[Core] Update cache for workspace permission check #9125

Open
DanielZhangQD wants to merge 3 commits into master from 4810

DanielZhangQD (Collaborator) commented Mar 18, 2026

Fix #8991
Update the cache mechanism from LRU cache to a DB-backed KV cache to avoid the stale cache result when the permission of the workspace or the role of the users is changed.

Tested (run the relevant ones):

  • Code formatting: install pre-commit (auto-check on commit) or bash format.sh
  • Any manual or new tests for this PR (please specify below)
    • Update workspace
    • Delete workspace
    • Add workspace
    • Update config (add, update, delete workspace)
    • Update user role
    • Delete user
  • All smoke tests: /smoke-test (CI) or pytest tests/test_smoke.py (local)
  • Relevant individual tests: /smoke-test -k test_name (CI) or pytest tests/test_smoke.py::test_name (local)
  • Backward compatibility: /quicktest-core (CI) or pytest tests/smoke_tests/test_backward_compat.py (local)

@gemini-code-assist (Contributor)

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refactors the workspace permission checking mechanism by migrating from an in-memory, request-scoped LRU cache to a persistent, database-backed key-value store. This change addresses potential inconsistencies in permission checks across distributed components and ensures that all processes operate with the most up-to-date access policies. The update also includes robust invalidation strategies to clear relevant cache entries whenever user roles or workspace policies are altered, thereby guaranteeing data freshness and correctness.

Highlights

  • Database-backed KV Cache for Workspace Permissions: Implemented a new database-backed key-value cache for check_workspace_permission to ensure consistent permission results across all server and executor processes, replacing the previous request-scoped LRU cache.
  • Comprehensive Cache Invalidation: Introduced explicit cache invalidation mechanisms for user role changes (delete_user, update_role) and workspace policy modifications (add_workspace_policy, update_workspace_policy, remove_workspace_policy) to maintain data freshness.
  • New KV Cache Utility Functions: Added delete_cache_entries_by_prefix and delete_cache_entries_by_pattern to the kv_cache module, enabling more flexible and efficient cache invalidation operations.


gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request introduces a DB-backed KV cache for workspace permission checks, significantly improving performance and ensuring consistency across server and executor processes. The implementation includes robust cache invalidation mechanisms, which are correctly triggered when user roles or workspace policies are modified. New utility functions for deleting cache entries by prefix and pattern have been added to kv_cache.py, along with comprehensive unit tests to cover both the new cache functionalities and the cache invalidation logic within the permission service. The changes are well-designed and contribute positively to the system's efficiency and reliability.
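The invalidation pattern discussed in this thread, as an added sketch that is not code from this pull request or the project: a cached permission result is dropped by user prefix on a role change and by workspace pattern on a policy change. The class `WorkspacePermissions`, the key layout `ws_perm:<user>:<workspace>`, and the in-memory SQLite table standing in for the shared database are all assumptions.

```python
import sqlite3

def _esc(s):
    # Escape LIKE wildcards so an ID such as "dev_1" matches only itself.
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

class WorkspacePermissions:
    """Toy service. Key layout 'ws_perm:<user>:<workspace>' is an assumption."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")  # stands in for the shared DB
        self.db.execute("CREATE TABLE kv (key TEXT PRIMARY KEY, value TEXT)")
        self.allowed = {}    # workspace -> set of user ids (constructed data)
        self.admins = set()  # users whose role grants access everywhere

    def _delete_like(self, pattern):
        self.db.execute("DELETE FROM kv WHERE key LIKE ? ESCAPE '\\'", (pattern,))

    def check(self, user, ws):
        key = f"ws_perm:{user}:{ws}"
        row = self.db.execute("SELECT value FROM kv WHERE key = ?", (key,)).fetchone()
        if row is not None:
            return row[0] == "1"  # cache hit: policy is not re-evaluated
        ok = user in self.admins or user in self.allowed.get(ws, set())
        self.db.execute("INSERT OR REPLACE INTO kv VALUES (?, ?)", (key, "1" if ok else "0"))
        return ok

    def set_policy(self, ws, users, invalidate=True):
        self.allowed[ws] = set(users)
        if invalidate:  # drop every user's cached result for this workspace
            self._delete_like(f"ws\\_perm:%:{_esc(ws)}")

    def set_admin(self, user, is_admin, invalidate=True):
        (self.admins.add if is_admin else self.admins.discard)(user)
        if invalidate:  # drop this user's cached result for every workspace
            self._delete_like(f"ws\\_perm:{_esc(user)}:%")

def demo():
    svc = WorkspacePermissions()
    svc.set_policy("prod", {"bob"})
    granted = svc.check("bob", "prod")               # True, now cached
    svc.set_policy("prod", set(), invalidate=False)  # revoke, cache untouched
    stale = svc.check("bob", "prod")                 # still True: stale grant
    svc.set_policy("prod", set())                    # revoke with invalidation
    fresh = svc.check("bob", "prod")                 # False
    return granted, stale, fresh
```

A pattern that matches too much only costs extra cache misses, while one that matches too little leaves a revoked grant in place, so the escaping errs toward exact matches on the ID and a broad match on the wildcard segment.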

DanielZhangQD marked this pull request as ready for review March 18, 2026 13:24

DanielZhangQD (Collaborator, Author) commented

Hi @SeungjinYang @ibrahimnd2000 PTAL when you're available. Thanks!

Development

Successfully merging this pull request may close these issues.

[Core] Cache improvement for permission service