fix: server perf affected by sentry + fix permission issues caused by carriers permission update

danh91 · danh91 · commit 72cef16c31a8 · 2025-12-01T18:32:44.000-08:00
diff --git a/apps/api/karrio/server/settings/apm.py b/apps/api/karrio/server/settings/apm.py
@@ -64,8 +64,9 @@
 SENTRY_DSN = config("SENTRY_DSN", default=None)
 SENTRY_ENVIRONMENT = config("SENTRY_ENVIRONMENT", default=config("ENV", default="production"))
 SENTRY_RELEASE = config("SENTRY_RELEASE", default=config("VERSION", default=None))
-SENTRY_TRACES_SAMPLE_RATE = config("SENTRY_TRACES_SAMPLE_RATE", default=1.0, cast=float)
-SENTRY_PROFILES_SAMPLE_RATE = config("SENTRY_PROFILES_SAMPLE_RATE", default=1.0, cast=float)
+# Lower default sample rates for better performance (was 1.0/100%)
+SENTRY_TRACES_SAMPLE_RATE = config("SENTRY_TRACES_SAMPLE_RATE", default=0.1, cast=float)  # 10% of transactions
+SENTRY_PROFILES_SAMPLE_RATE = config("SENTRY_PROFILES_SAMPLE_RATE", default=0.0, cast=float)  # Disabled by default
 SENTRY_SEND_PII = config("SENTRY_SEND_PII", default=True, cast=bool)
 SENTRY_DEBUG = config("SENTRY_DEBUG", default=False, cast=bool)
 
@@ -136,8 +137,8 @@ def _sentry_before_send_transaction(event, hint):
     integrations = [
         DjangoIntegration(
             transaction_style="url",  # Use URL patterns for transaction names
-            middleware_spans=True,    # Create spans for middleware
-            signals_spans=True,       # Create spans for Django signals
+            middleware_spans=False,   # Disabled for performance (was True)
+            signals_spans=False,      # Disabled for performance (was True)
         ),
     ]
 
@@ -182,10 +183,10 @@ def _sentry_before_send_transaction(event, hint):
         environment=SENTRY_ENVIRONMENT,
         release=SENTRY_RELEASE,
 
-        # Performance monitoring
+        # Performance monitoring (lower sample rates for better performance)
         traces_sample_rate=SENTRY_TRACES_SAMPLE_RATE,
-        profile_session_sample_rate=SENTRY_PROFILES_SAMPLE_RATE,
-        profile_lifecycle="trace",
+        # Only enable profiling if explicitly configured (disabled by default)
+        **({"profile_session_sample_rate": SENTRY_PROFILES_SAMPLE_RATE, "profile_lifecycle": "trace"} if SENTRY_PROFILES_SAMPLE_RATE > 0 else {}),
 
         # Privacy settings
         send_default_pii=SENTRY_SEND_PII,
@@ -200,16 +201,11 @@ def _sentry_before_send_transaction(event, hint):
         before_send=_sentry_before_send,
         before_send_transaction=_sentry_before_send_transaction,
 
-        # Additional options
-        max_breadcrumbs=50,  # Keep last 50 breadcrumbs for context
+        # Additional options (reduced for performance)
+        max_breadcrumbs=25,  # Reduced from 50 for lower memory usage
         attach_stacktrace=True,  # Attach stack traces to messages
-        include_source_context=True,  # Include source code in stack traces
-        include_local_variables=True,  # Include local variables in stack traces
-
-        # Set custom tags
-        _experiments={
-            "record_sql_params": True,  # Record SQL query parameters
-        },
+        include_source_context=False,  # Disabled for performance (was True)
+        include_local_variables=False,  # Disabled for performance (was True)
     )
 
     # Set default tags that will be applied to all events
diff --git a/modules/core/karrio/server/iam/migrations/0002_setup_carrier_permission_groups.py b/modules/core/karrio/server/iam/migrations/0002_setup_carrier_permission_groups.py
@@ -0,0 +1,103 @@
+# Generated by Django migration for carrier permission groups
+
+from django.db import migrations
+
+
+def setup_carrier_groups(apps, schema_editor):
+    """
+    Create read_carriers and write_carriers permission groups and update
+    existing organization user permissions to include read_carriers.
+
+    This migration addresses the permission regression where:
+    1. read_carriers and write_carriers groups were added to ROLES_GROUPS
+    2. But existing user ContextPermissions weren't updated with these groups
+    """
+    Group = apps.get_model('user', 'Group')
+    Permission = apps.get_model('auth', 'Permission')
+    ContentType = apps.get_model('contenttypes', 'ContentType')
+    ContextPermission = apps.get_model('iam', 'ContextPermission')
+
+    # Create the new permission groups if they don't exist
+    read_carriers_group, _ = Group.objects.get_or_create(name='read_carriers')
+    write_carriers_group, _ = Group.objects.get_or_create(name='write_carriers')
+
+    # Get providers content types for permissions
+    try:
+        providers_ct = ContentType.objects.filter(app_label='providers')
+
+        # Set up read_carriers with view permissions
+        view_perms = Permission.objects.filter(
+            content_type__in=providers_ct,
+            codename__icontains='view'
+        )
+        if view_perms.exists():
+            read_carriers_group.permissions.set(view_perms)
+
+        # Set up write_carriers with all providers permissions
+        all_provider_perms = Permission.objects.filter(content_type__in=providers_ct)
+        if all_provider_perms.exists():
+            write_carriers_group.permissions.set(all_provider_perms)
+    except Exception:
+        # Providers app may not be installed yet
+        pass
+
+    # Update all existing ContextPermissions that have manage_carriers to also include read_carriers
+    manage_carriers_group = Group.objects.filter(name='manage_carriers').first()
+
+    if manage_carriers_group:
+        # Find all context permissions that have manage_carriers
+        context_perms_with_manage = ContextPermission.objects.filter(
+            groups=manage_carriers_group
+        )
+
+        # Add read_carriers and write_carriers to these context permissions
+        for ctx_perm in context_perms_with_manage:
+            ctx_perm.groups.add(read_carriers_group)
+            ctx_perm.groups.add(write_carriers_group)
+
+    # Also update any OrganizationUser context permissions based on their roles
+    # This ensures all users who should have read_carriers get it
+    try:
+        OrganizationUser = apps.get_model('orgs', 'OrganizationUser')
+        org_user_ct = ContentType.objects.get_for_model(OrganizationUser)
+
+        # Roles that should have read_carriers (all roles)
+        org_user_context_perms = ContextPermission.objects.filter(
+            content_type=org_user_ct
+        )
+
+        for ctx_perm in org_user_context_perms:
+            # All organization users should have read_carriers by default
+            ctx_perm.groups.add(read_carriers_group)
+    except Exception:
+        # Orgs app may not be installed
+        pass
+
+
+def reverse_migration(apps, schema_editor):
+    """Reverse migration - remove the new groups from context permissions."""
+    Group = apps.get_model('user', 'Group')
+    ContextPermission = apps.get_model('iam', 'ContextPermission')
+
+    read_carriers_group = Group.objects.filter(name='read_carriers').first()
+    write_carriers_group = Group.objects.filter(name='write_carriers').first()
+
+    if read_carriers_group:
+        for ctx_perm in ContextPermission.objects.filter(groups=read_carriers_group):
+            ctx_perm.groups.remove(read_carriers_group)
+
+    if write_carriers_group:
+        for ctx_perm in ContextPermission.objects.filter(groups=write_carriers_group):
+            ctx_perm.groups.remove(write_carriers_group)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('iam', '0001_initial'),
+        ('user', '0004_group'),
+    ]
+
+    operations = [
+        migrations.RunPython(setup_carrier_groups, reverse_migration),
+    ]
diff --git a/modules/graph/karrio/server/graph/schemas/base/types.py b/modules/graph/karrio/server/graph/schemas/base/types.py
@@ -1369,7 +1369,6 @@ def resolve_list_legacy(
     @staticmethod
     @utils.utils.error_wrapper
     @utils.authentication_required
-    @utils.authorization_required(["read_carriers"])
     def resolve(
         info,
         id: str,
@@ -1382,7 +1381,6 @@ def resolve(
     @staticmethod
     @utils.utils.error_wrapper
     @utils.authentication_required
-    @utils.authorization_required(["read_carriers"])
     def resolve_list(
         info,
         filter: typing.Optional[inputs.CarrierFilter] = strawberry.UNSET,
diff --git a/modules/sdk/karrio/core/utils/tracing.py b/modules/sdk/karrio/core/utils/tracing.py
@@ -21,6 +21,24 @@
 
 Trace = typing.Callable[[typing.Any, str], typing.Any]
 
+# Shared thread pool executor for trace recording
+# Using a single executor avoids the overhead of creating new thread pools per trace
+_trace_executor: typing.Optional[futures.ThreadPoolExecutor] = None
+_trace_executor_lock = __import__("threading").Lock()
+
+
+def _get_trace_executor() -> futures.ThreadPoolExecutor:
+    """Get or create the shared trace executor (lazy initialization, thread-safe)."""
+    global _trace_executor
+    if _trace_executor is None:
+        with _trace_executor_lock:
+            if _trace_executor is None:
+                _trace_executor = futures.ThreadPoolExecutor(
+                    max_workers=4,
+                    thread_name_prefix="karrio_trace",
+                )
+    return _trace_executor
+
 
 # =============================================================================
 # Telemetry Abstraction Layer
@@ -380,8 +398,9 @@ def _save():
                 metadata=metadata,
             )
 
-        promise = futures.ThreadPoolExecutor(max_workers=1)
-        self.inner_recordings.update({promise.submit(_save): data})
+        # Use shared executor to avoid creating new thread pools per trace
+        executor = _get_trace_executor()
+        self.inner_recordings.update({executor.submit(_save): data})
 
         # Add telemetry breadcrumb for APM context
         self._telemetry.add_breadcrumb(
