nodedb 0.2.0

Local-first, real-time, edge-to-cloud hybrid database for multi-modal workloads
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52

// SPDX-License-Identifier: BUSL-1.1

//! Post-apply side effects for RLS policy `CatalogEntry` variants.
//!
//! After the synchronous `apply::rls` step has written the redb row,
//! this rehydrates the runtime `RlsPolicy` (deserializing the
//! compiled predicate / deny mode JSON) and installs it into the
//! in-memory `RlsPolicyStore` on every node so the read/write
//! evaluators see the new policy on their next request.

use std::sync::Arc;

use tracing::warn;

use crate::control::security::catalog::StoredRlsPolicy;
use crate::control::state::SharedState;

pub fn put(stored: StoredRlsPolicy, shared: Arc<SharedState>) {
    match stored.to_runtime() {
        Ok(runtime) => {
            shared.rls.install_replicated_policy(runtime);
            tracing::debug!(
                policy = %stored.name,
                collection = %stored.collection,
                tenant = stored.tenant_id,
                "post_apply: RLS policy replicated"
            );
        }
        Err(e) => {
            warn!(
                policy = %stored.name,
                collection = %stored.collection,
                tenant = stored.tenant_id,
                error = %e,
                "post_apply: RLS policy rehydration failed"
            );
        }
    }
}

pub fn delete(tenant_id: u64, collection: String, name: String, shared: Arc<SharedState>) {
    let removed = shared
        .rls
        .install_replicated_drop_policy(tenant_id, &collection, &name);
    tracing::debug!(
        policy = %name,
        collection = %collection,
        tenant = tenant_id,
        removed,
        "post_apply: RLS policy drop replicated"
    );
}