[AAP-72504] Add configurable page_size and jwt_expiration for resource sync

Allow operators to tune RESOURCE_SYNC_PAGE_SIZE and
RESOURCE_SYNC_JWT_EXPIRATION via Django settings. These are read
automatically by SyncExecutor and create_api_client(), so consuming
services (tower, hub, EDA) pick up new values without code changes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: huffmanca

ansible_base/lib/dynamic_config/settings_logic.py

@@ -268,6 +268,10 @@ def get_mergeable_dab_settings(settings: dict) -> dict:  # NOSONAR
         'RESOURCE_SERVICE_PATH': "/api/gateway/v1/service-index/",
         # Disable legacy SSO by default
         'ENABLE_SERVICE_BACKED_SSO': False,
+        # Page size for assignment pagination during resource sync (capped server-side by MAX_PAGE_SIZE)
+        'RESOURCE_SYNC_PAGE_SIZE': 50,
+        # JWT service token lifetime in seconds for resource sync API calls
+        'RESOURCE_SYNC_JWT_EXPIRATION': 60,
     }
     if 'ansible_base.resource_registry' in installed_apps:
         for key, value in resource_registry_defaults.items():

ansible_base/resource_registry/management/commands/resource_sync.py

@@ -62,10 +62,20 @@ def add_arguments(self, parser):
             required=False,
         )
         parser.add_argument("--asyncio", action="store_true", default=False, help="Enable asyncio executor")
+        parser.add_argument(
+            "--page-size",
+            type=int,
+            default=None,
+            dest="page_size",
+            help="Page size for pagination when fetching assignments (default: from settings, capped server-side by MAX_PAGE_SIZE)",
+            required=False,
+        )
 
     def handle(self, *args, **options):
         """Handle RESOURCE_PROVIDER sync"""
-        arguments = ["resource_type_names", "retries", "retrysleep", "asyncio"]
+        if options.get("page_size") is not None and options["page_size"] < 1:
+            raise CommandError("--page-size must be at least 1")
+        arguments = ["resource_type_names", "retries", "retrysleep", "asyncio", "page_size"]
         options = {k: v for k, v in options.items() if k in arguments}
         try:
             executor = SyncExecutor(**options, stdout=self.stdout)

ansible_base/resource_registry/tasks/sync.py

@@ -109,6 +109,7 @@ def create_api_client() -> ResourceAPIClient:
     if not service_path:
         raise ValueError("RESOURCE_SERVICE_PATH is not set.")
     params["service_path"] = service_path
+    params["jwt_expiration"] = getattr(settings, "RESOURCE_SYNC_JWT_EXPIRATION", 60)
 
     client = get_resource_server_client(**params)
     return client
@@ -190,9 +191,10 @@ class RemoteAssignmentFetcher:
     incomplete so the caller can skip deletions safely.
     """
 
-    def __init__(self, api_client: ResourceAPIClient):
+    def __init__(self, api_client: ResourceAPIClient, page_size: int | None = None):
         self.api_client = api_client
         self.assignments: set[AssignmentTuple] = set()
+        self.page_size = page_size if page_size is not None else getattr(settings, 'RESOURCE_SYNC_PAGE_SIZE', 50)
 
     def fetch(self) -> RemoteAssignmentResult:
         """Paginate user then team assignments and return the result.
@@ -219,7 +221,7 @@ def _paginate(self, list_fn, actor_id_key: str, assignment_type: str) -> bool:
         page = 1
         try:
             while True:
-                resp = list_fn(filters={'page': page})
+                resp = list_fn(filters={'page': page, 'page_size': self.page_size})
                 if resp.status_code != 200:
                     logger.warning(f"Failed to fetch {assignment_type} assignments page {page}: HTTP {resp.status_code}")
                     return False
@@ -250,14 +252,14 @@ def _paginate(self, list_fn, actor_id_key: str, assignment_type: str) -> bool:
             return False
 
 
-def get_remote_assignments(api_client: ResourceAPIClient) -> RemoteAssignmentResult:
+def get_remote_assignments(api_client: ResourceAPIClient, page_size: int | None = None) -> RemoteAssignmentResult:
     """Fetch remote assignments from the resource server and convert to tuples.
 
     Returns a ``RemoteAssignmentResult`` so the caller can distinguish a
     complete fetch from a partial one (e.g. due to HTTP errors or
     timeouts mid-pagination).
     """
-    return RemoteAssignmentFetcher(api_client).fetch()
+    return RemoteAssignmentFetcher(api_client, page_size=page_size).fetch()
 
 
 def get_local_assignments() -> set[AssignmentTuple]:
@@ -617,6 +619,7 @@ class SyncExecutor:
     asyncio: bool = False
     results: dict = field(default_factory=lambda: defaultdict(list))
     sync_assignments: bool = True
+    page_size: int | None = None
 
     def write(self, text: str = ""):
         """Write to assigned IO or simply ignores the text."""
@@ -763,7 +766,7 @@ def _sync_assignments(self):
         self.write(">>> Syncing role assignments")
 
         try:
-            remote_result = get_remote_assignments(self.api_client)
+            remote_result = get_remote_assignments(self.api_client, page_size=self.page_size)
             local_assignments = get_local_assignments()
 
             # Deletions are only safe when the remote fetch was complete.

test_app/tests/resource_registry/test_resource_sync.py

@@ -4,6 +4,7 @@
 
 import pytest
 from django.db.utils import Error
+from django.test import override_settings
 
 from ansible_base.lib.testing.util import StaticResourceAPIClient
 from ansible_base.lib.utils.response import get_relative_url
@@ -13,11 +14,13 @@
 from ansible_base.resource_registry.tasks.sync import (
     AssignmentTuple,
     ManifestItem,
+    RemoteAssignmentFetcher,
     RemoteAssignmentResult,
     ResourceSyncHTTPError,
     SyncExecutor,
     _attempt_create_resource,
     _attempt_update_resource,
+    create_api_client,
     get_remote_assignments,
 )
 
@@ -543,3 +546,58 @@ def test_get_remote_assignments_filters_unknown_roles(static_api_client):
     assert len(result.assignments) == 1
     assignment = next(iter(result.assignments))
     assert assignment.role_definition_name == local_role.name
+
+
+@pytest.mark.django_db
+def test_remote_assignment_fetcher_passes_page_size():
+    """page_size should be included in the pagination filters."""
+    api_client = mock.Mock(spec=["list_user_assignments", "list_team_assignments"])
+    ok = _mock_response()
+    api_client.list_user_assignments.return_value = ok
+    api_client.list_team_assignments.return_value = ok
+
+    RemoteAssignmentFetcher(api_client, page_size=100).fetch()
+
+    api_client.list_user_assignments.assert_called_with(filters={'page': 1, 'page_size': 100})
+    api_client.list_team_assignments.assert_called_with(filters={'page': 1, 'page_size': 100})
+
+
+@pytest.mark.django_db
+def test_remote_assignment_fetcher_reads_page_size_from_settings():
+    """When page_size is not provided, it should be read from settings."""
+    api_client = mock.Mock(spec=["list_user_assignments", "list_team_assignments"])
+    ok = _mock_response()
+    api_client.list_user_assignments.return_value = ok
+    api_client.list_team_assignments.return_value = ok
+
+    with override_settings(RESOURCE_SYNC_PAGE_SIZE=200):
+        fetcher = RemoteAssignmentFetcher(api_client)
+        assert fetcher.page_size == 200
+        fetcher.fetch()
+
+    api_client.list_user_assignments.assert_called_with(filters={'page': 1, 'page_size': 200})
+
+
+@mock.patch('ansible_base.resource_registry.tasks.sync.get_remote_assignments')
+@mock.patch('ansible_base.resource_registry.tasks.sync.get_local_assignments', return_value=set())
+@pytest.mark.django_db
+def test_sync_executor_passes_page_size(mock_local, mock_remote, static_api_client, stdout):
+    """SyncExecutor should forward page_size to get_remote_assignments."""
+    mock_remote.return_value = RemoteAssignmentResult(assignments=set(), is_complete=True)
+    executor = SyncExecutor(api_client=static_api_client, stdout=stdout, page_size=75)
+    executor._sync_assignments()
+    mock_remote.assert_called_once_with(static_api_client, page_size=75)
+
+
+@mock.patch("ansible_base.resource_registry.tasks.sync.get_resource_server_client")
+def test_create_api_client_reads_jwt_expiration(mock_get_client):
+    """create_api_client should read RESOURCE_SYNC_JWT_EXPIRATION from settings."""
+    mock_get_client.return_value = mock.Mock()
+
+    with override_settings(
+        RESOURCE_SERVICE_PATH="/api/gateway/v1/service-index/",
+        RESOURCE_SYNC_JWT_EXPIRATION=120,
+    ):
+        create_api_client()
+
+    assert mock_get_client.call_args.kwargs["jwt_expiration"] == 120