[go: up one dir, main page]
Skip to content

Update project authorization priority during saml group sync

Matthew MacRae-Bovellrequested to merge
mmacrae-bovell/lower-priority-during-saml-group-sync into master

What does this MR do and why?

NOTE: We should not merge this without first identifying and or adding any warnings for any customer facing impact.

This MR lowers the UserProjectAccessChangedService priority when executing the saml group sync so we can reduce pressure on AuthorizedProjectsWorker and the authorization team's SLA.

The GroupSamlGroupSyncWorker which is evoked by Groups::OmniauthCallbacksController#group_saml accounts for the 2nd highest number of AuthorizedProjectsWorker runs that exceed 10 seconds (dashboard):

image

References

#541445

How to set up and validate locally

Here is a script I've created to fire the Groups::SyncService.

If you run this script with a binding.pry in app/models/member.rb#refresh_member_authorized_projects_and_determine_priority

You should be able to see the following

From: /Users/matthewmacrae-bovell/gdk/gitlab/app/models/member.rb:723 Member#refresh_member_authorized_projects_and_determine_priority:

    721: def refresh_member_authorized_projects_and_determine_priority
    722:   binding.pry
 => 723:   priority = saml_group_sync_active ? ::UserProjectAccessChangedService::MEDIUM_PRIORITY : ::UserProjectAccessChangedService::HIGH_PRIORITY
    724:   refresh_member_authorized_projects(priority: priority)
    725: end

[1] pry(#<GroupMember>)> saml_group_sync_active
=> true

Here is the script to put in rails c

suffix = Time.now.to_i

# Step 1: Create Organization
org = Organizations::Organization.create!(
  name: "SAML Sync Org #{suffix}",
  path: "saml-sync-org-#{suffix}"
)

# Step 2: Build the User
user = User.new(
  name: "SAML Sync User #{suffix}",
  username: "saml_sync_user_#{suffix}",
  email: "saml_sync_user_#{suffix}@example.com",
  password: '9aL!vEw3bR#z7Yq',
  password_confirmation: '9aL!vEw3bR#z7Yq'
)
user.skip_confirmation!

# Step 3: Create personal namespace
namespace = Namespace.new(
  name: user.name,
  path: user.username,
  type: 'User',
  owner: user,
  organization: org
)
user.namespace = namespace

# Step 4: Save user and namespace
ActiveRecord::Base.transaction do
  namespace.save!
  user.save!
end
puts "✅ Created user #{user.username} with org-backed namespace"

# Step 5: Create group with matching visibility level
group = Group.create!(
  name: "SAML Sync Group #{suffix}",
  path: "saml-sync-group-#{suffix}",
  organization: org,
  visibility_level: Gitlab::VisibilityLevel::PRIVATE
)
puts "✅ Created group #{group.full_path}"

# Step 6: Create SAML group link with a valid group name
saml_group_link = SamlGroupLink.create!(
  group: group,
  access_level: Gitlab::Access::DEVELOPER,
  saml_group_name: "GitLab Developers"
)
puts "✅ Created SAML group link"

# Step 7: Run sync
service = Groups::SyncService.new(
  group,
  user,
  group_links: [saml_group_link],
  manage_group_ids: [group.id]
)
result = service.execute
puts "✅ Sync success? #{result.success?}"
puts "📦 Payload: #{result.payload.inspect}"

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Matthew MacRae-Bovell

Merge request reports