diff --git a/CHANGELOG.md b/CHANGELOG.md index 9a8e1a1f8..a02ad89fe 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - [EE] Added multi-owner support with promote/demote actions. [#988](https://github.com/sourcebot-dev/sourcebot/pull/988) +- [EE] Added `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` environment variable to enable/disable repo-driven permission syncing. [#989](https://github.com/sourcebot-dev/sourcebot/pull/989) ## [4.15.3] - 2026-03-10 diff --git a/docs/docs/configuration/environment-variables.mdx b/docs/docs/configuration/environment-variables.mdx index e802da0fe..222c9bcd1 100644 --- a/docs/docs/configuration/environment-variables.mdx +++ b/docs/docs/configuration/environment-variables.mdx @@ -46,6 +46,7 @@ The following environment variables allow you to configure your Sourcebot deploy | `AUTH_EE_GCP_IAP_ENABLED` | `false` |

When enabled, allows Sourcebot to automatically register/login from a successful GCP IAP redirect

| | `AUTH_EE_GCP_IAP_AUDIENCE` | - |

The GCP IAP audience to use when verifying JWT tokens. Must be set to enable GCP IAP JIT provisioning

| | `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` | `false` |

Enables [permission syncing](/docs/features/permission-syncing).

| +| `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` |

Enables/disables [repo-driven permission syncing](/docs/features/permission-syncing#how-it-works). Only applies when `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` is `true`.

| | `AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING` | `true` |

When enabled, different SSO accounts with the same email address will automatically be linked.

| diff --git a/docs/docs/features/permission-syncing.mdx b/docs/docs/features/permission-syncing.mdx index 0ed365f59..0c35aac65 100644 --- a/docs/docs/features/permission-syncing.mdx +++ b/docs/docs/features/permission-syncing.mdx @@ -41,6 +41,8 @@ We are actively working on supporting more code hosts. If you'd like to see a sp | [GitLab (Self-managed & Cloud)](/docs/features/permission-syncing#gitlab) | ✅ | | [Bitbucket Cloud](/docs/features/permission-syncing#bitbucket-cloud) | 🟠 Partial | | [Bitbucket Data Center](/docs/features/permission-syncing#bitbucket-data-center) | 🟠 Partial | +| Azure DevOps Cloud | 🛑 | +| Azure DevOps Server | 🛑 | | Gitea | 🛑 | | Gerrit | 🛑 | | Generic git host | 🛑 | @@ -134,7 +136,14 @@ Permission syncing works by periodically syncing ACLs from the code host(s) to S - **User driven** : fetches the list of all repositories that a given user has access to. - **Repo driven** : fetches the list of all users that have access to a given repository. -User driven and repo driven syncing occurs every 24 hours by default. These intervals can be configured using the following settings in the [config file](/docs/configuration/config-file): +User driven and repo driven syncing occurs every 24 hours by default. Repo-driven syncing can be disabled independently using the following environment variable: + +| Environment variable | Default | Description | +|---|---|---| +| `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` | `true` | Enables/disables repo-driven syncing. | + +The sync intervals can be configured using the following settings in the [config file](/docs/configuration/config-file): + | Setting | Type | Default | Minimum | |-------------------------------------------------|---------|------------|---------| | `experiment_repoDrivenPermissionSyncIntervalMs` | number | 24 hours | 1 | diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index db3ceaef0..1dd79f381 100644 --- a/packages/backend/src/index.ts 
+++ b/packages/backend/src/index.ts @@ -76,7 +76,9 @@ if (env.EXPERIMENT_EE_PERMISSION_SYNC_ENABLED === 'true' && !hasEntitlement('per process.exit(1); } else if (env.EXPERIMENT_EE_PERMISSION_SYNC_ENABLED === 'true' && hasEntitlement('permission-syncing')) { - repoPermissionSyncer.startScheduler(); + if (env.PERMISSION_SYNC_REPO_DRIVEN_ENABLED === 'true') { + repoPermissionSyncer.startScheduler(); + } accountPermissionSyncer.startScheduler(); } diff --git a/packages/shared/src/env.server.ts b/packages/shared/src/env.server.ts index 2b762113f..0c9e692c7 100644 --- a/packages/shared/src/env.server.ts +++ b/packages/shared/src/env.server.ts @@ -247,6 +247,7 @@ export const env = createEnv({ // @NOTE: Take care to update actions.ts when changing the name of this. EXPERIMENT_SELF_SERVE_REPO_INDEXING_GITHUB_TOKEN: z.string().optional(), EXPERIMENT_EE_PERMISSION_SYNC_ENABLED: booleanSchema.default('false'), + PERMISSION_SYNC_REPO_DRIVEN_ENABLED: booleanSchema.default('true'), EXPERIMENT_ASK_GH_ENABLED: booleanSchema.default('false'), SOURCEBOT_ENCRYPTION_KEY: z.string(),
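Review bot: In the `@@ -134,7 +136,14 @@` hunk of docs/docs/features/permission-syncing.mdx, the new table row says only "Enables/disables repo-driven syncing." and leaves out the dependency on `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED` being `true`, which environment-variables.mdx does state. Suggest repeating that condition here and adding one sentence on what an operator gives up by setting the variable to `false`: the index.ts change still starts `accountPermissionSyncer`, so ACLs are then refreshed only through that remaining path.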
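Review bot: The `| Azure DevOps Cloud | 🛑 |` and `| Azure DevOps Server | 🛑 |` rows added in the `@@ -41,6 +41,8 @@` hunk of docs/docs/features/permission-syncing.mdx are unrelated to the environment variable this change introduces and are not covered by the CHANGELOG entry. Suggest moving them to a separate docs change, or mentioning them in the change description so the table edit is not missed in review.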
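Review bot: In packages/backend/src/index.ts, the new `if (env.PERMISSION_SYNC_REPO_DRIVEN_ENABLED === 'true')` branch skips `repoPermissionSyncer.startScheduler()` without emitting anything when the flag is off. Since this controls which ACL sync path is running, suggest logging once at startup that repo-driven permission syncing is disabled, so an operator can confirm the effective configuration from the logs. The hunk gates only the scheduler start; please also confirm that no other caller of `repoPermissionSyncer` assumes the scheduler is running.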
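Review bot: In packages/shared/src/env.server.ts, `PERMISSION_SYNC_REPO_DRIVEN_ENABLED` drops the `EXPERIMENT_EE_` prefix carried by the flag directly above it, `EXPERIMENT_EE_PERMISSION_SYNC_ENABLED`, although the CHANGELOG entry tags the feature `[EE]` and the docs say it only applies when that flag is `true`. Either align the name with the existing prefix, or add a short comment next to the schema entry recording the dependency, so the two flags are not read as independent switches.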