Add batch of members endpoints to fix race conditions (#2760) #2779

haydnli-shopify · 2025-06-09T18:58:50Z

Summary

Implements atomic single and batch member management endpoints to eliminate race conditions when multiple automations add/remove project members simultaneously. The existing set_members endpoint required passing an authoritative list of all members, creating race conditions in concurrent scenarios.

This PR enhances the member management system to support both single-user and batch operations through the same endpoints, providing flexibility for different use cases while maintaining backwards compatibility.

Fixes #2684 (parent ticket #2742)

Changes Made

Enhanced AddProjectMemberRequest to accept single member or array of members
Enhanced RemoveProjectMemberRequest to accept single username or array of usernames
Implemented add_project_members() and remove_project_members() service functions supporting both single and batch operations
Enhanced POST /api/projects/{project_name}/add_member endpoint for single/batch operations
Enhanced POST /api/projects/{project_name}/remove_member endpoint for single/batch operations
Extended ProjectsAPIClient with backwards-compatible methods and new batch methods
Comprehensive permission controls (managers/admins only, global admin privileges) for all operations
Support for username or email lookup in both single and batch modes
Protection against removing all project admins
Atomic database operations eliminating read-modify-write patterns
Comprehensive test suite covering single, batch, and edge case scenarios

API Usage

Add a single member
POST /api/projects/my-project/add_member
Body:

{
  "members": {
    "username": "john@example.com",
    "project_role": "user"
  }
}

Add multiple members (batch)
POST /api/projects/my-project/add_member
Body:

{
  "members": [
    {"username": "john@example.com", "project_role": "user"},
    {"username": "jane_doe", "project_role": "manager"},
    {"username": "alice", "project_role": "user"}
  ]
}

Remove a single member
POST /api/projects/my-project/remove_member
Body:

{
  "usernames": "john_doe"
}

Remove multiple members (batch)
POST /api/projects/my-project/remove_member
Body:

{
  "usernames": ["john_doe", "jane@example.com", "alice"]
}

Update existing member role (via add_member)
POST /api/projects/my-project/add_member
Body:

{
  "members": {
    "username": "jane",
    "project_role": "admin"
  }
}

Race Condition Fix

Previously, concurrent automations had to read and rewrite the entire project member list using the set_members endpoint, which led to race conditions and unintended overwrites. This PR introduces atomic add_member and remove_member operations that support both single and batch operations, allowing changes to apply independently and safely—even when triggered simultaneously.

peterschmidt85 · 2025-06-09T19:09:14Z

Why not allow adding/removing a batch of users?

src/dstack/_internal/server/routers/projects.py

src/dstack/_internal/server/schemas/projects.py

src/dstack/_internal/server/services/projects.py

peterschmidt85 · 2025-06-10T09:40:37Z

One more thought:
In order to support Join or Leave functionality, can we allow add_members and remove_members when a user adds/removes themselves to a public project – without reqing project/global admin rights.

One this is done, we can also add UI via a separate PR.

src/dstack/_internal/server/security/permissions.py

src/dstack/_internal/server/services/projects.py

haydnli-shopify · 2025-06-16T18:15:24Z

@r4victor Both ticket are ready for review
PR for backend APIs: #2779
PR for UI: #2795

src/dstack/_internal/server/schemas/projects.py

src/dstack/_internal/server/security/permissions.py

src/dstack/_internal/server/routers/projects.py

src/dstack/_internal/server/security/permissions.py

peterschmidt85 · 2025-06-20T09:44:27Z

Is this PR a part of #2795? If so, should it be closed?

haydnli-shopify · 2025-06-20T19:55:57Z

Is this PR a part of #2795? If so, should it be closed?

Yes it is part of #2795, in order to make the code review easier, we split the PR into two different one, once this is merged, the changes in this PR cannot be seen in the UI one

…r projects

…ct updates

peterschmidt85 · 2025-06-24T20:27:50Z

@r4victor please confirm if this is good to merge

src/dstack/_internal/server/services/projects.py

peterschmidt85 · 2025-06-26T09:57:38Z

@haydnli-shopify Since we merged #2795, this PR can be closed, right?

haydnli-shopify · 2025-06-26T13:53:49Z

@haydnli-shopify Since we merged #2795, this PR can be closed, right?

Yes, i will close it!

haydnli-shopify force-pushed the PR2-add-single-member-endpoint branch from 5aa6f22 to 95d076d Compare June 9, 2025 19:55

colinjc reviewed Jun 9, 2025

View reviewed changes

haydnli-shopify changed the title ~~Add single member endpoints to fix race conditions (#2760)~~ Add batch of members endpoints to fix race conditions (#2760) Jun 9, 2025

haydnli-shopify force-pushed the PR2-add-single-member-endpoint branch 8 times, most recently from e89a648 to 146cce7 Compare June 10, 2025 18:53

haydnli-shopify requested a review from colinjc June 11, 2025 13:35

haydnli-shopify mentioned this pull request Jun 11, 2025

Add public projects #2759

Merged

dakota-shop reviewed Jun 11, 2025

View reviewed changes

haydnli-shopify force-pushed the PR2-add-single-member-endpoint branch 2 times, most recently from f00e467 to 5ca77f9 Compare June 12, 2025 14:29

haydnli-shopify mentioned this pull request Jun 12, 2025

Pr3 add join leave UI buttons #2795

Merged

haydnli-shopify requested a review from dakota-shop June 12, 2025 15:11

haydnli-shopify force-pushed the PR2-add-single-member-endpoint branch from 437899b to 806c095 Compare June 13, 2025 14:38

haydnli-shopify marked this pull request as ready for review June 16, 2025 18:13