Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Skip query references in Rbac when not needed
Makes calling `.references` on the Rbac scope more conservative, since
it has the possibility of causing some nasty join bombs.
The change to the CloudTenancyMixin was made so that it can be in charge
of it's own specific references instead of relying on a quirk of
`ActiveRecord`, in which `references(nil)` will call references for all
of the `includes` values.
This is a bandage for for the following issue:
* * *
Given roughly these kind of table counts
container_images: 700
containers: 2500
openscap_results: 100
openscap_rule_results: 70000
custom_attributes: 20000
Where half of the custom_attributes are associated with
container_images. If the following MiqReport is run:
cols:
- name
- virtual_custom_attribute_build-date:SECTION:docker_labels
- virtual_custom_attribute_io.openshift.build.name:SECTION:docker_labels
- virtual_custom_attribute_io.openshift.build.namespace:SECTION:docker_labels
include:
openscap_rule_results:
columns:
- severity
containers:
columns:
- state
(`:custom_attributes => {}` is also part of the resulting `include`, but
pretty sure that gets tacked on in the `MiqReport#generate` call)
Without needing a report, the query that gets executed can be replicated
by doing the following:
irb> includes_for_find = {
:openscap_rule_results => {},
:containers => {},
:custom_attributes => {}
}
irb> ContainerImages.includes(includes_for_find)
.references(includes_for_find)
.to_sql
There would be a "LEFT JOIN" bomb that would end up causing about 40GB
of data being returned from the database. In this case as well, there
is nothing that is making use of the references for the result, but the
extra table data would be returned from the query prior to this commit
in a very inefficient manner with loads of duplicate data.- Loading branch information
1 parent
f766292
commit d24937c