
Commit 4286d7d

authored
Merge pull request #93 from authzed/bulk-check-permissions-v1
Promote `BulkCheckPermission` to v1
2 parents 1485497 + be92f95 commit 4286d7d

3 files changed

Lines changed: 75 additions & 7 deletions


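--- a/authzed/api/v1/error_reason.proto
+++ b/authzed/api/v1/error_reason.proto
@@ -299,4 +299,18 @@ enum ErrorReason {
 // "metadata": {}
 // }
 ERROR_REASON_SERIALIZATION_FAILURE = 20;
+
+// The request contained more check items than the maximum configured.
+//
+// Example of an ErrorInfo:
+//
+// {
+// "reason": "ERROR_REASON_TOO_MANY_CHECKS_IN_REQUEST",
+// "domain": "authzed.com",
+// "metadata": {
+// "check_count": "525",
+// "maximum_checks_allowed": "500",
+// }
+// }
+ERROR_REASON_TOO_MANY_CHECKS_IN_REQUEST = 21;
 }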
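Review bot: The example ErrorInfo in the new comment is not valid JSON, because the line `"maximum_checks_allowed": "500",` ends with a trailing comma before the closing brace of `metadata`. Anyone who copies the example into a fixture for handling this limit error will get a parse failure; the last entry should read `// "maximum_checks_allowed": "500"`. The enum body starts outside the hunk, so I cannot tell whether earlier examples have the same problem.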

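--- a/authzed/api/v1/experimental_service.proto
+++ b/authzed/api/v1/experimental_service.proto
@@ -45,12 +45,12 @@ service ExperimentalService {
 }
 
 rpc BulkCheckPermission(BulkCheckPermissionRequest)
-returns (BulkCheckPermissionResponse) {
-option (google.api.http) = {
-post: "/v1/experimental/permissions/bulkcheckpermission"
-body: "*"
-};
-}
+returns (BulkCheckPermissionResponse) {
+option (google.api.http) = {
+post: "/v1/experimental/permissions/bulkcheckpermission"
+body: "*"
+};
+}
 }
 
 message BulkCheckPermissionRequest {
@@ -87,7 +87,6 @@ message BulkCheckPermissionPair {
 }
 
 message BulkCheckPermissionResponseItem {
-
 CheckPermissionResponse.Permissionship permissionship = 1 [ (validate.rules).enum = {defined_only: true, not_in: [0]} ];
 
 PartialCaveatInfo partial_caveat_info = 2 [ (validate.rules).message.required = false ];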

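--- a/authzed/api/v1/permission_service.proto
+++ b/authzed/api/v1/permission_service.proto
@@ -6,6 +6,7 @@ option java_package = "com.authzed.api.v1";
 
 import "google/protobuf/struct.proto";
 import "google/api/annotations.proto";
+import "google/rpc/status.proto";
 import "validate/validate.proto";
 
 import "authzed/api/v1/core.proto";
@@ -56,6 +57,16 @@ service PermissionsService {
 };
 }
 
+// CheckBulkPermissions evaluates the given list of permission checks
+// and returns the list of results.
+rpc CheckBulkPermissions(CheckBulkPermissionsRequest)
+returns (CheckBulkPermissionsResponse) {
+option (google.api.http) = {
+post: "/v1/permissions/checkbulk"
+body: "*"
+};
+}
+
 // ExpandPermissionTree reveals the graph structure for a resource's
 // permission or relation. This RPC does not recurse infinitely deep and may
 // require multiple calls to fully unnest a deeply nested graph.
@@ -349,6 +360,50 @@ message CheckPermissionResponse {
 PartialCaveatInfo partial_caveat_info = 3 [ (validate.rules).message.required = false ];
 }
 
+// CheckBulkPermissionsRequest issues a check on whether a subject has permission
+// or is a member of a relation on a specific resource for each item in the list.
+//
+// The ordering of the items in the response is maintained in the response.
+// Checks with the same subject/permission will automatically be batched for performance optimization.
+message CheckBulkPermissionsRequest {
+Consistency consistency = 1;
+
+repeated CheckBulkPermissionsRequestItem items = 2 [ (validate.rules).repeated .items.message.required = true ];
+}
+
+message CheckBulkPermissionsRequestItem {
+ObjectReference resource = 1 [ (validate.rules).message.required = true ];
+
+string permission = 2 [ (validate.rules).string = {
+pattern : "^([a-z][a-z0-9_]{1,62}[a-z0-9])?$",
+max_bytes : 64,
+} ];
+
+SubjectReference subject = 3 [ (validate.rules).message.required = true ];
+
+google.protobuf.Struct context = 4 [ (validate.rules).message.required = false ];
+}
+
+message CheckBulkPermissionsResponse {
+ZedToken checked_at = 1 [ (validate.rules).message.required = false ];
+
+repeated CheckBulkPermissionsPair pairs = 2 [ (validate.rules).repeated .items.message.required = true ];
+}
+
+message CheckBulkPermissionsPair {
+CheckBulkPermissionsRequestItem request = 1;
+oneof response {
+CheckBulkPermissionsResponseItem item = 2;
+google.rpc.Status error = 3;
+}
+}
+
+message CheckBulkPermissionsResponseItem {
+CheckPermissionResponse.Permissionship permissionship = 1 [ (validate.rules).enum = {defined_only: true, not_in: [0]} ];
+
+PartialCaveatInfo partial_caveat_info = 2 [ (validate.rules).message.required = false ];
+}
+
 // ExpandPermissionTreeRequest returns a tree representing the expansion of all
 // relationships found accessible from a permission or relation on a particular
 // resource.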
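Review bot: `CheckBulkPermissionsPair` and its `oneof response` are added without any comment, so nothing tells a client that a pair carrying `error` has no `item`. In most generated code, reading `item.permissionship` on such a pair returns the zero enum value instead of failing. For an authorization API that should be spelled out so callers fail closed, for example above the oneof: `// Exactly one of item or error is set; callers must treat error, or an unset response, as not permitted.` In the same hunk `items` has no size rule in the schema, while the new `ERROR_REASON_TOO_MANY_CHECKS_IN_REQUEST` implies a server-configured cap, so the request comment should name that limit and the error returned when it is exceeded. The comment line `The ordering of the items in the response is maintained in the response` presumably means the ordering of the items in the request.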
