feat: Policy cache invalidation approach (openedx#140)

Author: rodmgwgu

CHANGELOG.rst

@@ -16,6 +16,15 @@ Unreleased
 
 *
 
+0.19.0 - 2025-11-18
+********************
+
+Added
+=====
+
+* Handle cache invalidation via a uuid in the database to ensure policy reloads
+  occur only when necessary.
+
 0.18.0 - 2025-11-17
 ********************
 

openedx_authz/__init__.py

@@ -4,6 +4,6 @@
 
 import os
 
-__version__ = "0.18.0"
+__version__ = "0.19.0"
 
 ROOT_DIRECTORY = os.path.dirname(os.path.abspath(__file__))

openedx_authz/api/roles.py

@@ -219,6 +219,9 @@ def assign_role_to_subject_in_scope(subject: SubjectData, role: RoleData, scope:
         )
         if not extended_rule:
             raise Exception("Failed to create ExtendedCasbinRule for the assignment")
+
+    # Invalidate policy cache to ensure changes are picked up
+    AuthzEnforcer.invalidate_policy_cache()
     return True
 
 
@@ -245,7 +248,12 @@ def unassign_role_from_subject_in_scope(subject: SubjectData, role: RoleData, sc
         bool: True if the role was unassigned successfully, False otherwise.
     """
     enforcer = AuthzEnforcer.get_enforcer()
-    return enforcer.delete_roles_for_user_in_domain(subject.namespaced_key, role.namespaced_key, scope.namespaced_key)
+    success = enforcer.delete_roles_for_user_in_domain(
+        subject.namespaced_key, role.namespaced_key, scope.namespaced_key
+    )
+    # Invalidate policy cache to ensure changes are picked up
+    AuthzEnforcer.invalidate_policy_cache()
+    return success
 
 
 def batch_unassign_role_from_subjects_in_scope(subjects: list[SubjectData], role: RoleData, scope: ScopeData) -> None:

openedx_authz/engine/enforcer.py

@@ -16,12 +16,14 @@
 """
 
 import logging
+from uuid import uuid4
 
 from casbin import SyncedEnforcer
 from casbin_adapter.enforcer import initialize_enforcer
 from django.conf import settings
 
 from openedx_authz.engine.adapter import ExtendedAdapter
+from openedx_authz.models.engine import PolicyCacheControl
 
 
 def libraries_v2_enabled() -> bool:
@@ -68,6 +70,7 @@ class AuthzEnforcer:
 
     _enforcer = None
     _adapter = None
+    _last_policy_loaded_version = None
 
     def __new__(cls):
         """Singleton pattern to ensure a single enforcer instance."""
@@ -153,6 +156,45 @@ def configure_enforcer_auto_save_and_load(cls):
 
         cls.configure_enforcer_auto_save(auto_save_policy)
 
+    @classmethod
+    def load_policy_if_needed(cls):
+        """Load policy if the last load version indicates it's needed.
+
+        This method checks if the policy needs to be reloaded comparing
+        the last load version with the version in the cache invalidation model,
+        and reloads it if necessary.
+
+        Returns:
+            None
+        """
+        last_version = PolicyCacheControl.get_version()
+
+        if last_version is None:
+            # No version in cache control; initialize it
+            last_version = uuid4()
+            PolicyCacheControl.set_version(last_version)
+            logger.info("Initialized policy last modified version in cache control.")
+
+        if cls._last_policy_loaded_version is None or last_version != cls._last_policy_loaded_version:
+            # Policy has been modified since last load; reload it
+            cls._enforcer.load_policy()
+            cls._last_policy_loaded_version = last_version
+            logger.info(f"Reloaded policy to version {last_version}")
+
+    @classmethod
+    def invalidate_policy_cache(cls):
+        """Invalidate the current policy cache to force a reload on next check.
+
+        This method updates the last modified version in the cache invalidation model
+        to a new UUID, indicating that the policy has changed.
+
+        Returns:
+            None
+        """
+        new_version = uuid4()
+        PolicyCacheControl.set_version(new_version)
+        logger.info(f"Invalidated policy cache to version {new_version}")
+
     @classmethod
     def get_enforcer(cls) -> SyncedEnforcer:
         """Get the enforcer instance, creating it if needed.
@@ -163,6 +205,9 @@ def get_enforcer(cls) -> SyncedEnforcer:
         if cls._enforcer is None:
             cls._enforcer = cls._initialize_enforcer()
 
+        # (re)load policy if needed
+        cls.load_policy_if_needed()
+
         # HACK: This code block will only be useful when in Ulmo to deactivate
         # the enforcer when the new library experience is disabled. It should be
         # removed for the next release cycle.

openedx_authz/migrations/0005_policycachecontrol.py

@@ -0,0 +1,21 @@
+# Generated by Django 4.2.24 on 2025-11-14 22:38
+
+import uuid
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("openedx_authz", "0004_contentlibraryscope"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="PolicyCacheControl",
+            fields=[
+                ("id", models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")),
+                ("version", models.UUIDField(default=uuid.uuid4)),
+            ],
+        ),
+    ]

…tions/0005_migrate_legacy_permissions.py …tions/0006_migrate_legacy_permissions.pyopenedx_authz/migrations/0005_migrate_legacy_permissions.py renamed to openedx_authz/migrations/0006_migrate_legacy_permissions.py openedx_authz/migrations/0005_migrate_legacy_permissions.py renamed to openedx_authz/migrations/0006_migrate_legacy_permissions.py

@@ -53,7 +53,7 @@ class Migration(migrations.Migration):
     """
 
     dependencies = [
-        ("openedx_authz", "0004_contentlibraryscope"),
+        ("openedx_authz", "0005_policycachecontrol"),
     ]
 
     operations = [

openedx_authz/models/engine.py

@@ -0,0 +1,51 @@
+"""Models for the authorization engine."""
+
+from uuid import UUID, uuid4
+
+from django.db import models
+
+
+class PolicyCacheControl(models.Model):
+    """Model to control policy cache invalidation.
+
+    This model can be used to trigger cache invalidation for authorization policies
+    by changing the version. Whenever this model is updated, the authorization
+    engine should invalidate its cached policies.
+
+    .. no_pii:
+    """
+
+    version = models.UUIDField(default=uuid4)
+
+    def save(self, *args, **kwargs):
+        """Override save to ensure a single instance."""
+        self.pk = 1  # Ensure a single instance
+        super().save(*args, **kwargs)
+
+    @classmethod
+    def get(cls):
+        """Get the singleton instance of the model."""
+        obj, _ = cls.objects.get_or_create(pk=1)
+        return obj
+
+    @classmethod
+    def get_version(cls):
+        """Get the version for policy cache control.
+
+        Returns:
+            UUID: The version of the last update.
+        """
+        instance = cls.get()
+        return instance.version
+
+    @classmethod
+    def set_version(cls, version: UUID):
+        """Update the cache version.
+
+        This method updates the cache version, which can be used to signal
+        that the policy cache should be invalidated.
+        """
+        instance = cls.get()
+        instance.version = version
+
+        instance.save()

openedx_authz/rest_api/v1/permissions.py

@@ -5,7 +5,6 @@
 from rest_framework.permissions import BasePermission
 
 from openedx_authz import api
-from openedx_authz.engine.enforcer import AuthzEnforcer
 
 
 class PermissionMeta(type(BasePermission)):
@@ -183,7 +182,6 @@ def has_permission(self, request, view) -> bool:
         """
         if request.user.is_superuser or request.user.is_staff:
             return True
-        AuthzEnforcer.get_enforcer().load_policy()
         return self._get_permission_instance(request).has_permission(request, view)
 
     def has_object_permission(self, request, view, obj) -> bool:
@@ -200,7 +198,6 @@ def has_object_permission(self, request, view, obj) -> bool:
         """
         if request.user.is_superuser or request.user.is_staff:
             return True
-        AuthzEnforcer.get_enforcer().load_policy()
         return self._get_permission_instance(request).has_object_permission(request, view, obj)
 
 

openedx_authz/rest_api/v1/views.py

@@ -16,7 +16,6 @@
 
 from openedx_authz import api
 from openedx_authz.constants import permissions
-from openedx_authz.engine.enforcer import AuthzEnforcer
 from openedx_authz.rest_api.data import RoleOperationError, RoleOperationStatus
 from openedx_authz.rest_api.decorators import authz_permissions, view_auth_classes
 from openedx_authz.rest_api.utils import (
@@ -103,7 +102,6 @@ class PermissionValidationMeView(APIView):
     )
     def post(self, request: HttpRequest) -> Response:
         """Validate one or more permissions for the authenticated user."""
-        AuthzEnforcer.get_enforcer().load_policy()
 
         serializer = PermissionValidationSerializer(data=request.data, many=True)
         serializer.is_valid(raise_exception=True)

openedx_authz/settings/common.py

@@ -31,8 +31,10 @@ def plugin_settings(settings):
     # Set default CASBIN_AUTO_LOAD_POLICY_INTERVAL if not already set.
     # This setting defines how often (in seconds) the Casbin enforcer should
     # automatically reload policies from the database.
+    # By default, we set it to 0, which disables the auto-reload.
+    # As it shouldn't be needed thanks to cache invalidation.
     if not hasattr(settings, "CASBIN_AUTO_LOAD_POLICY_INTERVAL"):
-        settings.CASBIN_AUTO_LOAD_POLICY_INTERVAL = 5
+        settings.CASBIN_AUTO_LOAD_POLICY_INTERVAL = 0
 
     # Set default CASBIN_AUTO_SAVE_POLICY if not already set.
     # This setting defines whether the Casbin enforcer should automatically