Skip to content

Commit

Permalink
Merge pull request #3395 from travis-ci/DU-4/Log_out
Browse files Browse the repository at this point in the history
Du 4/log out
  • Loading branch information
stan-travis authored Nov 5, 2024
2 parents b6144dc + 0cfcd33 commit 2f83912
Show file tree
Hide file tree
Showing 2 changed files with 44 additions and 0 deletions.
1 change: 1 addition & 0 deletions _includes/enterprise_sidebar.html
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ <h3>Enterprise Operations Manual</h3>
<li><a href="/user/enterprise/troubleshooting-guide/">Troubleshooting Guide</a></li>
<li><a href="/user/enterprise/user-management/">User Management</a></li>
<li><a href="/user/enterprise/user-role-management/">User Role Management</a></li>
<li><a href="/user/enterprise/support-admin-tool/">Support Admin Tool</a></li>
<li><a href="/user/enterprise/Multi-CPU-Builds/">Multi CPU builds</a></li>
<li><a href="/user/enterprise/workspaces-eom/">Workspaces & Cache</a></li>
</ul>
Expand Down
43 changes: 43 additions & 0 deletions user/enterprise/support-admin-tool.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
---
title: Support Admin Tool
layout: en_enterprise

---

> The tool is only visible to Platform maintainers from TCIE 3.x as **Admin-v2**. The tool must be configured with a list of GitHub handles that allow **admin** access.
> The tool is only accessible via web browser.
## Forcefully logging out users from Travis
To increase security and prevent unauthorized access, Travis CI introduces the new **“Log out user and revoke all tokens”** option, which allows admin users to manually log out of any unwanted user.

### Log out Users
Travis CI admin users can now click the **“Logout”** button next to the **“Log out user and revoke all tokens”** option in the User view to log out specific users manually.

By clicking the **“Logout”** button, Travis CI invalidates all Travis authentication tokens and logs out the selected user from all Travis CI platforms. This prevents access via web browser, public API, and travis cli.

Logged-out users cannot access Travis CI via the web browser or travis-cli tool without re-accessing the system. Any build automation based on an API token associated with such a user will cease to work.

### Why must I log out of my user and revoke all tokens?

Consider the following: The user gets suspended, e.g., in the GHE server (3rd-party app), and Travis CI is not notified of the action; therefore, no action is taken on Travis CI's side. At the same time, such users may still have a valid Travis Web UI browser, travis-cli access tokens, and a working Travis API authentication token.

Such a situation may be valid and desired. However, there are cases, like a person leaving a company or team, when it is simply a security matter to revoke all accesses for such users. Travis CI cannot react automatically since no automated notification has been sent out, e.g., the GHE server account is suspended. If you are considering a less drastic approach, you may consider manually [suspending a user](/user/enterprise/user-management/) instead of logging out and revoking all tokens.

Suspended users still have access to Travis CI via browser or travis-cli (assuming they have valid Travis access tokens present in these tools) but cannot trigger builds.

### Auth tokens

Following environment variables are used to manage the life of token.

- `WEB_TOKEN_EXPIRES_IN_HOURS`
- `AUTH_TOKEN_EXPIRES_IN_DAYS`
- `AUTH_CLI_TOKEN_EXPIRES_IN_DAYS`

These tokens can be set using the admin console `kubectl kots admin-console -n tci-enterprise-kots` under the "Advanced Setting" menu.

## Re-accessing Travis CI
To re-access Travis CI, users must log in using a 3rd-party authenticator such as GitHub (browser, travis-cli), GitLab, or BitBucket (browser). Only with access can users see the private repositories, build history, build job logs, and obtain new Travis API tokens.

Please note: if such users (logged out and tokens revoked) are, e.g., suspended in the GHE server, they will be unable to successfully use their GHE server account to log into Travis CI UI or travis-cli.

0 comments on commit 2f83912

Please sign in to comment.