Restrictive selective synchronisation
Problem to solve
Geo replication can already be restricted to projects within a specific group or storage shard. This gives Geo users some control over what is replicated to a secondary. The database, however, is always fully replicated. This means that a large amount of data that is not necessary to work on a subset of projects is transferred to the secondary, and that all metadata stored in the database is transferred to a secondary location.
This may be undesirable for several reasons:
- The geo location of the secondary is not fully trusted. Customers may want to protect their IP and transfer as little as possible. This is the metadata problem.
- Users accessing the Geo node may not be members of the same entity (e.g. contractors), and a local Geo node should only be made available with data that is absolutely required. Those users should not have any access to the primary node. This is the permissions problem.
Intended users
- Customers that don't want to share their IP in specific locations.
- Customers that work a lot with contractors and outsource certain software development processes.
Further details
Proposal
As a systems administrator setting up a Geo node, I want to restrict what data is transferred. If only certain groups/projects are synchronised, then no unassociated data should be copied in addition.
Permissions and Security
https://docs.gitlab.com/ee/administration/geo/replication/configuration.html#selective-synchronization will need to be amended
Documentation
https://docs.gitlab.com/ee/administration/geo/replication/configuration.html#selective-synchronization will need to be amended
Testing
This has security implications because it will affect permissions.
What does success look like, and how can we measure that?
- A systems administrator can see and control exactly what will be copied over to a secondary node.
- Only metadata specific to the needed projects is copied.
- Permissions are correctly restricted.
What is the type of buyer?
- Premium
- Ultimate