There is a bug in the Grants API. It does not support concurrent grant/revoke operations.
TableAcl grant/revoke operations are not atomic. When granting the permissions, the service would first get all existing permissions, append with the new permissions and set the full list in the database. If there are concurrent grant requests, both requests might succeed and emit the audit logs, but what actually happens could be that the new permission list from one request overrides the other one, causing permission loss.
Since this bug in the platform should be fixed in the future. It should be enough to just use 1 thread for the Table ACLs. We can increase it to more threads again once the issue is fixed.
There is a bug in the Grants API. It does not support concurrent grant/revoke operations.
See the ES ticket here.
Since this bug in the platform should be fixed in the future. It should be enough to just use 1 thread for the Table ACLs. We can increase it to more threads again once the issue is fixed.