Allow group maintainers to list provisioned users for a group

Serena Fang requested to merge list-group-provisioned-users into master

What does this MR do and why?

Describe in detail what your merge request does and why.

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/351581

Summary: Allow group maintainers to list provisioned users for a given group.

Technical implementation proposal: https://gitlab.com/gitlab-org/gitlab/-/issues/351581#technical-implementation-proposal

This MR adds EE::Auth::ProvisionedUsersFinder, which returns a list of users in a group who are provisioned by a SCIM identity or managed by a SAML group. ProvisionedUsersFinder is then exposed by a new API endpoint, GET /groups/:id/provisioned_users. Group maintainers can use this endpoint to list provisioned users for a given group.

There are a lot of useful comments in the old MR that this current MR replaced. Please see https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2180 for some potentially helpful context.

Database

== 20220201173212 AddUserDetailsProvisioningIndex: reverting ==================
-- transaction_open?()
   -> 0.0001s
-- index_exists?(:user_details, :provisioned_by_group_id, {:name=>"index_user_details_on_provisioned_by_group_id", :algorithm=>:concurrently})
   -> 0.0122s
-- add_index(:user_details, :provisioned_by_group_id, {:name=>"index_user_details_on_provisioned_by_group_id", :algorithm=>:concurrently})
   -> 0.0065s
-- transaction_open?()
   -> 0.0000s
-- indexes(:user_details)
   -> 0.0097s
-- remove_index(:user_details, {:algorithm=>:concurrently, :name=>"idx_user_details_on_provisioned_by_group_id_user_id"})
   -> 0.0053s
== 20220201173212 AddUserDetailsProvisioningIndex: reverted (0.0466s) =========

== 20220201173212 AddUserDetailsProvisioningIndex: migrating ==================
-- transaction_open?()
   -> 0.0000s
-- index_exists?(:user_details, [:provisioned_by_group_id, :user_id], {:name=>"idx_user_details_on_provisioned_by_group_id_user_id", :algorithm=>:concurrently})
   -> 0.0124s
-- add_index(:user_details, [:provisioned_by_group_id, :user_id], {:name=>"idx_user_details_on_provisioned_by_group_id_user_id", :algorithm=>:concurrently})
   -> 0.0095s
-- transaction_open?()
   -> 0.0000s
-- indexes(:user_details)
   -> 0.0090s
-- remove_index(:user_details, {:algorithm=>:concurrently, :name=>"index_user_details_on_provisioned_by_group_id"})
   -> 0.0033s
== 20220201173212 AddUserDetailsProvisioningIndex: migrated (0.0437s) =========

Migration finishes in around 30 seconds in DB lab.

Query plan: https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/8339/commands/29481#visualize-depesz

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Pavel Shutsin
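
The access rule described in this merge request (maintainers of a group may list the users that group provisions through SCIM or manages through SAML) can be modelled in memory as follows. This is an added example, not code from the merge request or from GitLab; the struct fields, the class name, the numeric access levels and the choice to treat higher levels as also allowed are assumptions made for the sketch.

```ruby
# Added illustration: an in-memory model, not GitLab's implementation.
# Field names, class names and access level numbers are assumptions.
MAINTAINER = 40 # assumed numeric level; higher means more privilege

User   = Struct.new(:id, :username, :provisioned_by_group_id, :managing_group_id, keyword_init: true)
Member = Struct.new(:user_id, :group_id, :access_level, keyword_init: true)

class AccessDenied < StandardError; end

class ProvisionedUsersLookup
  def initialize(users:, members:)
    @users = users
    @members = members
  end

  # Returns users provisioned (SCIM) or managed (SAML) by group_id.
  # Authorization is checked against the requested group, never inferred
  # from the caller's membership in some other group.
  def execute(current_user_id:, group_id:)
    raise AccessDenied, "maintainer access required" unless maintainer?(current_user_id, group_id)

    @users.select { |u| u.provisioned_by_group_id == group_id || u.managing_group_id == group_id }
          .sort_by(&:id)
  end

  private

  def maintainer?(user_id, group_id)
    @members.any? do |m|
      m.user_id == user_id && m.group_id == group_id && m.access_level >= MAINTAINER
    end
  end
end

# Constructed sample data: two groups (1 and 2) with separate provisioned users.
USERS = [
  User.new(id: 10, username: "scim_a", provisioned_by_group_id: 1),
  User.new(id: 11, username: "saml_a", managing_group_id: 1),
  User.new(id: 12, username: "scim_b", provisioned_by_group_id: 2),
  User.new(id: 13, username: "plain")
]
MEMBERS = [
  Member.new(user_id: 100, group_id: 1, access_level: 40), # maintainer of group 1
  Member.new(user_id: 101, group_id: 1, access_level: 30), # below maintainer in group 1
  Member.new(user_id: 102, group_id: 2, access_level: 50)  # privileged in group 2 only
]
LOOKUP = ProvisionedUsersLookup.new(users: USERS, members: MEMBERS)
```

The two cases worth exercising against any real implementation are the same ones modelled here: a member below maintainer in the target group, and a privileged member of a different group requesting this group's list.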
