to enforce on the technologies they use. Currently, password policies for GitLab don't exist and can't be enforced by an administrator outside of GitLab's hard-coded settings. Administrators need the ability to define password policy in order to comply with internal company policies and, by extension, specific industry or regulatory compliance frameworks.
Use Cases
As an administrator I have access to users and their credentials, but I'd like a way to easily inventory all credentials and revoke them if I feel it's needed.
As an administrator I should be able to see when a PAT or SSH token was last accessed, who it's associated with, and how it's scoped.
As an administrator I need to know what access credentials exist for my environment.
Additional Information
GitLab administrators are responsible for the overall security of their instance. Risk management is part of their job. There are a number of access points into the application - personal access tokens and SSH keys are high on the list. Administrators must be able to manage risk for PAT and SSH credentials.
Proposal
Create a new "Credentials" view in the admin panel.
- List all PATs and public SSH keys in a table. Columns: type, owner, expiration, scope, last used, and actions. Columns should be sortable and filterable.
  - Type: Type of credential (PAT, SSH key, etc.).
  - Owner: User it's associated with, if any.
  - Scope: How it's scoped, if relevant (`api`, etc.).
  - Last used: Last time this key was used.
  - Expiration: When the credential expires, if any.
  - Actions: Each row should have "Revoke" as an action.
Owner | Type | Scope | Last Used | Expiration |
---|---|---|---|---|
sydney@example.com | SSH | api read_repository | 2019-11-14 | Never |
devon@example.com | PAT | api sudo write_repository | 2019-10-03 | 2020-05-25 |
(Prototype currently WIP. Will update issue once complete)
Include other credentials in future iterations (SCIM token, CI_JOB_TOKEN, global shared deploy keys, etc).
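As an added example (not GitLab's code) of the inventory, sorting and filtering this view would support: a small Python script that builds rows in the proposed column order from constructed sample records and flags entries an administrator would likely review (never-expiring, expired, stale, never-used, or privileged-scope). The 90-day staleness threshold and the set of privileged scopes are assumptions.

```python
# Added example (not GitLab's code): build the proposed view from constructed data and flag risky entries.
from dataclasses import dataclass
from datetime import date
from typing import Optional

STALE_DAYS = 90  # assumption: unused this long counts as stale
HIGH_RISK_SCOPES = {"sudo", "api", "write_repository"}  # assumption

@dataclass
class Credential:
    owner: str
    type: str                  # "PAT" or "SSH"
    scopes: tuple              # empty for credentials without scopes
    last_used: Optional[date]  # None if never used
    expires: Optional[date]    # None if it never expires

def flags(c: Credential, today: date) -> list:
    """Reasons this credential deserves admin attention (may be empty)."""
    out = []
    if c.expires is None:
        out.append("never-expires")
    elif c.expires < today:
        out.append("expired")
    if c.last_used is None:
        out.append("never-used")
    elif (today - c.last_used).days > STALE_DAYS:
        out.append("stale")
    if HIGH_RISK_SCOPES & set(c.scopes):
        out.append("privileged-scope")
    return out

def inventory(creds, today, only_flagged=False):
    """Rows in the proposed column order, sorted by last use (never-used first)."""
    rows = []
    for c in sorted(creds, key=lambda c: c.last_used or date.min):
        f = flags(c, today)
        if only_flagged and not f:
            continue
        rows.append((c.owner, c.type, " ".join(c.scopes),
                     str(c.last_used or "Never"), str(c.expires or "Never"),
                     ",".join(f)))
    return rows

# Constructed sample data, loosely mirroring the issue's mock-up table.
SAMPLE = [
    Credential("sydney@example.com", "SSH", (), date(2019, 11, 14), None),
    Credential("devon@example.com", "PAT", ("api", "sudo", "write_repository"),
               date(2019, 10, 3), date(2020, 5, 25)),
    Credential("kai@example.com", "PAT", ("read_user",), None, date(2021, 1, 1)),
]
```

Calling `inventory(SAMPLE, date.today(), only_flagged=True)` gives just the rows needing review, which is the "filterable" part of the proposal.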
Implementation
Please see the implementation issue for the current MVC.
Action Items
- Determine level of frontend support required
- Create separate FE issue