Add descendant filter to security policies graphql query
What does this MR do and why?
This MR adds a new descendant
filter to the SecurityPolicyRelationType
to return all policies associated to a group and its descendants. This is needed to list all policies in the hierarchy for #432657
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Database Query
SELECT
"security_orchestration_policy_configurations"."id",
"security_orchestration_policy_configurations"."project_id",
"security_orchestration_policy_configurations"."security_policy_management_project_id",
"security_orchestration_policy_configurations"."created_at",
"security_orchestration_policy_configurations"."updated_at",
"security_orchestration_policy_configurations"."configured_at",
"security_orchestration_policy_configurations"."namespace_id"
FROM
"security_orchestration_policy_configurations"
WHERE
"security_orchestration_policy_configurations"."namespace_id" IN (
SELECT
namespaces.traversal_ids[array_length(namespaces.traversal_ids,
1)] AS id
FROM
"namespaces"
WHERE
"namespaces"."type" = 'Group'
AND (
traversal_ids @> (
'{64024513}'
)
)
)
Nested Loop (cost=266.98..341.44 rows=37 width=56) (actual time=305.632..321.203 rows=23 loops=1)
Buffers: shared hit=158 read=234 dirtied=5
I/O Timings: read=314.669 write=0.000
-> HashAggregate (cost=266.70..267.07 rows=37 width=28) (actual time=301.751..301.795 rows=78 loops=1)
Group Key: namespaces.traversal_ids[array_length(namespaces.traversal_ids, 1)]
Buffers: shared hit=1 read=209 dirtied=1
I/O Timings: read=295.834 write=0.000
-> Bitmap Heap Scan on public.namespaces (cost=210.04..266.60 rows=37 width=28) (actual time=171.641..301.412 rows=78 loops=1)
Buffers: shared hit=1 read=209 dirtied=1
I/O Timings: read=295.834 write=0.000
-> Bitmap Index Scan using index_namespaces_on_traversal_ids_for_groups (cost=0.00..210.03 rows=37 width=0) (actual time=168.787..168.788 rows=78 loops=1)
Index Cond: (namespaces.traversal_ids @> '{64024513}'::integer[])
Buffers: shared hit=1 read=137
I/O Timings: read=164.538 write=0.000
-> Index Scan using partial_index_sop_configs_on_namespace_id on public.security_orchestration_policy_configurations (cost=0.28..2.00 rows=1 width=56) (actual time=0.247..0.247 rows=0 loops=78)
Index Cond: (security_orchestration_policy_configurations.namespace_id = (namespaces.traversal_ids)[array_length(namespaces.traversal_ids, 1)])
Buffers: shared hit=157 read=25 dirtied=4
I/O Timings: read=18.835 write=0.000
Time: 325.940 ms
- planning: 4.548 ms
- execution: 321.392 ms
- I/O read: 314.669 ms
- I/O write: 0.000 ms
Shared buffers:
- hits: 158 (~1.20 MiB) from the buffer pool
- reads: 234 (~1.80 MiB) from the OS file cache, including disk I/O
- dirtied: 5 (~40.00 KiB)
- writes: 0
Screenshots or screen recordings
How to set up and validate locally
- Create a hierarchy of groups with security policies in each of the group
- Create a project within the groups and create security policy for the project
- Go to
/-/graphql-explorer
and run the query:
query{
group(fullPath:"gitlab-org") {
scanExecutionPolicies(relationship:DESCENDANT) {
nodes {
name
}
}
}
}
Addresses #431915 (closed)