CheckBulkPermissions

Adds the 'PermissionsService/CheckBulkPermissions' API method.
This promotes the existing 'ExperimentalService/BulkCheckPermission'
API out of the experimental service, but does not remove the old
method to ensure backwards compatibility.

To reduce code duplication, this refactors the bulk permission
checking logic into a shared component that can be used by both
the old and new methods. The old method performs protobuf message
conversion on the input, passes the inputs to the shared method,
and then converts the output.

Author: alecmerdler

e2e/go.mod

@@ -5,7 +5,7 @@ go 1.21
 toolchain go1.21.1
 
 require (
-	github.com/authzed/authzed-go v0.10.2-0.20240206183056-781a5f5d1b3c
+	github.com/authzed/authzed-go v0.10.2-0.20240312180602-9b3947de5a3d
 	github.com/authzed/grpcutil v0.0.0-20240123092924-129dc0a6a6e1
 	github.com/authzed/spicedb v1.29.1
 	github.com/brianvoe/gofakeit/v6 v6.23.2

e2e/go.sum

@@ -20,8 +20,8 @@ github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8
 github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10=
 github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230512164433-5d1fd1a340c9 h1:goHVqTbFX3AIo0tzGr14pgfAW2ZfPChKO21Z9MGf/gk=
 github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230512164433-5d1fd1a340c9/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM=
-github.com/authzed/authzed-go v0.10.2-0.20240206183056-781a5f5d1b3c h1:w71KppS/+mCDkNXR8vmwXGVt/1dLt+axcIq+qK7f7To=
-github.com/authzed/authzed-go v0.10.2-0.20240206183056-781a5f5d1b3c/go.mod h1:bS4eeTw/ZpCunZHePrt1MAcvOggAwL8Djh8cx+CR33g=
+github.com/authzed/authzed-go v0.10.2-0.20240312180602-9b3947de5a3d h1:hzo0UIaYtLyJsEdCrM05k1k2YZHqPAyMpHL7rq37j5Q=
+github.com/authzed/authzed-go v0.10.2-0.20240312180602-9b3947de5a3d/go.mod h1:2cnND+OBSxz1DpVfaQBKtdobTiaX2qAlj7k9eNr/pM4=
 github.com/authzed/cel-go v0.17.5 h1:lfpkNrR99B5QRHg5qdG9oLu/kguVlZC68VJuMk8tH9Y=
 github.com/authzed/cel-go v0.17.5/go.mod h1:XL/zEq5hKGVF8aOdMbG7w+BQPihLjY2W8N+UIygDA2I=
 github.com/authzed/grpcutil v0.0.0-20240123092924-129dc0a6a6e1 h1:zBfQzia6Hz45pJBeURTrv1b6HezmejB6UmiGuBilHZM=

go.mod

@@ -8,7 +8,7 @@ require (
 	contrib.go.opencensus.io/exporter/prometheus v0.4.2
 	github.com/IBM/pgxpoolprometheus v1.1.1
 	github.com/Masterminds/squirrel v1.5.4
-	github.com/authzed/authzed-go v0.10.2-0.20240206183056-781a5f5d1b3c
+	github.com/authzed/authzed-go v0.10.2-0.20240312180602-9b3947de5a3d
 	github.com/authzed/cel-go v0.17.5
 	github.com/authzed/consistent v0.1.0
 	github.com/authzed/grpcutil v0.0.0-20240123092924-129dc0a6a6e1

go.sum

@@ -116,8 +116,8 @@ github.com/ashanbrown/forbidigo v1.6.0 h1:D3aewfM37Yb3pxHujIPSpTf6oQk9sc9WZi8ger
 github.com/ashanbrown/forbidigo v1.6.0/go.mod h1:Y8j9jy9ZYAEHXdu723cUlraTqbzjKF1MUyfOKL+AjcU=
 github.com/ashanbrown/makezero v1.1.1 h1:iCQ87C0V0vSyO+M9E/FZYbu65auqH0lnsOkf5FcB28s=
 github.com/ashanbrown/makezero v1.1.1/go.mod h1:i1bJLCRSCHOcOa9Y6MyF2FTfMZMFdHvxKHxgO5Z1axI=
-github.com/authzed/authzed-go v0.10.2-0.20240206183056-781a5f5d1b3c h1:w71KppS/+mCDkNXR8vmwXGVt/1dLt+axcIq+qK7f7To=
-github.com/authzed/authzed-go v0.10.2-0.20240206183056-781a5f5d1b3c/go.mod h1:bS4eeTw/ZpCunZHePrt1MAcvOggAwL8Djh8cx+CR33g=
+github.com/authzed/authzed-go v0.10.2-0.20240312180602-9b3947de5a3d h1:hzo0UIaYtLyJsEdCrM05k1k2YZHqPAyMpHL7rq37j5Q=
+github.com/authzed/authzed-go v0.10.2-0.20240312180602-9b3947de5a3d/go.mod h1:2cnND+OBSxz1DpVfaQBKtdobTiaX2qAlj7k9eNr/pM4=
 github.com/authzed/cel-go v0.17.5 h1:lfpkNrR99B5QRHg5qdG9oLu/kguVlZC68VJuMk8tH9Y=
 github.com/authzed/cel-go v0.17.5/go.mod h1:XL/zEq5hKGVF8aOdMbG7w+BQPihLjY2W8N+UIygDA2I=
 github.com/authzed/consistent v0.1.0 h1:tlh1wvKoRbjRhMm2P+X5WQQyR54SRoS4MyjLOg17Mp8=

internal/services/integrationtesting/consistency_test.go

@@ -385,7 +385,7 @@ func validateLookupResources(t *testing.T, vctx validationContext) {
 							requireSameSets(t, maps.Keys(accessibleResources), maps.Keys(resolvedResources))
 
 							// Ensure that every returned concrete object Checks directly.
-							bulkCheckItems := make([]*v1.BulkCheckPermissionRequestItem, 0, len(resolvedResources))
+							checkBulkItems := make([]*v1.CheckBulkPermissionsRequestItem, 0, len(resolvedResources))
 							expectedBulkPermissions := map[string]v1.CheckPermissionResponse_Permissionship{}
 
 							for _, resolvedResource := range resolvedResources {
@@ -420,7 +420,7 @@ func validateLookupResources(t *testing.T, vctx validationContext) {
 									permissionship,
 								)
 
-								bulkCheckItems = append(bulkCheckItems, &v1.BulkCheckPermissionRequestItem{
+								checkBulkItems = append(checkBulkItems, &v1.CheckBulkPermissionsRequestItem{
 									Resource: &v1.ObjectReference{
 										ObjectType: resourceRelation.Namespace,
 										ObjectId:   resolvedResource.ResourceObjectId,
@@ -437,8 +437,8 @@ func validateLookupResources(t *testing.T, vctx validationContext) {
 							}
 
 							// Ensure they are all found via bulk check as well.
-							results, err := vctx.serviceTester.BulkCheck(context.Background(),
-								bulkCheckItems,
+							results, err := vctx.serviceTester.CheckBulk(context.Background(),
+								checkBulkItems,
 								vctx.revision,
 							)
 							require.NoError(t, err)

internal/services/integrationtesting/consistencytestutil/servicetester.go

@@ -30,7 +30,9 @@ type ServiceTester interface {
 	Read(ctx context.Context, namespaceName string, atRevision datastore.Revision) ([]*core.RelationTuple, error)
 	LookupResources(ctx context.Context, resourceRelation *core.RelationReference, subject *core.ObjectAndRelation, atRevision datastore.Revision, cursor *v1.Cursor, limit uint32) ([]*v1.LookupResourcesResponse, *v1.Cursor, error)
 	LookupSubjects(ctx context.Context, resource *core.ObjectAndRelation, subjectRelation *core.RelationReference, atRevision datastore.Revision, caveatContext map[string]any) (map[string]*v1.LookupSubjectsResponse, error)
+	// NOTE: ExperimentalService/BulkCheckPermission has been promoted to PermissionsService/CheckBulkPermissions
 	BulkCheck(ctx context.Context, items []*v1.BulkCheckPermissionRequestItem, atRevision datastore.Revision) ([]*v1.BulkCheckPermissionPair, error)
+	CheckBulk(ctx context.Context, items []*v1.CheckBulkPermissionsRequestItem, atRevision datastore.Revision) ([]*v1.CheckBulkPermissionsPair, error)
 }
 
 func optionalizeRelation(relation string) string {
@@ -252,3 +254,19 @@ func (v1st v1ServiceTester) BulkCheck(ctx context.Context, items []*v1.BulkCheck
 
 	return result.Pairs, nil
 }
+
+func (v1st v1ServiceTester) CheckBulk(ctx context.Context, items []*v1.CheckBulkPermissionsRequestItem, atRevision datastore.Revision) ([]*v1.CheckBulkPermissionsPair, error) {
+	result, err := v1st.permClient.CheckBulkPermissions(ctx, &v1.CheckBulkPermissionsRequest{
+		Items: items,
+		Consistency: &v1.Consistency{
+			Requirement: &v1.Consistency_AtLeastAsFresh{
+				AtLeastAsFresh: zedtoken.MustNewFromRevision(atRevision),
+			},
+		},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return result.Pairs, nil
+}

internal/services/v1/bulkcheck.go

@@ -0,0 +1,251 @@
+package v1
+
+import (
+	"context"
+	"sync"
+
+	v1 "github.com/authzed/authzed-go/proto/authzed/api/v1"
+	"github.com/jzelinskie/stringz"
+	"google.golang.org/grpc/status"
+
+	"github.com/authzed/spicedb/internal/dispatch"
+	"github.com/authzed/spicedb/internal/graph"
+	"github.com/authzed/spicedb/internal/graph/computed"
+	datastoremw "github.com/authzed/spicedb/internal/middleware/datastore"
+	"github.com/authzed/spicedb/internal/middleware/usagemetrics"
+	"github.com/authzed/spicedb/internal/namespace"
+	"github.com/authzed/spicedb/internal/services/shared"
+	"github.com/authzed/spicedb/internal/taskrunner"
+	"github.com/authzed/spicedb/pkg/genutil"
+	"github.com/authzed/spicedb/pkg/genutil/mapz"
+	"github.com/authzed/spicedb/pkg/genutil/slicez"
+	"github.com/authzed/spicedb/pkg/middleware/consistency"
+	dispatchv1 "github.com/authzed/spicedb/pkg/proto/dispatch/v1"
+	"github.com/authzed/spicedb/pkg/spiceerrors"
+)
+
+// bulkChecker contains the logic to allow ExperimentalService/BulkCheckPermission and
+// PermissionsService/CheckBulkPermissions to share the same implementation.
+type bulkChecker struct {
+	maxAPIDepth          uint32
+	maxCaveatContextSize int
+	maxConcurrency       uint16
+
+	dispatch dispatch.Dispatcher
+}
+
+func (bc *bulkChecker) checkBulkPermissions(ctx context.Context, req *v1.CheckBulkPermissionsRequest) (*v1.CheckBulkPermissionsResponse, error) {
+	atRevision, checkedAt, err := consistency.RevisionFromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(req.Items) > maxBulkCheckCount {
+		return nil, NewExceedsMaximumChecksErr(uint64(len(req.Items)), maxBulkCheckCount)
+	}
+
+	// Compute a hash for each requested item and record its index(es) for the items, to be used for sorting of results.
+	itemCount, err := genutil.EnsureUInt32(len(req.Items))
+	if err != nil {
+		return nil, err
+	}
+
+	itemIndexByHash := mapz.NewMultiMapWithCap[string, int](itemCount)
+	for index, item := range req.Items {
+		itemHash, err := computeCheckBulkPermissionsItemHash(item)
+		if err != nil {
+			return nil, err
+		}
+
+		itemIndexByHash.Add(itemHash, index)
+	}
+
+	// Identify checks with same permission+subject over different resources and group them. This is doable because
+	// the dispatching system already internally supports this kind of batching for performance.
+	groupedItems, err := groupItems(ctx, groupingParameters{
+		atRevision:           atRevision,
+		maxCaveatContextSize: bc.maxCaveatContextSize,
+		maximumAPIDepth:      bc.maxAPIDepth,
+	}, req.Items)
+	if err != nil {
+		return nil, err
+	}
+
+	bulkResponseMutex := sync.Mutex{}
+
+	tr := taskrunner.NewPreloadedTaskRunner(ctx, bc.maxConcurrency, len(groupedItems))
+
+	respMetadata := &dispatchv1.ResponseMeta{
+		DispatchCount:       1,
+		CachedDispatchCount: 0,
+		DepthRequired:       1,
+		DebugInfo:           nil,
+	}
+	usagemetrics.SetInContext(ctx, respMetadata)
+
+	orderedPairs := make([]*v1.CheckBulkPermissionsPair, len(req.Items))
+
+	addPair := func(pair *v1.CheckBulkPermissionsPair) error {
+		pairItemHash, err := computeCheckBulkPermissionsItemHash(pair.Request)
+		if err != nil {
+			return err
+		}
+
+		found, ok := itemIndexByHash.Get(pairItemHash)
+		if !ok {
+			return spiceerrors.MustBugf("missing expected item hash")
+		}
+
+		for _, index := range found {
+			orderedPairs[index] = pair
+		}
+
+		return nil
+	}
+
+	appendResultsForError := func(params *computed.CheckParameters, resourceIDs []string, err error) error {
+		rewritten := shared.RewriteError(ctx, err, &shared.ConfigForErrors{
+			MaximumAPIDepth: bc.maxAPIDepth,
+		})
+		statusResp, ok := status.FromError(rewritten)
+		if !ok {
+			// If error is not a gRPC Status, fail the entire bulk check request.
+			return err
+		}
+
+		bulkResponseMutex.Lock()
+		defer bulkResponseMutex.Unlock()
+
+		for _, resourceID := range resourceIDs {
+			reqItem, err := requestItemFromResourceAndParameters(params, resourceID)
+			if err != nil {
+				return err
+			}
+
+			if err := addPair(&v1.CheckBulkPermissionsPair{
+				Request: reqItem,
+				Response: &v1.CheckBulkPermissionsPair_Error{
+					Error: statusResp.Proto(),
+				},
+			}); err != nil {
+				return err
+			}
+		}
+
+		return nil
+	}
+
+	appendResultsForCheck := func(params *computed.CheckParameters, resourceIDs []string, metadata *dispatchv1.ResponseMeta, results map[string]*dispatchv1.ResourceCheckResult) error {
+		bulkResponseMutex.Lock()
+		defer bulkResponseMutex.Unlock()
+
+		for _, resourceID := range resourceIDs {
+			reqItem, err := requestItemFromResourceAndParameters(params, resourceID)
+			if err != nil {
+				return err
+			}
+
+			if err := addPair(&v1.CheckBulkPermissionsPair{
+				Request:  reqItem,
+				Response: pairItemFromCheckResult(results[resourceID]),
+			}); err != nil {
+				return err
+			}
+		}
+
+		respMetadata.DispatchCount += metadata.DispatchCount
+		respMetadata.CachedDispatchCount += metadata.CachedDispatchCount
+		return nil
+	}
+
+	for _, group := range groupedItems {
+		group := group
+
+		slicez.ForEachChunk(group.resourceIDs, MaxBulkCheckDispatchChunkSize, func(resourceIDs []string) {
+			tr.Add(func(ctx context.Context) error {
+				ds := datastoremw.MustFromContext(ctx).SnapshotReader(atRevision)
+
+				// Ensure the check namespaces and relations are valid.
+				err := namespace.CheckNamespaceAndRelations(ctx,
+					[]namespace.TypeAndRelationToCheck{
+						{
+							NamespaceName: group.params.ResourceType.Namespace,
+							RelationName:  group.params.ResourceType.Relation,
+							AllowEllipsis: false,
+						},
+						{
+							NamespaceName: group.params.Subject.Namespace,
+							RelationName:  stringz.DefaultEmpty(group.params.Subject.Relation, graph.Ellipsis),
+							AllowEllipsis: true,
+						},
+					}, ds)
+				if err != nil {
+					return appendResultsForError(group.params, resourceIDs, err)
+				}
+
+				// Call bulk check to compute the check result(s) for the resource ID(s).
+				rcr, metadata, err := computed.ComputeBulkCheck(ctx, bc.dispatch, *group.params, resourceIDs)
+				if err != nil {
+					return appendResultsForError(group.params, resourceIDs, err)
+				}
+
+				return appendResultsForCheck(group.params, resourceIDs, metadata, rcr)
+			})
+		})
+	}
+
+	// Run the checks in parallel.
+	if err := tr.StartAndWait(); err != nil {
+		return nil, err
+	}
+
+	return &v1.CheckBulkPermissionsResponse{CheckedAt: checkedAt, Pairs: orderedPairs}, nil
+}
+
+func toCheckBulkPermissionsRequest(req *v1.BulkCheckPermissionRequest) *v1.CheckBulkPermissionsRequest {
+	items := make([]*v1.CheckBulkPermissionsRequestItem, len(req.Items))
+	for i, item := range req.Items {
+		items[i] = &v1.CheckBulkPermissionsRequestItem{
+			Resource:   item.Resource,
+			Permission: item.Permission,
+			Subject:    item.Subject,
+			Context:    item.Context,
+		}
+	}
+
+	return &v1.CheckBulkPermissionsRequest{Items: items}
+}
+
+func toBulkCheckPermissionResponse(resp *v1.CheckBulkPermissionsResponse) *v1.BulkCheckPermissionResponse {
+	pairs := make([]*v1.BulkCheckPermissionPair, len(resp.Pairs))
+	for i, pair := range resp.Pairs {
+		pairs[i] = &v1.BulkCheckPermissionPair{}
+		pairs[i].Request = &v1.BulkCheckPermissionRequestItem{
+			Resource:   pair.Request.Resource,
+			Permission: pair.Request.Permission,
+			Subject:    pair.Request.Subject,
+			Context:    pair.Request.Context,
+		}
+
+		switch t := pair.Response.(type) {
+		case *v1.CheckBulkPermissionsPair_Item:
+			pairs[i].Response = &v1.BulkCheckPermissionPair_Item{
+				Item: &v1.BulkCheckPermissionResponseItem{
+					Permissionship:    t.Item.Permissionship,
+					PartialCaveatInfo: t.Item.PartialCaveatInfo,
+				},
+			}
+		case *v1.CheckBulkPermissionsPair_Error:
+			pairs[i].Response = &v1.BulkCheckPermissionPair_Error{
+				Error: t.Error,
+			}
+		default:
+			panic("unknown CheckBulkPermissionResponse pair response type")
+		}
+	}
+
+	return &v1.BulkCheckPermissionResponse{
+		CheckedAt: resp.CheckedAt,
+		Pairs:     pairs,
+	}
+}