Story #18693
closed
Deduplicate permission links
100%
Description
It's confusing and potentially error prone to have multiple identical permission links, e.g. three link records all granting "can_read" going from the same user to the same project. For example, there's 50 users with read access to a project, but one user is listed 3 times. Someone goes it to remove that user's access, but only deletes one or two of the links, not all three.
Proposed change:
conflicting: permission link between the same head/tail where both permissions are either (can_read, can_write, can_login) or (can_login)
should take a row lock on the permission link when doing these operations.
- "create" command
- if there is a conflicting permission link and the existing link has lower permission, update the existing permission link and return that
- if there is a conflicting permission link and the existing link has same or higher permission, do nothing and return the existing link
- "update" command
- if a link is updated so it conflicts with another permission link, delete the other conflicting link (this shouldn't happen because there shouldn't be more than one link)
- "delete" command
- delete doesn't change because there shouldn't be multiple conflicting links, but if there are, they should all get deleted
- perform a data migration to remove any duplicated links
Related issues
Updated by Peter Amstutz about 1 year ago
- Status changed from New to In Progress
Updated by Peter Amstutz about 1 year ago
- Status changed from In Progress to New
- Tracker changed from Bug to Story
Updated by Ward Vandewege 11 months ago
- Related to Bug #19057: [controller] should not allow adding the same user+login to a VM more than one time added
Updated by Peter Amstutz 10 months ago
- Target version changed from 2022-06-08 sprint to 2022-06-22 Sprint
Updated by Peter Amstutz 10 months ago
- Target version changed from 2022-06-22 Sprint to 2022-07-06
Updated by Peter Amstutz 9 months ago
- Target version changed from 2022-07-06 to 2022-07-20
Updated by Peter Amstutz 9 months ago
- Target version changed from 2022-07-20 to 2022-08-03 Sprint
Updated by Peter Amstutz 8 months ago
- Target version changed from 2022-08-03 Sprint to 2022-08-17 sprint
Updated by Peter Amstutz 8 months ago
- Target version changed from 2022-08-17 sprint to 2022-08-31 sprint
Updated by Peter Amstutz 8 months ago
- Target version changed from 2022-08-31 sprint to 2022-09-14 sprint
Updated by Peter Amstutz 7 months ago
- Target version changed from 2022-09-14 sprint to 2022-09-28 sprint
Updated by Peter Amstutz 6 months ago
- Target version changed from 2022-09-28 sprint to 2022-10-12 sprint
Updated by Peter Amstutz 6 months ago
- Target version changed from 2022-10-12 sprint to 2022-10-26 sprint
Updated by Peter Amstutz 6 months ago
- Target version changed from 2022-10-26 sprint to 2022-11-09 sprint
Updated by Peter Amstutz 5 months ago
- Target version changed from 2022-11-09 sprint to 2022-11-23 sprint
Updated by Peter Amstutz 5 months ago
- Target version changed from 2022-11-23 sprint to 2022-12-07 Sprint
Updated by Peter Amstutz 5 months ago
- Target version changed from 2022-12-07 Sprint to 2022-12-21 Sprint
Updated by Peter Amstutz 4 months ago
- Target version changed from 2022-12-21 Sprint to 2023-01-18 sprint
Updated by Peter Amstutz 4 months ago
- Target version changed from 2023-01-18 sprint to 2022-12-07 Sprint
Updated by Tom Clegg 3 months ago
18693-dedup-permissions @ 6241cccaeba4413883699c360bde08e0e544a10e -- developer-run-tests: #3431
Updated by Brett Smith 3 months ago
Tom Clegg wrote in #note-33:
18693-dedup-permissions @ 6241cccaeba4413883699c360bde08e0e544a10e -- developer-run-tests: #3431
The code all seems good. I was going to ask for a handful of tests, but then I kept realizing those situations were already covered, so thanks for that.
I feel bad asking this, but I also feel like I have to: introducing row-level locking to every API update request seems like it could have significant performance implications on a busy API server. Do we have any sense at all of what the cost is likely to look like? Does it add noticeable CPU/RAM/disk requirements to the database generally? Are users or administrators likely to see slowdown when the API server handles multiple simultaneous update requests? How much? Like, even if you just have experience adding row-level locking to some other application in the past, I would be interested to hear about that. (I admit part of my worry here is that I have no personal experience with row locking at all, so I'm just facing this giant expanse of things I know I don't know.) I realize these are huge questions, but I feel like it behooves us to have some idea of what we're getting into if we're going to make such a fundamental change.
Why was test "job readable after updating other attributes" removed from nodes_controller_test.rb?
The each block in apply_max_overlapping_permissions doesn't seem indented as I would expect.
Thanks.
Updated by Tom Clegg 3 months ago
Brett Smith wrote in #note-36:
row-level locking to every API update request seems like it could have significant performance implications on a busy API server
Agree with all this. Maybe we should add a config knob (API.LockBeforeUpdate?) with default false, enable it on our own clusters first, then change the default to true when we're satisfied?
Why was test "job readable after updating other attributes" removed from
nodes_controller_test.rb?
It relied on the job_readable attribute set by NodesController.find_objects_for_index, which now disappears when Rails reloads the row in @object.lock. It wouldn't be too hard to fix, but I didn't bother, because it's not actually used any more (nothing uses the nodes controller, and in particular, jobs don't get assigned to nodes because there's no crunch1 dispatcher).
The
eachblock inapply_max_overlapping_permissionsdoesn't seem indented as I would expect.
I agree it's awkward, but that's the way emacs does it (the N>1th line of the "if" condition is indented by 2, and so is the inner block) ... so I figure it's better to be standard/consistent than make up something better.
Updated by Brett Smith 3 months ago
Tom Clegg wrote in #note-37:
Brett Smith wrote in #note-36:
row-level locking to every API update request seems like it could have significant performance implications on a busy API server
Agree with all this. Maybe we should add a config knob (API.LockBeforeUpdate?) with default false, enable it on our own clusters first, then change the default to true when we're satisfied?
That does sound like a nice plan to me, although now we're rescoping the story and I'm not sure that's my call. I also think if we should do this, we should make at least some kind of dedicated effort to stress the server before we do a release with the feature turned on. I don't think the traffic patterns we usually get on our own clusters reach the same levels as some of our busier users.
If we go this route, I wonder if we should intentionally leave the configuration option undocumented? Basically, treat it more like a feature flag than a configuration setting we actually expect admins to change, that just happens to be implemented through the configuration system because that's easiest. I don't think we need or want to commit ourselves to a situation where admins can turn this off in the future.
Your other comments make sense to me, no further questions there.
Updated by Tom Clegg 2 months ago
18693-dedup-permissions @ 91550c635ed37c0a79c17f276823b48433247c8a -- developer-run-tests: #3446
wb1 retry developer-run-tests-apps-workbench-integration: #3708
Updated by Brett Smith 2 months ago
Tom Clegg wrote in #note-39:
18693-dedup-permissions @ 91550c635ed37c0a79c17f276823b48433247c8a -- developer-run-tests: #3446
Retry #2 - developer-run-tests: #3448
Looks good to me, thanks.
Updated by Tom Clegg 2 months ago
- Status changed from In Progress to Resolved
Applied in changeset arvados|b5dfc8fb22ef85e09e7034b7899f54dfe5adb6cd.
Updated by Tom Clegg 2 months ago
- Related to Story #19954: Update API documentation re permission link deduplication added