Merge branch 'doc-token-expiry-enforcement' into 'master'

Docs: Optional Enforcement of Personal Access Token expiry See merge request gitlab-org/gitlab!34774

Merge branch 'doc-token-expiry-enforcement' into 'master'
Docs: Optional Enforcement of Personal Access Token expiry See merge request gitlab-org/gitlab!34774
27dac95b · Mike Jang · 0c6d5eb8 · 49b6ded7 · 27dac95b · 27dac95b
Commit 27dac95b authored Jun 18, 2020 by Mike Jang
Showing with 34 additions and 0 deletions

doc/user/admin_area/settings/account_and_limit_settings.md doc/user/admin_area/settings/account_and_limit_settings.md +33 -0

doc/user/profile/personal_access_tokens.md doc/user/profile/personal_access_tokens.md +1 -0

No files found.
--- a/doc/user/admin_area/settings/account_and_limit_settings.md
+++ b/doc/user/admin_area/settings/account_and_limit_settings.md
@@ -140,6 +140,39 @@ Once a lifetime for personal access tokens is set, GitLab will:
  allowed lifetime. Three hours is given to allow administrators to change the allowed lifetime,
  or remove it, before revocation takes place.

+## Optional enforcement of Personal Access Token expiry **(ULTIMATE ONLY)**
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214723) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.1.
+> - It is deployed behind a feature flag, disabled by default.
+> - It is disabled on GitLab.com.
+> - It is not recommended for production use.
+> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-optional-enforcement-of-personal-access-token-expiry-feature-core-only). **(CORE ONLY)**
+
+GitLab administrators can choose to prevent personal access tokens from expiring automatically. The tokens will be usable after the expiry date, unless they are revoked explicitly.
+
+To do this:
+
+1. Navigate to **Admin Area > Settings > General**.
+1. Expand the **Account and limit** section.
+1. Uncheck the **Enforce personal access token expiration** checkbox.
+
+### Enable or disable optional enforcement of Personal Access Token expiry Feature **(CORE ONLY)**
+
+Optional Enforcement of Personal Access Token Expiry is under development and not ready for production use. It is deployed behind a feature flag that is **disabled by default**.
+[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md) can enable it for your instance from the [rails console](../../../administration/feature_flags.md#start-the-gitlab-rails-console).
+
+To enable it:
+
+```ruby
+Feature.enable(:enforce_personal_access_token_expiration)
+```
+
+To disable it:
+
+```ruby
+Feature.disable(:enforce_personal_access_token_expiration)
+```
+
 ## Disabling user profile name changes **(PREMIUM ONLY)**

 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/24605) in GitLab 12.7.

--- a/doc/user/profile/personal_access_tokens.md
+++ b/doc/user/profile/personal_access_tokens.md
@@ -19,6 +19,7 @@ Personal access tokens expire on the date you define, at midnight UTC.

 - GitLab runs a check at 01:00 AM UTC every day to identify personal access tokens that will expire in under seven days. The owners of these tokens are notified by email.
 - In GitLab Ultimate, administrators may [limit the lifetime of personal access tokens](../admin_area/settings/account_and_limit_settings.md#limiting-lifetime-of-personal-access-tokens-ultimate-only).
+- In GitLab Ultimate, administrators may [toggle enforcement of personal access token expiry](../admin_area/settings/account_and_limit_settings.md#optional-enforcement-of-personal-access-token-expiry-ultimate-only).

 For examples of how you can use a personal access token to authenticate with the API, see the following section from our [API Docs](../../api/README.md#personalproject-access-tokens).