Check parent group membership in LDAP group sync
What does this MR do?
Check parent group membership during LDAP group sync.
This enables groups to remain valid when an LDAP group sync tries to add a user with a lower access level than the user already has in parent groups.
Also significantly improve sync performance by using batch queries instead of individual queries per user.
Fixes #9613 (closed)
/CC @stanhu @dblessing @mkozono
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation created/updated or follow-up review issue created
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Performance and testing
LDAP group sync performance increases significantly with this patch:
- In a small environment, LDAP sync time is reduced from 309s to 132s thanks to batching some queries.
- In our larger prod environment, LDAP sync time is down from 80+ minutes to less than 30 minutes.
I.e. LDAP sync is about 2.5x faster than before despite the extra check for inherited access levels.
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
N/A
Edited by Michael Kozono
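
The check described in this MR, sketched as an added example that is not GitLab's code or part of the original description. It assumes the conflict is resolved by keeping the higher inherited level (the description does not spell out the resolution); the group paths, users and helper names are constructed, and the numeric levels are GitLab's standard access-level values.

```ruby
# Added illustration, not GitLab's implementation. All data below is constructed.
ACCESS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Constructed hierarchy: group => parent group (nil for a top-level group).
PARENTS = { 'corp' => nil, 'corp/eng' => 'corp', 'corp/eng/api' => 'corp/eng' }.freeze

# Constructed existing memberships: [group, user, access level].
MEMBERSHIPS = [
  ['corp',         'alice', ACCESS[:owner]],
  ['corp',         'bob',   ACCESS[:guest]],
  ['corp/eng',     'bob',   ACCESS[:developer]],
  ['corp/eng/api', 'carol', ACCESS[:maintainer]]
].freeze

# Walk up the hierarchy and return every ancestor of the group.
def ancestors(group)
  chain = []
  while (group = PARENTS[group])
    chain << group
  end
  chain
end

# Highest access level each user holds in any ancestor group, computed in one
# pass for all users (a stand-in for one batched query instead of one per user).
def inherited_levels(group, users)
  scope = ancestors(group)
  MEMBERSHIPS.each_with_object(Hash.new(0)) do |(g, user, level), max|
    next unless scope.include?(g) && users.include?(user)
    max[user] = level if level > max[user]
  end
end

# ldap_levels maps user => level requested by the LDAP group link.
# Assumption: a request below the inherited level is raised to that level,
# so the membership never ends up lower than what the parent groups grant.
def resolve_sync(group, ldap_levels)
  inherited = inherited_levels(group, ldap_levels.keys)
  ldap_levels.to_h do |user, wanted|
    floor = inherited[user]
    if floor > wanted
      [user, { level: floor, source: :inherited }]
    else
      [user, { level: wanted, source: :ldap }]
    end
  end
end
```

Only ancestor memberships act as a floor here: a user's existing direct membership in the synced group is still overwritten by the LDAP-requested level.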