Separate credentials inventory users methods into human and bots

What does this MR do and why?

Part of Credentials inventory project and group access ... (#498333 - closed)

For self-managed credentials inventory, it's fine to use a single users method, which is actually just set to nil so all users are included within the Finder. However, for Group Credentials Inventory we need to scope users to both human or project bots owned by that group hierarchy. Splitting these methods gives us more flexibility to only query for the type of users we need. Querying project bots within a group hierarchy is more intensive so there's no reason to query those users when we only need human users.

This merge request does not change behavior for self-managed. For GitLab.com, it will re-enable the ability to view project and group access tokens in the credentials inventory.

I will update documentation in a separate merge request since this one is already so big. I didn't feel like this one would benefit all that much from splitting up further as it would make verification much more difficult for reviewers.

If something goes wrong, this feature can be disabled with an existing feature flag: [Feature flag] Rollout of `group_credentials_in... (#485659 - closed)

Database

The following is the entire query including the nested select called from the group credentials controller.

Database Lab: https://postgres.ai/console/gitlab/gitlab-production-main/sessions/33844/commands/104059

SQL:

SELECT
    *
FROM
    users
    JOIN user_details AS user_detail ON user_detail.user_id = users.id
WHERE
    users.user_type = 6 AND
    user_detail.bot_namespace_id IN (
        SELECT
            namespaces.traversal_ids[array_length(
                namespaces.traversal_ids,
                1
            )] AS id
        FROM
            namespaces
        WHERE
            traversal_ids @> '{9970}'
    );

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before: govern_credentialsinventory (screenshot)
After: Screenshot_2024-11-21_at_1.22.49_PM (screenshot)

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Simulate SaaS, including setting a premium or ultimate plan for a test group.
  2. Enable the feature
    Feature.enable(:group_credentials_inventory)
  3. Navigate to the group. Find the credentials inventory - Secure > Credentials.
  4. You will now see the enterprise user's personal access tokens, SSH Keys, and project/group access tokens in each respective tab. If none are present, go create either a PAT or SSH key for the enterprise user, or create a group/project access token in the hierarchy.
  5. To create a group access token, navigate to a group you are an owner of, then Settings > Access Tokens and create one or more tokens.
  6. Return to the top-level group credentials inventory to verify the token is present.
Edited by Drew Blessing
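
The scoping that the SQL in the Database section performs, modelled in memory as an added example (not code from this merge request): a project bot is in scope only when its `bot_namespace_id` belongs to a namespace whose `traversal_ids` contain the top-level group id. The struct names, usernames, every id other than 9970, and the human `user_type` value are assumptions made for illustration.

```ruby
require 'set'

# Constructed sample data: only 9970 and user_type 6 come from the query above.
PROJECT_BOT = 6 # users.user_type value the query filters on
HUMAN = 0       # assumed value for a human user, used only as a contrast row

Namespace = Struct.new(:id, :traversal_ids)
User = Struct.new(:username, :user_type, :bot_namespace_id)

NAMESPACES = [
  Namespace.new(9970, [9970]),           # top-level group
  Namespace.new(101,  [9970, 101]),      # subgroup
  Namespace.new(202,  [9970, 101, 202]), # project namespace under the subgroup
  Namespace.new(500,  [500]),            # unrelated top-level group
  Namespace.new(501,  [500, 501])        # project namespace under it
].freeze

USERS = [
  User.new('bot_top_group',       PROJECT_BOT, 9970),
  User.new('bot_nested_project',  PROJECT_BOT, 202),
  User.new('bot_other_hierarchy', PROJECT_BOT, 501), # must never be listed for 9970
  User.new('alice',               HUMAN,       nil),
  User.new('bot_without_owner',   PROJECT_BOT, nil)  # NULL never matches IN (...)
].freeze

# Nested SELECT: keep namespaces whose traversal_ids contain root_id (@>),
# then return the last array element, which is the namespace's own id.
def hierarchy_namespace_ids(root_id, namespaces = NAMESPACES)
  namespaces.select { |ns| ns.traversal_ids.include?(root_id) }
            .map { |ns| ns.traversal_ids.last }
            .to_set
end

# Outer query: project bots whose bot_namespace_id falls in that set.
def project_bots_in_hierarchy(root_id, users = USERS, namespaces = NAMESPACES)
  ids = hierarchy_namespace_ids(root_id, namespaces)
  users.select { |u| u.user_type == PROJECT_BOT && ids.include?(u.bot_namespace_id) }
       .map(&:username)
end

puts project_bots_in_hierarchy(9970).inspect
```

Calling `project_bots_in_hierarchy(101)` narrows the result to the subgroup's own hierarchy, which shows that the containment check works the same at any level of the tree.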