Improve performance of release hash
Problem to solve
While investigating the security issues #121610 (closed) and #34402 (closed), we realized that there are some problems with the current summary structure:
- Performance of including issues within evidence
Evidence dumps all of the issues under each associated milestone. This could be a performance concern because it serializes an enormous amount of data; in particular, persisting that much data in PostgreSQL is not preferable from a performance perspective. For example, 1665 issues could be dumped into one column for the 12.7 milestone in the gitlab-org/gitlab project.
- Capacity for the JSONb column field is undefined
Intended users
- Rachel (Release Manager)
- Devon (DevOps Engineer)
- Delaney (Development Team Lead)
- Sasha (Software Developer)
Further details
See https://gitlab.com/gitlab-org/gitlab/issues/121930 for context and additional details around discovery of release hash issues
Proposal
- Only include the ID of issues in JSON with a link to the issue
- Add the Merge Request ID in JSON
- Define the capacity for the JSONb column field and determine what limit should be set. Decide what happens if that limit is reached, and create an error message
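A sketch of the proposed summary shape next to the current full dump, as an added example rather than GitLab's own implementation. The 1,000-byte cap, the field and method names, and the sample data (including the gitlab.example.com URLs) are assumptions made for illustration.

```ruby
require 'json'

# Hypothetical cap on the serialized summary; the page leaves the real limit undefined.
MAX_EVIDENCE_BYTES = 1_000

class EvidenceTooLargeError < StandardError; end

# Constructed sample data: one milestone with a public and a confidential issue.
SAMPLE_MILESTONES = [
  { id: 7, title: '12.7',
    issues: [
      { id: 101, title: 'Fix pipeline badge', description: 'x' * 600,
        confidential: false,
        web_url: 'https://gitlab.example.com/group/project/-/issues/1' },
      { id: 102, title: 'Leaked token in logs', description: 'y' * 600,
        confidential: true,
        web_url: 'https://gitlab.example.com/group/project/-/issues/2' }
    ],
    merge_requests: [{ id: 555 }] }
].freeze

# Behaviour described in the problem statement: every issue is dumped in full.
def full_summary(milestones)
  { milestones: milestones }
end

# Proposed shape: only the issue ID plus a link, and the merge request IDs.
def slim_summary(milestones)
  slim = milestones.map do |m|
    { id: m[:id], title: m[:title],
      issues: m[:issues].map { |i| { id: i[:id], url: i[:web_url] } },
      merge_request_ids: m[:merge_requests].map { |mr| mr[:id] } }
  end
  { milestones: slim }
end

# Serialize and refuse to persist anything over the cap, with a clear error.
def serialize_evidence(summary, max_bytes: MAX_EVIDENCE_BYTES)
  json = JSON.generate(summary)
  return json if json.bytesize <= max_bytes

  raise EvidenceTooLargeError,
        "release evidence is #{json.bytesize} bytes, limit is #{max_bytes}"
end
```

Because the slim form carries no titles or descriptions, a confidential issue contributes only its ID and link, which matches the success criterion that confidential issue data other than the ID is not exposed.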
Permissions and Security
- Auditor role has access to the JSON object for release evidence
- Permissions inherited by data access granted to user
- Secrets should not be included, and if confidential information is included, it should be encrypted
Documentation
- Auditor - https://docs.gitlab.com/ee/administration/auditor_users.html
- Release evidence - https://docs.gitlab.com/ee/user/project/releases/index.html#release-evidence
Testing
- Confirm when using the API that release evidence is not accessible without auditor role
- Release evidence should not cause a performance issue
What does success look like, and how can we measure that?
- No other users and roles can access release evidence
- Confidential issue data other than ID are not exposed in evidence
What is the type of buyer?
- Starter, premium, ultimate
Links / references
Edited by Jackie Porter