fleet/changes
Victor Lyuboslavsky 2ddc2ae90a
Optimized PolicyQueriesForHost and ListPoliciesForHost SQL queries (#43035)
**Related issue:** Resolves #43034

## Before (correlated subqueries):

The old query scans the policies table and for each policy row, MySQL
executes up to 3 separate subqueries against policy_labels +
label_membership:

```sql
  -- For EACH policy row p:

  -- Subquery 1: Does this policy have any include labels?
  NOT EXISTS (
      SELECT 1 FROM policy_labels pl
      WHERE pl.policy_id = p.id AND pl.exclude = 0
  )

  -- Subquery 2: Is the host in at least one include label?
  OR EXISTS (
      SELECT 1 FROM policy_labels pl
      INNER JOIN label_membership lm ON (lm.host_id = ? AND lm.label_id = pl.label_id)
      WHERE pl.policy_id = p.id AND pl.exclude = 0
  )

  -- Subquery 3: Is the host in any exclude label?
  AND NOT EXISTS (
      SELECT 1 FROM policy_labels pl
      INNER JOIN label_membership lm ON (lm.host_id = ? AND lm.label_id = pl.label_id)
      WHERE pl.policy_id = p.id AND pl.exclude = 1
  )
```

With 200 policies, MySQL executes up to 600 subquery probes into policy_labels and label_membership.

## After (single aggregated LEFT JOIN):

The new query first builds one aggregated result set from policy_labels + label_membership for this host, grouped by policy_id, then joins it once:

```sql
  LEFT JOIN (
      SELECT pl.policy_id,
             MAX(CASE WHEN pl.exclude = 0 THEN 1 ELSE 0 END) AS has_include_labels,
             MAX(CASE WHEN pl.exclude = 0 AND lm.host_id IS NOT NULL THEN 1 ELSE 0 END) AS host_in_include,
             MAX(CASE WHEN pl.exclude = 1 AND lm.host_id IS NOT NULL THEN 1 ELSE 0 END) AS host_in_exclude
      FROM policy_labels pl
      LEFT JOIN label_membership lm ON lm.label_id = pl.label_id AND lm.host_id = ?
      GROUP BY pl.policy_id
  ) pl_agg ON pl_agg.policy_id = p.id
```

The subquery scans policy_labels once, LEFT JOINs to label_membership for the specific host, and aggregates per policy. Each policy gets three booleans:

- has_include_labels: 1 if any policy_labels row with exclude=0 exists
- host_in_include: 1 if any include label row matched a label_membership row for this host
- host_in_exclude: 1 if any exclude label row matched a label_membership row for this host

Then the WHERE clause uses these:

```sql
  (COALESCE(pl_agg.has_include_labels, 0) = 0 OR pl_agg.host_in_include = 1)
  AND COALESCE(pl_agg.host_in_exclude, 0) = 0
```

The COALESCE handles policies with no policy_labels rows at all (the LEFT JOIN produces NULL).

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] QA'd all new/changed functionality manually



## Summary by CodeRabbit

## Release Notes

* **Refactor**
  * Optimized database query efficiency for policy operations, delivering approximately 77% faster query execution at scale while improving support for label-based policy scoping.

2026-04-06 08:50:18 -05:00
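Added example, not Fleet's code: label scoping decides which policies a host is evaluated against, so the rewrite has to be behaviour-preserving, including the unlabelled-policy case where the LEFT JOIN yields NULL. This SQLite script runs both predicates from the commit message over constructed rows in policies, policy_labels and label_membership and checks that they select the same policy ids per host; column definitions beyond the names used in the message are assumptions.

```python
import sqlite3
# Constructed schema mirroring the three tables named in the commit message.
SCHEMA = """
CREATE TABLE policies (id INTEGER PRIMARY KEY);
CREATE TABLE policy_labels (policy_id INTEGER, label_id INTEGER, exclude INTEGER);
CREATE TABLE label_membership (host_id INTEGER, label_id INTEGER);
"""
# Constructed data: policy 1 has no labels, 2 includes label 10, 3 excludes 20,
# 4 includes 10 and excludes 20, 5 includes label 30 (no host is a member of 30).
DATA = """
INSERT INTO policies VALUES (1), (2), (3), (4), (5);
INSERT INTO policy_labels VALUES (2,10,0), (3,20,1), (4,10,0), (4,20,1), (5,30,0);
INSERT INTO label_membership VALUES (1,10), (2,10), (2,20);
"""
# "Before": the three correlated subqueries, re-evaluated for every policy row.
OLD = """SELECT p.id FROM policies p
WHERE (NOT EXISTS (SELECT 1 FROM policy_labels pl
                   WHERE pl.policy_id = p.id AND pl.exclude = 0)
   OR EXISTS (SELECT 1 FROM policy_labels pl
              INNER JOIN label_membership lm ON (lm.host_id = ? AND lm.label_id = pl.label_id)
              WHERE pl.policy_id = p.id AND pl.exclude = 0))
  AND NOT EXISTS (SELECT 1 FROM policy_labels pl
                  INNER JOIN label_membership lm ON (lm.host_id = ? AND lm.label_id = pl.label_id)
                  WHERE pl.policy_id = p.id AND pl.exclude = 1)
ORDER BY p.id"""
# "After": one aggregated LEFT JOIN per host; COALESCE covers unlabelled policies.
NEW = """SELECT p.id FROM policies p
LEFT JOIN (
    SELECT pl.policy_id,
           MAX(CASE WHEN pl.exclude = 0 THEN 1 ELSE 0 END) AS has_include_labels,
           MAX(CASE WHEN pl.exclude = 0 AND lm.host_id IS NOT NULL THEN 1 ELSE 0 END) AS host_in_include,
           MAX(CASE WHEN pl.exclude = 1 AND lm.host_id IS NOT NULL THEN 1 ELSE 0 END) AS host_in_exclude
    FROM policy_labels pl
    LEFT JOIN label_membership lm ON lm.label_id = pl.label_id AND lm.host_id = ?
    GROUP BY pl.policy_id
) pl_agg ON pl_agg.policy_id = p.id
WHERE (COALESCE(pl_agg.has_include_labels, 0) = 0 OR pl_agg.host_in_include = 1)
  AND COALESCE(pl_agg.host_in_exclude, 0) = 0
ORDER BY p.id"""

def policies_for_host(sql, host_id):
    """Policy ids one predicate selects for host_id over the constructed data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + DATA)
    # The old form binds the host id twice, the new form once.
    return [r[0] for r in conn.execute(sql, (host_id,) * sql.count("?"))]

def same_result(host_id):
    return policies_for_host(OLD, host_id) == policies_for_host(NEW, host_id)
```

Host 1 is only in the include label, host 2 is in both the include and the exclude label, and host 3 is in no label, which exercises every branch of the WHERE clause.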
.keep Issue 1009 calculate diff software (#1305) 2021-07-08 13:57:43 -03:00
14827-prevent-TOCTOU-last-admin Fix TOCTOU race in last global admin protection (#42172) 2026-04-01 15:00:08 -03:00
29657-custom-settings-configuration-profiles Rename custom settings to configuration profiles (#41250) 2026-03-25 10:07:53 +01:00
31289-acme-for-mdm-protocol ACME MDM -> main (#42926) 2026-04-02 15:56:31 -05:00
32126-macos-fleetd-reinstall Fix fleetd in-band upgrade on macOS hosts (#42187) 2026-03-27 09:04:14 -03:00
32662-include-correct-cpe Generate correct CPE from malformed ipswitch whatsup CPE, ensure matches relevant CVEs (#41704) 2026-03-16 16:17:47 -05:00
32773-preview-windows-mdm Fix: Missing guide: How to try Windows MDM (fleetctl preview) (#42451) 2026-03-27 12:15:35 -03:00
33106-fix-generate-gitops-vpp Fix fleetctl generate-gitops failing to include VPP fleet assignments (#42429) 2026-03-26 19:06:51 -05:00
33418-windows-mdm-profile-deletion SyncML <Delete> Windows profiles (#42206) 2026-03-26 18:25:54 -05:00
34433-speedup-macos-profile-delivery speed up macOS profile delivery for initial enrollments (#41960) 2026-03-19 14:58:10 -05:00
34667-scim-user-host-emails-association Fix SCIM user association with host when IdP user is set before being provisioned (#42889) 2026-04-02 13:35:07 -03:00
34950-nano-tables-cleanup #34950 Cleanup nano refetch commands in the background (#42472) 2026-04-02 06:16:55 -04:00
35067-windows-pro-missing-vulnerabilities Fixed bug where Windows hosts would get 0 CVEs. (#42021) 2026-03-19 22:01:59 -05:00
35467-detail-query-config-preload Reduced redundant database calls in the osquery distributed query results hot path (#42157) 2026-03-23 10:31:12 -05:00
35484-improve-policy_membership-contention Improve contention around policy_membership table (35484) (#40853) 2026-03-16 15:12:25 -04:00
36312-trim-spaces-from-fleets-names Trim spaces on Fleet's names (36312) 2026-03-18 12:20:23 -04:00
36751-add-fmas-to-policy-automation Implement FMA software policy automation (#42533) 2026-03-30 11:25:46 -05:00
36799-macos-disk-space-purgeable Add disk_space fleetd table for accurate macOS disk space reporting (#41575) 2026-03-17 12:59:17 -03:00
37323-jetbrains-cve Updated ingestion/CVE logic to support Jetbrains software with 2 version numbers (#42003) 2026-03-19 11:14:14 -05:00
37546-android-certificate-install-activity Added automatic Android cert retry (#42734) 2026-04-01 13:49:24 -05:00
37556-resend-android-certs Resend android cert to host - frontend, update profile API (#42297) 2026-03-26 13:06:29 -07:00
38002-throttle-ca-certificate-profiles Throttle CA access through MDM (#42114) 2026-03-23 09:04:55 -05:00
38036-gitops-ca-delete-order Fixed GitOps failing to delete a certificate authority (#41693) 2026-03-16 15:51:28 -05:00
38041-entra-windows-conditional-access Windows conditional access: Ingest device_id from Windows devices (#41822) 2026-03-17 12:33:39 -03:00
38793-python-scripts Add Python script support for macOS and Linux (#38562) 2026-03-24 10:01:54 -04:00
38929-reports-tab Fleet UI: Hide host details reports when not supported (#42746) 2026-04-02 16:42:51 -04:00
39066-vpp-timeout-install-details Improve VPP errors for large install failures (#41997) 2026-03-20 15:37:42 -04:00
39082-setup-logo-light-background Save logo URL for dark and light backgrounds during setup (#41823) 2026-03-17 12:35:36 -03:00
39190-display-sw-version-filter Return light software metadata when listing hosts filtered by software present only on a different team (#42519) 2026-03-30 21:33:21 -07:00
39308-team-ca-read-access Fixed team maintainers, admins, and GitOps users being unable to add certificate templates (#41740) 2026-03-16 12:24:31 -05:00
39316-winoffice-vulnerability-detection Add Windows Office vulnerability detection runtime (3/3) (#42872) 2026-04-03 09:44:55 -06:00
39842-generate-gitops-bug Use list FMA endpoint in generate-gitops to match FMAs by ID (#42483) 2026-03-26 15:52:28 -04:00
39899-deterministic-cpe-matching Fixed nondeterministic CPE matching when multiple CPE candidates share the same product name (#41649) 2026-03-17 07:22:23 -05:00
39968-sso-validity-increase-default Update SSO session validity from 5 to 15 min by default (#41456) 2026-03-20 10:56:54 +01:00
40050-server-core-msrc-differentiation Differentiate between Windows Server Core and full desktop installations (#42034) 2026-03-21 10:03:57 -05:00
40057-osv-vulns Use OSV for ubuntu vulnerability scanning (#42063) 2026-04-03 15:59:32 -05:00
40117-fix-sql-table-alias-platform-detection The fix skips nodes where type === "column_ref", since those aren't table references (#42821) 2026-04-01 14:22:10 -05:00
40137-update-default-fleet Update default fleet selected on dashboard and controls (#42688) 2026-03-31 09:11:51 -05:00
40581-os-versions-vuln-details Fix OS versions not populated in vulnerability details (#42759) 2026-04-01 17:09:20 -06:00
40715-allow-whitespace-end-users-form Allow typing whitespaces on Settings > Integrations > SSO > End users form (#41817) 2026-03-17 12:35:25 -03:00
40751-google-drive-brew-version Update how google drive fma version is created (#42270) 2026-03-27 16:54:22 -04:00
40785-fix-gitops-vpp-token-assignment Defer all VPP apps when there are missing teams (#42862) 2026-04-02 15:38:58 -04:00
40841-gitops-sw-upload-error Fix GitOps policy-software resolution to fall back to hash when URL lookup fails (#42816) 2026-04-02 17:22:14 -04:00
40910-correct-request-certificate-pem Update PEM header type per hydrant spec (#42052) 2026-03-19 15:37:22 -04:00
40972-policy-description Fleet UI: Add description to add/edit policies (#42692) 2026-03-31 09:35:37 -04:00
41324-support-labels-include-all-for-installers Backend: Support labels_include_all for installers/apps (#41324) 2026-03-18 13:27:53 -04:00
41409-use-fleetctl-new-templates-as-starter-lib Use fleetctl new templates for new instances (#42768) 2026-04-03 09:58:03 -05:00
41484-fix-windows-mdm-profile-upload-panic Fix panic message for Windows MDM profile upload (#42913) 2026-04-02 13:29:00 -05:00
41500-validate-scripts add missing validation for scripts, tests (#42424) 2026-03-30 10:13:03 -04:00
41534-host-details-reports-api-end-point New API endpoint for host reports (41534) 2026-03-18 11:03:48 -04:00
41540-host-details-reports-db-optimizations Performance improvements for Host Reports (41540) 2026-03-26 07:04:18 -04:00
41542-android-cert-resend-backend 41542 android cert resend backend (#42099) 2026-03-23 17:01:52 -04:00
41586-admin-by-request-false-positive Fixed Admin By Request false positive CVEs (#42095) 2026-03-20 10:35:56 -05:00
41601-use-multiplatform-names-in-front-end Use new multiplatform keys on the front end (#41763) 2026-03-30 08:56:21 -05:00
41603-fix-query-responses Fix get/create/update query response (#41966) 2026-03-20 10:30:52 -05:00
41631-not-installed fix usage of query params in host software endpoint (#42302) 2026-03-24 17:53:19 -04:00
41636-typo-in-msrc-json Fix "vulnerabilities" key in MSRC json (#42706) 2026-04-01 12:25:23 -06:00
41644-improve-cpe-matching Improved cpe deterministic matching (#42325) 2026-03-24 17:48:02 -05:00
41670-auto-rotate-recovery-lock Backend: Auto rotate recovery lock passwords (#42084) 2026-03-26 12:12:41 -06:00
41672-allow-omitting-manual-hosts-label Allow hosts key to be empty for manual labels (#42022) 2026-03-20 10:36:14 -05:00
41710-overwrite-software-title Update software title names on FMA sync and upload (#42647) 2026-03-30 15:59:19 -04:00
41742-fix-my-device-500-fleet-free Fixed 500 and 402 on My Device page. (#41748) 2026-03-16 16:09:43 -05:00
41778-fix-enqueue-setup-experience-items-for-arch-linux Bugfix: properly enqueue compatible setup experience items for arch/omarchy linux (#41778) 2026-03-17 15:04:33 -04:00
41815-override-patch-policy-query Override patch policy query (#42322) 2026-03-25 10:32:41 -04:00
41888-otel-service-name Allow OTEL service name to be overridden (#41890) 2026-03-18 13:59:28 -05:00
42017-host-details-reports-tab [Host details > Reports] Frontend changes (#42017) 2026-03-24 10:45:34 -03:00
42047-android-web-app-banner Add warning banner for Android web apps requiring Google Chrome (#42598) 2026-03-28 15:35:45 -05:00
42185-add-flatcar-coreos-linux-platforms Add Flatcar Container Linux and CoreOS to recognized Linux platforms (#42186) 2026-03-23 10:33:48 -03:00
42327-apple-profile-retries Increased Apple retry from 1 to 3. (#42331) 2026-03-26 11:29:20 -05:00
42383-android-display-name Use display name when applicable for Android config change updates (#42626) 2026-03-30 09:51:12 -05:00
42399-support-vpp-policy-automations-in-generate-gitops fix policy software vpp automations (#42400) 2026-03-25 15:10:40 -05:00
42443-fix-show-disk-encryption-key-modal Fix disk encryption key modal to not show stale key when switching between hosts (#42444) 2026-03-27 10:13:59 -03:00
42572-fix-duplicate-text Filter errors that start with Couldn't add (#42764) 2026-03-31 16:33:55 -04:00
42600-android-cert-templates-cleared-on-reenroll Clear Android cert records on unenroll. (#42920) 2026-04-02 14:59:09 -05:00
42751-r2-fma Switch FMA manifest retrieval to use Cloudflare R2 bucket (#43012) 2026-04-03 19:08:45 -05:00
42799-option-to-unlock-not-available-afler-lock Do not clear MDM lock state on "idle" after lock (#42799) (#42825) 2026-04-02 11:02:50 -04:00
42808-rwmutex-jitter-shouldupdate Improved performance of distributed read endpoint (#42810) 2026-04-03 07:13:56 -05:00
42814-sso-learn-more-link Fleet UI: Add "Learn more" link to End-user Authentication docs on SSO settings page (#42814) 2026-04-01 16:25:57 -05:00
43034-optimize-policy-queries-for-host Optimized PolicyQueriesForHost and ListPoliciesForHost SQL queries (#43035) 2026-04-06 08:50:18 -05:00
allow-clearing-windows-update-settings Allowed clearing Windows OS update deadline (#42272) 2026-03-25 16:02:54 -05:00
bump-mysql-8.0.42 Bump MySQL test version from 8.0.39 to 8.0.42 (#42122) 2026-03-20 14:24:29 -05:00
refactor-named-functions-nil-checks Refactored to improve NilAway coverage (#42106) 2026-03-19 22:01:44 -05:00
up-default-software-batch up default limit for software batch (#41827) 2026-03-17 10:20:09 -05:00
update-go-1.26.1 Updated go to 1.26.1 (#42027) 2026-03-19 07:01:00 -05:00