Fix cross-joins between `personal_access_tokens` and `members` and `users`

  • app/controllers/concerns/access_tokens_actions.rb:77: PersonalAccessTokensFinder.new(resource.bots) joins groups/project to members to users to personal_access_tokens
  • Group#reached_project_access_token_limit? joins group to members to users to personal_access_tokens

Notes

Some of the allow_cross_joins_across_databases(url: "https://gitlab.com/gitlab-org/gitlab/-/issues/422405") are related to this, especially:

  • Group.users
  • Project.users

You will need to temporarily remove this allow and see which queries have a cross-join

Possible fix

We have two alternative suggestions

personal_access_tokens scoped to organizations

This is preferred. We mark personal_access_tokens as cell-local.

Potentially add organization_id column to personal_access_tokens table

Fix any cross-joins that arise

personal_access_tokens as cluster-wide

If personal_access_tokens is cluster-wide, then

Create, and backfill two new cell-local tables:

group_bot_access_tokens
  - group_id
  - personal_access_token_id

project_bot_access_token
  - project_id
  - personal_access_token_id

Fix any cross-joins that arise

/cc @dblessing @DylanGriffith @engwan @ayufan @ifarkas @tachyons-gitlab @manojmj

Previous solutions

!133912 (closed) naively tried pluck but it decreased performance by a lot as it needed to search through all group members to find bot members.

Edited by Thong Kuah