Merge pull request authzed#1792 from alecmerdler/check-bulk-permissions-v1

CheckBulkPermissions

Author: alecmerdler

e2e/go.mod

@@ -5,7 +5,7 @@ go 1.21
 toolchain go1.21.1
 
 require (
-	github.com/authzed/authzed-go v0.10.2-0.20240206183056-781a5f5d1b3c
+	github.com/authzed/authzed-go v0.10.2-0.20240312180602-9b3947de5a3d
 	github.com/authzed/grpcutil v0.0.0-20240123092924-129dc0a6a6e1
 	github.com/authzed/spicedb v1.29.1
 	github.com/brianvoe/gofakeit/v6 v6.23.2

e2e/go.sum

@@ -20,8 +20,8 @@ github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8
 github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10=
 github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230512164433-5d1fd1a340c9 h1:goHVqTbFX3AIo0tzGr14pgfAW2ZfPChKO21Z9MGf/gk=
 github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230512164433-5d1fd1a340c9/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM=
-github.com/authzed/authzed-go v0.10.2-0.20240206183056-781a5f5d1b3c h1:w71KppS/+mCDkNXR8vmwXGVt/1dLt+axcIq+qK7f7To=
-github.com/authzed/authzed-go v0.10.2-0.20240206183056-781a5f5d1b3c/go.mod h1:bS4eeTw/ZpCunZHePrt1MAcvOggAwL8Djh8cx+CR33g=
+github.com/authzed/authzed-go v0.10.2-0.20240312180602-9b3947de5a3d h1:hzo0UIaYtLyJsEdCrM05k1k2YZHqPAyMpHL7rq37j5Q=
+github.com/authzed/authzed-go v0.10.2-0.20240312180602-9b3947de5a3d/go.mod h1:2cnND+OBSxz1DpVfaQBKtdobTiaX2qAlj7k9eNr/pM4=
 github.com/authzed/cel-go v0.17.5 h1:lfpkNrR99B5QRHg5qdG9oLu/kguVlZC68VJuMk8tH9Y=
 github.com/authzed/cel-go v0.17.5/go.mod h1:XL/zEq5hKGVF8aOdMbG7w+BQPihLjY2W8N+UIygDA2I=
 github.com/authzed/grpcutil v0.0.0-20240123092924-129dc0a6a6e1 h1:zBfQzia6Hz45pJBeURTrv1b6HezmejB6UmiGuBilHZM=

go.mod

@@ -8,7 +8,7 @@ require (
 	contrib.go.opencensus.io/exporter/prometheus v0.4.2
 	github.com/IBM/pgxpoolprometheus v1.1.1
 	github.com/Masterminds/squirrel v1.5.4
-	github.com/authzed/authzed-go v0.10.2-0.20240206183056-781a5f5d1b3c
+	github.com/authzed/authzed-go v0.10.2-0.20240312180602-9b3947de5a3d
 	github.com/authzed/cel-go v0.17.5
 	github.com/authzed/consistent v0.1.0
 	github.com/authzed/grpcutil v0.0.0-20240123092924-129dc0a6a6e1

go.sum

@@ -116,8 +116,8 @@ github.com/ashanbrown/forbidigo v1.6.0 h1:D3aewfM37Yb3pxHujIPSpTf6oQk9sc9WZi8ger
 github.com/ashanbrown/forbidigo v1.6.0/go.mod h1:Y8j9jy9ZYAEHXdu723cUlraTqbzjKF1MUyfOKL+AjcU=
 github.com/ashanbrown/makezero v1.1.1 h1:iCQ87C0V0vSyO+M9E/FZYbu65auqH0lnsOkf5FcB28s=
 github.com/ashanbrown/makezero v1.1.1/go.mod h1:i1bJLCRSCHOcOa9Y6MyF2FTfMZMFdHvxKHxgO5Z1axI=
-github.com/authzed/authzed-go v0.10.2-0.20240206183056-781a5f5d1b3c h1:w71KppS/+mCDkNXR8vmwXGVt/1dLt+axcIq+qK7f7To=
-github.com/authzed/authzed-go v0.10.2-0.20240206183056-781a5f5d1b3c/go.mod h1:bS4eeTw/ZpCunZHePrt1MAcvOggAwL8Djh8cx+CR33g=
+github.com/authzed/authzed-go v0.10.2-0.20240312180602-9b3947de5a3d h1:hzo0UIaYtLyJsEdCrM05k1k2YZHqPAyMpHL7rq37j5Q=
+github.com/authzed/authzed-go v0.10.2-0.20240312180602-9b3947de5a3d/go.mod h1:2cnND+OBSxz1DpVfaQBKtdobTiaX2qAlj7k9eNr/pM4=
 github.com/authzed/cel-go v0.17.5 h1:lfpkNrR99B5QRHg5qdG9oLu/kguVlZC68VJuMk8tH9Y=
 github.com/authzed/cel-go v0.17.5/go.mod h1:XL/zEq5hKGVF8aOdMbG7w+BQPihLjY2W8N+UIygDA2I=
 github.com/authzed/consistent v0.1.0 h1:tlh1wvKoRbjRhMm2P+X5WQQyR54SRoS4MyjLOg17Mp8=

internal/services/integrationtesting/consistency_test.go

@@ -385,7 +385,7 @@ func validateLookupResources(t *testing.T, vctx validationContext) {
 							requireSameSets(t, maps.Keys(accessibleResources), maps.Keys(resolvedResources))
 
 							// Ensure that every returned concrete object Checks directly.
-							bulkCheckItems := make([]*v1.BulkCheckPermissionRequestItem, 0, len(resolvedResources))
+							checkBulkItems := make([]*v1.CheckBulkPermissionsRequestItem, 0, len(resolvedResources))
 							expectedBulkPermissions := map[string]v1.CheckPermissionResponse_Permissionship{}
 
 							for _, resolvedResource := range resolvedResources {
@@ -420,7 +420,7 @@ func validateLookupResources(t *testing.T, vctx validationContext) {
 									permissionship,
 								)
 
-								bulkCheckItems = append(bulkCheckItems, &v1.BulkCheckPermissionRequestItem{
+								checkBulkItems = append(checkBulkItems, &v1.CheckBulkPermissionsRequestItem{
 									Resource: &v1.ObjectReference{
 										ObjectType: resourceRelation.Namespace,
 										ObjectId:   resolvedResource.ResourceObjectId,
@@ -437,8 +437,8 @@ func validateLookupResources(t *testing.T, vctx validationContext) {
 							}
 
 							// Ensure they are all found via bulk check as well.
-							results, err := vctx.serviceTester.BulkCheck(context.Background(),
-								bulkCheckItems,
+							results, err := vctx.serviceTester.CheckBulk(context.Background(),
+								checkBulkItems,
 								vctx.revision,
 							)
 							require.NoError(t, err)

internal/services/integrationtesting/consistencytestutil/servicetester.go

@@ -30,7 +30,9 @@ type ServiceTester interface {
 	Read(ctx context.Context, namespaceName string, atRevision datastore.Revision) ([]*core.RelationTuple, error)
 	LookupResources(ctx context.Context, resourceRelation *core.RelationReference, subject *core.ObjectAndRelation, atRevision datastore.Revision, cursor *v1.Cursor, limit uint32) ([]*v1.LookupResourcesResponse, *v1.Cursor, error)
 	LookupSubjects(ctx context.Context, resource *core.ObjectAndRelation, subjectRelation *core.RelationReference, atRevision datastore.Revision, caveatContext map[string]any) (map[string]*v1.LookupSubjectsResponse, error)
+	// NOTE: ExperimentalService/BulkCheckPermission has been promoted to PermissionsService/CheckBulkPermissions
 	BulkCheck(ctx context.Context, items []*v1.BulkCheckPermissionRequestItem, atRevision datastore.Revision) ([]*v1.BulkCheckPermissionPair, error)
+	CheckBulk(ctx context.Context, items []*v1.CheckBulkPermissionsRequestItem, atRevision datastore.Revision) ([]*v1.CheckBulkPermissionsPair, error)
 }
 
 func optionalizeRelation(relation string) string {
@@ -252,3 +254,19 @@ func (v1st v1ServiceTester) BulkCheck(ctx context.Context, items []*v1.BulkCheck
 
 	return result.Pairs, nil
 }
+
+func (v1st v1ServiceTester) CheckBulk(ctx context.Context, items []*v1.CheckBulkPermissionsRequestItem, atRevision datastore.Revision) ([]*v1.CheckBulkPermissionsPair, error) {
+	result, err := v1st.permClient.CheckBulkPermissions(ctx, &v1.CheckBulkPermissionsRequest{
+		Items: items,
+		Consistency: &v1.Consistency{
+			Requirement: &v1.Consistency_AtLeastAsFresh{
+				AtLeastAsFresh: zedtoken.MustNewFromRevision(atRevision),
+			},
+		},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return result.Pairs, nil
+}

internal/services/v1/bulkcheck.go

@@ -0,0 +1,251 @@
+package v1
+
+import (
+	"context"
+	"sync"
+
+	v1 "github.com/authzed/authzed-go/proto/authzed/api/v1"
+	"github.com/jzelinskie/stringz"
+	"google.golang.org/grpc/status"
+
+	"github.com/authzed/spicedb/internal/dispatch"
+	"github.com/authzed/spicedb/internal/graph"
+	"github.com/authzed/spicedb/internal/graph/computed"
+	datastoremw "github.com/authzed/spicedb/internal/middleware/datastore"
+	"github.com/authzed/spicedb/internal/middleware/usagemetrics"
+	"github.com/authzed/spicedb/internal/namespace"
+	"github.com/authzed/spicedb/internal/services/shared"
+	"github.com/authzed/spicedb/internal/taskrunner"
+	"github.com/authzed/spicedb/pkg/genutil"
+	"github.com/authzed/spicedb/pkg/genutil/mapz"
+	"github.com/authzed/spicedb/pkg/genutil/slicez"
+	"github.com/authzed/spicedb/pkg/middleware/consistency"
+	dispatchv1 "github.com/authzed/spicedb/pkg/proto/dispatch/v1"
+	"github.com/authzed/spicedb/pkg/spiceerrors"
+)
+
+// bulkChecker contains the logic to allow ExperimentalService/BulkCheckPermission and
+// PermissionsService/CheckBulkPermissions to share the same implementation.
+type bulkChecker struct {
+	maxAPIDepth          uint32
+	maxCaveatContextSize int
+	maxConcurrency       uint16
+
+	dispatch dispatch.Dispatcher
+}
+
+func (bc *bulkChecker) checkBulkPermissions(ctx context.Context, req *v1.CheckBulkPermissionsRequest) (*v1.CheckBulkPermissionsResponse, error) {
+	atRevision, checkedAt, err := consistency.RevisionFromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(req.Items) > maxBulkCheckCount {
+		return nil, NewExceedsMaximumChecksErr(uint64(len(req.Items)), maxBulkCheckCount)
+	}
+
+	// Compute a hash for each requested item and record its index(es) for the items, to be used for sorting of results.
+	itemCount, err := genutil.EnsureUInt32(len(req.Items))
+	if err != nil {
+		return nil, err
+	}
+
+	itemIndexByHash := mapz.NewMultiMapWithCap[string, int](itemCount)
+	for index, item := range req.Items {
+		itemHash, err := computeCheckBulkPermissionsItemHash(item)
+		if err != nil {
+			return nil, err
+		}
+
+		itemIndexByHash.Add(itemHash, index)
+	}
+
+	// Identify checks with same permission+subject over different resources and group them. This is doable because
+	// the dispatching system already internally supports this kind of batching for performance.
+	groupedItems, err := groupItems(ctx, groupingParameters{
+		atRevision:           atRevision,
+		maxCaveatContextSize: bc.maxCaveatContextSize,
+		maximumAPIDepth:      bc.maxAPIDepth,
+	}, req.Items)
+	if err != nil {
+		return nil, err
+	}
+
+	bulkResponseMutex := sync.Mutex{}
+
+	tr := taskrunner.NewPreloadedTaskRunner(ctx, bc.maxConcurrency, len(groupedItems))
+
+	respMetadata := &dispatchv1.ResponseMeta{
+		DispatchCount:       1,
+		CachedDispatchCount: 0,
+		DepthRequired:       1,
+		DebugInfo:           nil,
+	}
+	usagemetrics.SetInContext(ctx, respMetadata)
+
+	orderedPairs := make([]*v1.CheckBulkPermissionsPair, len(req.Items))
+
+	addPair := func(pair *v1.CheckBulkPermissionsPair) error {
+		pairItemHash, err := computeCheckBulkPermissionsItemHash(pair.Request)
+		if err != nil {
+			return err
+		}
+
+		found, ok := itemIndexByHash.Get(pairItemHash)
+		if !ok {
+			return spiceerrors.MustBugf("missing expected item hash")
+		}
+
+		for _, index := range found {
+			orderedPairs[index] = pair
+		}
+
+		return nil
+	}
+
+	appendResultsForError := func(params *computed.CheckParameters, resourceIDs []string, err error) error {
+		rewritten := shared.RewriteError(ctx, err, &shared.ConfigForErrors{
+			MaximumAPIDepth: bc.maxAPIDepth,
+		})
+		statusResp, ok := status.FromError(rewritten)
+		if !ok {
+			// If error is not a gRPC Status, fail the entire bulk check request.
+			return err
+		}
+
+		bulkResponseMutex.Lock()
+		defer bulkResponseMutex.Unlock()
+
+		for _, resourceID := range resourceIDs {
+			reqItem, err := requestItemFromResourceAndParameters(params, resourceID)
+			if err != nil {
+				return err
+			}
+
+			if err := addPair(&v1.CheckBulkPermissionsPair{
+				Request: reqItem,
+				Response: &v1.CheckBulkPermissionsPair_Error{
+					Error: statusResp.Proto(),
+				},
+			}); err != nil {
+				return err
+			}
+		}
+
+		return nil
+	}
+
+	appendResultsForCheck := func(params *computed.CheckParameters, resourceIDs []string, metadata *dispatchv1.ResponseMeta, results map[string]*dispatchv1.ResourceCheckResult) error {
+		bulkResponseMutex.Lock()
+		defer bulkResponseMutex.Unlock()
+
+		for _, resourceID := range resourceIDs {
+			reqItem, err := requestItemFromResourceAndParameters(params, resourceID)
+			if err != nil {
+				return err
+			}
+
+			if err := addPair(&v1.CheckBulkPermissionsPair{
+				Request:  reqItem,
+				Response: pairItemFromCheckResult(results[resourceID]),
+			}); err != nil {
+				return err
+			}
+		}
+
+		respMetadata.DispatchCount += metadata.DispatchCount
+		respMetadata.CachedDispatchCount += metadata.CachedDispatchCount
+		return nil
+	}
+
+	for _, group := range groupedItems {
+		group := group
+
+		slicez.ForEachChunk(group.resourceIDs, MaxBulkCheckDispatchChunkSize, func(resourceIDs []string) {
+			tr.Add(func(ctx context.Context) error {
+				ds := datastoremw.MustFromContext(ctx).SnapshotReader(atRevision)
+
+				// Ensure the check namespaces and relations are valid.
+				err := namespace.CheckNamespaceAndRelations(ctx,
+					[]namespace.TypeAndRelationToCheck{
+						{
+							NamespaceName: group.params.ResourceType.Namespace,
+							RelationName:  group.params.ResourceType.Relation,
+							AllowEllipsis: false,
+						},
+						{
+							NamespaceName: group.params.Subject.Namespace,
+							RelationName:  stringz.DefaultEmpty(group.params.Subject.Relation, graph.Ellipsis),
+							AllowEllipsis: true,
+						},
+					}, ds)
+				if err != nil {
+					return appendResultsForError(group.params, resourceIDs, err)
+				}
+
+				// Call bulk check to compute the check result(s) for the resource ID(s).
+				rcr, metadata, err := computed.ComputeBulkCheck(ctx, bc.dispatch, *group.params, resourceIDs)
+				if err != nil {
+					return appendResultsForError(group.params, resourceIDs, err)
+				}
+
+				return appendResultsForCheck(group.params, resourceIDs, metadata, rcr)
+			})
+		})
+	}
+
+	// Run the checks in parallel.
+	if err := tr.StartAndWait(); err != nil {
+		return nil, err
+	}
+
+	return &v1.CheckBulkPermissionsResponse{CheckedAt: checkedAt, Pairs: orderedPairs}, nil
+}
+
+func toCheckBulkPermissionsRequest(req *v1.BulkCheckPermissionRequest) *v1.CheckBulkPermissionsRequest {
+	items := make([]*v1.CheckBulkPermissionsRequestItem, len(req.Items))
+	for i, item := range req.Items {
+		items[i] = &v1.CheckBulkPermissionsRequestItem{
+			Resource:   item.Resource,
+			Permission: item.Permission,
+			Subject:    item.Subject,
+			Context:    item.Context,
+		}
+	}
+
+	return &v1.CheckBulkPermissionsRequest{Items: items}
+}
+
+func toBulkCheckPermissionResponse(resp *v1.CheckBulkPermissionsResponse) *v1.BulkCheckPermissionResponse {
+	pairs := make([]*v1.BulkCheckPermissionPair, len(resp.Pairs))
+	for i, pair := range resp.Pairs {
+		pairs[i] = &v1.BulkCheckPermissionPair{}
+		pairs[i].Request = &v1.BulkCheckPermissionRequestItem{
+			Resource:   pair.Request.Resource,
+			Permission: pair.Request.Permission,
+			Subject:    pair.Request.Subject,
+			Context:    pair.Request.Context,
+		}
+
+		switch t := pair.Response.(type) {
+		case *v1.CheckBulkPermissionsPair_Item:
+			pairs[i].Response = &v1.BulkCheckPermissionPair_Item{
+				Item: &v1.BulkCheckPermissionResponseItem{
+					Permissionship:    t.Item.Permissionship,
+					PartialCaveatInfo: t.Item.PartialCaveatInfo,
+				},
+			}
+		case *v1.CheckBulkPermissionsPair_Error:
+			pairs[i].Response = &v1.BulkCheckPermissionPair_Error{
+				Error: t.Error,
+			}
+		default:
+			panic("unknown CheckBulkPermissionResponse pair response type")
+		}
+	}
+
+	return &v1.BulkCheckPermissionResponse{
+		CheckedAt: resp.CheckedAt,
+		Pairs:     pairs,
+	}
+}