Include scheduled when deduplicating ProcessScanResultPolicyWorker
What does this MR do and why?
This change adds the including_scheduled option to the deduplication strategy for Security::ProcessScanResultPolicyWorker, as it can be executed in a scheduled manner too.
The worker is called whenever a row in project_authorizations is created/destroyed. This is done through the ProjectAuthorizations::AuthorizationsChangedEvent event, which is published from ProjectAuthorizations::Changes with a delay of 1 minute. Security::RefreshProjectPoliciesWorker calls Security::ScanResultPolicies::SyncProjectWorker inline, which calls Security::ProcessScanResultPolicyWorker with a delay of 30 seconds. One major flaw in this sequence is that since Security::ProcessScanResultPolicyWorker is scheduled to execute in the future, it will not be deduplicated until it starts executing, because we don't have including_scheduled: true. So if there are a huge number of ProjectAuthorizations::AuthorizationsChangedEvent events published continuously over a period of time, Security::ProcessScanResultPolicyWorker would be executed multiple times without enough deduplication.
This is a corrective action for incident: gitlab-com/gl-infra/production#17168 (closed)
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
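As an added illustration (not code from this MR or from GitLab), the Ruby toy model below shows the effect described above: a burst of delayed jobs for one project is only collapsed when scheduled jobs take part in the duplicate check. ToyQueue, executions_for_burst, the project id and the one-event-per-second burst are constructed assumptions; only the 30-second delay and the worker name come from the description. The model assumes each job finishes before the next one becomes due.

```ruby
require 'set'

# Toy model of enqueue-time deduplication (a simplified sketch, not GitLab's code).
# A job's key is held from the moment it is accepted until the job has run.
class ToyQueue
  def initialize(including_scheduled:)
    @including_scheduled = including_scheduled
    @keys = Set.new # keys of accepted jobs that have not run yet
    @jobs = []      # accepted jobs as [run_at, key]
  end

  # Returns true if the job was accepted, false if it was dropped as a duplicate.
  def push(worker, args, now:, delay: 0)
    key = [worker, args]
    # Jobs scheduled in the future skip the duplicate check unless opted in.
    if delay.zero? || @including_scheduled
      return false if @keys.include?(key)
      @keys << key
    end
    @jobs << [now + delay, key]
    true
  end

  # Runs every job due at or before `now`, releases its key, returns how many ran.
  def run_due(now:)
    due, @jobs = @jobs.partition { |run_at, _| run_at <= now }
    due.each { |_, key| @keys.delete(key) }
    due.size
  end
end

# Constructed burst: `events` authorization changes for one project, one per
# second, each scheduling the worker 30 seconds out. Returns the number of
# worker executions that result.
def executions_for_burst(including_scheduled:, events: 100, project_id: 42)
  queue = ToyQueue.new(including_scheduled: including_scheduled)
  ran = 0
  events.times do |t|
    ran += queue.run_due(now: t)
    queue.push('Security::ProcessScanResultPolicyWorker', [project_id], now: t, delay: 30)
  end
  ran + queue.run_due(now: events + 30)
end

puts "without including_scheduled: #{executions_for_burst(including_scheduled: false)} executions"
puts "with including_scheduled:    #{executions_for_burst(including_scheduled: true)} executions"
```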