Improve PAT & SSH credential inventory & management
Problem to solve
Managing user credentials in GitLab as a compliance-minded organization is difficult and tedious. There is no single place to view all user credentials together with data about them (expiration dates, revocation status, or other issues), so Cameron (Compliance Manager) cannot report on access management easily.
Additional information
In 12.9 we implemented a Personal Access Token expiry policy setting for self-managed administrators and extended this functionality to GitLab.com in 12.10.
The MVC implementation creates a disruptive experience for users where PATs are automatically expired/revoked when they meet or exceed the expiration date. GitLab should empower customers to build disruptive solutions to meet their compliance requirements, but those solutions do not necessarily need to exist natively within GitLab since they're antithetical to our values of efficiency and velocity.
Currently, the implementation of PAT expiration is disruptive and inflexible. There's no way for customers to build flexible solutions to meet the varying degrees of severity in credential management requirements and users have no choice but to address an automatically-revoked token.
We are currently considering downgrading PAT expiration from Ultimate to Premium, which means this feature will cause disruption for a broader user base.
Downgrading the pricing tier is contingent on implementing this epic, at least in part, to reduce the friction of the feature for the larger user base it would then reach.
Also of importance are the following dynamics for these issues:
- PAT expiration exists for self-managed customers and GitLab.com customers using Group-Managed Accounts (GMA)
- SSH key expiration exists for all users as an optional input
- There's an open issue to add SSH key expiration enforcement, which will need to be split for self-managed and gitlab.com (group-managed account) implementations
- The changes we're making here for PAT and SSH key credential management would need to be rolled out for both self-managed and gitlab.com (GMAs)
Suggested implementation order
- Allow admins and owners to make PAT expiration job optional
- Highlight expired SSH or PAT credentials in the credential inventory
- Highlight revoked PAT credentials in the credential inventory
- Add additional PAT expiration notification job
- Add a Revoke button to the credential inventory
- Allow admins to revoke PAT tokens via API
- Everything else in this epic
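As an added illustration of the inventory logic the items above ask for (this is example code written for this description, not GitLab's implementation), the following script triages a constructed credential inventory: it marks PATs and SSH keys as revoked, expired (on or after the expiration date, matching the expiry job described above), expiring soon (candidates for the notification job), or active. The `Credential` fields, the `warn_days` window and the sample records are assumptions chosen for the example.

```python
"""Triage a credential inventory into revoked / expired / expiring-soon / active buckets.

Example code for the epic description above; the data model and sample records are
constructed for illustration and are not GitLab's schema or data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Credential:
    owner: str                  # username the credential belongs to
    kind: str                   # "pat" or "ssh" (assumed labels)
    name: str                   # token or key name
    expires_at: Optional[date]  # None: no expiry set (SSH key expiry is optional)
    revoked: bool = False       # only PATs can be revoked in this model


BUCKETS = ("revoked", "expired", "expiring-soon", "no-expiry", "active")


def classify(cred: Credential, today: date, warn_days: int = 7) -> str:
    """Return the compliance bucket for one credential as of `today`."""
    if cred.revoked:
        return "revoked"
    if cred.expires_at is None:
        return "no-expiry"
    # Expired when the expiration date is met or exceeded.
    if cred.expires_at <= today:
        return "expired"
    # Inside the warning window: a candidate for an expiry notification.
    if cred.expires_at - today <= timedelta(days=warn_days):
        return "expiring-soon"
    return "active"


def triage(inventory: List[Credential], today: date,
           warn_days: int = 7) -> Dict[str, List[Credential]]:
    """Group every credential in the inventory by bucket."""
    report: Dict[str, List[Credential]] = {b: [] for b in BUCKETS}
    for cred in inventory:
        report[classify(cred, today, warn_days)].append(cred)
    return report


def notification_candidates(inventory: List[Credential], today: date,
                            warn_days: int = 7) -> List[Credential]:
    """PATs that will expire within the window and should trigger a reminder."""
    return [c for c in inventory
            if c.kind == "pat" and classify(c, today, warn_days) == "expiring-soon"]


def summarize(report: Dict[str, List[Credential]]) -> Dict[str, int]:
    """Counts per bucket, e.g. for a compliance dashboard."""
    return {bucket: len(creds) for bucket, creds in report.items()}


# Constructed sample inventory (not real users, tokens or keys).
TODAY = date(2020, 6, 1)
SAMPLE_INVENTORY = [
    Credential("alice", "pat", "ci-deploy", date(2020, 5, 30)),            # expired
    Credential("alice", "ssh", "laptop", None),                            # no expiry set
    Credential("bob", "pat", "api-script", date(2020, 6, 5)),              # expires in 4 days
    Credential("bob", "pat", "old-token", date(2020, 12, 31), revoked=True),  # revoked
    Credential("carol", "ssh", "workstation", date(2020, 6, 1)),           # expires today
    Credential("carol", "pat", "release", date(2020, 9, 1)),               # active
]


if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY, TODAY)
    for bucket in BUCKETS:
        for c in result[bucket]:
            print(f"{bucket:14} {c.owner:8} {c.kind:4} {c.name:12} expires={c.expires_at}")
    print("summary:", summarize(result))
    print("notify:", [c.name for c in notification_candidates(SAMPLE_INVENTORY, TODAY)])
```

Running the script prints one line per credential with its bucket, then the per-bucket counts and the PATs that would receive a reminder. A notification job that runs `notification_candidates` daily gives users warning before the expiry job revokes a token, which is the less disruptive behaviour the epic is after.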