Commit 6cfa36b0 authored by Evan Read

Merge branch '351962-deprecate-application-setting-enforce-pat-expiration' into 'master'

Announce deprecation of the option to disable PAT expiration

See merge request gitlab-org/gitlab!79904
parents 13c7fdaa 6a767f9e
- name: "Optional enforcement of PAT expiration" # The name of the feature to be deprecated
announcement_milestone: "14.8" # The milestone when this feature was first announced as deprecated.
announcement_date: "2022-02-22" # The date of the milestone release when this feature was first announced as deprecated. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post.
removal_milestone: "15.0" # The milestone when this feature is planned to be removed
removal_date: "2022-05-22" # The date of the milestone release when this feature is planned to be removed. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post.
breaking_change: true # If this deprecation is a breaking change, set this value to true
reporter: djensen # GitLab username of the person reporting the deprecation
body: | # Do not modify this line, instead modify the lines below.
The feature to disable enforcement of PAT expiration is unusual from a security perspective.
We have become concerned that this unusual feature could create unexpected behavior for users.
Unexpected behavior in a security feature is inherently dangerous, so we have decided to remove this feature.
issue_url: "https://gitlab.com/gitlab-org/gitlab/-/issues/351962" # (optional) This is a link to the deprecation issue in GitLab
documentation_url: "https://docs.gitlab.com/ee/user/admin_area/settings/account_and_limit_settings.html#allow-expired-personal-access-tokens-to-be-used-deprecated" # (optional) This is a link to the current documentation page
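Review bot: the `body` block (the three lines under `body: |`) says the feature is "unusual" twice but never names the setting being removed or states its practical effect, so an administrator reading the generated deprecation notice cannot tell whether their instance is affected. Suggest naming it directly, e.g. "The **Allow expired personal access tokens to be used** setting is deprecated and planned for removal in 15.0. After removal, expired personal access tokens are always rejected.", and adding one line telling administrators who currently enable the setting to renew or rotate affected tokens before upgrading. Since `breaking_change: true` is set, this is the text users will rely on to plan the upgrade.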
...@@ -753,6 +753,20 @@ To align with this change, API calls to list external status checks will also re ...@@ -753,6 +753,20 @@ To align with this change, API calls to list external status checks will also re
**Planned removal milestone: 15.0 (2022-05-22)** **Planned removal milestone: 15.0 (2022-05-22)**
### Optional enforcement of PAT expiration
WARNING:
This feature will be changed or removed in 15.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
The feature to disable enforcement of PAT expiration is unusual from a security perspective.
We have become concerned that this unusual feature could create unexpected behavior for users.
Unexpected behavior in a security feature is inherently dangerous, so we have decided to remove this feature.
**Planned removal milestone: 15.0 (2022-05-22)**
### Querying Usage Trends via the `instanceStatisticsMeasurements` GraphQL node ### Querying Usage Trends via the `instanceStatisticsMeasurements` GraphQL node
WARNING: WARNING:
......
...@@ -38,7 +38,7 @@ The following is an example of the Credentials inventory page: ...@@ -38,7 +38,7 @@ The following is an example of the Credentials inventory page:
If you see a **Revoke** button, you can revoke that user's PAT. Whether you see a **Revoke** button depends on the token state, and if an expiration date has been set. For more information, see the following table: If you see a **Revoke** button, you can revoke that user's PAT. Whether you see a **Revoke** button depends on the token state, and if an expiration date has been set. For more information, see the following table:
| Token state | [Token expiration enforced?](settings/account_and_limit_settings.md#allow-expired-personal-access-tokens-to-be-used) | Show Revoke button? | Comments | | Token state | [Token expiration enforced?](settings/account_and_limit_settings.md#allow-expired-personal-access-tokens-to-be-used-deprecated) | Show Revoke button? | Comments |
|-------------|------------------------|--------------------|----------------------------------------------------------------------------| |-------------|------------------------|--------------------|----------------------------------------------------------------------------|
| Active | Yes | Yes | Allows administrators to revoke the PAT, such as for a compromised account | | Active | Yes | Yes | Allows administrators to revoke the PAT, such as for a compromised account |
| Active | No | Yes | Allows administrators to revoke the PAT, such as for a compromised account | | Active | No | Yes | Allows administrators to revoke the PAT, such as for a compromised account |
......
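Review bot: the column-header link in the table now points at the `-deprecated` anchor, but nothing in the table itself tells the reader that the rows answering "No" to "Token expiration enforced?" depend on a setting that is deprecated in 14.8 and scheduled for removal in 15.0. Suggest a short sentence above the table, or a remark in the Comments column of the "No" rows, so the credentials-inventory page does not present the unenforced state as a lasting option.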
...@@ -283,10 +283,14 @@ Once a lifetime for personal access tokens is set, GitLab: ...@@ -283,10 +283,14 @@ Once a lifetime for personal access tokens is set, GitLab:
allowed lifetime. Three hours is given to allow administrators to change the allowed lifetime, allowed lifetime. Three hours is given to allow administrators to change the allowed lifetime,
or remove it, before revocation takes place. or remove it, before revocation takes place.
## Allow expired Personal Access Tokens to be used **(ULTIMATE SELF)** ## Allow expired Personal Access Tokens to be used (DEPRECATED) **(ULTIMATE SELF)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214723) in GitLab 13.1. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214723) in GitLab 13.1.
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/296881) in GitLab 13.9. > - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/296881) in GitLab 13.9.
> - [Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/351962) in GitLab 14.8.
WARNING:
This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/351962) in GitLab 14.8.
By default, expired personal access tokens (PATs) **are not usable**. By default, expired personal access tokens (PATs) **are not usable**.
......
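Review bot: the new WARNING block repeats the version-history bullet added just above it (both say "deprecated in GitLab 14.8") and omits what the warning is there to carry: that removal is planned for 15.0 (per `removal_milestone` in this merge request) and what that means for instances that currently enable the setting. Suggest "This feature was deprecated in GitLab 14.8 and is planned for removal in 15.0. After removal, expired personal access tokens are always rejected." Also note that appending `(DEPRECATED)` to the heading changes the section anchor; the other hunks in this MR update their links, but any external links to the old `#allow-expired-personal-access-tokens-to-be-used` anchor will break, so consider whether a redirect or the old anchor should be kept.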
...@@ -111,7 +111,7 @@ Personal access tokens expire on the date you define, at midnight UTC. ...@@ -111,7 +111,7 @@ Personal access tokens expire on the date you define, at midnight UTC.
- In GitLab Ultimate, administrators can - In GitLab Ultimate, administrators can
[limit the lifetime of personal access tokens](../admin_area/settings/account_and_limit_settings.md#limit-the-lifetime-of-personal-access-tokens). [limit the lifetime of personal access tokens](../admin_area/settings/account_and_limit_settings.md#limit-the-lifetime-of-personal-access-tokens).
- In GitLab Ultimate, administrators can choose whether or not to - In GitLab Ultimate, administrators can choose whether or not to
[enforce personal access token expiration](../admin_area/settings/account_and_limit_settings.md#allow-expired-personal-access-tokens-to-be-used). [enforce personal access token expiration](../admin_area/settings/account_and_limit_settings.md#allow-expired-personal-access-tokens-to-be-used-deprecated).
## Create a personal access token programmatically **(FREE SELF)** ## Create a personal access token programmatically **(FREE SELF)**
......
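Review bot: the bullet "administrators can choose whether or not to enforce personal access token expiration" now links to the deprecated section but still presents the option as an ordinary feature. Suggest appending "(deprecated in GitLab 14.8)" to the bullet so readers of this page learn about the deprecation without following the link.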