[3.3.6 Backport] CBG-5395: User Access History Compaction #8328

Merged: RIT3shSapata merged 7 commits into release/3.3.6 from CBG-5395 on Jun 9, 2026

RIT3shSapata (Contributor) commented Jun 2, 2026

CBG-5395

Describe your PR here...

  • Backport of user access history compaction

Pre-review checklist

  • Removed debug logging (fmt.Print, log.Print, ...)
  • Logging sensitive data? Make sure it's tagged (e.g. base.UD(docID), base.MD(dbName))
  • Updated relevant information in the API specifications (such as endpoint descriptions, schemas, ...) in docs/api

Dependencies (if applicable)

  • Link upstream PRs
  • Update Go module dependencies when merged

Integration Tests

@RIT3shSapata RIT3shSapata requested a review from adamcfraser June 2, 2026 15:42
Copilot AI review requested due to automatic review settings June 2, 2026 15:42

github-actions Bot commented Jun 2, 2026

Redocly previews

Copilot AI (Contributor) left a comment

Pull request overview

Adds support for inspecting and compacting user channel revocation history (access history) via new admin endpoints, including audit events and OpenAPI documentation, plus coverage in unit, REST, and upgrade tests.

Changes:

  • Add admin REST endpoints to GET a user’s access history and POST compaction requests to remove selected channels from that history.
  • Introduce auth-layer helpers for enumerating collection-scoped history and compacting history entries by channel key.
  • Add audit event IDs/tests and OpenAPI paths/schemas for the new endpoints (including upgrade tests covering default + named collections).

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 7 comments.

| File | Description |
| --- | --- |
| rest/user_api_test.go | Adds REST tests for GET access history and POST compaction across single and multi-collection setups. |
| rest/upgradetest/user_access_history_test.go | Adds upgrade tests ensuring access history/compaction works after adding a named collection to a default-only DB. |
| rest/routing.go | Registers the new admin routes for access history read and compaction. |
| rest/revocation_test.go | Extends revocation test to compact access history and validate behavior post-compaction. |
| rest/audit_test.go | Adds audit-log tests for the new access history read/compact audit events. |
| rest/admin_api.go | Implements the new admin handlers and response types for access history read/compaction. |
| docs/api/paths/admin/db-_user-name-_access_history.yaml | Documents the new GET endpoint. |
| docs/api/paths/admin/db-_user-name-_access_history-compact.yaml | Documents the new POST compaction endpoint. |
| docs/api/components/schemas.yaml | Adds/extends schemas to represent collection-scoped access history and compaction responses. |
| docs/api/admin.yaml | Exposes the new paths in the admin OpenAPI entrypoint. |
| base/audit_events.go | Adds new audit event IDs and event metadata for access history read/compaction. |
| auth/user_test.go | Adds unit tests for channel-history compaction behavior across scopes/collections. |
| auth/role.go | Adds keyed pruning and a CompactChannelHistory method on principals. |
| auth/role_collection_access.go | Adds CollectionAccessHistory type and collection-scoped history extraction logic. |
| auth/principal.go | Extends Principal interface with CompactChannelHistory and collection history access via embedded APIs. |
| auth/collection_access.go | Extends collection-channel API with GetCollectionAccessHistory (plus comment typo fix needed). |

Comment thread rest/admin_api.go
Comment on lines +2394 to +2404
colAccessHistoryMap := make(map[string]map[string][]string)
for scope, cols := range reqUserChannelHistory.Channels {
colAccessHistoryMap[scope] = make(map[string][]string)
for col, colVal := range cols {
colAccessHistoryMap[scope][col] = user.CompactChannelHistory(scope, col, colVal)
}
}

userCompactedChannelHistory := CompactUserAccessHistoryResponse{
CompactedChannels: colAccessHistoryMap,
}
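
Review bot: in the loop at +2395 to +2400, scope, col and colVal come from the request body and go straight into user.CompactChannelHistory; these lines show no check that the scope and collection are configured on the database, and the response gets a map entry for every requested key regardless. Suggest validating the keyspace names and returning a 400 before any history is pruned, so that CompactedChannels only reports collections that exist, and confirming the modified user is saved after the loop, since no save appears in this hunk.
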
Comment thread rest/admin_api.go
Comment on lines +2371 to +2374
h.writeJSON(userChannelHistory)

return err
}
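
Review bot: at +2371 to +2373 the handler calls h.writeJSON(userChannelHistory) and only then does return err, so any non-nil err at that point is reported after the success body has already been written. Check err before the write and finish with return nil, so a failed lookup produces an error response instead of a success body followed by an error.
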
$ref: ../../components/responses.yaml#/Not-found
tags:
- Database Security
operationId: get_db-_user-name-_history
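
Review bot: the operationId get_db-_user-name-_history does not match the path file it belongs to, db-_user-name-_access_history.yaml, which names the resource _access_history. Suggest get_db-_user-name-_access_history so generated clients and doc anchors line up with the route.
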
$ref: ../../components/responses.yaml#/Not-found
tags:
- Database Security
operationId: post_db-_user-name-_history-compact
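
Review bot: the operationId post_db-_user-name-_history-compact omits the access_ part of the path file name db-_user-name-_access_history-compact.yaml. Suggest post_db-_user-name-_access_history-compact so the identifier follows the route it documents.
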
Comment on lines +43 to +51
'400':
description: Bad request. Invalid channel names or malformed request body.
content:
application/json:
schema:
$ref: ../../components/schemas.yaml#/HTTP-Error
example:
error: "Bad Request"
reason: "Invalid channel format: channels must be non-empty strings"
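
Review bot: the example reason at +51 promises a specific validation rule (channels must be non-empty strings), but the handler lines shown for rest/admin_api.go +2394 to +2404 pass each channel list to CompactChannelHistory without such a check. Either add the validation ahead of the loop or change the example to an error message the endpoint actually returns.
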
Comment thread auth/collection_access.go
Comment on lines +69 to +70
// Returns the ColelctionAccessHistory map
GetCollectionAccessHistory() CollectionAccessHistory
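
Review bot: typo in the doc comment at +69: ColelctionAccessHistory should be CollectionAccessHistory. Go doc comments also read better when they start with the method name, for example "GetCollectionAccessHistory returns the CollectionAccessHistory map".
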
Comment thread auth/user_test.go
Comment on lines +656 to +657
// First ch1 succeeds (returns true), second ch1 fails (already deleted, returns false in the map check)
// So we get ch1 and ch2 in the result. The function returns duplicates if passed duplicates.
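
Review bot: the comment at +656 to +657 contradicts itself: the first line says the second ch1 is not found (returns false), while the second says duplicates in the input produce duplicates in the result. State the one behaviour the assertion that follows actually checks, and if a duplicated channel is meant to be returned only once, say so explicitly.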

adamcfraser (Collaborator) left a comment

Generally looks fine, but want to confirm some content in api docs that may not be necessary to backport.

Comment thread docs/api/components/schemas.yaml Outdated
type: string
example: This is an info message produced by console.log("test").

ClusterInfo:

There are a number of definitions being backported here that don't look like they are necessary for the User Access History API. Are those intentional?

adamcfraser (Collaborator) left a comment

You've removed the schema doc entirely here, instead of revoking the unnecessary backports to it.

@RIT3shSapata RIT3shSapata merged commit 4f240d8 into release/3.3.6 Jun 9, 2026
49 checks passed
@RIT3shSapata RIT3shSapata deleted the CBG-5395 branch June 9, 2026 09:13