Fix cross-joins between `personal_access_tokens` and `members` and `users`
-
app/controllers/concerns/access_tokens_actions.rb:77
:PersonalAccessTokensFinder.new(resource.bots)
joinsgroups
/project
tomembers
tousers
topersonal_access_tokens
- Group#reached_project_access_token_limit? joins
group
tomembers to
users topersonal_access_tokens
Notes
Some of the allow_cross_joins_across_databases(url: "https://gitlab.com/gitlab-org/gitlab/-/issues/422405")
are related to this, especially:
Group.users
Project.users
You will need to temporarily remove this allow and see which queries have a cross-join
Possible fix
We have two alternative suggestions
personal_access_tokens scoped to organizations
This is preferred. We mark personal_access_tokens
as cell-local.
Potentially add organization_id
column to personal_access_tokens
table
Fix any cross-joins that arise
personal_access_tokens as cluster-wide
If personal_access_tokens
is cluster-wide, then
Create, and backfill two new cell-local tables:
group_bot_access_tokens
- group_id
- personal_access_token_id
project_bot_access_token
- project_id
- personal_access_token_id
Fix any cross-joins that arise
/cc @dblessing @DylanGriffith @engwan @ayufan @ifarkas @tachyons-gitlab @manojmj
Previous solutions
!133912 (closed) naively tried pluck
but it decreased performance by a lot as it needed to search through all group members to find bot members.