[BREAKING] ACL schema change #4725
Conversation
There was a problem hiding this comment.
Reviewed 1 of 11 files at r1.
Reviewable status: 1 of 11 files reviewed, 12 unresolved discussions (waiting on @animesh2049)
dgraph/cmd/bulk/systest/test-bulk-schema.sh, line 195 at r1 (raw file):
LC_ALL=C sort all_dbs.out | uniq -c diff <(LC_ALL=C sort all_dbs.out | uniq -c) - <<EOF 1 dgraph.acl.permission
Should these be dgraph.rule.permission and dgraph.rule.predicate?
edgraph/access_ee.go, line 350 at r1 (raw file):
allAcls(func: type(Group)) { dgraph.xid dgraph.group.acl
Why do we still query this?
ee/acl/acl.go, line 420 at r1 (raw file):
defer cancel() ctx, ctxCancel := context.WithTimeout(context.Background(), 10*time.Minute)
Wow, why is this 10 Minute?
ee/acl/acl.go, line 429 at r1 (raw file):
}() ruleQuery := fmt.Sprintf(`
Also have a test for when group doesn't exist, then that should be an error. You'll have to fetch the guid in another query block to check that.
ee/acl/acl.go, line 437 at r1 (raw file):
}`, groupId, predicate) ruleUpsert := &api.Mutation{
Add comments about the 4 cases possible here.
ee/acl/acl.go, line 437 at r1 (raw file):
}`, groupId, predicate) ruleUpsert := &api.Mutation{
updateRule
ee/acl/acl.go, line 445 at r1 (raw file):
}, }, Cond: "@if(gt(len(rUID), 0) AND eq(len(gUID), 1))",
This condition should be eq(len(rUID), 1)
ee/acl/acl.go, line 448 at r1 (raw file):
} ruleMutation := &api.Mutation{
createRule
ee/acl/acl.go, line 453 at r1 (raw file):
} } newAcls, updated := updateAcl(currentAcls, newAcl)
TestUpdateAcl can be removed from groups_test.go and please ensure we have integration tests for all the scenarios tested for it.
ee/acl/acl.go, line 466 at r1 (raw file):
}, }, Cond: "@if(eq(len(rUID), 0) AND eq(len(gUID), 1))",
Also, according to updateAcl if perm is <0 then the rule is deleted, please ensure we do that here as well and have a test for that.
ee/acl/acl.go, line 475 at r1 (raw file):
}) if err != nil {
return err
schema/schema.go, line 514 at r1 (raw file):
ValueType: pb.Posting_STRING, Directive: pb.SchemaUpdate_INDEX, Tokenizer: []string{"exact"}, // Should we have upsert directive for this ?
Should have upsert directive here, yes.
There was a problem hiding this comment.
Reviewable status: 0 of 11 files reviewed, 12 unresolved discussions (waiting on @animesh2049 and @pawanrawal)
dgraph/cmd/bulk/systest/test-bulk-schema.sh, line 195 at r1 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
Should these be
dgraph.rule.permissionanddgraph.rule.predicate?
Done.
edgraph/access_ee.go, line 350 at r1 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
Why do we still query this?
Done.
ee/acl/acl.go, line 420 at r1 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
Wow, why is this 10 Minute?
Done.
ee/acl/acl.go, line 437 at r1 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
updateRule
Done.
ee/acl/acl.go, line 445 at r1 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
This condition should be
eq(len(rUID), 1)
Done.
ee/acl/acl.go, line 448 at r1 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
createRule
Done.
schema/schema.go, line 514 at r1 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
Should have upsert directive here, yes.
I think upsert directive should be there for dgraph.acl.rule ... ??
| {"predicate":"dgraph.group.acl","type":"string"} | ||
| {"predicate":"dgraph.user.group","list":true, "reverse":true, "type":"uid"}, | ||
| {"predicate":"dgraph.acl.rule","type":"uid","list":true}, | ||
| {"predicate":"dgraph.rule.predicate","type":"string","index":true,"tokenizer":["exact"],"upsert":true}, |
There was a problem hiding this comment.
Mostly LGTM now apart from failing CI tests.
Reviewable status: 0 of 12 files reviewed, 5 unresolved discussions (waiting on @animesh2049 and @pawanrawal)
ee/acl/acl.go, line 437 at r1 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
Add comments about the 4 cases possible here.
This still needs to be done.
ee/acl/acl.go, line 489 at r2 (raw file):
} resp, err := txn.Do(ctx, upsertRequest) fmt.Println(string(resp.GetJson()))
Should be removed
schema/schema.go, line 514 at r1 (raw file):
Previously, animesh2049 (Animesh Chandra Pathak) wrote…
I think upsert directive should be there for
dgraph.acl.rule... ??
Upsert directive makes sense on scalar predicates where we compare value and then add it. If you try and add a rule for the same predicate twice for the same dgraph.acl.rule concurrently, one of them would fail.
There was a problem hiding this comment.
Reviewable status: 0 of 12 files reviewed, 5 unresolved discussions (waiting on @animesh2049, @manishrjain, and @pawanrawal)
ee/acl/acl.go, line 453 at r1 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
TestUpdateAcl can be removed from
groups_test.goand please ensure we have integration tests for all the scenarios tested for it.
Done.
ee/acl/acl.go, line 475 at r1 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
return err
Done.
schema/schema.go, line 514 at r1 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
Upsert directive makes sense on scalar predicates where we compare value and then add it. If you try and add a rule for the same predicate twice for the same
dgraph.acl.ruleconcurrently, one of them would fail.
Putting upsert directive on dgraph.rule.predicate will ensure that we can't insert 2 rules concurrently (even to different groups) with the same predicate.
There was a problem hiding this comment.
Reviewable status: 0 of 12 files reviewed, 5 unresolved discussions (waiting on @animesh2049, @manishrjain, and @pawanrawal)
ee/acl/acl.go, line 489 at r2 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
Should be removed
Done.
There was a problem hiding this comment.
Dismissed @golangcibot from a discussion.
Reviewable status: 0 of 12 files reviewed, 4 unresolved discussions (waiting on @manishrjain and @pawanrawal)
There was a problem hiding this comment.
Reviewed 2 of 11 files at r1, 8 of 10 files at r2, 2 of 2 files at r3.
Reviewable status:complete! all files reviewed, all discussions resolved (waiting on @manishrjain)
There was a problem hiding this comment.
Reviewed 2 of 11 files at r1, 8 of 10 files at r2, 1 of 2 files at r3, 1 of 1 files at r4.
Reviewable status:
This change is