[Integration][Gitlab] Added support for gitlab member ingestion

[mk-armah]

Description

Added support for gitlab member ingestion

• Gitlab group members endpoint does not contain users emails by default or for free plan, to get emails, an account is required to be either an enterprise or self hosted.
• To enable free plan users to view the user emails as well, we add a flag publicEmailVisibility to the member kind. If set to true, members are enriched with public_email from the /user endpoint, but this is highly dependent on whether the user being query has allowed public email visibility on the gitlab account. learn more
  Also note that it was necessary that we call the /users endpoint because members do not contain public_email. Default value for publicEmailVisibility filter is false.
• Lastly, gitlab returns all members and tokens created as members, to enable filtering out bots from actual members we add a flag filterBots to the port-app-config (top level) to filter out bots if set to true, default is true. bots filtering is needed when syncing groups and group members, hence the need for putting filterBots on top-level of the port-app-config

Type of change

Please leave one option from the following and delete the rest:

• New feature (non-breaking change which adds functionality)

Screenshots

[Tankilevitch]

in what case the user will have a public email? I think we might want to remove it by default

[Tankilevitch]

in the blueprint relation you only have gitlabGroup, while in your mapping you have both createdBy and gitlabGroup. I am not sure it is of interest for users who created the user, lets remove it. Let me know if you think otherwise

[Tankilevitch]

this feels very insufficient, eventually for all the if I have 1 member, and 1000 groups, I'll have to query this api 1000 times to find out what groups he related to? isn't there any other way to get that data?

[Tankilevitch]

I am not sure this should be the default behavior when quering members.

[Tankilevitch]

maybe this should be something that is part of group members kind? that will query the list of members of each group.
and instead of having a relation of user -> groups, we will have relation between group -> users

[Tankilevitch]

Suggested change

	async def get_all_group_members(
	self, group: Group
	) -> typing.AsyncIterator[List[GroupMemberAll]]:
	logger.info(f"Fetching all members of group {group.name}")
	async for users_batch in AsyncFetcher.fetch_batch(
	fetch_func=group.members_all.list,
	validation_func=self.should_run_for_member,
	pagination="offset",
	order_by="id",
	sort="asc",
	):
	members: List[GroupMemberAll] = typing.cast(
	List[GroupMemberAll], users_batch
	)
	logger.info(
	f"Queried {len(members)} members {[user.username for user in members]} from {group.name}"
	)
	yield members
	async def get_all_group_members(
	self, group: Group
	) -> typing.AsyncIterator[List[GroupMemberAll]]:
	logger.info(f"Fetching all members of group {group.name}")
	async for users_batch in AsyncFetcher.fetch_batch(
	fetch_func=group.members_all.list,
	validation_func=self.should_run_for_member,
	pagination="offset",
	order_by="id",
	sort="asc",
	):
	members: List[GroupMemberAll] = typing.cast(
	List[GroupMemberAll], users_batch
	)
	logger.info(
	f"Queried {len(members)} members {[user.username for user in members]} from {group.name}"
	)
	members_enriched_with_group = [ {...member, group: group} for member in members ]
	yield members

[Tankilevitch]

feature flag in the selector mapping, and defined in docs.

[Tankilevitch]

Suggested change

	@ocean.on_resync(ObjectKind.MEMBER)
	async def resync_members(kind: str) -> ASYNC_GENERATOR_RESYNC_TYPE:
	for service in get_cached_all_services():
	for group in service.get_root_groups():
	async for members_batch in service.get_all_group_members(group):
	tasks = [
	service.enrich_member_with_groups_and_public_email(member)
	for member in members_batch
	]
	members = await asyncio.gather(*tasks)
	yield members
	@ocean.on_resync(ObjectKind.GROUP_MEMBERS)
	async def resync_members(kind: str) -> ASYNC_GENERATOR_RESYNC_TYPE:
	for service in get_cached_all_services():
	for group in service.get_root_groups():
	group_members = []
	async for members_batch in service.get_all_group_members(group):
	group_memebers.append(members_batch)
	yield { group: group, group_members: group_members }

stream_async_iterators_tasks

[Tankilevitch]

missing group

[Tankilevitch]

how is this locked?

[Tankilevitch]

we are talking about member not gitlab item, please make sure its readable and straight forward for the users

[Tankilevitch]

add description

[Tankilevitch]

what is createdBy we don't have that kind of relation please remove

[Tankilevitch]

lets remove by default

[Tankilevitch]

shouldn't be here

[mk-armah]

relationship is group -> member

[Tankilevitch]

which one?

[mk-armah]

both, depends on the context

[Tankilevitch]

initialize the class outside of GitlabMembersResourceConfig that way we would be able to re-use it

[Tankilevitch]

lets not use this cache, we already have a prebuilt one in ocean core

[Tankilevitch]

enrich_with_public_email

[Tankilevitch]

this should be part of the group selector and not of all resources

[mk-armah]

Both Members and Groups depend on this parameter. Removing from top level means I have to include it in integration for groups and members. Please confirm this

[mk-armah]

Also, I placed it at the top level to keep a consistent behavior in this system since groups are related to user. I strictly expect the value of filterBots to be consistent for groups and members. What could go wrong is that a user might specify this parameter as false for groups kind and true for member kind. Due to the relationship between members and groups, the catalog will be populated with extra inconsistent data.

[Tankilevitch]

I would add a comment above the filter_bots so other developers will understand your motivation.
Also I would rename it to include_member_bots and default should be false

[Tankilevitch]

why? how can we actually validate and handle it? we want to be able to handle the rate limits most of third parties return headers, but we don't use gitlab api straightforward but rather through the client.

• https://docs.gitlab.com/ee/administration/settings/rate_limit_on_projects_api.html
• https://docs.gitlab.com/ee/administration/settings/rate_limit_on_members_api.html
• https://forum.gitlab.com/t/ratelimit-headers/93078

Here are some notes on the rate limits

[Tankilevitch]

Actually just found this one - https://python-gitlab.readthedocs.io/en/stable/api-usage-advanced.html#rate-limits which means that gitlab client handles this one for us, so we are good 👍

[Tankilevitch]

redundant line

[Tankilevitch]

why group.member.list and not group.member_all.list ?
https://python-gitlab.readthedocs.io/en/stable/gl_objects/groups.html#id10
what do you think about adding this as an option to query all rather than only in one hierarchy?

[Tankilevitch]

what happens when I have the same user in multiple groups? how would that behave? will I have to perform repeated upserts?

maybe in this method ^ we should use members = group.members_all.list(get_all=True) which will return all and reduce the amount of extra requests that we will have to perform?

[mk-armah]

my reason for using members as opposed to member_all was because the members_all request returns not the the user in that group but also all inherited and invited members.

Thereby resulting in all groups the same members since the members most commonly belong to the parent group - details

aside this, the behavior and how we will retrieve members does not differ from member and members_all

[Tankilevitch]

ok i understand what you are saying, so if we use the members_all only for the members kind wouldn't it reduce the amount of requests by a lot? as we will only have to bring the members for the root groups rather than the subgroups as well.

also just making sure that you have tested subgroups as well. please confirm

[mk-armah]

calling /members on root groups returns the same results as /members/all, calling /members on subgroups comes with less data than members/all, due to the exclusion of invited and inherited members, for root groups, concept of inherited members does not apply, all members of the root groups are returned regardless how we choose to call them.

I believe the optimization here was getting members from root groups instead of all groups (including subgroups), which would have taken more time.

[Tankilevitch]

Also missing webhook handling for new members.

[Tankilevitch]

I think adding members should be optional for groups, so customers will be able to decide whether they want to have it or no

[Tankilevitch]

and need to check that creating a new group, will sync the members correctly

[mk-armah]

fair, how about project -> group, same ?

[Tankilevitch]

why not using the get_all_group_members once and then if enrich_with_public_email spawn requests for the members

[mk-armah]

Great, the code will look like this then

`members = [
member
async for members_batch in service.get_all_group_members(group)
for member in members_batch
]

if selector.enrich_with_public_email:
enriched_member_tasks = [
service.enrich_member_with_public_email(member)
for member in members
]
enriched_members = await asyncio.gather(*enriched_member_tasks)
result = enriched_members
else:
result = [member.asdict() for member in members]

return result`

[mk-armah]

I'll refactor

[mk-armah]

This is better for readability, thanks

[Tankilevitch]

I am confused which is one is the right one? you both return members_dics and the group_members in the same resync method? how should it work?

[mk-armah]

Members dict is returned by the fetch_group_members function which is responsible for making the decision as to whether to enrich or not enrich a group member #

[mk-armah]

at group_tasks = [fetch_group_members(service, group) for group in groups], we leverage fetch_group_members to fetch all members of the each group and process them as completed.

[Tankilevitch]

when we do such things, we should add it under a feature flag, as we wouldn't want to just do all those extra requests to get the members if it wasn't actually intended by the user.

Therefor I suggest leaving the group kind as it was.
And add the following kinds.

groupMembers - which will do this exact logic that you have implemented in resync_groups - this kind will allow users to decide whether they want to export the group with or without members.

member / user - which will bring the information about a user. such as the email etc..

[Tankilevitch]

what will happen when a member is in multiple groups? will it get overwritten in port with the latest group that was fetched?

[mk-armah]

Yes it would, a function to cache members and return only unsynced / uncached members can solve this. So we don't have to hit port with members that have been synced already