Spike: Workflow authentication solution for Duo & other machine - machine access based on user's permissions
Topic to Evaluate
We currently support a range of authentication options such as personal access tokens, resource access tokens (PrATs/GrATs), OAuth and service accounts. Most of these are, however, designed for end-user consumption and are not always a good fit for GitLab's internal integration workflows such as Duo agents, remote development, etc. This spike is to review what those teams require and what workarounds they currently use, and to come up with a blueprint/design proposal for a common auth service that they can eventually switch over to.
The goal is to avoid the mix of PAT and OAuth token implementations that exists today. These result in workarounds where the user may not be aware of why a token was generated or what it is used for, along with incorrect notifications or expiration policies as we try to clean up tokens that were generated for temporary use.
Please note that a number of use cases are listed in the issues below. We would like to come up with a solution that addresses as many of them as possible, but it doesn't have to support everything. The key considerations, in order of priority, are support for the Duo use case, Web IDE/remote development, and potentially any external service that needs to interact with GitLab.
The following issues contain a fair amount of research that is important to review. Reach out to Jessie (and those teams) to gather requirements and to confirm that, if built, they can switch to the new solution. Once we have a proposal, we can collaborate with additional teams to build it together.
- Workflows access to GitLab (long term) (#468370)
- Discussion: Standardized Authentication and Aut... (#421983)
- Spike: Investigate support of reverse workload ... (#463407)
The research and design proposal for this spike should ideally be completed within 1 milestone.
Tasks prior to evaluation
- Clearly document the topic to be evaluated in this issue description
- Determine specific scope including time-bounds for investigation

This spike is weighted at 3 and the goal is to complete the spike within {to be scheduled}
Tasks to Evaluate
- Determine feasibility of the feature
- Document the approach and technical design on the engineering handbook
- Any POC tasks that need to occur before the customer-facing MVC is begun
- Create issues for implementation or update the existing implementation issue description with the implementation proposal
- Set initial weights on implementation issues
- If weight is greater than 5, break the issue into smaller issues
Risks and Implementation Considerations
As this spike is evaluated, the feasibility and outcome should be reviewed with UX/PM. Consider not only the implementation design, but also how it will be rolled out, licensing considerations, and backward compatibility.
Team
- Add the ~"workflow::planning breakdown" and ~"type::feature" labels and the corresponding ~devops::<stage> and ~group::<group> labels.
- Ping the PM and EM.