From 5782e2a8c8a6511fce75365b9a9d6363600783eb Mon Sep 17 00:00:00 2001 From: Alec Merdler Date: Wed, 14 Feb 2024 10:50:17 -0500 Subject: [PATCH] Promote BulkCheckPermission to v1 The 'BulkCheckPermission' API is stable and can be promoted into the v1 'PermissionsService'. --- authzed/api/v1/experimental_service.proto | 13 +++--- authzed/api/v1/permission_service.proto | 55 +++++++++++++++++++++++ 2 files changed, 61 insertions(+), 7 deletions(-) diff --git a/authzed/api/v1/experimental_service.proto b/authzed/api/v1/experimental_service.proto index efa6b32..d24e1c8 100644 --- a/authzed/api/v1/experimental_service.proto +++ b/authzed/api/v1/experimental_service.proto @@ -45,12 +45,12 @@ service ExperimentalService { } rpc BulkCheckPermission(BulkCheckPermissionRequest) - returns (BulkCheckPermissionResponse) { - option (google.api.http) = { - post: "/v1/experimental/permissions/bulkcheckpermission" - body: "*" - }; - } + returns (BulkCheckPermissionResponse) { + option (google.api.http) = { + post: "/v1/experimental/permissions/bulkcheckpermission" + body: "*" + }; + } } message BulkCheckPermissionRequest { @@ -87,7 +87,6 @@ message BulkCheckPermissionPair { } message BulkCheckPermissionResponseItem { - CheckPermissionResponse.Permissionship permissionship = 1 [ (validate.rules).enum = {defined_only: true, not_in: [0]} ]; PartialCaveatInfo partial_caveat_info = 2 [ (validate.rules).message.required = false ]; diff --git a/authzed/api/v1/permission_service.proto b/authzed/api/v1/permission_service.proto index e28b73e..391b6c7 100644 --- a/authzed/api/v1/permission_service.proto +++ b/authzed/api/v1/permission_service.proto @@ -6,6 +6,7 @@ option java_package = "com.authzed.api.v1"; import "google/protobuf/struct.proto"; import "google/api/annotations.proto"; +import "google/rpc/status.proto"; import "validate/validate.proto"; import "authzed/api/v1/core.proto"; @@ -56,6 +57,16 @@ service PermissionsService { }; } + // CheckBulkPermissions evaluates the given list of permission checks + // and returns the list of results. + rpc CheckBulkPermissions(CheckBulkPermissionsRequest) + returns (CheckBulkPermissionsResponse) { + option (google.api.http) = { + post: "/v1/permissions/checkbulk" + body: "*" + }; + } + // ExpandPermissionTree reveals the graph structure for a resource's // permission or relation. This RPC does not recurse infinitely deep and may // require multiple calls to fully unnest a deeply nested graph. @@ -349,6 +360,50 @@ message CheckPermissionResponse { PartialCaveatInfo partial_caveat_info = 3 [ (validate.rules).message.required = false ]; } +// CheckBulkPermissionsRequest issues a check on whether a subject has permission +// or is a member of a relation on a specific resource for each item in the list. +// +// The ordering of the items in the response is maintained in the response. +// Checks with the same subject/permission will automatically be batched for performance optimization. +message CheckBulkPermissionsRequest { + Consistency consistency = 1; + + repeated CheckBulkPermissionsRequestItem items = 2 [ (validate.rules).repeated .items.message.required = true ]; +} + +message CheckBulkPermissionsRequestItem { + ObjectReference resource = 1 [ (validate.rules).message.required = true ]; + + string permission = 2 [ (validate.rules).string = { + pattern : "^([a-z][a-z0-9_]{1,62}[a-z0-9])?$", + max_bytes : 64, + } ]; + + SubjectReference subject = 3 [ (validate.rules).message.required = true ]; + + google.protobuf.Struct context = 4 [ (validate.rules).message.required = false ]; +} + +message CheckBulkPermissionsResponse { + ZedToken checked_at = 1 [ (validate.rules).message.required = false ]; + + repeated CheckBulkPermissionsPair pairs = 2 [ (validate.rules).repeated .items.message.required = true ]; +} + +message CheckBulkPermissionsPair { + CheckBulkPermissionsRequestItem request = 1; + oneof response { + CheckBulkPermissionsResponseItem item = 2; + google.rpc.Status error = 3; + } +} + +message CheckBulkPermissionsResponseItem { + CheckPermissionResponse.Permissionship permissionship = 1 [ (validate.rules).enum = {defined_only: true, not_in: [0]} ]; + + PartialCaveatInfo partial_caveat_info = 2 [ (validate.rules).message.required = false ]; +} + // ExpandPermissionTreeRequest returns a tree representing the expansion of all // relationships found accessible from a permission or relation on a particular // resource.