Perform LDAP group sync on sign in only for new users
What does this MR do?
Changes the LDAP Group Sync on sign in so it is only executed for new users. Other than reducing number of sync jobs in Sidekiq, customers should not notice the change because other sync mechanisms will ensure user's group membership always stays up to date. We have the hourly (by default) group sync which will ensure all groups are updated and group owners can trigger an on-demand sync at any time. The primary reason this feature was introduced in the first place was so new users didn't have to wait until the top of the next hour to get access to their groups/projects. See https://gitlab.com/gitlab-org/gitlab-ee/issues/906 where this was originally discussed and solved. In this regard this change does not modify the intention.
The specific problem we saw with customers is that they're getting way too many LdapGroupSyncWorkers piling up in Sidekiq. The syncs in question are triggered from EE::Gitlab::Auth::LDAP::Access#update_memberships
. Note that the worker isn't triggered on absolutely every git push via SSH. It's only once every LDAP sync_time
(default of 1 hour).
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
-
Changelog entry added, if necessary -
Documentation created/updated -
Tests added for this feature/bug -
Conforms to the code review guidelines -
Conforms to the merge request performance guidelines -
Conforms to the style guides -
Conforms to the database guides -
EE specific content should be in the top level /ee
folder -
For a paid feature, have we considered GitLab.com plans, how it works for groups, and is there a design for promoting it to users who aren't on the correct plan?
Closes #7352 (closed)