Skip to content

authz: Remove in-memory cache from Bitbucket Server permissions store

Administrator requested to merge core/global-perms-caching-invalidation into master

Created by: tsenart

This commit removes the in-memory caching layer from the permissions store used by the Bitbucket Server authz provider.

This reduces performance of authzFilter slightly. As indicated by the existing benchmarks, we go from single digit microseconds to single digit milliseconds, since now all authorization requests must incur the cost of a network roundtrip to Postgres and the correspondent serialization and deserialization.

However, this allows us to easily invalidate any user's cached permissions by simply deleting a row in the user_permissions table, which is an operational requirement surfaced by one of our customers.

Eventually, such cache invalidation ought to be more easily triggered via our UI, but for now, we enable admins to do so with a simple playbook:

WITH batch AS (
  SELECT id FROM users
  WHERE username IN (
    'foo',
    'bar',
    'baz'
  )
)

DELETE FROM user_permissions USING batch
WHERE user_permissions.user_id = batch.id;

Part of #4812

Merge request reports

Loading