[A2-798] split partial result update calls for v2 and v2.1

[srenatus]

🔩 Description

authz-service uses OPA's partial eval feature to save time when authorizing requests by "pre-calculating" everything it can figure out without knowing the (variable) input data. However, that process itself takes time, any change to the relevant data (policies, roles, projects) requires a rebuild of that entire state.

When introducing IAM v2.1, we've taken a bit of a shortcut, and have rebuilt both the v2 and the v2.1 queries' partial eval state. This PR is about fixing that.

The need to fix it arises from the rebuild time, which is dependent on the data it's built with, increasing when the data increases (linearly? haven't checked) -- and it's become noticable, and annoying.

ℹ️ Notes

• This PR also expands the current upgrade-to-v2-and-reset-to-v1 tests by going some extra loops through v2.1 as well, see integration/tests/upgrade_reset_iam_v2.sh
• If you look at the commits, you'll find that I had to revert some of the cleanups I thought necessary. The need here was ingest-service, it seems to query the v2.1-related projects-rules stuff on ingest, regardless of whether A2 is using IAM v1, v2 or v2.1.

👍 Definition of Done

When using IAM v2.1, only the v2.1 partial eval result is rebuilt on updated data, and when using v2, only the v2 state is.

👟 Demo Script / Repro Steps

• rebuild components/authz-service
• upgrade to IAM v2.1 (chef-automate iam upgrade-to-v2 --beta2.1)
• create two projects and 30 policies, measuring the time it takes:
  • projects foo and bar: curl -kH "api-token: $TOK" https://localhost/apis/iam/v2beta/projects -d "$(jq -n '{ id: "foo", name: "my foo project" }')" and curl -kH "api-token: $TOK" https://localhost/apis/iam/v2beta/projects -d "$(jq -n '{ id: "bar", name: "my bar project" }')"

[118][default:/src:0]# time for i in $(seq 1 30); do curl -kH "api-token: $TOK" https://localhost/apis/iam/v2beta/policies -d "$(sed "s/ID/$i/" pol.json)"; done
real    0m5.211s
user    0m0.252s
sys     0m0.060s

this is with pol.json containing

{
  "name": "testpolicy",
  "id": "testpolicy-id-ID",
  "members": [
    "team:local:viewers"
  ],
  "statements": [
    {
      "effect": "ALLOW",
      "actions": [],
      "role": "viewer",
      "projects": [
        "*"
      ]
    }
  ],
  "projects": [ "foo", "bar" ]
}

• delete those policies,

[119][default:/src:2]# chef-automate dev psql chef_authz_service -- -c "delete from iam_policies where id ilike 'testpolicy-id-%'"
DELETE 30

• downgrade to v2, redo timing the 30 inserts:

[121][default:/src:130]# chef-automate iam upgrade-to-v2

Upgrading to IAM v2
Migrating v1 policies...
Creating default teams Editors and Viewers...
Skipped: Editors team already exists
Skipped: Viewers team already exists

Migrating existing teams...

Success: Enabled IAM v2
[122][default:/src:0]# time for i in $(seq 1 30); do curl -kH "api-token: $TOK" https://localhost/apis/iam/v2beta/policies -d "$(sed "s/ID/$i/" _dump/pol.json)"; done
[output omitted]
real    8m41.688s
user    0m0.300s
sys     0m0.112s

⚠️ This is odd, isn't it? So, this doesn't solve the issue for IAM v2 customers; but it does promise us a bright and fast future in IAM v2.1. Now I don't really understand (yet) why v2.1 is so much faster to rebuild, but at least we don't drag v2 around 😅. Also, not updating v2.1 when updating v2 takes some of the work away; combined with not updating the engine store twice, this hopefully helps a little.

⛓️ Related Resources

• A2-798 👈 this is about the perceivable delay 🐛 this hopes to improve.

✅ Checklist

• Necessary tests added/updated?
• Necessary docs added/updated?
• Code actually executed?
• Vetting performed (unit tests, lint, etc.)?

[srenatus]

Some reviewer notes inside

[srenatus]

🐛 drive-by bug fix

[srenatus]

ℹ️ this needs to happen after setVersion, so the proper store will be updated in the process (v2 vs v2.1). (v1 is done per-call in its corresponding handlers)

[srenatus]

Let's fix that when we get there? 😉

[srenatus]

E_IMANIDIOT

[tylercloke]

Helpful comment!

[tylercloke]

[msorens]

...and the world is just a little bit better now.

[msorens]

Suggest delete this comment, as well as L194-195; otherwise, make them more parallel to each other (on the same relative line, etc.).

[msorens]

Suggest move dumpData below DumpDataV2p1 so DumpData* are all contiguous.

[msorens]

Could you add a further comment mentioning where you might inject any of the DumpData* calls?

[msorens]

s/v2/v2p1/

[msorens]

Why move the store outside the loop?

[srenatus]

The intention was to only benchmark the relevant bits, not what happens in s.New. Setting the s.v2Store is not relevant, either, but also likely not a thing that influences measurements too much.

[msorens]

I infer it is better to updateEngineStore after ApplyV2DataMigrations...? If so, consider adding a brief in-code comment mentioning why.

[msorens]

Not from your PR, but please rename curPolicyID and lastPolicyID to curPolicyChangeID and lastPolicyChangeID...
( I saw this code and was thinking "What the heck is a 'current policy' and why do we care?" 🤔 )

[srenatus]

I'll touch this code soon to fix the multi-node issue mentioned in the comments. I'll probably do this, then.

[msorens]

Not sure the comment on the line communicates anything additional here...?

[srenatus]

I think it does. I'll elaborate.

[msorens]

Perhaps add a comment explaining why it is OK to use the same test code for v2 and v2p1 here.

[msorens]

Nice!

[srenatus]

So this most likely has issues with switching between v2 and v2.1 in a multi-node setting. I'm not sure how this is currently tested, so thinking hard is the only method we have right now for figuring this out. I'm torn between adding a card outlining the problematic scenario; and adding some commits on top of this PR. I'd rather not do the latter, but since I have no idea who depends on this functionality when, I'm probably opting for that anyways.