feat(eventstore): increase parallel write capabilities (#5940)

This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2025-08-11 21:37:32 +00:00 · 2023-10-19 12:19:10 +02:00
parent 259faba3f0
commit b5564572bc
791 changed files with 30326 additions and 43202 deletions
--- a/internal/authz/repository/eventsourcing/eventstore/token_verifier.go
+++ b/internal/authz/repository/eventsourcing/eventstore/token_verifier.go
@@ -19,8 +19,7 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	caos_errs "github.com/zitadel/zitadel/internal/errors"
-	v1 "github.com/zitadel/zitadel/internal/eventstore/v1"
-	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
+	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/query"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 	usr_model "github.com/zitadel/zitadel/internal/user/model"
@@ -30,7 +29,7 @@ import (

 type TokenVerifierRepo struct {
 	TokenVerificationKey crypto.EncryptionAlgorithm
-	Eventstore           v1.Eventstore
+	Eventstore           *eventstore.Eventstore
 	View                 *view.View
 	Query                *query.Queries
 	ExternalSecure       bool
@@ -48,7 +47,7 @@ func (repo *TokenVerifierRepo) tokenByID(ctx context.Context, tokenID, userID st

 	// always load the latest sequence first, so in case the token was not found by id,
 	// the sequence will be equal or lower than the actual projection and no events are lost
-	sequence, err := repo.View.GetLatestTokenSequence(ctx, instanceID)
+	sequence, err := repo.View.GetLatestState(ctx)
 	logging.WithFields("instanceID", instanceID, "userID", userID, "tokenID", tokenID).
 		OnError(err).
 		Errorf("could not get current sequence for token check")
@@ -62,7 +61,7 @@ func (repo *TokenVerifierRepo) tokenByID(ctx context.Context, tokenID, userID st
 		token.ID = tokenID
 		token.UserID = userID
 		if sequence != nil {
-			token.Sequence = sequence.CurrentSequence
+			token.Sequence = sequence.Sequence
 		}
 	}

@@ -245,14 +244,14 @@ func (repo *TokenVerifierRepo) VerifierClientID(ctx context.Context, appName str
 	return clientID, app.ProjectID, nil
 }

-func (repo *TokenVerifierRepo) getUserEvents(ctx context.Context, userID, instanceID string, sequence uint64, eventTypes []models.EventType) (_ []*models.Event, err error) {
+func (repo *TokenVerifierRepo) getUserEvents(ctx context.Context, userID, instanceID string, sequence uint64, eventTypes []eventstore.EventType) (_ []eventstore.Event, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 	query, err := usr_view.UserByIDQuery(userID, instanceID, sequence, eventTypes)
 	if err != nil {
 		return nil, err
 	}
-	return repo.Eventstore.FilterEvents(ctx, query)
+	return repo.Eventstore.Filter(ctx, query)
 }

 // getTokenIDAndSubject returns the TokenID and Subject of both opaque tokens and JWTs
--- a/internal/authz/repository/eventsourcing/eventstore/user_membership.go
+++ b/internal/authz/repository/eventsourcing/eventstore/user_membership.go
@@ -12,17 +12,18 @@ type UserMembershipRepo struct {
 	Queries *query.Queries
 }

-func (repo *UserMembershipRepo) SearchMyMemberships(ctx context.Context, orgID string) (_ []*authz.Membership, err error) {
+func (repo *UserMembershipRepo) SearchMyMemberships(ctx context.Context, orgID string, shouldTriggerBulk bool) (_ []*authz.Membership, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
-	memberships, err := repo.searchUserMemberships(ctx, orgID)
+
+	memberships, err := repo.searchUserMemberships(ctx, orgID, shouldTriggerBulk)
 	if err != nil {
 		return nil, err
 	}
 	return userMembershipsToMemberships(memberships), nil
 }

-func (repo *UserMembershipRepo) searchUserMemberships(ctx context.Context, orgID string) (_ []*query.Membership, err error) {
+func (repo *UserMembershipRepo) searchUserMemberships(ctx context.Context, orgID string, shouldTriggerBulk bool) (_ []*query.Membership, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 	ctxData := authz.GetCtxData(ctx)
@@ -40,7 +41,7 @@ func (repo *UserMembershipRepo) searchUserMemberships(ctx context.Context, orgID
 	}
 	memberships, err := repo.Queries.Memberships(ctx, &query.MembershipSearchQuery{
 		Queries: []query.SearchQuery{userIDQuery, query.Or(orgIDsQuery, grantedIDQuery)},
-	}, false)
+	}, false, shouldTriggerBulk)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/authz/repository/eventsourcing/repository.go
+++ b/internal/authz/repository/eventsourcing/repository.go
@@ -4,37 +4,30 @@ import (
 	"context"

 	"github.com/zitadel/zitadel/internal/authz/repository"
-	"github.com/zitadel/zitadel/internal/authz/repository/eventsourcing/eventstore"
+	authz_es "github.com/zitadel/zitadel/internal/authz/repository/eventsourcing/eventstore"
 	authz_view "github.com/zitadel/zitadel/internal/authz/repository/eventsourcing/view"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/database"
-	v1 "github.com/zitadel/zitadel/internal/eventstore/v1"
-	"github.com/zitadel/zitadel/internal/id"
+	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/query"
 )

 type EsRepository struct {
-	eventstore.UserMembershipRepo
-	eventstore.TokenVerifierRepo
+	authz_es.UserMembershipRepo
+	authz_es.TokenVerifierRepo
 }

-func Start(queries *query.Queries, dbClient *database.DB, keyEncryptionAlgorithm crypto.EncryptionAlgorithm, externalSecure, allowOrderByCreationDate bool) (repository.Repository, error) {
-	es, err := v1.Start(dbClient, allowOrderByCreationDate)
-	if err != nil {
-		return nil, err
-	}
-
-	idGenerator := id.SonyFlakeGenerator()
-	view, err := authz_view.StartView(dbClient, idGenerator, queries)
+func Start(queries *query.Queries, es *eventstore.Eventstore, dbClient *database.DB, keyEncryptionAlgorithm crypto.EncryptionAlgorithm, externalSecure bool) (repository.Repository, error) {
+	view, err := authz_view.StartView(dbClient, queries)
 	if err != nil {
 		return nil, err
 	}

 	return &EsRepository{
-		eventstore.UserMembershipRepo{
+		authz_es.UserMembershipRepo{
 			Queries: queries,
 		},
-		eventstore.TokenVerifierRepo{
+		authz_es.TokenVerifierRepo{
 			TokenVerificationKey: keyEncryptionAlgorithm,
 			Eventstore:           es,
 			View:                 view,
--- a/internal/authz/repository/eventsourcing/view/error_event.go
+++ b/internal/authz/repository/eventsourcing/view/error_event.go
@@ -1,17 +0,0 @@
-package view
-
-import (
-	"github.com/zitadel/zitadel/internal/view/repository"
-)
-
-const (
-	errTable = "auth.failed_events"
-)
-
-func (v *View) saveFailedEvent(failedEvent *repository.FailedEvent) error {
-	return repository.SaveFailedEvent(v.Db, errTable, failedEvent)
-}
-
-func (v *View) latestFailedEvent(viewName, instanceID string, sequence uint64) (*repository.FailedEvent, error) {
-	return repository.LatestFailedEvent(v.Db, errTable, viewName, instanceID, sequence)
-}
--- a/internal/authz/repository/eventsourcing/view/sequence.go
+++ b/internal/authz/repository/eventsourcing/view/sequence.go
@@ -1,20 +0,0 @@
-package view
-
-import (
-	"context"
-
-	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
-	"github.com/zitadel/zitadel/internal/view/repository"
-)
-
-const (
-	sequencesTable = "auth.current_sequences"
-)
-
-func (v *View) saveCurrentSequence(viewName string, event *models.Event) error {
-	return repository.SaveCurrentSequence(v.Db, sequencesTable, viewName, event.InstanceID, event.Sequence, event.CreationDate)
-}
-
-func (v *View) latestSequence(ctx context.Context, viewName, instanceID string) (*repository.CurrentSequence, error) {
-	return repository.LatestSequence(v.Db, v.TimeTravel(ctx, sequencesTable), viewName, instanceID)
-}
--- a/internal/authz/repository/eventsourcing/view/token.go
+++ b/internal/authz/repository/eventsourcing/view/token.go
@@ -3,11 +3,12 @@ package view
 import (
 	"context"

+	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
+	"github.com/zitadel/zitadel/internal/query"
 	usr_view "github.com/zitadel/zitadel/internal/user/repository/view"
 	usr_view_model "github.com/zitadel/zitadel/internal/user/repository/view/model"
-	"github.com/zitadel/zitadel/internal/view/repository"
 )

 const (
@@ -19,11 +20,7 @@ func (v *View) TokenByIDs(tokenID, userID, instanceID string) (*usr_view_model.T
 }

 func (v *View) PutToken(token *usr_view_model.TokenView, event *models.Event) error {
-	err := usr_view.PutToken(v.Db, tokenTable, token)
-	if err != nil {
-		return err
-	}
-	return v.ProcessedTokenSequence(event)
+	return usr_view.PutToken(v.Db, tokenTable, token)
 }

 func (v *View) DeleteToken(tokenID, instanceID string, event *models.Event) error {
@@ -31,7 +28,7 @@ func (v *View) DeleteToken(tokenID, instanceID string, event *models.Event) erro
 	if err != nil && !errors.IsNotFound(err) {
 		return err
 	}
-	return v.ProcessedTokenSequence(event)
+	return nil
 }

 func (v *View) DeleteSessionTokens(agentID, userID, instanceID string, event *models.Event) error {
@@ -39,13 +36,24 @@ func (v *View) DeleteSessionTokens(agentID, userID, instanceID string, event *mo
 	if err != nil && !errors.IsNotFound(err) {
 		return err
 	}
-	return v.ProcessedTokenSequence(event)
+	return nil
 }

-func (v *View) GetLatestTokenSequence(ctx context.Context, instanceID string) (*repository.CurrentSequence, error) {
-	return v.latestSequence(ctx, tokenTable, instanceID)
-}
-
-func (v *View) ProcessedTokenSequence(event *models.Event) error {
-	return v.saveCurrentSequence(tokenTable, event)
+func (v *View) GetLatestState(ctx context.Context) (_ *query.CurrentState, err error) {
+	q := &query.CurrentStateSearchQueries{
+		Queries: make([]query.SearchQuery, 2),
+	}
+	q.Queries[0], err = query.NewCurrentStatesInstanceIDSearchQuery(authz.GetInstance(ctx).InstanceID())
+	if err != nil {
+		return nil, err
+	}
+	q.Queries[1], err = query.NewCurrentStatesProjectionSearchQuery(tokenTable)
+	if err != nil {
+		return nil, err
+	}
+	states, err := v.Query.SearchCurrentStates(ctx, q)
+	if err != nil || states.SearchResponse.Count == 0 {
+		return nil, err
+	}
+	return states.CurrentStates[0], nil
 }
--- a/internal/authz/repository/eventsourcing/view/view.go
+++ b/internal/authz/repository/eventsourcing/view/view.go
@@ -7,27 +7,24 @@ import (

 	"github.com/zitadel/zitadel/internal/api/call"
 	"github.com/zitadel/zitadel/internal/database"
-	"github.com/zitadel/zitadel/internal/id"
 	"github.com/zitadel/zitadel/internal/query"
 )

 type View struct {
-	Db          *gorm.DB
-	Query       *query.Queries
-	idGenerator id.Generator
-	client      *database.DB
+	Db     *gorm.DB
+	client *database.DB
+	Query  *query.Queries
 }

-func StartView(sqlClient *database.DB, idGenerator id.Generator, queries *query.Queries) (*View, error) {
+func StartView(sqlClient *database.DB, queries *query.Queries) (*View, error) {
 	gorm, err := gorm.Open("postgres", sqlClient.DB)
 	if err != nil {
 		return nil, err
 	}
 	return &View{
-		Db:          gorm,
-		idGenerator: idGenerator,
-		Query:       queries,
-		client:      sqlClient,
+		Db:     gorm,
+		Query:  queries,
+		client: sqlClient,
 	}, nil
 }

--- a/internal/authz/repository/user_membership.go
+++ b/internal/authz/repository/user_membership.go
@@ -7,5 +7,5 @@ import (
 )

 type UserMembershipRepository interface {
-	SearchMyMemberships(ctx context.Context, orgID string) ([]*authz.Membership, error)
+	SearchMyMemberships(ctx context.Context, orgID string, shouldTriggerBulk bool) ([]*authz.Membership, error)
 }