From 024e5ffe8b6cf7369a6f92572f678e2473df717b Mon Sep 17 00:00:00 2001
From: Alec Merdler
Date: Wed, 14 Feb 2024 10:50:17 -0500
Subject: [PATCH] Promote BulkCheckPermission to v1

The 'BulkCheckPermission' API is stable and can be promoted into the v1 'PermissionsService'.
---
 authzed/api/v1/experimental_service.proto | 43 -------------------
 authzed/api/v1/permission_service.proto | 51 +++++++++++++++++++++++
 buf.yaml | 5 +++
 3 files changed, 56 insertions(+), 43 deletions(-)

diff --git a/authzed/api/v1/experimental_service.proto b/authzed/api/v1/experimental_service.proto
index efa6b32..27d5302 100644
--- a/authzed/api/v1/experimental_service.proto
+++ b/authzed/api/v1/experimental_service.proto
@@ -6,8 +6,6 @@ option java_package = "com.authzed.api.v1";
 import "google/api/annotations.proto";
 import "validate/validate.proto";
-import "google/protobuf/struct.proto";
-import "google/rpc/status.proto";
 import "authzed/api/v1/core.proto";
 import "authzed/api/v1/permission_service.proto";
@@ -15,7 +13,6 @@ import "authzed/api/v1/permission_service.proto";
 // ExperimentalService exposes a number of APIs that are currently being
 // prototyped and tested for future inclusion in the stable API.
 service ExperimentalService {
-
 // BulkImportRelationships is a faster path to writing a large number of
 // relationships at once. It is both batched and streaming. For maximum
 // performance, the caller should attempt to write relationships in as close
@@ -53,46 +50,6 @@ service ExperimentalService {
 }
 }
-message BulkCheckPermissionRequest {
- Consistency consistency = 1;
-
- repeated BulkCheckPermissionRequestItem items = 2 [ (validate.rules).repeated .items.message.required = true ];
-}
-
-message BulkCheckPermissionRequestItem {
- ObjectReference resource = 1 [ (validate.rules).message.required = true ];
-
- string permission = 2 [ (validate.rules).string = {
- pattern : "^([a-z][a-z0-9_]{1,62}[a-z0-9])?$",
- max_bytes : 64,
- } ];
-
- SubjectReference subject = 3 [ (validate.rules).message.required = true ];
-
- google.protobuf.Struct context = 4 [ (validate.rules).message.required = false ];
-}
-
-message BulkCheckPermissionResponse {
- ZedToken checked_at = 1 [ (validate.rules).message.required = false ];
-
- repeated BulkCheckPermissionPair pairs = 2 [ (validate.rules).repeated .items.message.required = true ];
-}
-
-message BulkCheckPermissionPair {
- BulkCheckPermissionRequestItem request = 1;
- oneof response {
- BulkCheckPermissionResponseItem item = 2;
- google.rpc.Status error = 3;
- }
-}
-
-message BulkCheckPermissionResponseItem {
-
- CheckPermissionResponse.Permissionship permissionship = 1 [ (validate.rules).enum = {defined_only: true, not_in: [0]} ];
-
- PartialCaveatInfo partial_caveat_info = 2 [ (validate.rules).message.required = false ];
-}
-
 // BulkImportRelationshipsRequest represents one batch of the streaming
 // BulkImportRelationships API. The maximum size is only limited by the backing
 // datastore, and optimal size should be determined by the calling client
diff --git a/authzed/api/v1/permission_service.proto b/authzed/api/v1/permission_service.proto
index e28b73e..100a22f 100644
--- a/authzed/api/v1/permission_service.proto
+++ b/authzed/api/v1/permission_service.proto
@@ -6,6 +6,7 @@ option java_package = "com.authzed.api.v1";
 import "google/protobuf/struct.proto";
 import "google/api/annotations.proto";
+import "google/rpc/status.proto";
 import "validate/validate.proto";
 import "authzed/api/v1/core.proto";
@@ -56,6 +57,16 @@ service PermissionsService {
 };
 }
+ // BulkCheckPermission accepts a list of permission checks and returns
+ // the results of those checks in a single response.
+ rpc BulkCheckPermission(BulkCheckPermissionRequest)
+ returns (BulkCheckPermissionResponse) {
+ option (google.api.http) = {
+ post: "/v1/permissions/bulkcheckpermission"
+ body: "*"
+ };
+ }
+
 // ExpandPermissionTree reveals the graph structure for a resource's
 // permission or relation. This RPC does not recurse infinitely deep and may
 // require multiple calls to fully unnest a deeply nested graph.
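Review bot: The comment on the new `rpc BulkCheckPermission` in the `@@ -56,6 +57,16 @@` hunk does not say how a failed individual check is reported, which is the part of the contract a caller most needs in order to fail closed. From the message shape added later in this patch (`oneof response { item | error }` in `BulkCheckPermissionPair`), a per-check failure appears to come back in-band inside an otherwise successful response, so a client that inspects only the RPC status could miss it. I would extend the comment with something like `// A check that fails is reported in its pair's error field rather than as an RPC error; callers must treat such a pair, or one with no response set, as not permitted.`, adjusted to whatever the server actually guarantees. The enclosing `service PermissionsService` block starts and ends outside the hunk.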
@@ -349,6 +360,46 @@ message CheckPermissionResponse {
 PartialCaveatInfo partial_caveat_info = 3 [ (validate.rules).message.required = false ];
 }
+message BulkCheckPermissionRequest {
+ Consistency consistency = 1;
+
+ repeated BulkCheckPermissionRequestItem items = 2 [ (validate.rules).repeated .items.message.required = true ];
+}
+
+message BulkCheckPermissionRequestItem {
+ ObjectReference resource = 1 [ (validate.rules).message.required = true ];
+
+ string permission = 2 [ (validate.rules).string = {
+ pattern : "^([a-z][a-z0-9_]{1,62}[a-z0-9])?$",
+ max_bytes : 64,
+ } ];
+
+ SubjectReference subject = 3 [ (validate.rules).message.required = true ];
+
+ google.protobuf.Struct context = 4 [ (validate.rules).message.required = false ];
+}
+
+message BulkCheckPermissionResponse {
+ ZedToken checked_at = 1 [ (validate.rules).message.required = false ];
+
+ repeated BulkCheckPermissionPair pairs = 2 [ (validate.rules).repeated .items.message.required = true ];
+}
+
+message BulkCheckPermissionPair {
+ BulkCheckPermissionRequestItem request = 1;
+
+ oneof response {
+ BulkCheckPermissionResponseItem item = 2;
+ google.rpc.Status error = 3;
+ }
+}
+
+message BulkCheckPermissionResponseItem {
+ CheckPermissionResponse.Permissionship permissionship = 1 [ (validate.rules).enum = {defined_only: true, not_in: [0]} ];
+
+ PartialCaveatInfo partial_caveat_info = 2 [ (validate.rules).message.required = false ];
+}
+
 // ExpandPermissionTreeRequest returns a tree representing the expansion of all
 // relationships found accessible from a permission or relation on a particular
 // resource.
diff --git a/buf.yaml b/buf.yaml
index ba500ff..be4b688 100644
--- a/buf.yaml
+++ b/buf.yaml
@@ -8,3 +8,8 @@ deps:
 lint:
 ignore:
 - "authzed/api/v0" # legacy from before we used buf
+ ignore_only:
+ # BulkCheckPermission exists in both experimental and v1
+ RPC_REQUEST_RESPONSE_UNIQUE:
+ - "authzed/api/v1/experimental_service.proto"
+ - "authzed/api/v1/permission_service.proto"
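Review bot: `items` in the new `BulkCheckPermissionRequest` is validated only per element (`.items.message.required = true`), so the schema puts no bound on how many checks one request may carry. Each item can also bring an arbitrary `google.protobuf.Struct context`, which `BulkCheckPermissionPair.request` echoes back in the response. For an API being declared stable, that leaves batch size as an unstated resource-exhaustion limit. Either cap it in the schema, e.g. `(validate.rules).repeated = {min_items: 1, max_items: <LIMIT>, items: {message: {required: true}}}` with `<LIMIT>` a placeholder for a number the maintainers choose, or state on the field that the server enforces a limit. ExperimentalService appears to keep using these same messages, so a schema cap would apply to its existing callers as well.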
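Review bot: The added `ignore_only` entry switches off `RPC_REQUEST_RESPONSE_UNIQUE` for every RPC in both listed files, not only `BulkCheckPermission`, so a later RPC there that reuses a request or response type will pass lint unnoticed. If this is a v1 `buf.yaml`, setting `allow_comment_ignores: true` under `lint` and placing `// buf:lint:ignore RPC_REQUEST_RESPONSE_UNIQUE` above each of the two `rpc BulkCheckPermission` declarations would limit the exception to those declarations. Whichever form is kept, the YAML comment could also record when it should go away, e.g. `# remove once ExperimentalService.BulkCheckPermission is deleted`.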