Page MenuHomePhabricator
Create Task
Maniphest T385930

Consider disabling personal access token forced expiration
Closed, ResolvedPublicFeature
Actions

Description

In T385480#10532935, @brennen wrote:

I suppose at least theoretically, we could have a service that rotates tokens, although they're definitely scattered around a bunch of places...

GitLab's paywalled version allows creating "service accounts" and loosens restrictions so that these accounts can have non-expiring personal access tokens.

GitLab 17.3 quietly added a configuration option in all tiers to disable forced token expiration dates.

Admin areaGeneralAccount and limit:

Screenshot 2025-02-07 at 18.05.09.png (198×1 px, 71 KB)

I think we should toggle the forced expiration off in the gitlab.wikimedia.org instance. Once the switch is off we could either figure out how to update the database directly to remove the expiration date from tokens known to be used by infrastructure bots or rotate tokens everywhere to get back to non-expiring tokens.

Details

TitleReferenceAuthorSource BranchDest Branch
disable forced token expiryrepos/releng/gitlab-settings!68brennenwork/T385930-disable-token-expirymain
Customize query in GitLab

Related Objects

Event Timeline

bd808 created this task.Feb 8 2025, 1:06 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 8 2025, 1:06 AM
bd808 moved this task from Inbox to Administration, Settings & Policy on the GitLab board.Feb 8 2025, 1:07 AM
bd808 edited projects, added GitLab (Administration, Settings & Policy); removed GitLab.
bd808 added a subscriber: thcipriani.
Aklapper mentioned this in T385480: Show related Gitlab patches on Phabricator tasks.Feb 10 2025, 12:03 PM
dancy subscribed.Feb 12 2025, 5:52 PM
bd808 added a comment.Feb 14 2025, 6:41 PM

This task was discussed in the 2025-02-12 RelEng check-in meeting. I believe the consensus there was that we should disable the setting and also follow up by extending/removing the expiration date of active tokens directly via the rails console. Does that sound like what was concluded to you as well @brennen?

bd808 added a project: Release-Engineering-Team (Priority Backlog 📥).Feb 19 2025, 9:31 PM
brennen added a comment.Feb 19 2025, 10:03 PM

This task was discussed in the 2025-02-12 RelEng check-in meeting. I believe the consensus there was that we should disable the setting and also follow up by extending/removing the expiration date of active tokens directly via the rails console. Does that sound like what was concluded to you as well @brennen?

Yep, concur.

Looks like for the settings API we want:

  • require_personal_access_token_expiry
  • service_access_tokens_expiration_enforced
brennen claimed this task.Feb 20 2025, 12:34 AM
brennen added a project: User-brennen.
CodeReviewBot added a project: Patch-For-Review.Feb 20 2025, 6:36 PM

brennen opened https://gitlab.wikimedia.org/repos/releng/gitlab-settings/-/merge_requests/68

disable forced token expiry

brennen added a comment.Feb 21 2025, 7:33 PM

Looks like there's a tool for handling expiration removal: https://docs.gitlab.com/administration/raketasks/tokens/ - will experiment with that.

CodeReviewBot added a comment.Feb 21 2025, 10:38 PM

brennen merged https://gitlab.wikimedia.org/repos/releng/gitlab-settings/-/merge_requests/68

disable forced token expiry

Stashbot added a comment.Feb 21 2025, 10:54 PM

Mentioned in SAL (#wikimedia-releng) [2025-02-21T22:54:12Z] <brennen> gitlab: removing expiration date for 14 tokens expiring in 2025 (T385930)

brennen closed this task as Resolved.Feb 21 2025, 10:56 PM
brennen moved this task from Backlog to Done or Declined on the User-brennen board.

I ran:

brennen@gitlab2002:~$ sudo gitlab-rake gitlab:tokens:analyze

To get a summary of tokens, and then:

brennen@gitlab2002:~$ sudo gitlab-rake gitlab:tokens:edit

I removed the expiry from 14 personal access tokens in total expiring in 2025. I'm operating on the assumption that stuff which already expired at the end of 2024 has probably been fixed by now. We can maybe revisit if there's anything lingering.

Maintenance_bot removed a project: Patch-For-Review.Feb 21 2025, 11:30 PM
Lferreira awarded a token.Feb 24 2025, 4:35 PM
Jelto added a project: collaboration-services.Feb 25 2025, 8:07 AM
Dzahn awarded a token.Feb 25 2025, 5:32 PM
bd808 added a comment.Wed, Mar 12, 5:42 PM
In T385930#10572444, @brennen wrote:

I removed the expiry from 14 personal access tokens in total expiring in 2025. I'm operating on the assumption that stuff which already expired at the end of 2024 has probably been fixed by now. We can maybe revisit if there's anything lingering.

Yesterday gitlab emailed the https://gitlab.wikimedia.org/pywikibugs account to let it know that it's PAT named "read-only" would expire on 2025-05-11. I guess this means that the attempt to remove expiration from all tokens set to expire in 2025 didn't completely work. For this particular instance I just issued a new non-expiring token and rotated the credentials for the bot to use it. I have left the other token attached to the account, so we could try to use that to verify another attempt at removing expiry if folks are interested in trying that.

LSobanski subscribed.Fri, Mar 21, 12:53 PM

Same thing for gitlab-exporter, we got a 60 day expiry notification yesterday.

Jelto subscribed.Mon, Mar 24, 2:37 PM
In T385930#10661714, @LSobanski wrote:

Same thing for gitlab-exporter, we got a 60 day expiry notification yesterday.

I double checked the gitlab-exporter token and it also had a expiration date. So I rotated the token and added a small description here https://wikitech.wikimedia.org/wiki/GitLab/Monitoring#Custom_exporter. The new token has no expiry date anymore.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits