[Bugzilla-announce-list] Bugzilla APIKey expiration policy
Jeff Fearn
jfearn at redhat.com
Wed Feb 22 02:52:22 UTC 2023
Summary
------------
Red Hat Bugzilla has introduced a 12-month lifetime for APIKeys. You
must replace your APIKeys at least once a year. Additionally, any APIKey
that is not used for 30 days will be suspended but can be re-enabled on
the account's preferences tab.
Details
---------
All existing production APIKeys have had their creation date set to
2023-02-19 UTC.
When a key is 11 months old a Bugzilla workflow will be triggered to
start the process to ban the key. A bug will be created, the owner of
the key will be CC'd on the bug. The deadline for this bug will be set
for 60 days after the bug is opened, so the maximum lifetime possible is
approximately 13 months. The bug description will include the details of
the key and have a link to the preferences tab to manage the key.
There will be a followup comment to the bug 7 days before the deadline
to remind the key owner of its imminent banning.
On the deadline date the key will be banned and will not be usable again.
If the key's owner revokes a key with a pending banning bug then the bug
will be closed and the key will be banned, and thus will never again be
usable after it is revoked.
Additionally, a second policy has been introduced to revoke keys after 30
days of inactivity. Unlike banning, revoking isn't permanent; the key
owner can enable the key in the APIKey preferences page. A link to the
APIKey preferences tab is included in the email sent to notify the key
owner of the revocation.
Cheers, Jeff.
--
Jeff Fearn
Portfolio Life Cycle Management
Red Hat, APAC.
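
The schedule described in the announcement, worked through as an added example (not part of the original message and not Red Hat Bugzilla code). It assumes "11 months" means calendar months clamped to the month's last day, that inactivity is counted from the last use, and that each boundary takes effect on the stated day; the function and status names are hypothetical.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day (e.g. Mar 31 + 11 -> Feb 29)."""
    year, month0 = divmod(d.year * 12 + (d.month - 1) + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


@dataclass(frozen=True)
class KeyTimeline:
    bug_opened: date  # workflow bug filed, key owner CC'd
    reminder: date    # follow-up comment, 7 days before the deadline
    banned: date      # bug deadline: key is banned permanently


def timeline(created: date) -> KeyTimeline:
    """Dates of the banning workflow for a key created on `created`."""
    bug_opened = add_months(created, 11)       # key is 11 months old
    banned = bug_opened + timedelta(days=60)   # deadline: 60 days after the bug
    return KeyTimeline(bug_opened, banned - timedelta(days=7), banned)


def status(created: date, last_used: date, today: date) -> str:
    """Classify a key under both policies (age-based ban, inactivity)."""
    t = timeline(created)
    if today >= t.banned:
        return "banned"                 # permanent, cannot be re-enabled
    if today - last_used >= timedelta(days=30):
        return "suspended-inactive"     # owner can re-enable in preferences
    if today >= t.reminder:
        return "ban-imminent"
    if today >= t.bug_opened:
        return "rotation-bug-open"
    return "active"


if __name__ == "__main__":
    # Existing production keys had their creation date set to 2023-02-19.
    created = date(2023, 2, 19)
    print(timeline(created))
    # Constructed sample: key last used 2024-03-10, checked on 2024-03-15.
    print(status(created, date(2024, 3, 10), date(2024, 3, 15)))
```

For keys reset to 2023-02-19, this puts the bug at 2024-01-19, the reminder at 2024-03-12 and the ban at 2024-03-19, matching the "approximately 13 months" maximum lifetime.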