Introduce Agent User Access Finder
NOTE: This MR is built on top of Persist user_access authorizations (!116902 - merged).
What does this MR do and why?
This MR introduces a finder for persisted user_access
authorizations, which is used for optimizing AuthorizeProxyUserService
.
A few notes:
- This feature is behind
kas_user_access
feature flag which is disabled by default. It's not exposed to end-users yet. - These MRs are split into small pieces in order to reduce review load.
- See https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/blob/master/doc/kubernetes_user_access.md about how
user_access
authorization works. - Related to Persist GitLab agent's user access configuratio... (#389430 - closed)
Query examples of the finder
For fetching user_access: projects
authorizations:
SELECT
agent_user_access_project_authorizations.*,
project_authorizations.access_level AS access_level
FROM
"agent_user_access_project_authorizations"
INNER JOIN project_authorizations ON project_authorizations.project_id = agent_user_access_project_authorizations.project_id
INNER JOIN "cluster_agents" ON "cluster_agents"."id" = "agent_user_access_project_authorizations"."agent_id"
INNER JOIN "projects" ON "projects"."id" = "cluster_agents"."project_id"
WHERE
"project_authorizations"."user_id" = 758045
AND "project_authorizations"."access_level" >= 30
Time: 1.982 ms
- planning: 1.933 ms
- execution: 0.049 ms
- I/O read: 0.000 ms
- I/O write: 0.000 ms
Shared buffers:
- hits: 1 (~8.00 KiB) from the buffer pool
- reads: 0 from the OS file cache, including disk I/O
- dirtied: 0
- writes: 0
For fetching user_access: groups
authorizations:
WITH "groups_with_direct_membership" AS MATERIALIZED (
SELECT
namespaces.id AS id,
members.access_level AS access_level
FROM
"namespaces"
INNER JOIN members ON members.source_id = namespaces.id
AND members.source_type = 'Namespace'
WHERE
"namespaces"."type" = 'Group'
AND "members"."user_id" = 758045
AND "members"."access_level" >= 30
),
"all_groups_with_membership" AS MATERIALIZED (
SELECT
namespaces.id AS id,
groups_with_direct_membership.access_level AS access_level
FROM
"namespaces"
INNER JOIN groups_with_direct_membership ON namespaces.traversal_ids @> ARRAY [groups_with_direct_membership.id]
WHERE
"namespaces"."type" = 'Group'
)
SELECT
DISTINCT ON (id) agent_user_access_group_authorizations.*,
all_groups_with_membership.access_level AS access_level
FROM
"agent_user_access_group_authorizations"
INNER JOIN all_groups_with_membership ON all_groups_with_membership.id = agent_user_access_group_authorizations.group_id
INNER JOIN "cluster_agents" ON "cluster_agents"."id" = "agent_user_access_group_authorizations"."agent_id"
INNER JOIN "projects" ON "projects"."id" = "cluster_agents"."project_id"
ORDER BY
id,
access_level DESC
Time: 11.231 ms
- planning: 10.772 ms
- execution: 0.459 ms
- I/O read: 0.000 ms
- I/O write: 0.000 ms
Shared buffers:
- hits: 7 (~56.00 KiB) from the buffer pool
- reads: 0 from the OS file cache, including disk I/O
- dirtied: 0
- writes: 0
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Edited by Shinya Maeda