AuthorizedProjectsWorker, AuthorizedProjectUpdate::UserRefreshWithLowUrgencyWorker is issuing many hotspot recursive CTE namespace queries

This morning GitLab.com alerting fired with an SLO alert for the rails_sql SLI:

https://dashboards.gitlab.net/d/patroni-main/patroni-overview?orgId=1

There were also SLO alerts for Sidekiq at the same time:

https://dashboards.gitlab.net/d/sidekiq-main/sidekiq-overview?orgId=1&from=1616483958715&to=1616503979310

Looking at the postgres slowlog, and pg_stat_statements metrics, we can see that the server is dominated by requests for queryid -7232084447659837857.

This query:

WITH RECURSIVE "namespaces_cte" AS ((
    SELECT
      "namespaces"."id",
      "members"."access_level"
    FROM
      "namespaces"
      INNER JOIN "members" ON "namespaces"."id" = "members"."source_id"
    WHERE
      "members"."type" = $1
      AND "members"."source_type" = $2
      AND "namespaces"."type" = $3
      AND "members"."user_id" = $4
      AND "members"."requested_at" IS NULL
      AND (access_level >= $5))
  UNION (
    SELECT
      "namespaces"."id",
      LEAST ("members"."access_level", "group_group_links"."group_access") AS access_level
  FROM
    "namespaces"
    INNER JOIN "group_group_links" ON "group_group_links"."shared_group_id" = "namespaces"."id"
    INNER JOIN "members" ON "group_group_links"."shared_with_group_id" = "members"."source_id"
      AND "members"."source_type" = $6
      AND "members"."requested_at" IS NULL
      AND "members"."user_id" = $7
      AND "members"."access_level" > $8
  WHERE
    "namespaces"."type" = $9)
UNION (
  SELECT
    "namespaces"."id",
    GREATEST ("members"."access_level", "namespaces_cte"."access_level") AS access_level
FROM
  "namespaces"
  INNER JOIN "namespaces_cte" ON "namespaces_cte"."id" = "namespaces"."parent_id"
    LEFT OUTER JOIN "members" ON "members"."source_id" = "namespaces"."id"
      AND "members"."source_type" = $10
      AND "members"."requested_at" IS NULL
      AND "members"."user_id" = $11
      AND "members"."access_level" > $12
  WHERE
    "namespaces"."type" = $13))
SELECT
  "project_authorizations"."project_id",
  MAX(access_level) AS access_level
FROM ((
    SELECT
      projects.id AS project_id,
      members.access_level
    FROM
      "projects"
      INNER JOIN "members" ON "projects"."id" = "members"."source_id"
    WHERE
      "members"."type" = $14
      AND "members"."source_type" = $15
      AND "members"."user_id" = $16
      AND "members"."requested_at" IS NULL)
  UNION (
    SELECT
      projects.id AS project_id,
      $17 AS access_level
    FROM
      "projects"
      INNER JOIN "namespaces" ON "projects"."namespace_id" = "namespaces"."id"
    WHERE
      "namespaces"."owner_id" = $18
      AND "namespaces"."type" IS NULL)
  UNION (
    SELECT
      "projects"."id" AS project_id,
      "namespaces"."access_level"
    FROM
      "namespaces_cte" "namespaces"
      INNER JOIN "projects" ON "projects"."namespace_id" = "namespaces"."id")
UNION (
  SELECT
    "project_group_links"."project_id",
    LEAST ("namespaces"."access_level", "project_group_links"."group_access") AS access_level
  FROM
    "namespaces_cte" "namespaces"
    INNER JOIN project_group_links ON project_group_links.group_id = namespaces.id
    INNER JOIN projects ON projects.id = project_group_links.project_id
    INNER JOIN namespaces p_ns ON p_ns.id = projects.namespace_id
  WHERE (p_ns.share_with_group_lock IS FALSE))) project_authorizations
GROUP BY
  "project_authorizations"."project_id"

Charting at the total time spent in statements, we can see this query dominating during the slowdowns:

https://thanos.gitlab.net/graph?g0.range_input=6h&g0.max_source_resolution=0s&g0.expr=topk(10%2C%20rate(pg_stat_statements_seconds_total%7Benv%3D%22gprd%22%2Cfqdn%3D%22patroni-03-db-gprd.c.gitlab-production.internal%22%7D%5B5m%5D))&g0.tab=0

From the slowlog we can deduce that the problem is AuthorizedProjectsWorker.

cc @lmcandrew @dsatcher @mushakov

Edited Mar 24, 2021 by Andrew Newdigate