End to end support for experimental first-class relationship expiration feature

[josephschorr]

Fixes #1262 by superseding it

When the flag is enabled, relationship expiration can be used in schema via the use expiration directive and the expiration keyword on relation's:

use expiration

definition user {}

definition resource {
  relation viewer: user with expiration
}

When a relationship reaches its expiration, it is immediately filtered from all relationship queries, making it appear as-if it was immediately deleted.

Subsequently (typically 24 hours later), the relationship will be actually removed from the underlying datastore to free space.

Warning

Currently, relationships are filtered using the wall clock found within the datastore, which has the following consequences:

1. For multi-master datastores such as CRDB and Spanner, there may be some slight skew between nodes on clocks, which could lead to different results if queries are called very close to the expiration time for relationship(s) to be returned
2. Caches are not updated if a relationship expires within the caching window, e.g. if a permission answer is computed at time N, a relationship used as part of that computation expires at time N+1 and the cache entry is valid until N+10, the caller will see the cached answer even if the relationship has expired - this is in line with caches reflecting the state of the world when they were computed, but is a change from current behavior when using caveats for expiration
3. at_exact_snapshot calls, as they are made to the datastore, will reflect the expiration as of "now", which means they can return different results depending on when they are invoked. This is a change from current behavior when using caveats for expiration. Note that this may be changed in the future to instead use the timestamp of the revision itself; this change is currently under discussion

Note

This PR does not yet implement returning of the expires_at in CheckPermissionResponse and CheckPermission debug information. That will be done in a followup PR.

[tstirrat15]

See comments, otherwise LGTM

[tstirrat15]

Is this being a float just because that's how Prometheus implements counters?

[josephschorr]

Yes

[tstirrat15]

Does the creation here also attach it to the transaction? Otherwise it looks like it's being constructed and modified but not attached.

[josephschorr]

Line 362 executes the insert statement for it; I fixed the reference

[tstirrat15]

For my own edification - when you set something equal to a struct rather than a pointer to that struct, is it functionally creating a copy of it, which is what lets us safely delete the key?

[josephschorr]

In this case, its safe because we're not reusing it anywhere else

[tstirrat15]

Meaning it defaults to enabled? Or is this something that should look like the above?

[josephschorr]

Yes, for testing. We then explicitly disable it when starting SpiceDB, as its default is false

[tstirrat15]

Suggested change

	func TestWriteExpiringRelationshinps(t *testing.T) {
	func TestWriteExpiringRelationships(t *testing.T) {

[tstirrat15]

Same here - should this reference the config?

[josephschorr]

No; I think its fine to enable by default in the test server

[tstirrat15]

Here as well

[tstirrat15]

LGTM