[FC-0099] refactor: use decorator to manage policy lifecycle for low-level APIs

[mariajgrimaldi]

Description

Implement a decorator to handle the policy lifecycle before and after calling any public API method. The goal is to free clients from manually loading and clearing the enforcer, ensuring each operation uses the latest policies from the datastore.

The decorator should:

1. Load the policy into the enforcer before calling the API method. This means reading the policy from the datastore (Django model) and loading it into memory, making it accessible to the enforcer instance.
2. Call the API function, which assumes it’s working with the latest policy data.
3. Clear the enforcer once the function completes, so it can be safely reused.

The main concern with this approach (and the previous one, though it's clearer here) is that we have a single enforcer per process. If two requests run in parallel and one finishes first, clearing the enforcer could affect the other request mid-operation.

Here's what I've been thinking:

1. A possible alternative is to create one enforcer per transaction, where a transaction represents a low-level API operation. The enforcer would be disposed of afterward, avoiding shared state between concurrent requests. Or instead of per transaction, per request.
2. Another option is to use a synced enforcer, which provides synchronized access but may reduce performance.
3. We make the enforcer a shared entity, read-only, loaded once at first and then reloaded (safely) only when there is a change here: https://github.com/openedx/openedx-authz/blob/main/openedx_authz/engine/watcher.py#L22-L32

What do you think?

Casbin references related to this topic:

• https://casbin.org/docs/enforcers
• https://casbin.org/docs/multi-threading

[openedx-webhooks]

Thanks for the pull request, @mariajgrimaldi!

This repository is currently maintained by @openedx/committers-openedx-authz.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

• If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
  • This process (including the steps you'll need to take) is documented here.
• If it doesn't, simply proceed with the next step.

🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

• Dependencies

  This PR must be merged before / after / at the same time as ...

• Blockers

  This PR is waiting for OEP-1234 to be accepted.

• Timeline information

  This PR must be merged by XX date because ...

• Partner information

  This is for a course on edx.org.

• Supporting documentation
• Relevant Open edX discussion forum threads

🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details

---

Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

• Overview of Review Process for Community Contributions
• Pull Request Status Guide
• Making changes to your pull request

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

• The size and impact of the changes that it introduces
• The need for product review
• Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

[mariajgrimaldi]

TODO: need to add tests for action grouping at least for enforcement.

[bmtcril]

nit: You can probably just annotate this return as Any from typing.

[bmtcril]

Are we planning on getting this working for Ulmo? If not, I would rather temporarily remove the code we're not using than have code that we don't trust just disabled via a flag.

[mariajgrimaldi]

I agree! I can remove it and save it in another branch. My initial idea was to start by loading the entire policy and then address any issues with this approach retroactively. I did try adding support for filtered loading, but I ran into some issues while finishing the implementation and adding tests. As I mentioned here: https://github.com/openedx/openedx-authz/pull/86/files#diff-a6773904192669f0814472909dcec3567d5a893f6a97e6b8682cdd2ba8bcb55dR40-R55, in my opinion, making filtered loading consistent would probably require a different model, which isn't a priority right now. We could revisit it later if we notice resource consumption issues.

[BryanttV]

It looks great, I just have a few comments. I'll be testing these changes more thoroughly in my local environment.

[BryanttV]

Unused variable

[BryanttV]

Could we use the GENERIC_SCOPE_WILDCARD variable instead of the * literal character?

[BryanttV]

Could we add examples in the docstring? I think they are very useful for understanding.

[BryanttV]

To highlight the code:

Suggested change

	# Without filtering (loads all policies):
	@manage_policy_lifecycle()
	def get_all_roles():
	return enforcer.get_all_roles()
	# With scope filtering (loads only relevant policies):
	@manage_policy_lifecycle(filter_on="scope")
	def get_roles_in_scope(scope: ScopeData):
	return enforcer.get_filtered_roles(scope.namespaced_key)
	- Without filtering (loads all policies)::
	@manage_policy_lifecycle()
	def get_all_roles():
	return enforcer.get_all_roles()
	- With scope filtering (loads only relevant policies)::
	@manage_policy_lifecycle(filter_on="scope")
	def get_roles_in_scope(scope: ScopeData):
	return enforcer.get_filtered_roles(scope.namespaced_key)

[BryanttV]

Please, remove the enforcer.load_policy()

[BryanttV]

I'm concerned about having to load the policy twice, since this function is called internally by other functions here.

[BryanttV]

I have already tested the changes using the REST API with different users, and it loads the policies correctly. Thanks!

[BryanttV]

Suggested change

	@manage_policy_lifecycle(filter_on="scope")
	@manage_policy_lifecycle()

[BryanttV]

Please add the decorator to the get_subjects_for_role function

[mariajgrimaldi]

Thanks for the review, @bmtcril @BryanttV! I'll be going through your comments later today :)

What do you think of the concern I documented in the cover letter? Let me know!

[bmtcril]

Thanks for the review, @bmtcril @BryanttV! I'll be going through your comments later today :)

What do you think of the concern I documented in the cover letter? Let me know!

Here are my assumptions, please correct me if I'm wrong:

• The policy is a combination all of the permissions, roles, permission inheritance, and role assignments to users
• The policy can be partially invalidated by adding or deleting rows (at runtime this should always be granting or revoking roles from users, I think?)

I think I've come around to the sync'd enforcer with a short timeout of like 5-10 seconds for the following reasons:

• Why not option 1: Pulling all rows from MySQL once or several times per view can be a very heavy operation on large instances
• Why not option 3: redis-watcher doesn't support reconnection, so if redis goes down or the application loses the connection the application will be stuck with an old policy until restart (see here and here)
• I'd considered a pull through redis cache, but I think the whole policy is likely to grow too large to store in redis.

Compared to these, a few seconds of staleness seems to be the lesser evil. It is worth noting that it would still be 1 enforcer per process (by default Tutor runs 2 processes per container) so on a large instance with, say 15 lms/cms containers and 5 lms-worker/cms-worker containers running (each is only 1 process). So with 35 distinct Python processes it would still constantly hit the database several times a second at a 10 second cadence (though in most cases it would probably be cached). As such we should definitely make this configurable if we go this way.

Thoughts for the future:

• If the watcher could handle service interruptions better I think that would be the way to go
• I'd be curious to see how much we can scope our access patterns down to smaller chunks and aggressively cache those in redis. I'd expect that by far the majority of interactions with the policy would be scoped permissions checks for a single user, which should be cacheable. Combining this with a more resilient watcher might be our best option.

[BryanttV]

Hi @bmtcril, thanks for your proposal! I just created a PR with the necessary changes to use the SynEnforcer here: #103, Any questions or suggestions are welcome!

[mariajgrimaldi]

If approved, this PR should be closed in favor of #103

[bmtcril]

If approved, this PR should be closed in favor of #103

@mariajgrimaldi I approved on that one, but would appreciate your review there too

[mariajgrimaldi]

This PR will be closed in favor of #103, other efforts to use load_filtered_policy will be addressed as part of a different effort which could reuse this initial approach.