Discovery: Inventory all PAT/SSH credentials in a single view

Problem

GitLab administrators have specific company policies they need to enforce on the technologies they use. Currently, password policies for GitLab don't exist and can't be enforced by an administrator outside of GitLab's hard-coded settings. Administrators need the ability to define password policy in order to comply with internal company policies and, by extension, specific industry or regulatory compliance frameworks.

Use Cases

As an administrator I have access to users and their credentials, but I'd like a way to easily inventory all credentials and revoke them if I feel it's needed.

As an administrator I should be able to see when a PAT or SSH token was last accessed, who it's associated with, and how it's scoped.

As an administrator I need to know what access credentials exist for my environment.

Additional Information

GitLab administrators are responsible for the overall security of their instance. Risk management is part of their job. There are a number of access points into the application - personal access tokens and SSH keys are high on the list. Administrators must be able to manage risk for PAT and SSH credentials.

Proposal

Create a new "Credentials" view in the admin panel.

  • List all PATs and public SSH keys in a table. Columns: type, owner, expiration, scope, last used, and actions. Columns should be sortable and filterable.
    • Type: type of credential (PAT, SSH key, etc.).
    • Owner: user it's associated with, if any.
    • Scope: how it's scoped, if relevant (api, etc.).
    • Last used: last time this credential was used.
    • Expiration: when the credential expires, if any.
    • Actions: each row should have "Revoke" as an action.
Owner               Type  Scope                        Last Used   Expiration
sydney@example.com  SSH   api, read_repository         2019-11-14  Never
devon@example.com   PAT   api, sudo, write_repository  2019-10-03  2020-05-25

(Prototype currently WIP. Will update issue once complete)

Include other credentials in future iterations (SCIM token, CI_JOB_TOKEN, global shared deploy keys, etc.).
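As an added example (not GitLab's code), a Ruby sketch of the filtering, sorting and risk-review logic behind the proposed Credentials view, run over constructed rows that mirror the prototype table above; the 90-day idle threshold and the `sudo` flag are assumptions, not anything this issue specifies.

```ruby
require 'date'

# Constructed sample rows modelled on the prototype table in the issue.
Credential = Struct.new(:owner, :type, :scopes, :last_used, :expires, keyword_init: true)

INVENTORY = [
  Credential.new(owner: 'sydney@example.com', type: 'SSH', scopes: %w[api read_repository],
                 last_used: Date.new(2019, 11, 14), expires: nil),
  Credential.new(owner: 'devon@example.com', type: 'PAT', scopes: %w[api sudo write_repository],
                 last_used: Date.new(2019, 10, 3), expires: Date.new(2020, 5, 25)),
].freeze

# Filter on the columns the view exposes (type, owner, scope).
def filter_credentials(rows, type: nil, owner: nil, scope: nil)
  rows.select do |c|
    (type.nil? || c.type == type) &&
      (owner.nil? || c.owner == owner) &&
      (scope.nil? || c.scopes.include?(scope))
  end
end

# Sort by a date column; a nil expiration ("Never") sorts last so
# non-expiring credentials are grouped at the bottom of the list.
def sort_credentials(rows, by: :last_used)
  rows.sort_by { |c| c[by].nil? ? [1, 0] : [0, c[by].jd] }
end

# The review an admin would do before clicking "Revoke": flag credentials
# unused for more than max_idle_days (assumed 90), credentials that never
# expire, and credentials carrying the sudo scope (assumed privileged).
def review_credentials(rows, today:, max_idle_days: 90)
  rows.map do |c|
    flags = []
    flags << :stale if (today - c.last_used).to_i > max_idle_days
    flags << :never_expires if c.expires.nil?
    flags << :privileged if c.scopes.include?('sudo')
    [c, flags]
  end
end

# Render one row the way the proposed table displays it.
def format_row(c)
  [c.owner, c.type, c.scopes.join(','), c.last_used.to_s,
   c.expires ? c.expires.to_s : 'Never'].join(' | ')
end

sort_credentials(INVENTORY).each { |c| puts format_row(c) }
```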

Implementation

Please see the implementation issue for the current MVC.

Action Items

  • Determine level of frontend support required
    • Create separate FE issue
Edited by Matt Gonzales (ex-GitLab)