fix(groot): do not upsert groot for all namespaces on restart (#8561)

Earlier, whenever the alpha starts(or restarts), we were upserting
guardian and groot for all the namespaces. This is not actually needed.
The change was made in the PR #7759 to fix a bulk loader edge case. This
PR fixes that by generating the required RDFs in the bulk loader itself.
Essentially, it inserts the ACL RDFs when force loading into non-Galaxy
namespace.

(cherry picked from commit 6730f10)

Co-authored-by: Naman Jain <[email protected]>

Author: mangalaman93

dgraph/cmd/bulk/mapper.go

@@ -35,6 +35,7 @@ import (
 	"github.com/dgraph-io/dgo/v210/protos/api"
 	"github.com/dgraph-io/dgraph/chunker"
 	"github.com/dgraph-io/dgraph/dql"
+	"github.com/dgraph-io/dgraph/ee/acl"
 	"github.com/dgraph-io/dgraph/posting"
 	"github.com/dgraph-io/dgraph/protos/pb"
 	"github.com/dgraph-io/dgraph/tok"
@@ -44,6 +45,10 @@ import (
 	"github.com/dgraph-io/ristretto/z"
 )
 
+var (
+	aclOnce sync.Once
+)
+
 type mapper struct {
 	*state
 	shards []shardState // shard is based on predicate
@@ -228,6 +233,20 @@ func (m *mapper) run(inputFormat chunker.InputFormat) {
 				}
 			}
 		}
+		aclOnce.Do(func() {
+			if m.opt.Namespace != math.MaxUint64 && m.opt.Namespace != x.GalaxyNamespace {
+				// Insert ACL related RDFs force uploading the data into non-galaxy namespace.
+				aclNquads := make([]*api.NQuad, 0)
+				aclNquads = append(aclNquads, acl.CreateGroupNQuads(x.GuardiansId)...)
+				aclNquads = append(aclNquads, acl.CreateUserNQuads(x.GrootId, "password")...)
+				aclNquads = append(aclNquads, &api.NQuad{
+					Subject:   "_:newuser",
+					Predicate: "dgraph.user.group",
+					ObjectId:  "_:newgroup",
+				})
+				nquads.Push(aclNquads...)
+			}
+		})
 		nquads.Flush()
 	}()
 

dgraph/cmd/bulk/run.go

@@ -118,7 +118,9 @@ func init() {
 	flag.Bool("new_uids", false,
 		"Ignore UIDs in load files and assign new ones.")
 	flag.Uint64("force-namespace", math.MaxUint64,
-		"Namespace onto which to load the data. If not set, will preserve the namespace.")
+		"Namespace onto which to load the data. If not set, will preserve the namespace."+
+			" When using this flag to load data into specific namespace, make sure that the "+
+			"load data do not have ACL data.")
 
 	flag.String("badger", BulkBadgerDefaults, z.NewSuperFlagHelp(BulkBadgerDefaults).
 		Head("Badger options (Refer to badger documentation for all possible options)").

edgraph/access_ee.go

@@ -434,10 +434,7 @@ func InitializeAcl(closer *z.Closer) {
 		// The acl feature is not turned on.
 		return
 	}
-
-	for ns := range schema.State().Namespaces() {
-		upsertGuardianAndGroot(closer, ns)
-	}
+	upsertGuardianAndGroot(closer, x.GalaxyNamespace)
 }
 
 // Note: The handling of closer should be done by caller.

ee/acl/run.go

@@ -32,6 +32,6 @@ func init() {
 		Use:         "acl",
 		Short:       "Enterprise feature. Not supported in oss version",
 		Annotations: map[string]string{"group": "security"},
-	},
-		Acl.Cmd.SetHelpTemplate(x.NonRootTemplate)
+	}
+	CmdAcl.Cmd.SetHelpTemplate(x.NonRootTemplate)
 }