Draft: Exclude projects or groups from CI Job Token authorizations compaction
What does this MR do and why?
A new requirement has been added as part of [BE] Provide mechanism to migrate authenticatio... (#478540) that any existing, user generated, entries in the allowlist should be factored in to the compaction process. To accomplish this, this MR proposes a new parameter to the Ci::JobToken::AuthorizationsCompactor called excluded_namespace_paths, which will contain an array of traversal_ids of the existing projects or groups in the allowlist.
Then, in the process of generating the origin_project_traversal_ids, any project that is part of an excluded path will be removed from the list (because that authorization is already provided as part of an existing entry). This check is performed in namespace_path_excluded?.
The filtered origin_project_traversal_ids is then passed to Gitlab::Utils::TraversalIdCompactor. The limit should also be decreased by the total number of existing entries in order to ensure the compacted allowlist remains within the required limit.
References
Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
| Before | After |
|---|---|
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.