RBAC: Split non-empty scopes into kind, attribute and identifier fields for better search performance (#71933)

* add a feature toggle * add the fields for attribute, kind and identifier to permission Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * set the new fields when new permissions are stored * add migrations Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * remove comments * Update pkg/services/accesscontrol/migrator/migrator.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * feedback: put column migrations behind the feature toggle, added an index, changed how wildcard scopes are split * PR feedback: add a comment and revert an accidentally changed file * PR feedback: handle the case with : in resource identifier * switch from checking feature toggle through cfg to checking it through featuremgmt * don't put the column migrations behind a feature toggle after all - this breaks permission queries from db --------- Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-02-25 18:55:37 -06:00 · 2023-07-21 15:23:01 +01:00
parent 59eb2f68b7
commit cfa1a2c55f
23 changed files with 179 additions and 37 deletions
--- a/pkg/services/accesscontrol/migrator/migrator.go
+++ b/pkg/services/accesscontrol/migrator/migrator.go
@@ -0,0 +1,44 @@
+package migrator
+
+import (
+	"context"
+	"time"
+
+	"github.com/grafana/grafana/pkg/infra/db"
+	"github.com/grafana/grafana/pkg/infra/log"
+	"github.com/grafana/grafana/pkg/services/accesscontrol"
+	"github.com/grafana/grafana/pkg/services/sqlstore"
+)
+
+func MigrateScopeSplit(db db.DB, log log.Logger) error {
+	t := time.Now()
+	var count = 0
+	err := db.WithTransactionalDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
+		var permissions []accesscontrol.Permission
+
+		err := sess.SQL("SELECT * FROM permission WHERE NOT scope = '' AND identifier = ''").Find(&permissions)
+		if err != nil {
+			return err
+		}
+
+		for i, p := range permissions {
+			count++
+			kind, attribute, identifier := p.SplitScope()
+
+			permissions[i].Kind = kind
+			permissions[i].Attribute = attribute
+			permissions[i].Identifier = identifier
+
+			_, err := sess.Exec("UPDATE permission SET kind = ?, attribute = ?, identifier = ? WHERE id = ?", permissions[i].Kind, permissions[i].Attribute, permissions[i].Identifier, permissions[i].ID)
+			if err != nil {
+				return err
+			}
+		}
+
+		return nil
+	})
+
+	log.Debug("Migrated permissions ", "count", count, "in", time.Since(t))
+
+	return err
+}