Skip to content

SS-1898 Add configurable caching for auth permission checks#541

Merged
hamzaimran08 merged 8 commits into
developfrom
SS-1898-add-caching-to-auth
Jun 11, 2026
Merged

SS-1898 Add configurable caching for auth permission checks#541
hamzaimran08 merged 8 commits into
developfrom
SS-1898-add-caching-to-auth

Conversation

@hamzaimran08

@hamzaimran08 hamzaimran08 commented Jun 5, 2026

Copy link
Copy Markdown
Collaborator

Description

This PR relates to SS-1898.

This reduces repeated database work on high-traffic auth, status, and public-app flows that can add pressure to the Postgres connection pool during concurrency spikes. The caches are configurable and use short TTLs so they can be enabled gradually without making permission changes stale for long.

  • /auth/ permission cache: caches the internal /auth/ allow/deny decision for subdomain requests. It is off by default and can be enabled with AUTH_PERMISSION_CACHE_ENABLED=true.
  • Auth request logging: logs uncached /auth/ checks so we can see when requests actually hit the permission path instead of being served from cache.
  • Project permission cache: caches short-lived can_view_project decisions for frequently-polled status endpoints. Grant, revoke, and project delete paths invalidate the relevant project permission cache entry immediately; missing projects are not cached.
  • Early auth rejection: GetStatusView, BackgroundTaskStatusAPI, and ProjectStatusView now reject unauthenticated or unauthorized requests before doing project, app, or task lookups.
  • Cache structure: generic cache helpers live in common/auth_cache.py, /auth/-specific logic lives in studio/auth_permission_cache.py, and project permission caching/invalidation lives in projects/permissions.py.
  • Public endpoint caching: /openapi/v1/public-apps, the public apps page, homepage counts, and recent public apps now cache their results with PUBLIC_APPS_CACHE_TIMEOUT.
  • Query cleanup: public app listing avoids repeated Apps.objects.get(...) calls by using bulk loading, select_related, and .values(...) where appropriate.
  • Optional session cache: adds SESSION_CACHE_ENABLED for Django’s cached_db session backend when Redis-backed session caching should be enabled.

Config

  • AUTH_PERMISSION_CACHE_ENABLED default: false
  • AUTH_PERMISSION_CACHE_TIMEOUT default: 30
  • AUTH_PERMISSION_CACHE_DENY_TIMEOUT default: 5
  • AUTH_REQUEST_LOGGING_ENABLED default: true
  • PROJECT_PERMISSION_CACHE_TIMEOUT default: 5, set to 0 to disable
  • PUBLIC_APPS_CACHE_TIMEOUT default: 30
  • SESSION_CACHE_ENABLED default: false

Checklist

  • This pull request is against develop branch (not applicable for hotfixes)
  • I have included a link to the issue on GitHub or JIRA (if any)
  • I have included migration files (if there are changes to the model classes)
  • I have added or updated unit and end2end tests or a manual test case to complement my changes
  • I have ran unit and end2end tests
  • I have updated the related documentation (if necessary)
  • I have added a reviewer for this pull request
  • I have added myself as an author for this pull request
  • In the case I have modified settings.py, then I have also updated the studio-settings-configmap.yaml file in serve-charts
  • In case your changes are large enough, did you deploy your changes to develop instance?

@hamzaimran08 hamzaimran08 self-assigned this Jun 5, 2026
@hamzaimran08 hamzaimran08 requested a review from a team as a code owner June 5, 2026 12:35
@hamzaimran08 hamzaimran08 requested a review from j-awada June 5, 2026 13:29
@j-awada

j-awada commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

I think I would have implemented this similar to the way you did however some suggestions that I'll paste here that are up for discussion but are non-blocking:

  • To structure the caching logic in a separate auth_cache.py file with compact functions like _build_auth_cache_key, _set_auth_cache_key, get key from cache, invalidate key in cache, etc.
  • These can then be imported from studio/views.py but also maybe project/views.py or other, where the cache key needs to be invalidated after a permission change like can_view_project.
  • This would also make it easy to do future changes or to extend on the code if the logic sits together somewhat like studio/throttle.py

Comment thread studio/views.py Outdated
Comment thread studio/views.py Outdated
@hamzaimran08

Copy link
Copy Markdown
Collaborator Author

I think I would have implemented this similar to the way you did however some suggestions that I'll paste here that are up for discussion but are non-blocking:

  • To structure the caching logic in a separate auth_cache.py file with compact functions like _build_auth_cache_key, _set_auth_cache_key, get key from cache, invalidate key in cache, etc.
  • These can then be imported from studio/views.py but also maybe project/views.py or other, where the cache key needs to be invalidated after a permission change like can_view_project.
  • This would also make it easy to do future changes or to extend on the code if the logic sits together somewhat like studio/throttle.py

Agreed, I will make these changes.

@j-awada j-awada left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for making the changes, works as expected locally.

@hamzaimran08 hamzaimran08 merged commit 4b4195f into develop Jun 11, 2026
2 checks passed
@hamzaimran08 hamzaimran08 deleted the SS-1898-add-caching-to-auth branch June 11, 2026 15:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants