Domain verification should initiate Enterprise Users Automatic Claim
As per the new enterprise user definition, groups should verify their domains in GitLab to claim enterprise users in order to manage their accounts.
The user’s primary email has a domain that is owned by the company of the paid group, and ...
This issue aims to make the Enterprise Users Claim process automatic.
After a group successfully verifies a domain, Enterprise Users Automatic Claim should be initiated for that domain. That process should identify all users that meet the enterprise user definition based on that domain and associate them with the enterprise group.
The enterprise user definition consists of many conditions. Because of that, some users could start meeting the definition after the automatic claim process initiated by successful domain verification is complete. For instance:
- user that was created before 2021-02-01
  - was added to group members or
  - has got SAML or SCIM identity tied to the group
- user email changed from personal email to the email that belongs to the group
- new user created with email that belongs to the group, see #388410 (closed)
- etc. ...
To ensure the Enterprise Users Claim process is initiated for all known and unknown cases and to apply this process to existing verified domains during this feature rollout, successful domain re-verification should also initiate Enterprise Users Automatic Claim.
Domain re-verification happens automatically every 7 days for each domain. Group owners can also manually initiate domain re-verification from the UI with the "Retry verification" button.
The imperfection of this universal solution is that, in cases where users started to meet the enterprise user definition after domain verification, it could take up to 7 days for the GitLab system to initiate the Enterprise Users Automatic Claim process for those users. This is not a big concern because those are only rare cases, since Newly created users should become Enterprise Us... (#388410 - closed). We can eliminate this concern similarly for any such case if needed.
Also, the rollout of this feature will be considered complete only after the feature flag (FF) has been enabled at 100% for 7 days.
Implementation details
Implement Groups::EnterpriseUsers::BulkAssociateByDomainWorker that receives pages_domain_id. In that background job, identify whether the specified domain belongs to a top-level group for which the domain_verification feature is available. Also, enterprise_users_automatic_claim FF with the group as an actor should be checked.
The background job should iterate in batches over users whose email domain equals the verified domain and schedule a Groups::EnterpriseUsers::AssociateWorker background job for each of those users to associate them with the enterprise group as per the enterprise user definition.
VerifyPagesDomainService is responsible for domain verification. Hook into that service class to schedule the Groups::EnterpriseUsers::BulkAssociateByDomainWorker background job after successful domain verification. Ensure this background job is also scheduled after successful domain re-verification.
For optimization, prevent Groups::EnterpriseUsers::BulkAssociateByDomainWorker from scheduling Groups::EnterpriseUsers::AssociateWorker background jobs for users that are already associated with the enterprise group. Although Groups::EnterpriseUsers::AssociateWorker is idempotent, scheduling this background job and executing it consumes system resources in this case, too. This optimization will be very noticeable because there could be groups with thousands of enterprise users. It will prevent scheduling thousands of Groups::EnterpriseUsers::AssociateWorker background jobs during their domain re-verification.
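
An added sketch in plain Ruby (not GitLab's code) of the selection logic described above: the eligibility gates, exact email-domain comparison, and skipping users already associated with the group. The structs, `BATCH_SIZE` and the `enqueue` callback are hypothetical stand-ins for the real models and for scheduling Groups::EnterpriseUsers::AssociateWorker.

```ruby
# Added illustration in plain Ruby (no Rails/Sidekiq); not GitLab's implementation.
# User, Group, Domain and the enqueue callback are hypothetical stand-ins.
User   = Struct.new(:id, :email, :enterprise_group_id)
Group  = Struct.new(:id, :top_level, :domain_verification_available, :auto_claim_flag_enabled)
Domain = Struct.new(:id, :name, :verified, :group)
BATCH_SIZE = 2 # tiny so the constructed sample spans several batches

# Exact, case-insensitive comparison of the part after the last "@".
# Suffix or substring matching would also claim look-alike domains.
def email_domain_equals?(email, domain_name)
  local, at, host = email.to_s.rpartition('@')
  return false if at.empty? || local.empty? || host.empty?
  host.casecmp?(domain_name)
end

# Gates from the issue: verified domain, top-level group, feature available, FF on.
def claim_allowed?(domain)
  group = domain.group
  !!(domain.verified && group && group.top_level &&
     group.domain_verification_available && group.auto_claim_flag_enabled)
end

# Returns the ids of users for whom a per-user association job was enqueued.
def bulk_associate_by_domain(domain, users, enqueue:)
  return [] unless claim_allowed?(domain)
  scheduled = []
  users.each_slice(BATCH_SIZE) do |batch|
    batch.each do |user|
      next unless email_domain_equals?(user.email, domain.name)
      next if user.enterprise_group_id == domain.group.id # already claimed: skip
      enqueue.call(user.id, domain.group.id)
      scheduled << user.id
    end
  end
  scheduled
end

# Constructed sample data.
GROUP  = Group.new(10, true, true, true)
DOMAIN = Domain.new(1, 'example.com', true, GROUP)
USERS  = [
  User.new(1, 'alice@example.com', nil),
  User.new(2, 'bob@EXAMPLE.com', nil),
  User.new(3, 'carol@example.com', 10), # already associated
  User.new(4, 'dave@example.com.attacker.test', nil),
  User.new(5, 'erin@notexample.com', nil),
  User.new(6, 'frank@sub.example.com', nil)
]
JOBS = []
SCHEDULED = bulk_associate_by_domain(DOMAIN, USERS, enqueue: ->(uid, gid) { JOBS << [uid, gid] })
```

Only users 1 and 2 get a job: user 3 is already associated, and the look-alike and subdomain addresses do not equal the verified domain.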