[#10805] Support bulk access control operations#11906
Conversation
|
@lasdf1234 Could u help me review this pull request? |
No problem. |
|
Could you add some content to the doc document to explain the usage scenarios of these APIs? |
|
Is the bulk interface better when processing data one by one or in batches? Could you please share your research findings? |
Thanks for the review. @lasdf1234 For the first question: I added a new section named "Bulk Access Control Operations" in The new documentation explains:
For the second question: I did some research on common batch/bulk API designs. There does not seem to be a single universal rule, but there are several common patterns.
For Gravitino access control APIs, I think the current design is closer to the first pattern and fits this feature better:
This design avoids partial execution for malformed or unauthorized requests, while still allowing clients to make progress and retry only failed items for business-level failures, such as removing a non-existent user. The current implementation batches at the API contract level and reuses existing per-item access-control managers internally. This keeps the behavior consistent with existing single-item APIs, including existing authorization checks, events, and cache invalidation behavior. Internal storage-level batching can still be optimized later without changing the public API response contract. |
Code Coverage Report
Files
|
|
@jarredhj0214 can you split into several small PRs? The current PR is too large to review. |
|
@roryqi Should the "bulk" scenario also consider the scenario where "externalId" is used as the association key? |
I think yes. |
@jarredhj0214 Coluld you split PR? In addition, the implementation of the externalID scenario needs to be considered. |
Currently, the existing single user/group/role access-control APIs are name-based and do not support If we want to support |
I have split the original large PR into smaller PRs. The first split PR will include bulk user operations and the common bulk infrastructure. The bulk group and bulk role operations will be submitted as follow-up PRs after the first one is reviewed/merged, so each PR remains easier to review. For the |
You can update the code. The externalId method has already been implemented. |
|
The first split PR has been created: It includes bulk user operations and the common bulk infrastructure. I will submit the bulk group and bulk role operations as follow-up PRs after this one is reviewed/merged. |
I have updated this PR based on the latest The bulk remove API remains name-based, aligned with the existing single delete user API. The latest changes have been pushed. |
What changes were proposed in this pull request?
This PR adds bulk access control APIs for users, groups, and roles under a metalake:
POST /api/bulk/metalakes/{metalake}/users/addPOST /api/bulk/metalakes/{metalake}/users/removePOST /api/bulk/metalakes/{metalake}/groups/addPOST /api/bulk/metalakes/{metalake}/groups/removePOST /api/bulk/metalakes/{metalake}/roles/addPOST /api/bulk/metalakes/{metalake}/roles/removeThe implementation includes:
succeededandfailedresults.Why are the changes needed?
Currently, users need to call single-resource APIs repeatedly to add or remove multiple users, groups, or roles. These new APIs provide a batch operation interface for access control management and reduce repeated client-side API calls.
This PR follows the behavior discussed in #10805:
succeededand per-item business failures infailed.Closes #10805.
Does this PR introduce any user-facing change?
Yes. This PR introduces new REST APIs for bulk access control operations.
How was this patch tested?