X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/6f514b3e6aa21afddaa527bf852cff3a5801aa19..c2aceca339ec3a6f3d853865cebd0efe348ff518:/services/api/lib/update_permissions.rb diff --git a/services/api/lib/update_permissions.rb b/services/api/lib/update_permissions.rb index 1d9c1006b8..23e60c8ed9 100644 --- a/services/api/lib/update_permissions.rb +++ b/services/api/lib/update_permissions.rb @@ -7,7 +7,9 @@ require '20200501150153_permission_table_constants' REVOKE_PERM = 0 CAN_MANAGE_PERM = 3 -def update_permissions perm_origin_uuid, starting_uuid, perm_level +def update_permissions perm_origin_uuid, starting_uuid, perm_level, edge_id=nil + return if Thread.current[:suppress_update_permissions] + # # Update a subset of the permission table affected by adding or # removing a particular permission relationship (ownership or a @@ -49,12 +51,23 @@ def update_permissions perm_origin_uuid, starting_uuid, perm_level # see db/migrate/20200501150153_permission_table.rb for details on # how the permissions are computed. + if edge_id.nil? + # For changes of ownership, edge_id is starting_uuid. In turns + # out most invocations of update_permissions are for changes of + # ownership, so make this parameter optional to reduce + # clutter. + # For permission links, the uuid of the link object will be passed in for edge_id. + edge_id = starting_uuid + end + ActiveRecord::Base.transaction do - # "Conflicts with the ROW EXCLUSIVE, SHARE UPDATE EXCLUSIVE, SHARE - # ROW EXCLUSIVE, EXCLUSIVE, and ACCESS EXCLUSIVE lock modes. This - # mode protects a table against concurrent data changes." - ActiveRecord::Base.connection.execute "LOCK TABLE #{PERMISSION_VIEW} in SHARE MODE" + # "Conflicts with the ROW SHARE, ROW EXCLUSIVE, SHARE UPDATE + # EXCLUSIVE, SHARE, SHARE ROW EXCLUSIVE, EXCLUSIVE, and ACCESS + # EXCLUSIVE lock modes. This mode allows only concurrent ACCESS + # SHARE locks, i.e., only reads from the table can proceed in + # parallel with a transaction holding this lock mode." + ActiveRecord::Base.connection.execute "LOCK TABLE #{PERMISSION_VIEW} in EXCLUSIVE MODE" # Workaround for # BUG #15160: planner overestimates number of rows in join when there are more than 200 rows coming from CTE @@ -95,12 +108,13 @@ def update_permissions perm_origin_uuid, starting_uuid, perm_level temptable_perms = "temp_perms_#{rand(2**64).to_s(10)}" ActiveRecord::Base.connection.exec_query %{ create temporary table #{temptable_perms} on commit drop -as select * from compute_permission_subgraph($1, $2, $3) +as select * from compute_permission_subgraph($1, $2, $3, $4) }, 'update_permissions.select', [[nil, perm_origin_uuid], [nil, starting_uuid], - [nil, perm_level]] + [nil, perm_level], + [nil, edge_id]] ActiveRecord::Base.connection.exec_query "SET LOCAL enable_mergejoin to true;" @@ -130,7 +144,7 @@ end def check_permissions_against_full_refresh # No-op except when running tests - return unless Rails.env == 'test' and !Thread.current[:no_check_permissions_against_full_refresh] + return unless Rails.env == 'test' and !Thread.current[:no_check_permissions_against_full_refresh] and !Thread.current[:suppress_update_permissions] # For checking correctness of the incremental permission updates. # Check contents of the current 'materialized_permission' table @@ -146,7 +160,7 @@ order by user_uuid, target_uuid #{PERM_QUERY_TEMPLATE % {:base_case => %{ select uuid, uuid, 3, true, true from users }, -:override => '' +:edge_perm => 'edges.val' } }) as pq order by origin_uuid, target_uuid }, "check_permissions_against_full_refresh.full_recompute" @@ -181,6 +195,17 @@ def skip_check_permissions_against_full_refresh end end +def batch_update_permissions + check_perm_was = Thread.current[:suppress_update_permissions] + Thread.current[:suppress_update_permissions] = true + begin + yield + ensure + Thread.current[:suppress_update_permissions] = check_perm_was + refresh_permissions + end +end + # Used to account for permissions that a user gains by having # can_manage on another user. #