[Integration][Gitlab] Added support for gitlab member ingestion

[mk-armah]

Description

Added support for GitLab member ingestion.

This PR introduces two new kinds: PROJECTWITHMEMBERS and GROUPWITHMEMBERS. These are enhanced versions of the original PROJECT and GROUP kinds, now including member data.

• Public Email Visibility:

  • GitLab group and project members do not include users' emails by default, especially for free plans. To enable users on free plans to view user emails, we have added a flag includePublicEmail to the member selector.
  • Usage: If set to true, members are enriched with the public_email field from the /users endpoint. This is dependent on whether the user has allowed public email visibility in their GitLab account settings. Learn more.
  • Note: It was necessary to call the /users endpoint because the members API does not include public_email.
  • Default Value: The default value for includePublicEmail is false.

• Bot Members Filtering:

  • GitLab returns all members, including bots and tokens created as members. To filter out bots from actual members, we have added a flag includeBotMembers to the MemberSelector.
  • Usage: If set to false, bot members are excluded from the synchronization process.
  • Default Value: The default value for includeBotMembers is true, meaning bots are included by default.
  • Reasoning: Bot filtering is necessary when syncing members to ensure only actual user accounts are considered.

• Inherited Members Inclusion:

  • GitLab allows inclusion of inherited members from parent groups. To control this behavior, we have added a flag includeInheritedMembers.
  • Usage: If set to true, members inherited from parent groups are included during synchronization.
  • Default Value: The default value for includeInheritedMembers is false, so inherited members are excluded by default.
  • Note: Including inherited members can provide a more comprehensive view of all members who have access to a project or group through group hierarchies.

Type of change

Please leave one option from the following and delete the rest:

• New feature (non-breaking change which adds functionality)

Screenshots

[Tankilevitch]

in what case the user will have a public email? I think we might want to remove it by default

[Tankilevitch]

in the blueprint relation you only have gitlabGroup, while in your mapping you have both createdBy and gitlabGroup. I am not sure it is of interest for users who created the user, lets remove it. Let me know if you think otherwise

[Tankilevitch]

this feels very insufficient, eventually for all the if I have 1 member, and 1000 groups, I'll have to query this api 1000 times to find out what groups he related to? isn't there any other way to get that data?

[Tankilevitch]

I am not sure this should be the default behavior when quering members.

[Tankilevitch]

maybe this should be something that is part of group members kind? that will query the list of members of each group.
and instead of having a relation of user -> groups, we will have relation between group -> users

[Tankilevitch]

Suggested change

	async def get_all_group_members(
	self, group: Group
	) -> typing.AsyncIterator[List[GroupMemberAll]]:
	logger.info(f"Fetching all members of group {group.name}")
	async for users_batch in AsyncFetcher.fetch_batch(
	fetch_func=group.members_all.list,
	validation_func=self.should_run_for_member,
	pagination="offset",
	order_by="id",
	sort="asc",
	):
	members: List[GroupMemberAll] = typing.cast(
	List[GroupMemberAll], users_batch
	)
	logger.info(
	f"Queried {len(members)} members {[user.username for user in members]} from {group.name}"
	)
	yield members
	async def get_all_group_members(
	self, group: Group
	) -> typing.AsyncIterator[List[GroupMemberAll]]:
	logger.info(f"Fetching all members of group {group.name}")
	async for users_batch in AsyncFetcher.fetch_batch(
	fetch_func=group.members_all.list,
	validation_func=self.should_run_for_member,
	pagination="offset",
	order_by="id",
	sort="asc",
	):
	members: List[GroupMemberAll] = typing.cast(
	List[GroupMemberAll], users_batch
	)
	logger.info(
	f"Queried {len(members)} members {[user.username for user in members]} from {group.name}"
	)
	members_enriched_with_group = [ {...member, group: group} for member in members ]
	yield members

[Tankilevitch]

feature flag in the selector mapping, and defined in docs.

[Tankilevitch]

Suggested change

	@ocean.on_resync(ObjectKind.MEMBER)
	async def resync_members(kind: str) -> ASYNC_GENERATOR_RESYNC_TYPE:
	for service in get_cached_all_services():
	for group in service.get_root_groups():
	async for members_batch in service.get_all_group_members(group):
	tasks = [
	service.enrich_member_with_groups_and_public_email(member)
	for member in members_batch
	]
	members = await asyncio.gather(*tasks)
	yield members
	@ocean.on_resync(ObjectKind.GROUP_MEMBERS)
	async def resync_members(kind: str) -> ASYNC_GENERATOR_RESYNC_TYPE:
	for service in get_cached_all_services():
	for group in service.get_root_groups():
	group_members = []
	async for members_batch in service.get_all_group_members(group):
	group_memebers.append(members_batch)
	yield { group: group, group_members: group_members }

stream_async_iterators_tasks

[Tankilevitch]

missing group

[Tankilevitch]

how is this locked?

[Tankilevitch]

we are talking about member not gitlab item, please make sure its readable and straight forward for the users

[Tankilevitch]

add description

[Tankilevitch]

what is createdBy we don't have that kind of relation please remove

[Tankilevitch]

lets remove by default

[Tankilevitch]

shouldn't be here

[mk-armah]

relationship is group -> member

[Tankilevitch]

which one?

[mk-armah]

both, depends on the context

[Tankilevitch]

initialize the class outside of GitlabMembersResourceConfig that way we would be able to re-use it

[Tankilevitch]

lets not use this cache, we already have a prebuilt one in ocean core

[Tankilevitch]

enrich_with_public_email

[Tankilevitch]

this should be part of the group selector and not of all resources

[mk-armah]

Both Members and Groups depend on this parameter. Removing from top level means I have to include it in integration for groups and members. Please confirm this

[mk-armah]

Also, I placed it at the top level to keep a consistent behavior in this system since groups are related to user. I strictly expect the value of filterBots to be consistent for groups and members. What could go wrong is that a user might specify this parameter as false for groups kind and true for member kind. Due to the relationship between members and groups, the catalog will be populated with extra inconsistent data.

[Tankilevitch]

I would add a comment above the filter_bots so other developers will understand your motivation.
Also I would rename it to include_member_bots and default should be false

[Tankilevitch]

why? how can we actually validate and handle it? we want to be able to handle the rate limits most of third parties return headers, but we don't use gitlab api straightforward but rather through the client.

• https://docs.gitlab.com/ee/administration/settings/rate_limit_on_projects_api.html
• https://docs.gitlab.com/ee/administration/settings/rate_limit_on_members_api.html
• https://forum.gitlab.com/t/ratelimit-headers/93078

Here are some notes on the rate limits

[Tankilevitch]

Actually just found this one - https://python-gitlab.readthedocs.io/en/stable/api-usage-advanced.html#rate-limits which means that gitlab client handles this one for us, so we are good 👍

[Tankilevitch]

redundant line

[Tankilevitch]

why group.member.list and not group.member_all.list ?
https://python-gitlab.readthedocs.io/en/stable/gl_objects/groups.html#id10
what do you think about adding this as an option to query all rather than only in one hierarchy?

[Tankilevitch]

what happens when I have the same user in multiple groups? how would that behave? will I have to perform repeated upserts?

maybe in this method ^ we should use members = group.members_all.list(get_all=True) which will return all and reduce the amount of extra requests that we will have to perform?

[mk-armah]

my reason for using members as opposed to member_all was because the members_all request returns not the the user in that group but also all inherited and invited members.

Thereby resulting in all groups the same members since the members most commonly belong to the parent group - details

aside this, the behavior and how we will retrieve members does not differ from member and members_all

[Tankilevitch]

ok i understand what you are saying, so if we use the members_all only for the members kind wouldn't it reduce the amount of requests by a lot? as we will only have to bring the members for the root groups rather than the subgroups as well.

also just making sure that you have tested subgroups as well. please confirm

[mk-armah]

calling /members on root groups returns the same results as /members/all, calling /members on subgroups comes with less data than members/all, due to the exclusion of invited and inherited members, for root groups, concept of inherited members does not apply, all members of the root groups are returned regardless how we choose to call them.

I believe the optimization here was getting members from root groups instead of all groups (including subgroups), which would have taken more time.

[Tankilevitch]

Also missing webhook handling for new members.

[Tankilevitch]

I think adding members should be optional for groups, so customers will be able to decide whether they want to have it or no

[Tankilevitch]

and need to check that creating a new group, will sync the members correctly

[mk-armah]

fair, how about project -> group, same ?

[Tankilevitch]

Nice job @mk-armah , added a few comments

[Tankilevitch]

is there more information that can be added to a member other than public email ?

[mk-armah]

Here is a sample ==> User

{
  "id": 15339857,
  "username": "tompo",
  "name": "Tom Kofi Tankilevitch",
  "state": "active",
  "locked": false,
  "avatar_url": "https://secure.gravatar.com/avatar/81e644d6312fa802fa1a11d605104ba745732a7054be8d3579d3024ff6168bcc?s=80&d=identicon",
  "web_url": "https://gitlab.com/tompo",
  "created_at": "2023-08-27T13:39:29.744Z",
  "bio": "",
  "location": "",
  "public_email": null,
  "skype": "",
  "linkedin": "",
  "twitter": "",
  "discord": "",
  "website_url": "",
  "organization": "",
  "job_title": "",
  "pronouns": null,
  "bot": false,
  "work_information": null,
  "followers": 0,
  "following": 0,
  "is_followed": false,
  "local_time": null
}

[mk-armah]

Member

{
  "id": 15339857,
  "username": "tompo",
  "name": "Tom Kofi Tankilevitch",
  "state": "active",
  "locked": false,
  "avatar_url": "https://secure.gravatar.com/avatar/81e644d6312fa802fa1a11d605104ba745732a7054be8d3579d3024ff6168bcc?s=80&d=identicon",
  "web_url": "https://gitlab.com/tompo",
  "access_level": 50,
  "created_at": "2023-08-27T13:39:29.744Z",
  "created_by": {
    "id": 13921399,
    "username": "matanlevi",
    "name": "Matan Levi",
    "state": "active",
    "locked": false,
    "avatar_url": "https://secure.gravatar.com/avatar/814e5edbb657a70c5c9bd09a4171768c245d18cabec5f3b440d43dbc26d36f88?s=80&d=identicon",
    "web_url": "https://gitlab.com/matanlevi"
  },
  "expires_at": null,
  "email": null,
  "membership_state": "active"
}

[mk-armah]

just the socials, if its relevant

[Tankilevitch]

we are not consistent in the way that we are returning the enriched objects, in enrich_project you are returning objects while here you are returning dict, can you elaborate on why?

[mk-armah]

In ProjectWithMembers, we call enrich_project_with_extras after which the results are passed down to enrich_object_with_members, for enrich_object_with_members to get an object, enrich_project_with_extras needed to return an object.

Would you like me to make enrich_object_with_members to also manipulate the object directly and return a dict as well ?

[Tankilevitch]

what is making sure we are not experiencing rate limits here?

we get 20 projects, and then spawn 20 tasks and in each project it might have multiple members and then for each member batch you are performing another request.

[Tankilevitch]

doesn't seems used anymore

[Tankilevitch]

this isn't consistent, on one hand you are using @cache_iterator_result() and for users you are specifically creating cache. Ideally lets use cache_iterator_result if possible

[mk-armah]

cache_iterator_results works with generators, not coroutines...
I wrote one for coroutines here, I'll push to ocean core utils so we use it from there

[mk-armah]

Here

[Tankilevitch]

LGTM

[Tankilevitch]

LGTM