Skip to content

[CLOUD-78] authz: re-enable user-centric perms syncing for user code host conns

Warren Gifford requested to merge revert-26636-revert-25884-jc/CLOUD-78 into main

Created by: unknwon

This is a reworked implementation of #25884 since the original implementation was reverted due to #INC-32: CloudKMS rate limit exceeded.

For small orgs EA, we need to (re-)enable user-centric permissions syncing based on user code host connections because login connections does not have repo scope granted (which is required to access GitHub repo APIs).

This implies that:

  1. Users need to connect personal code host connection in order to see private repositories added to their organizations on Sourcegraph.
  2. When users go through OAuth flow, they need to grant access from the GitHub organization they're intended to add repositories to Sourcegraph.

This PR adds back the code that is functionally equivalent to https://github.com/sourcegraph/sourcegraph/pull/23018.

What's changed compare to #25884

Instead of listing all code host connections that includes over 3k every 5 seconds, we only list site and org-level code host connections, which for EA should only be around 20.

Then, for user-centric permissions syncing, we expect around "number of user per minute" KMS API calls, e.g. 100 users being members of organization has connected code host connection, 100 KMS API calls per minute.

Follow up

This reworked implementation is only good enough for EA, and how to solve/reduce KMS API usage is beyond the purpose of this PR and should be addressed as an independent task with a holistic solution. I will create Jira ticket for it.


Jira: CLOUD-78

Merge request reports

Loading