Admin mode in sidekiq jobs
What does this MR do?
Add two new middlewares to Sidekiq client & server to support the admin-mode feature and extend CurrentUserMode with class methods that use the SafeRequestStore to:
- support bypassing the session in nested Sidekiq jobs, if the original job had admin mode enabled
- make the current_user of a request available as a class method to avoid querying the DB in the Sidekiq client middleware
The client middleware injects a new Sidekiq job field admin_mode_user_id on any job created by an admin in one of two cases:
- If the admin user has enabled admin mode in one of their active sessions
- Or if the job is triggered by another parent job (nested job), by using a RequestStore flag with class method CurrentUserMode.bypass_session!(user_id)
The server middleware uses the job admin_mode_user_id field set previously:
- If the field is found it will use the class method CurrentUserMode.bypass_session!(user_id) to bypass the session to set admin mode for this user, by setting the admin user id in the request thread
- While the job is executed, the policies that invoke CurrentUserMode will only have to check User#admin? to determine if admin mode is enabled, effectively ignoring the user sessions
Considerations
There are two main reasons for introducing the user in the request store and the bypass session method:
- Avoid the need to unconditionally query the database on each sidekiq client middleware to determine if the user is an admin. This is delegated to the policies, only called when actually needed.
- Determine which admin user actually triggered the job that (potentially) requires admin mode, and be able to prevent jobs from succeeding if the user lost admin rights in the period between when the job is scheduled and it is executed.
Closes #35717 (closed)
Screenshots
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Edited by Bob Van Landuyt
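The propagation described in this MR, modeled as an added Ruby example (not code from the MR or from GitLab). STORE, User, AdminModeClient, AdminModeServer, session_admin_user_id, enqueue and perform are hypothetical stand-ins, and the block form of bypass_session! is an assumption; only CurrentUserMode.bypass_session!, admin_mode_user_id and User#admin? are names taken from the description.

```ruby
# Added illustration with simplified stand-ins, not GitLab's implementation.
# STORE plays the role of SafeRequestStore (one per request or job run).
STORE = {}
User = Struct.new(:id, :admin) { def admin?; admin; end }

module CurrentUserMode
  # Assumption: block form; restores the previous flag when the job ends.
  def self.bypass_session!(user_id)
    previous = STORE[:bypass_user_id]
    STORE[:bypass_user_id] = user_id
    yield
  ensure
    STORE[:bypass_user_id] = previous
  end

  def self.bypass_user_id; STORE[:bypass_user_id]; end
  # Hypothetical: id of the admin whose web session has admin mode enabled.
  def self.session_admin_user_id; STORE[:session_admin_user_id]; end

  # Policy-side check: under a bypass only User#admin? decides, read at run time.
  def self.admin_mode?(user)
    return false unless user&.admin?
    [bypass_user_id, session_admin_user_id].include?(user.id)
  end
end

class AdminModeClient # uses the Sidekiq client middleware call signature
  def call(_worker_class, job, _queue, _redis_pool)
    id = CurrentUserMode.bypass_user_id || CurrentUserMode.session_admin_user_id
    job['admin_mode_user_id'] ||= id if id # no DB lookup at enqueue time
    yield
  end
end

class AdminModeServer # uses the Sidekiq server middleware call signature
  def call(_worker, job, _queue, &block)
    id = job['admin_mode_user_id']
    id ? CurrentUserMode.bypass_session!(id, &block) : yield
  end
end

# Helpers: push a job through the client side, then run it on the server side.
def enqueue(queue, klass)
  job = { 'class' => klass }
  AdminModeClient.new.call(klass, job, 'default', nil) { queue << job }
  job
end

def perform(job, &work)
  AdminModeServer.new.call(nil, job, 'default', &work)
end
```
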