Allow admins to revoke PAT tokens via API
Problem to solve
In #214811 (closed) we will implement a manual Revoke button inside the credentials inventory to enable administrators to revoke access tokens they know to be out of date.
A manual Revoke button does not sufficiently support larger organizations that rely on GitLab's APIs to carry out many functions within the application programmatically. Further, there is no way for a compliance-minded organization to automatically enforce its credential rotation policy: an administrator would have to find and click through every expired token by hand.
Intended users
Further details
Striking a balance between avoiding disruptive workflows and meeting what compliance-minded organizations require from GitLab is a challenge. With this issue, part of &3084, I believe we can find that balance.
An API-based approach would let organizations implement their own enforcement policy for their users without GitLab building in native, programmatic enforcement that may not be desirable for all scenarios.
Proposal
Create an API endpoint, e.g. /tokens, that allows anyone who can revoke a particular PAT credential within the UI to do the following:
- Define the PAT expiration duration (should update the setting within the admin area)
- Revoke a single PAT from a single user
- Revoke all PATs from a single user
Note: Revoking all PATs from all users seems potentially too heavy-handed and may be unnecessary, since a script can iterate over users and revoke all PATs from each user in turn.
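The rotation-policy enforcement the issue asks for, as an added example (not GitLab's code and not part of the original issue): a compliance script lists one user's PATs, selects the active ones older than the policy allows, and revokes each through the proposed endpoint. The endpoint shape (GET /api/v4/tokens?user_id=<id> returning id, user_id, name, created_at and revoked; DELETE /api/v4/tokens/<id> revoking one token) is an assumption modelled on the proposal above, as is the 90-day policy; the PRIVATE-TOKEN header is GitLab's existing PAT authentication header. The sample tokens and the offline FakeTransport are constructed so the script runs without a server; swapping in urllib_transport points it at a real instance.

```python
"""Rotation-policy enforcement script against the proposed /tokens endpoint.

The endpoint shape below is an ASSUMPTION made for this example (the issue
only proposes "/tokens"); it is not GitLab's actual API:
  GET    /api/v4/tokens?user_id=<id>  -> JSON list of
                                         {"id", "user_id", "name", "created_at", "revoked"}
  DELETE /api/v4/tokens/<token_id>    -> revokes that single token
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

POLICY_MAX_AGE_DAYS = 90  # the organization's rotation policy (assumed value)


def parse_ts(value):
    """Parse an ISO-8601 timestamp as GitLab emits them (trailing 'Z' means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def tokens_violating_policy(tokens, max_age_days, now):
    """Return the still-active tokens created before the rotation cutoff."""
    cutoff = now - timedelta(days=max_age_days)
    return [t for t in tokens
            if not t.get("revoked") and parse_ts(t["created_at"]) < cutoff]


def urllib_transport(method, url, headers):
    """Real HTTP transport; returns (status, body_bytes)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


class TokenClient:
    """Thin client for the assumed /tokens endpoint, authenticated with an admin PAT."""

    def __init__(self, base_url, admin_pat, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.headers = {"PRIVATE-TOKEN": admin_pat}  # GitLab's PAT auth header
        self.transport = transport

    def list_tokens(self, user_id):
        url = f"{self.base_url}/api/v4/tokens?user_id={int(user_id)}"
        status, body = self.transport("GET", url, self.headers)
        if status != 200:
            raise RuntimeError(f"listing tokens for user {user_id} failed: HTTP {status}")
        return json.loads(body)

    def revoke_token(self, token_id):
        url = f"{self.base_url}/api/v4/tokens/{int(token_id)}"
        status, _ = self.transport("DELETE", url, self.headers)
        if status not in (200, 204):
            raise RuntimeError(f"revoking token {token_id} failed: HTTP {status}")


def enforce_rotation(client, user_id, max_age_days, now=None, dry_run=False):
    """Revoke every active PAT of one user that is older than the policy allows.

    Returns the ids selected for revocation. With dry_run=True nothing is
    revoked, so a compliance job can report before it enforces.
    """
    now = now or datetime.now(timezone.utc)
    stale = tokens_violating_policy(client.list_tokens(user_id), max_age_days, now)
    for token in stale:
        if not dry_run:
            client.revoke_token(token["id"])
    return [t["id"] for t in stale]


# --- constructed sample data and an offline transport so the script runs without a server ---
SAMPLE_NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
SAMPLE_TOKENS = [  # constructed records, not real tokens
    {"id": 1, "user_id": 42, "name": "ci-deploy", "created_at": "2020-01-15T00:00:00Z", "revoked": False},
    {"id": 2, "user_id": 42, "name": "laptop", "created_at": "2020-05-20T00:00:00Z", "revoked": False},
    {"id": 3, "user_id": 42, "name": "old-bot", "created_at": "2019-12-01T00:00:00Z", "revoked": True},
    {"id": 4, "user_id": 42, "name": "backup", "created_at": "2020-02-20T00:00:00Z", "revoked": False},
    {"id": 5, "user_id": 7, "name": "other-user", "created_at": "2019-01-01T00:00:00Z", "revoked": False},
]


class FakeTransport:
    """Serves SAMPLE_TOKENS over the assumed endpoint shape and records DELETEs."""

    def __init__(self, tokens):
        self.tokens = {t["id"]: dict(t) for t in tokens}
        self.deleted = []

    def __call__(self, method, url, headers):
        if headers.get("PRIVATE-TOKEN") is None:
            return 401, b""
        path = url.split("/api/v4", 1)[1]
        if method == "GET" and path.startswith("/tokens?user_id="):
            uid = int(path.split("=", 1)[1])
            rows = [t for t in self.tokens.values() if t["user_id"] == uid]
            return 200, json.dumps(rows).encode()
        if method == "DELETE" and path.startswith("/tokens/"):
            tid = int(path.rsplit("/", 1)[1])
            if tid not in self.tokens:
                return 404, b""
            self.tokens[tid]["revoked"] = True
            self.deleted.append(tid)
            return 204, b""
        return 404, b""


def demo(dry_run=False):
    """Run the policy for user 42 against the fake server; returns (selected, actually_deleted)."""
    transport = FakeTransport(SAMPLE_TOKENS)
    client = TokenClient("https://gitlab.example.com", "admin-pat-placeholder", transport=transport)
    selected = enforce_rotation(client, 42, POLICY_MAX_AGE_DAYS, now=SAMPLE_NOW, dry_run=dry_run)
    return selected, transport.deleted


if __name__ == "__main__":
    print("dry run:", demo(dry_run=True))
    print("enforce:", demo())
```

The dry-run switch matters in practice: a rotation job that revokes on its first run can cut off CI pipelines and integrations at once, so report first, then enforce. Revoking per user, as the note above suggests, also keeps the blast radius of a bad policy value to one account at a time.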
Permissions and Security
Only administrators or users who own the PAT credential should be able to use this feature via the API. Since defining the expiration duration updates an instance-wide admin setting, that operation should be limited to administrators; token owners should only be able to revoke their own tokens.