fix: Reverted enable_multiple_grants #1225
Closed
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Revert for enable_multiple_grants because it does not work properly as intended and is causing side effects. One of the biggest side effects is that because the roles are part of the id, when a role is added to an existing object grant, the id changes, which in turn triggers the resource to be replaced which means that the current roles will be revoked then granted again. This causes a significant disruption when users that are using the affected roles are running a query when the grants are being rolled out.
This side effect was only noticed by us now because we were creating new grants with the new id format which includes the roles in the id itself. For our old grant resources this is not the case because it was still using the id format that excluded the roles prior to the introduction of the enable_multiple_grants feature.
Test Plan
References