Ajout du dossier src

src/actix/actix_telemetry.rs

@@ -0,0 +1,90 @@
+use std::future::{ready, Ready};
+use std::sync::Arc;
+
+use actix_web::dev::{Service, ServiceRequest, ServiceResponse, Transform};
+use actix_web::Error;
+use futures_util::future::LocalBoxFuture;
+use parking_lot::Mutex;
+
+use crate::common::telemetry_ops::requests_telemetry::{
+    ActixTelemetryCollector, ActixWorkerTelemetryCollector,
+};
+
+pub struct ActixTelemetryService<S> {
+    service: S,
+    telemetry_data: Arc<Mutex<ActixWorkerTelemetryCollector>>,
+}
+
+pub struct ActixTelemetryTransform {
+    telemetry_collector: Arc<Mutex<ActixTelemetryCollector>>,
+}
+
+/// Actix telemetry service. It hooks every request and looks into response status code.
+///
+/// More about actix service with similar example
+/// <https://actix.rs/docs/middleware/>
+impl<S, B> Service<ServiceRequest> for ActixTelemetryService<S>
+where
+    S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
+    S::Future: 'static,
+    B: 'static,
+{
+    type Response = ServiceResponse<B>;
+    type Error = Error;
+    type Future = LocalBoxFuture<'static, Result<Self::Response, Self::Error>>;
+
+    actix_web::dev::forward_ready!(service);
+
+    fn call(&self, request: ServiceRequest) -> Self::Future {
+        let match_pattern = request
+            .match_pattern()
+            .unwrap_or_else(|| "unknown".to_owned());
+        let request_key = format!("{} {}", request.method(), match_pattern);
+        let future = self.service.call(request);
+        let telemetry_data = self.telemetry_data.clone();
+        Box::pin(async move {
+            let instant = std::time::Instant::now();
+            let response = future.await?;
+            let status = response.response().status().as_u16();
+            telemetry_data
+                .lock()
+                .add_response(request_key, status, instant);
+            Ok(response)
+        })
+    }
+}
+
+impl ActixTelemetryTransform {
+    pub fn new(telemetry_collector: Arc<Mutex<ActixTelemetryCollector>>) -> Self {
+        Self {
+            telemetry_collector,
+        }
+    }
+}
+
+/// Actix telemetry transform. It's a builder for an actix service
+///
+/// More about actix transform with similar example
+/// <https://actix.rs/docs/middleware/>
+impl<S, B> Transform<S, ServiceRequest> for ActixTelemetryTransform
+where
+    S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error> + 'static,
+    S::Future: 'static,
+    B: 'static,
+{
+    type Response = ServiceResponse<B>;
+    type Error = Error;
+    type Transform = ActixTelemetryService<S>;
+    type InitError = ();
+    type Future = Ready<Result<Self::Transform, Self::InitError>>;
+
+    fn new_transform(&self, service: S) -> Self::Future {
+        ready(Ok(ActixTelemetryService {
+            service,
+            telemetry_data: self
+                .telemetry_collector
+                .lock()
+                .create_web_worker_telemetry(),
+        }))
+    }
+}

src/actix/api/cluster_api.rs

@@ -0,0 +1,189 @@
+use std::future::Future;
+
+use actix_web::{delete, get, post, put, web, HttpResponse};
+use actix_web_validator::Query;
+use collection::operations::verification::new_unchecked_verification_pass;
+use schemars::JsonSchema;
+use serde::{Deserialize, Serialize};
+use storage::content_manager::consensus_ops::ConsensusOperations;
+use storage::content_manager::errors::StorageError;
+use storage::dispatcher::Dispatcher;
+use storage::rbac::AccessRequirements;
+use validator::Validate;
+
+use crate::actix::auth::ActixAccess;
+use crate::actix::helpers;
+
+#[derive(Debug, Deserialize, Validate)]
+struct QueryParams {
+    #[serde(default)]
+    force: bool,
+    #[serde(default)]
+    #[validate(range(min = 1))]
+    timeout: Option<u64>,
+}
+
+#[derive(Deserialize, Serialize, JsonSchema, Validate)]
+pub struct MetadataParams {
+    #[serde(default)]
+    pub wait: bool,
+}
+
+#[get("/cluster")]
+fn cluster_status(
+    dispatcher: web::Data<Dispatcher>,
+    ActixAccess(access): ActixAccess,
+) -> impl Future<Output = HttpResponse> {
+    helpers::time(async move {
+        access.check_global_access(AccessRequirements::new())?;
+        Ok(dispatcher.cluster_status())
+    })
+}
+
+#[post("/cluster/recover")]
+fn recover_current_peer(
+    dispatcher: web::Data<Dispatcher>,
+    ActixAccess(access): ActixAccess,
+) -> impl Future<Output = HttpResponse> {
+    // Not a collection level request.
+    let pass = new_unchecked_verification_pass();
+
+    helpers::time(async move {
+        access.check_global_access(AccessRequirements::new().manage())?;
+        dispatcher.toc(&access, &pass).request_snapshot()?;
+        Ok(true)
+    })
+}
+
+#[delete("/cluster/peer/{peer_id}")]
+fn remove_peer(
+    dispatcher: web::Data<Dispatcher>,
+    peer_id: web::Path<u64>,
+    Query(params): Query<QueryParams>,
+    ActixAccess(access): ActixAccess,
+) -> impl Future<Output = HttpResponse> {
+    // Not a collection level request.
+    let pass = new_unchecked_verification_pass();
+
+    helpers::time(async move {
+        access.check_global_access(AccessRequirements::new().manage())?;
+
+        let dispatcher = dispatcher.into_inner();
+        let toc = dispatcher.toc(&access, &pass);
+        let peer_id = peer_id.into_inner();
+
+        let has_shards = toc.peer_has_shards(peer_id).await;
+        if !params.force && has_shards {
+            return Err(StorageError::BadRequest {
+                description: format!("Cannot remove peer {peer_id} as there are shards on it"),
+            });
+        }
+
+        match dispatcher.consensus_state() {
+            Some(consensus_state) => {
+                consensus_state
+                    .propose_consensus_op_with_await(
+                        ConsensusOperations::RemovePeer(peer_id),
+                        params.timeout.map(std::time::Duration::from_secs),
+                    )
+                    .await
+            }
+            None => Err(StorageError::BadRequest {
+                description: "Distributed mode disabled.".to_string(),
+            }),
+        }
+    })
+}
+
+#[get("/cluster/metadata/keys")]
+async fn get_cluster_metadata_keys(
+    dispatcher: web::Data<Dispatcher>,
+    ActixAccess(access): ActixAccess,
+) -> HttpResponse {
+    helpers::time(async move {
+        access.check_global_access(AccessRequirements::new())?;
+
+        let keys = dispatcher
+            .consensus_state()
+            .ok_or_else(|| StorageError::service_error("Qdrant is running in standalone mode"))?
+            .persistent
+            .read()
+            .get_cluster_metadata_keys();
+
+        Ok(keys)
+    })
+    .await
+}
+
+#[get("/cluster/metadata/keys/{key}")]
+async fn get_cluster_metadata_key(
+    dispatcher: web::Data<Dispatcher>,
+    ActixAccess(access): ActixAccess,
+    key: web::Path<String>,
+) -> HttpResponse {
+    helpers::time(async move {
+        access.check_global_access(AccessRequirements::new())?;
+
+        let value = dispatcher
+            .consensus_state()
+            .ok_or_else(|| StorageError::service_error("Qdrant is running in standalone mode"))?
+            .persistent
+            .read()
+            .get_cluster_metadata_key(key.as_ref());
+
+        Ok(value)
+    })
+    .await
+}
+
+#[put("/cluster/metadata/keys/{key}")]
+async fn update_cluster_metadata_key(
+    dispatcher: web::Data<Dispatcher>,
+    ActixAccess(access): ActixAccess,
+    key: web::Path<String>,
+    params: Query<MetadataParams>,
+    value: web::Json<serde_json::Value>,
+) -> HttpResponse {
+    // Not a collection level request.
+    let pass = new_unchecked_verification_pass();
+    helpers::time(async move {
+        let toc = dispatcher.toc(&access, &pass);
+        access.check_global_access(AccessRequirements::new().write())?;
+
+        toc.update_cluster_metadata(key.into_inner(), value.into_inner(), params.wait)
+            .await?;
+        Ok(true)
+    })
+    .await
+}
+
+#[delete("/cluster/metadata/keys/{key}")]
+async fn delete_cluster_metadata_key(
+    dispatcher: web::Data<Dispatcher>,
+    ActixAccess(access): ActixAccess,
+    key: web::Path<String>,
+    params: Query<MetadataParams>,
+) -> HttpResponse {
+    // Not a collection level request.
+    let pass = new_unchecked_verification_pass();
+    helpers::time(async move {
+        let toc = dispatcher.toc(&access, &pass);
+        access.check_global_access(AccessRequirements::new().write())?;
+
+        toc.update_cluster_metadata(key.into_inner(), serde_json::Value::Null, params.wait)
+            .await?;
+        Ok(true)
+    })
+    .await
+}
+
+// Configure services
+pub fn config_cluster_api(cfg: &mut web::ServiceConfig) {
+    cfg.service(cluster_status)
+        .service(remove_peer)
+        .service(recover_current_peer)
+        .service(get_cluster_metadata_keys)
+        .service(get_cluster_metadata_key)
+        .service(update_cluster_metadata_key)
+        .service(delete_cluster_metadata_key);
+}

src/actix/api/collections_api.rs

@@ -0,0 +1,256 @@
+use std::time::Duration;
+
+use actix_web::rt::time::Instant;
+use actix_web::{delete, get, patch, post, put, web, HttpResponse, Responder};
+use actix_web_validator::{Json, Path, Query};
+use collection::operations::cluster_ops::ClusterOperations;
+use collection::operations::verification::new_unchecked_verification_pass;
+use serde::Deserialize;
+use storage::content_manager::collection_meta_ops::{
+    ChangeAliasesOperation, CollectionMetaOperations, CreateCollection, CreateCollectionOperation,
+    DeleteCollectionOperation, UpdateCollection, UpdateCollectionOperation,
+};
+use storage::dispatcher::Dispatcher;
+use validator::Validate;
+
+use super::CollectionPath;
+use crate::actix::api::StrictCollectionPath;
+use crate::actix::auth::ActixAccess;
+use crate::actix::helpers::{self, process_response};
+use crate::common::collections::*;
+
+#[derive(Debug, Deserialize, Validate)]
+pub struct WaitTimeout {
+    #[validate(range(min = 1))]
+    timeout: Option<u64>,
+}
+
+impl WaitTimeout {
+    pub fn timeout(&self) -> Option<Duration> {
+        self.timeout.map(Duration::from_secs)
+    }
+}
+
+#[get("/collections")]
+async fn get_collections(
+    dispatcher: web::Data<Dispatcher>,
+    ActixAccess(access): ActixAccess,
+) -> HttpResponse {
+    // No request to verify
+    let pass = new_unchecked_verification_pass();
+
+    helpers::time(do_list_collections(dispatcher.toc(&access, &pass), access)).await
+}
+
+#[get("/aliases")]
+async fn get_aliases(
+    dispatcher: web::Data<Dispatcher>,
+    ActixAccess(access): ActixAccess,
+) -> HttpResponse {
+    // No request to verify
+    let pass = new_unchecked_verification_pass();
+
+    helpers::time(do_list_aliases(dispatcher.toc(&access, &pass), access)).await
+}
+
+#[get("/collections/{name}")]
+async fn get_collection(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    ActixAccess(access): ActixAccess,
+) -> HttpResponse {
+    // No request to verify
+    let pass = new_unchecked_verification_pass();
+
+    helpers::time(do_get_collection(
+        dispatcher.toc(&access, &pass),
+        access,
+        &collection.name,
+        None,
+    ))
+    .await
+}
+
+#[get("/collections/{name}/exists")]
+async fn get_collection_existence(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    ActixAccess(access): ActixAccess,
+) -> HttpResponse {
+    // No request to verify
+    let pass = new_unchecked_verification_pass();
+
+    helpers::time(do_collection_exists(
+        dispatcher.toc(&access, &pass),
+        access,
+        &collection.name,
+    ))
+    .await
+}
+
+#[get("/collections/{name}/aliases")]
+async fn get_collection_aliases(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    ActixAccess(access): ActixAccess,
+) -> HttpResponse {
+    // No request to verify
+    let pass = new_unchecked_verification_pass();
+
+    helpers::time(do_list_collection_aliases(
+        dispatcher.toc(&access, &pass),
+        access,
+        &collection.name,
+    ))
+    .await
+}
+
+#[put("/collections/{name}")]
+async fn create_collection(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<StrictCollectionPath>,
+    operation: Json<CreateCollection>,
+    Query(query): Query<WaitTimeout>,
+    ActixAccess(access): ActixAccess,
+) -> HttpResponse {
+    helpers::time(dispatcher.submit_collection_meta_op(
+        CollectionMetaOperations::CreateCollection(CreateCollectionOperation::new(
+            collection.name.clone(),
+            operation.into_inner(),
+        )),
+        access,
+        query.timeout(),
+    ))
+    .await
+}
+
+#[patch("/collections/{name}")]
+async fn update_collection(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    operation: Json<UpdateCollection>,
+    Query(query): Query<WaitTimeout>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let timing = Instant::now();
+    let name = collection.name.clone();
+    let response = dispatcher
+        .submit_collection_meta_op(
+            CollectionMetaOperations::UpdateCollection(UpdateCollectionOperation::new(
+                name,
+                operation.into_inner(),
+            )),
+            access,
+            query.timeout(),
+        )
+        .await;
+    process_response(response, timing, None)
+}
+
+#[delete("/collections/{name}")]
+async fn delete_collection(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    Query(query): Query<WaitTimeout>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let timing = Instant::now();
+    let response = dispatcher
+        .submit_collection_meta_op(
+            CollectionMetaOperations::DeleteCollection(DeleteCollectionOperation(
+                collection.name.clone(),
+            )),
+            access,
+            query.timeout(),
+        )
+        .await;
+    process_response(response, timing, None)
+}
+
+#[post("/collections/aliases")]
+async fn update_aliases(
+    dispatcher: web::Data<Dispatcher>,
+    operation: Json<ChangeAliasesOperation>,
+    Query(query): Query<WaitTimeout>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let timing = Instant::now();
+    let response = dispatcher
+        .submit_collection_meta_op(
+            CollectionMetaOperations::ChangeAliases(operation.0),
+            access,
+            query.timeout(),
+        )
+        .await;
+    process_response(response, timing, None)
+}
+
+#[get("/collections/{name}/cluster")]
+async fn get_cluster_info(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    // No request to verify
+    let pass = new_unchecked_verification_pass();
+
+    helpers::time(do_get_collection_cluster(
+        dispatcher.toc(&access, &pass),
+        access,
+        &collection.name,
+    ))
+    .await
+}
+
+#[post("/collections/{name}/cluster")]
+async fn update_collection_cluster(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    operation: Json<ClusterOperations>,
+    Query(query): Query<WaitTimeout>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let timing = Instant::now();
+    let wait_timeout = query.timeout();
+    let response = do_update_collection_cluster(
+        &dispatcher.into_inner(),
+        collection.name.clone(),
+        operation.0,
+        access,
+        wait_timeout,
+    )
+    .await;
+    process_response(response, timing, None)
+}
+
+// Configure services
+pub fn config_collections_api(cfg: &mut web::ServiceConfig) {
+    // Ordering of services is important for correct path pattern matching
+    // See: <https://github.com/qdrant/qdrant/issues/3543>
+    cfg.service(update_aliases)
+        .service(get_collections)
+        .service(get_collection)
+        .service(get_collection_existence)
+        .service(create_collection)
+        .service(update_collection)
+        .service(delete_collection)
+        .service(get_aliases)
+        .service(get_collection_aliases)
+        .service(get_cluster_info)
+        .service(update_collection_cluster);
+}
+
+#[cfg(test)]
+mod tests {
+    use actix_web::web::Query;
+
+    use super::WaitTimeout;
+
+    #[test]
+    fn timeout_is_deserialized() {
+        let timeout: WaitTimeout = Query::from_query("").unwrap().0;
+        assert!(timeout.timeout.is_none());
+        let timeout: WaitTimeout = Query::from_query("timeout=10").unwrap().0;
+        assert_eq!(timeout.timeout, Some(10))
+    }
+}

src/actix/api/count_api.rs

@@ -0,0 +1,69 @@
+use actix_web::{post, web, Responder};
+use actix_web_validator::{Json, Path, Query};
+use collection::operations::shard_selector_internal::ShardSelectorInternal;
+use collection::operations::types::CountRequest;
+use storage::content_manager::collection_verification::check_strict_mode;
+use storage::dispatcher::Dispatcher;
+use tokio::time::Instant;
+
+use super::CollectionPath;
+use crate::actix::api::read_params::ReadParams;
+use crate::actix::auth::ActixAccess;
+use crate::actix::helpers::{self, get_request_hardware_counter, process_response_error};
+use crate::common::points::do_count_points;
+use crate::settings::ServiceConfig;
+
+#[post("/collections/{name}/points/count")]
+async fn count_points(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    request: Json<CountRequest>,
+    params: Query<ReadParams>,
+    service_config: web::Data<ServiceConfig>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let CountRequest {
+        count_request,
+        shard_key,
+    } = request.into_inner();
+
+    let pass = match check_strict_mode(
+        &count_request,
+        params.timeout_as_secs(),
+        &collection.name,
+        &dispatcher,
+        &access,
+    )
+    .await
+    {
+        Ok(pass) => pass,
+        Err(err) => return process_response_error(err, Instant::now(), None),
+    };
+
+    let shard_selector = match shard_key {
+        None => ShardSelectorInternal::All,
+        Some(shard_keys) => ShardSelectorInternal::from(shard_keys),
+    };
+
+    let request_hw_counter = get_request_hardware_counter(
+        &dispatcher,
+        collection.name.clone(),
+        service_config.hardware_reporting(),
+    );
+
+    let timing = Instant::now();
+
+    let result = do_count_points(
+        dispatcher.toc(&access, &pass),
+        &collection.name,
+        count_request,
+        params.consistency,
+        params.timeout(),
+        shard_selector,
+        access,
+        request_hw_counter.get_counter(),
+    )
+    .await;
+
+    helpers::process_response(result, timing, request_hw_counter.to_rest_api())
+}

src/actix/api/debug_api.rs

@@ -0,0 +1,36 @@
+use actix_web::{get, patch, web, Responder};
+use storage::rbac::AccessRequirements;
+
+use crate::actix::auth::ActixAccess;
+use crate::common::debugger::{DebugConfigPatch, DebuggerState};
+
+#[get("/debugger")]
+async fn get_debugger_config(
+    ActixAccess(access): ActixAccess,
+    debugger_state: web::Data<DebuggerState>,
+) -> impl Responder {
+    crate::actix::helpers::time(async move {
+        access.check_global_access(AccessRequirements::new().manage())?;
+        Ok(debugger_state.get_config())
+    })
+    .await
+}
+
+#[patch("/debugger")]
+async fn update_debugger_config(
+    ActixAccess(access): ActixAccess,
+    debugger_state: web::Data<DebuggerState>,
+    debug_patch: web::Json<DebugConfigPatch>,
+) -> impl Responder {
+    crate::actix::helpers::time(async move {
+        access.check_global_access(AccessRequirements::new().manage())?;
+        Ok(debugger_state.apply_config_patch(debug_patch.into_inner()))
+    })
+    .await
+}
+
+// Configure services
+pub fn config_debugger_api(cfg: &mut web::ServiceConfig) {
+    cfg.service(get_debugger_config);
+    cfg.service(update_debugger_config);
+}

src/actix/api/discovery_api.rs

@@ -0,0 +1,140 @@
+use actix_web::{post, web, Responder};
+use actix_web_validator::{Json, Path, Query};
+use collection::operations::shard_selector_internal::ShardSelectorInternal;
+use collection::operations::types::{DiscoverRequest, DiscoverRequestBatch};
+use itertools::Itertools;
+use storage::content_manager::collection_verification::{
+    check_strict_mode, check_strict_mode_batch,
+};
+use storage::dispatcher::Dispatcher;
+use tokio::time::Instant;
+
+use crate::actix::api::read_params::ReadParams;
+use crate::actix::api::CollectionPath;
+use crate::actix::auth::ActixAccess;
+use crate::actix::helpers::{self, get_request_hardware_counter, process_response_error};
+use crate::common::points::do_discover_batch_points;
+use crate::settings::ServiceConfig;
+
+#[post("/collections/{name}/points/discover")]
+async fn discover_points(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    request: Json<DiscoverRequest>,
+    params: Query<ReadParams>,
+    service_config: web::Data<ServiceConfig>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let DiscoverRequest {
+        discover_request,
+        shard_key,
+    } = request.into_inner();
+
+    let pass = match check_strict_mode(
+        &discover_request,
+        params.timeout_as_secs(),
+        &collection.name,
+        &dispatcher,
+        &access,
+    )
+    .await
+    {
+        Ok(pass) => pass,
+        Err(err) => return process_response_error(err, Instant::now(), None),
+    };
+
+    let shard_selection = match shard_key {
+        None => ShardSelectorInternal::All,
+        Some(shard_keys) => shard_keys.into(),
+    };
+
+    let request_hw_counter = get_request_hardware_counter(
+        &dispatcher,
+        collection.name.clone(),
+        service_config.hardware_reporting(),
+    );
+
+    let timing = Instant::now();
+
+    let result = dispatcher
+        .toc(&access, &pass)
+        .discover(
+            &collection.name,
+            discover_request,
+            params.consistency,
+            shard_selection,
+            access,
+            params.timeout(),
+            request_hw_counter.get_counter(),
+        )
+        .await
+        .map(|scored_points| {
+            scored_points
+                .into_iter()
+                .map(api::rest::ScoredPoint::from)
+                .collect_vec()
+        });
+
+    helpers::process_response(result, timing, request_hw_counter.to_rest_api())
+}
+
+#[post("/collections/{name}/points/discover/batch")]
+async fn discover_batch_points(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    request: Json<DiscoverRequestBatch>,
+    params: Query<ReadParams>,
+    service_config: web::Data<ServiceConfig>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let request = request.into_inner();
+
+    let pass = match check_strict_mode_batch(
+        request.searches.iter().map(|i| &i.discover_request),
+        params.timeout_as_secs(),
+        &collection.name,
+        &dispatcher,
+        &access,
+    )
+    .await
+    {
+        Ok(pass) => pass,
+        Err(err) => return process_response_error(err, Instant::now(), None),
+    };
+
+    let request_hw_counter = get_request_hardware_counter(
+        &dispatcher,
+        collection.name.clone(),
+        service_config.hardware_reporting(),
+    );
+    let timing = Instant::now();
+
+    let result = do_discover_batch_points(
+        dispatcher.toc(&access, &pass),
+        &collection.name,
+        request,
+        params.consistency,
+        access,
+        params.timeout(),
+        request_hw_counter.get_counter(),
+    )
+    .await
+    .map(|batch_scored_points| {
+        batch_scored_points
+            .into_iter()
+            .map(|scored_points| {
+                scored_points
+                    .into_iter()
+                    .map(api::rest::ScoredPoint::from)
+                    .collect_vec()
+            })
+            .collect_vec()
+    });
+
+    helpers::process_response(result, timing, request_hw_counter.to_rest_api())
+}
+
+pub fn config_discovery_api(cfg: &mut web::ServiceConfig) {
+    cfg.service(discover_points);
+    cfg.service(discover_batch_points);
+}

src/actix/api/facet_api.rs

@@ -0,0 +1,77 @@
+use actix_web::{post, web, Responder};
+use actix_web_validator::{Json, Path, Query};
+use api::rest::{FacetRequest, FacetResponse};
+use collection::operations::shard_selector_internal::ShardSelectorInternal;
+use storage::content_manager::collection_verification::check_strict_mode;
+use storage::dispatcher::Dispatcher;
+use tokio::time::Instant;
+
+use crate::actix::api::read_params::ReadParams;
+use crate::actix::api::CollectionPath;
+use crate::actix::auth::ActixAccess;
+use crate::actix::helpers::{
+    get_request_hardware_counter, process_response, process_response_error,
+};
+use crate::settings::ServiceConfig;
+
+#[post("/collections/{name}/facet")]
+async fn facet(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    request: Json<FacetRequest>,
+    params: Query<ReadParams>,
+    service_config: web::Data<ServiceConfig>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let timing = Instant::now();
+
+    let FacetRequest {
+        facet_request,
+        shard_key,
+    } = request.into_inner();
+
+    let pass = match check_strict_mode(
+        &facet_request,
+        params.timeout_as_secs(),
+        &collection.name,
+        &dispatcher,
+        &access,
+    )
+    .await
+    {
+        Ok(pass) => pass,
+        Err(err) => return process_response_error(err, timing, None),
+    };
+
+    let facet_params = From::from(facet_request);
+
+    let shard_selection = match shard_key {
+        None => ShardSelectorInternal::All,
+        Some(shard_keys) => shard_keys.into(),
+    };
+
+    let request_hw_counter = get_request_hardware_counter(
+        &dispatcher,
+        collection.name.clone(),
+        service_config.hardware_reporting(),
+    );
+
+    let response = dispatcher
+        .toc(&access, &pass)
+        .facet(
+            &collection.name,
+            facet_params,
+            shard_selection,
+            params.consistency,
+            access,
+            params.timeout(),
+        )
+        .await
+        .map(FacetResponse::from);
+
+    process_response(response, timing, request_hw_counter.to_rest_api())
+}
+
+pub fn config_facet_api(cfg: &mut web::ServiceConfig) {
+    cfg.service(facet);
+}

src/actix/api/issues_api.rs

@@ -0,0 +1,32 @@
+use actix_web::{delete, get, web, Responder};
+use collection::operations::types::IssuesReport;
+use storage::rbac::AccessRequirements;
+
+use crate::actix::auth::ActixAccess;
+
+#[get("/issues")]
+async fn get_issues(ActixAccess(access): ActixAccess) -> impl Responder {
+    crate::actix::helpers::time(async move {
+        access.check_global_access(AccessRequirements::new().manage())?;
+        Ok(IssuesReport {
+            issues: issues::all_issues(),
+        })
+    })
+    .await
+}
+
+#[delete("/issues")]
+async fn clear_issues(ActixAccess(access): ActixAccess) -> impl Responder {
+    crate::actix::helpers::time(async move {
+        access.check_global_access(AccessRequirements::new().manage())?;
+        issues::clear();
+        Ok(true)
+    })
+    .await
+}
+
+// Configure services
+pub fn config_issues_api(cfg: &mut web::ServiceConfig) {
+    cfg.service(get_issues);
+    cfg.service(clear_issues);
+}

src/actix/api/local_shard_api.rs

@@ -0,0 +1,267 @@
+use std::sync::Arc;
+
+use actix_web::{post, web, Responder};
+use collection::operations::shard_selector_internal::ShardSelectorInternal;
+use collection::operations::types::{
+    CountRequestInternal, PointRequestInternal, ScrollRequestInternal,
+};
+use collection::operations::verification::{new_unchecked_verification_pass, VerificationPass};
+use collection::shards::shard::ShardId;
+use segment::types::{Condition, Filter};
+use storage::content_manager::collection_verification::check_strict_mode;
+use storage::content_manager::errors::{StorageError, StorageResult};
+use storage::dispatcher::Dispatcher;
+use storage::rbac::{Access, AccessRequirements};
+use tokio::time::Instant;
+
+use crate::actix::api::read_params::ReadParams;
+use crate::actix::auth::ActixAccess;
+use crate::actix::helpers::{self, get_request_hardware_counter, process_response_error};
+use crate::common::points;
+use crate::settings::ServiceConfig;
+
+// Configure services
+pub fn config_local_shard_api(cfg: &mut web::ServiceConfig) {
+    cfg.service(get_points)
+        .service(scroll_points)
+        .service(count_points)
+        .service(cleanup_shard);
+}
+
+#[post("/collections/{collection}/shards/{shard}/points")]
+async fn get_points(
+    dispatcher: web::Data<Dispatcher>,
+    ActixAccess(access): ActixAccess,
+    path: web::Path<CollectionShard>,
+    request: web::Json<PointRequestInternal>,
+    params: web::Query<ReadParams>,
+) -> impl Responder {
+    // No strict mode verification needed
+    let pass = new_unchecked_verification_pass();
+
+    helpers::time(async move {
+        let records = points::do_get_points(
+            dispatcher.toc(&access, &pass),
+            &path.collection,
+            request.into_inner(),
+            params.consistency,
+            params.timeout(),
+            ShardSelectorInternal::ShardId(path.shard),
+            access,
+        )
+        .await?;
+
+        let records: Vec<_> = records.into_iter().map(api::rest::Record::from).collect();
+        Ok(records)
+    })
+    .await
+}
+
+#[post("/collections/{collection}/shards/{shard}/points/scroll")]
+async fn scroll_points(
+    dispatcher: web::Data<Dispatcher>,
+    ActixAccess(access): ActixAccess,
+    path: web::Path<CollectionShard>,
+    request: web::Json<WithFilter<ScrollRequestInternal>>,
+    params: web::Query<ReadParams>,
+) -> impl Responder {
+    let WithFilter {
+        mut request,
+        hash_ring_filter,
+    } = request.into_inner();
+
+    let pass = match check_strict_mode(
+        &request,
+        params.timeout_as_secs(),
+        &path.collection,
+        &dispatcher,
+        &access,
+    )
+    .await
+    {
+        Ok(pass) => pass,
+        Err(err) => return process_response_error(err, Instant::now(), None),
+    };
+
+    helpers::time(async move {
+        let hash_ring_filter = match hash_ring_filter {
+            Some(filter) => get_hash_ring_filter(
+                &dispatcher,
+                &access,
+                &path.collection,
+                AccessRequirements::new(),
+                filter.expected_shard_id,
+                &pass,
+            )
+            .await?
+            .into(),
+
+            None => None,
+        };
+
+        request.filter = merge_with_optional_filter(request.filter.take(), hash_ring_filter);
+
+        dispatcher
+            .toc(&access, &pass)
+            .scroll(
+                &path.collection,
+                request,
+                params.consistency,
+                params.timeout(),
+                ShardSelectorInternal::ShardId(path.shard),
+                access,
+            )
+            .await
+    })
+    .await
+}
+
+#[post("/collections/{collection}/shards/{shard}/points/count")]
+async fn count_points(
+    dispatcher: web::Data<Dispatcher>,
+    ActixAccess(access): ActixAccess,
+    path: web::Path<CollectionShard>,
+    request: web::Json<WithFilter<CountRequestInternal>>,
+    params: web::Query<ReadParams>,
+    service_config: web::Data<ServiceConfig>,
+) -> impl Responder {
+    let WithFilter {
+        mut request,
+        hash_ring_filter,
+    } = request.into_inner();
+
+    let pass = match check_strict_mode(
+        &request,
+        params.timeout_as_secs(),
+        &path.collection,
+        &dispatcher,
+        &access,
+    )
+    .await
+    {
+        Ok(pass) => pass,
+        Err(err) => return process_response_error(err, Instant::now(), None),
+    };
+
+    let request_hw_counter = get_request_hardware_counter(
+        &dispatcher,
+        path.collection.clone(),
+        service_config.hardware_reporting(),
+    );
+    let timing = Instant::now();
+    let hw_measurement_acc = request_hw_counter.get_counter();
+
+    let result = async move {
+        let hash_ring_filter = match hash_ring_filter {
+            Some(filter) => get_hash_ring_filter(
+                &dispatcher,
+                &access,
+                &path.collection,
+                AccessRequirements::new(),
+                filter.expected_shard_id,
+                &pass,
+            )
+            .await?
+            .into(),
+
+            None => None,
+        };
+
+        request.filter = merge_with_optional_filter(request.filter.take(), hash_ring_filter);
+
+        points::do_count_points(
+            dispatcher.toc(&access, &pass),
+            &path.collection,
+            request,
+            params.consistency,
+            params.timeout(),
+            ShardSelectorInternal::ShardId(path.shard),
+            access,
+            hw_measurement_acc,
+        )
+        .await
+    }
+    .await;
+
+    helpers::process_response(result, timing, request_hw_counter.to_rest_api())
+}
+
+#[post("/collections/{collection}/shards/{shard}/cleanup")]
+async fn cleanup_shard(
+    dispatcher: web::Data<Dispatcher>,
+    ActixAccess(access): ActixAccess,
+    path: web::Path<CollectionShard>,
+) -> impl Responder {
+    // Nothing to verify here.
+    let pass = new_unchecked_verification_pass();
+
+    helpers::time(async move {
+        let path = path.into_inner();
+        dispatcher
+            .toc(&access, &pass)
+            .cleanup_local_shard(&path.collection, path.shard, access)
+            .await
+    })
+    .await
+}
+
+#[derive(serde::Deserialize, validator::Validate)]
+struct CollectionShard {
+    #[validate(length(min = 1, max = 255))]
+    collection: String,
+    shard: ShardId,
+}
+
+#[derive(Clone, Debug, serde::Deserialize)]
+struct WithFilter<T> {
+    #[serde(flatten)]
+    request: T,
+    #[serde(default)]
+    hash_ring_filter: Option<SerdeHelper>,
+}
+
+#[derive(Clone, Debug, serde::Deserialize)]
+struct SerdeHelper {
+    expected_shard_id: ShardId,
+}
+
+async fn get_hash_ring_filter(
+    dispatcher: &Dispatcher,
+    access: &Access,
+    collection: &str,
+    reqs: AccessRequirements,
+    expected_shard_id: ShardId,
+    verification_pass: &VerificationPass,
+) -> StorageResult<Filter> {
+    let pass = access.check_collection_access(collection, reqs)?;
+
+    let shard_holder = dispatcher
+        .toc(access, verification_pass)
+        .get_collection(&pass)
+        .await?
+        .shards_holder();
+
+    let hash_ring_filter = shard_holder
+        .read()
+        .await
+        .hash_ring_filter(expected_shard_id)
+        .ok_or_else(|| {
+            StorageError::bad_request(format!(
+                "shard {expected_shard_id} does not exist in collection {collection}"
+            ))
+        })?;
+
+    let condition = Condition::CustomIdChecker(Arc::new(hash_ring_filter));
+    let filter = Filter::new_must(condition);
+
+    Ok(filter)
+}
+
+fn merge_with_optional_filter(filter: Option<Filter>, hash_ring: Option<Filter>) -> Option<Filter> {
+    match (filter, hash_ring) {
+        (Some(filter), Some(hash_ring)) => hash_ring.merge_owned(filter).into(),
+        (Some(filter), None) => filter.into(),
+        (None, Some(hash_ring)) => hash_ring.into(),
+        _ => None,
+    }
+}

src/actix/api/mod.rs

@@ -0,0 +1,46 @@
+use common::validation::validate_collection_name;
+use serde::Deserialize;
+use validator::Validate;
+
+pub mod cluster_api;
+pub mod collections_api;
+pub mod count_api;
+pub mod debug_api;
+pub mod discovery_api;
+pub mod facet_api;
+pub mod issues_api;
+pub mod local_shard_api;
+pub mod query_api;
+pub mod read_params;
+pub mod recommend_api;
+pub mod retrieve_api;
+pub mod search_api;
+pub mod service_api;
+pub mod shards_api;
+pub mod snapshot_api;
+pub mod update_api;
+
+/// A collection path with stricter validation
+///
+/// Validation for collection paths has been made more strict over time.
+/// To prevent breaking changes on existing collections, this is only enforced for newly created
+/// collections. Basic validation is enforced everywhere else.
+#[derive(Deserialize, Validate)]
+struct StrictCollectionPath {
+    #[validate(
+        length(min = 1, max = 255),
+        custom(function = "validate_collection_name")
+    )]
+    name: String,
+}
+
+/// A collection path with basic validation
+///
+/// Validation for collection paths has been made more strict over time.
+/// To prevent breaking changes on existing collections, this is only enforced for newly created
+/// collections. Basic validation is enforced everywhere else.
+#[derive(Deserialize, Validate)]
+struct CollectionPath {
+    #[validate(length(min = 1, max = 255))]
+    name: String,
+}

src/actix/api/query_api.rs

@@ -0,0 +1,232 @@
+use actix_web::{post, web, Responder};
+use actix_web_validator::{Json, Path, Query};
+use api::rest::{QueryGroupsRequest, QueryRequest, QueryRequestBatch, QueryResponse};
+use collection::operations::shard_selector_internal::ShardSelectorInternal;
+use itertools::Itertools;
+use storage::content_manager::collection_verification::{
+    check_strict_mode, check_strict_mode_batch,
+};
+use storage::content_manager::errors::StorageError;
+use storage::dispatcher::Dispatcher;
+use tokio::time::Instant;
+
+use super::read_params::ReadParams;
+use super::CollectionPath;
+use crate::actix::auth::ActixAccess;
+use crate::actix::helpers::{self, get_request_hardware_counter, process_response_error};
+use crate::common::inference::query_requests_rest::{
+    convert_query_groups_request_from_rest, convert_query_request_from_rest,
+};
+use crate::common::points::do_query_point_groups;
+use crate::settings::ServiceConfig;
+
+#[post("/collections/{name}/points/query")]
+async fn query_points(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    request: Json<QueryRequest>,
+    params: Query<ReadParams>,
+    service_config: web::Data<ServiceConfig>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let QueryRequest {
+        internal: query_request,
+        shard_key,
+    } = request.into_inner();
+
+    let pass = match check_strict_mode(
+        &query_request,
+        params.timeout_as_secs(),
+        &collection.name,
+        &dispatcher,
+        &access,
+    )
+    .await
+    {
+        Ok(pass) => pass,
+        Err(err) => return process_response_error(err, Instant::now(), None),
+    };
+
+    let request_hw_counter = get_request_hardware_counter(
+        &dispatcher,
+        collection.name.clone(),
+        service_config.hardware_reporting(),
+    );
+    let timing = Instant::now();
+
+    let shard_selection = match shard_key {
+        None => ShardSelectorInternal::All,
+        Some(shard_keys) => shard_keys.into(),
+    };
+    let hw_measurement_acc = request_hw_counter.get_counter();
+
+    let result = async move {
+        let request = convert_query_request_from_rest(query_request).await?;
+
+        let points = dispatcher
+            .toc(&access, &pass)
+            .query_batch(
+                &collection.name,
+                vec![(request, shard_selection)],
+                params.consistency,
+                access,
+                params.timeout(),
+                hw_measurement_acc,
+            )
+            .await?
+            .pop()
+            .ok_or_else(|| {
+                StorageError::service_error("Expected at least one response for one query")
+            })?
+            .into_iter()
+            .map(api::rest::ScoredPoint::from)
+            .collect_vec();
+
+        Ok(QueryResponse { points })
+    }
+    .await;
+
+    helpers::process_response(result, timing, request_hw_counter.to_rest_api())
+}
+
+#[post("/collections/{name}/points/query/batch")]
+async fn query_points_batch(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    request: Json<QueryRequestBatch>,
+    params: Query<ReadParams>,
+    service_config: web::Data<ServiceConfig>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let QueryRequestBatch { searches } = request.into_inner();
+
+    let pass = match check_strict_mode_batch(
+        searches.iter().map(|i| &i.internal),
+        params.timeout_as_secs(),
+        &collection.name,
+        &dispatcher,
+        &access,
+    )
+    .await
+    {
+        Ok(pass) => pass,
+        Err(err) => return process_response_error(err, Instant::now(), None),
+    };
+
+    let request_hw_counter = get_request_hardware_counter(
+        &dispatcher,
+        collection.name.clone(),
+        service_config.hardware_reporting(),
+    );
+    let timing = Instant::now();
+    let hw_measurement_acc = request_hw_counter.get_counter();
+
+    let result = async move {
+        let mut batch = Vec::with_capacity(searches.len());
+        for request in searches {
+            let QueryRequest {
+                internal,
+                shard_key,
+            } = request;
+
+            let request = convert_query_request_from_rest(internal).await?;
+            let shard_selection = match shard_key {
+                None => ShardSelectorInternal::All,
+                Some(shard_keys) => shard_keys.into(),
+            };
+
+            batch.push((request, shard_selection));
+        }
+
+        let res = dispatcher
+            .toc(&access, &pass)
+            .query_batch(
+                &collection.name,
+                batch,
+                params.consistency,
+                access,
+                params.timeout(),
+                hw_measurement_acc,
+            )
+            .await?
+            .into_iter()
+            .map(|response| QueryResponse {
+                points: response
+                    .into_iter()
+                    .map(api::rest::ScoredPoint::from)
+                    .collect_vec(),
+            })
+            .collect_vec();
+        Ok(res)
+    }
+    .await;
+
+    helpers::process_response(result, timing, request_hw_counter.to_rest_api())
+}
+
+#[post("/collections/{name}/points/query/groups")]
+async fn query_points_groups(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    request: Json<QueryGroupsRequest>,
+    params: Query<ReadParams>,
+    service_config: web::Data<ServiceConfig>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let QueryGroupsRequest {
+        search_group_request,
+        shard_key,
+    } = request.into_inner();
+
+    let pass = match check_strict_mode(
+        &search_group_request,
+        params.timeout_as_secs(),
+        &collection.name,
+        &dispatcher,
+        &access,
+    )
+    .await
+    {
+        Ok(pass) => pass,
+        Err(err) => return process_response_error(err, Instant::now(), None),
+    };
+
+    let request_hw_counter = get_request_hardware_counter(
+        &dispatcher,
+        collection.name.clone(),
+        service_config.hardware_reporting(),
+    );
+    let timing = Instant::now();
+    let hw_measurement_acc = request_hw_counter.get_counter();
+
+    let result = async move {
+        let shard_selection = match shard_key {
+            None => ShardSelectorInternal::All,
+            Some(shard_keys) => shard_keys.into(),
+        };
+
+        let query_group_request =
+            convert_query_groups_request_from_rest(search_group_request).await?;
+
+        do_query_point_groups(
+            dispatcher.toc(&access, &pass),
+            &collection.name,
+            query_group_request,
+            params.consistency,
+            shard_selection,
+            access,
+            params.timeout(),
+            hw_measurement_acc,
+        )
+        .await
+    }
+    .await;
+
+    helpers::process_response(result, timing, request_hw_counter.to_rest_api())
+}
+
+pub fn config_query_api(cfg: &mut web::ServiceConfig) {
+    cfg.service(query_points);
+    cfg.service(query_points_batch);
+    cfg.service(query_points_groups);
+}

src/actix/api/read_params.rs

@@ -0,0 +1,118 @@
+use std::num::NonZeroU64;
+use std::time::Duration;
+
+use collection::operations::consistency_params::ReadConsistency;
+use schemars::JsonSchema;
+use serde::Deserialize;
+use validator::Validate;
+
+#[derive(Copy, Clone, Debug, Default, Eq, PartialEq, Deserialize, JsonSchema, Validate)]
+pub struct ReadParams {
+    #[serde(default, deserialize_with = "deserialize_read_consistency")]
+    #[validate(nested)]
+    pub consistency: Option<ReadConsistency>,
+    /// If set, overrides global timeout for this request. Unit is seconds.
+    pub timeout: Option<NonZeroU64>,
+}
+
+impl ReadParams {
+    pub fn timeout(&self) -> Option<Duration> {
+        self.timeout.map(|num| Duration::from_secs(num.get()))
+    }
+
+    pub(crate) fn timeout_as_secs(&self) -> Option<usize> {
+        self.timeout.map(|i| i.get() as usize)
+    }
+}
+
+fn deserialize_read_consistency<'de, D>(
+    deserializer: D,
+) -> Result<Option<ReadConsistency>, D::Error>
+where
+    D: serde::Deserializer<'de>,
+{
+    #[derive(Deserialize)]
+    #[serde(untagged)]
+    enum Helper<'a> {
+        ReadConsistency(ReadConsistency),
+        Str(&'a str),
+    }
+
+    match Helper::deserialize(deserializer)? {
+        Helper::ReadConsistency(read_consistency) => Ok(Some(read_consistency)),
+        Helper::Str("") => Ok(None),
+        _ => Err(serde::de::Error::custom(
+            "failed to deserialize read consistency query parameter value",
+        )),
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use collection::operations::consistency_params::ReadConsistencyType;
+
+    use super::*;
+
+    #[test]
+    fn deserialize_empty_string() {
+        test_str("", ReadParams::default());
+    }
+
+    #[test]
+    fn deserialize_empty_value() {
+        test("", ReadParams::default());
+    }
+
+    #[test]
+    fn deserialize_type() {
+        test("all", from_type(ReadConsistencyType::All));
+        test("majority", from_type(ReadConsistencyType::Majority));
+        test("quorum", from_type(ReadConsistencyType::Quorum));
+    }
+
+    #[test]
+    fn deserialize_factor() {
+        for factor in 1..42 {
+            test(&factor.to_string(), from_factor(factor));
+        }
+    }
+
+    #[test]
+    fn try_deserialize_factor_0() {
+        assert!(try_deserialize(&str("0")).is_err());
+    }
+
+    fn test(value: &str, params: ReadParams) {
+        test_str(&str(value), params);
+    }
+
+    fn test_str(str: &str, params: ReadParams) {
+        assert_eq!(deserialize(str), params);
+    }
+
+    fn deserialize(str: &str) -> ReadParams {
+        try_deserialize(str).unwrap()
+    }
+
+    fn try_deserialize(str: &str) -> Result<ReadParams, serde_urlencoded::de::Error> {
+        serde_urlencoded::from_str(str)
+    }
+
+    fn str(value: &str) -> String {
+        format!("consistency={value}")
+    }
+
+    fn from_type(r#type: ReadConsistencyType) -> ReadParams {
+        ReadParams {
+            consistency: Some(ReadConsistency::Type(r#type)),
+            ..Default::default()
+        }
+    }
+
+    fn from_factor(factor: usize) -> ReadParams {
+        ReadParams {
+            consistency: Some(ReadConsistency::Factor(factor)),
+            ..Default::default()
+        }
+    }
+}

src/actix/api/recommend_api.rs

@@ -0,0 +1,235 @@
+use std::time::Duration;
+
+use actix_web::{post, web, Responder};
+use actix_web_validator::{Json, Path, Query};
+use collection::operations::consistency_params::ReadConsistency;
+use collection::operations::shard_selector_internal::ShardSelectorInternal;
+use collection::operations::types::{
+    RecommendGroupsRequest, RecommendRequest, RecommendRequestBatch,
+};
+use common::counter::hardware_accumulator::HwMeasurementAcc;
+use itertools::Itertools;
+use segment::types::ScoredPoint;
+use storage::content_manager::collection_verification::{
+    check_strict_mode, check_strict_mode_batch,
+};
+use storage::content_manager::errors::StorageError;
+use storage::content_manager::toc::TableOfContent;
+use storage::dispatcher::Dispatcher;
+use storage::rbac::Access;
+use tokio::time::Instant;
+
+use super::read_params::ReadParams;
+use super::CollectionPath;
+use crate::actix::auth::ActixAccess;
+use crate::actix::helpers::{self, get_request_hardware_counter, process_response_error};
+use crate::settings::ServiceConfig;
+
+#[post("/collections/{name}/points/recommend")]
+async fn recommend_points(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    request: Json<RecommendRequest>,
+    params: Query<ReadParams>,
+    service_config: web::Data<ServiceConfig>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let RecommendRequest {
+        recommend_request,
+        shard_key,
+    } = request.into_inner();
+
+    let pass = match check_strict_mode(
+        &recommend_request,
+        params.timeout_as_secs(),
+        &collection.name,
+        &dispatcher,
+        &access,
+    )
+    .await
+    {
+        Ok(pass) => pass,
+        Err(err) => return process_response_error(err, Instant::now(), None),
+    };
+
+    let shard_selection = match shard_key {
+        None => ShardSelectorInternal::All,
+        Some(shard_keys) => shard_keys.into(),
+    };
+
+    let request_hw_counter = get_request_hardware_counter(
+        &dispatcher,
+        collection.name.clone(),
+        service_config.hardware_reporting(),
+    );
+
+    let timing = Instant::now();
+
+    let result = dispatcher
+        .toc(&access, &pass)
+        .recommend(
+            &collection.name,
+            recommend_request,
+            params.consistency,
+            shard_selection,
+            access,
+            params.timeout(),
+            request_hw_counter.get_counter(),
+        )
+        .await
+        .map(|scored_points| {
+            scored_points
+                .into_iter()
+                .map(api::rest::ScoredPoint::from)
+                .collect_vec()
+        });
+
+    helpers::process_response(result, timing, request_hw_counter.to_rest_api())
+}
+
+async fn do_recommend_batch_points(
+    toc: &TableOfContent,
+    collection_name: &str,
+    request: RecommendRequestBatch,
+    read_consistency: Option<ReadConsistency>,
+    access: Access,
+    timeout: Option<Duration>,
+    hw_measurement_acc: &HwMeasurementAcc,
+) -> Result<Vec<Vec<ScoredPoint>>, StorageError> {
+    let requests = request
+        .searches
+        .into_iter()
+        .map(|req| {
+            let shard_selector = match req.shard_key {
+                None => ShardSelectorInternal::All,
+                Some(shard_key) => ShardSelectorInternal::from(shard_key),
+            };
+
+            (req.recommend_request, shard_selector)
+        })
+        .collect();
+
+    toc.recommend_batch(
+        collection_name,
+        requests,
+        read_consistency,
+        access,
+        timeout,
+        hw_measurement_acc,
+    )
+    .await
+}
+
+#[post("/collections/{name}/points/recommend/batch")]
+async fn recommend_batch_points(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    request: Json<RecommendRequestBatch>,
+    params: Query<ReadParams>,
+    service_config: web::Data<ServiceConfig>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let pass = match check_strict_mode_batch(
+        request.searches.iter().map(|i| &i.recommend_request),
+        params.timeout_as_secs(),
+        &collection.name,
+        &dispatcher,
+        &access,
+    )
+    .await
+    {
+        Ok(pass) => pass,
+        Err(err) => return process_response_error(err, Instant::now(), None),
+    };
+
+    let request_hw_counter = get_request_hardware_counter(
+        &dispatcher,
+        collection.name.clone(),
+        service_config.hardware_reporting(),
+    );
+    let timing = Instant::now();
+
+    let result = do_recommend_batch_points(
+        dispatcher.toc(&access, &pass),
+        &collection.name,
+        request.into_inner(),
+        params.consistency,
+        access,
+        params.timeout(),
+        request_hw_counter.get_counter(),
+    )
+    .await
+    .map(|batch_scored_points| {
+        batch_scored_points
+            .into_iter()
+            .map(|scored_points| {
+                scored_points
+                    .into_iter()
+                    .map(api::rest::ScoredPoint::from)
+                    .collect_vec()
+            })
+            .collect_vec()
+    });
+
+    helpers::process_response(result, timing, request_hw_counter.to_rest_api())
+}
+
+#[post("/collections/{name}/points/recommend/groups")]
+async fn recommend_point_groups(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    request: Json<RecommendGroupsRequest>,
+    params: Query<ReadParams>,
+    service_config: web::Data<ServiceConfig>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let RecommendGroupsRequest {
+        recommend_group_request,
+        shard_key,
+    } = request.into_inner();
+
+    let pass = match check_strict_mode(
+        &recommend_group_request,
+        params.timeout_as_secs(),
+        &collection.name,
+        &dispatcher,
+        &access,
+    )
+    .await
+    {
+        Ok(pass) => pass,
+        Err(err) => return process_response_error(err, Instant::now(), None),
+    };
+
+    let shard_selection = match shard_key {
+        None => ShardSelectorInternal::All,
+        Some(shard_keys) => shard_keys.into(),
+    };
+
+    let request_hw_counter = get_request_hardware_counter(
+        &dispatcher,
+        collection.name.clone(),
+        service_config.hardware_reporting(),
+    );
+    let timing = Instant::now();
+
+    let result = crate::common::points::do_recommend_point_groups(
+        dispatcher.toc(&access, &pass),
+        &collection.name,
+        recommend_group_request,
+        params.consistency,
+        shard_selection,
+        access,
+        params.timeout(),
+        request_hw_counter.get_counter(),
+    )
+    .await;
+
+    helpers::process_response(result, timing, request_hw_counter.to_rest_api())
+}
+// Configure services
+pub fn config_recommend_api(cfg: &mut web::ServiceConfig) {
+    cfg.service(recommend_points)
+        .service(recommend_batch_points)
+        .service(recommend_point_groups);
+}

src/actix/api/retrieve_api.rs

@@ -0,0 +1,200 @@
+use std::time::Duration;
+
+use actix_web::{get, post, web, Responder};
+use actix_web_validator::{Json, Path, Query};
+use collection::operations::consistency_params::ReadConsistency;
+use collection::operations::shard_selector_internal::ShardSelectorInternal;
+use collection::operations::types::{
+    PointRequest, PointRequestInternal, RecordInternal, ScrollRequest,
+};
+use futures::TryFutureExt;
+use itertools::Itertools;
+use segment::types::{PointIdType, WithPayloadInterface};
+use serde::Deserialize;
+use storage::content_manager::collection_verification::{
+    check_strict_mode, check_strict_mode_timeout,
+};
+use storage::content_manager::errors::StorageError;
+use storage::content_manager::toc::TableOfContent;
+use storage::dispatcher::Dispatcher;
+use storage::rbac::Access;
+use tokio::time::Instant;
+use validator::Validate;
+
+use super::read_params::ReadParams;
+use super::CollectionPath;
+use crate::actix::auth::ActixAccess;
+use crate::actix::helpers::{self, process_response_error};
+use crate::common::points::do_get_points;
+
+#[derive(Deserialize, Validate)]
+struct PointPath {
+    #[validate(length(min = 1))]
+    // TODO: validate this is a valid ID type (usize or UUID)? Does currently error on deserialize.
+    id: String,
+}
+
+async fn do_get_point(
+    toc: &TableOfContent,
+    collection_name: &str,
+    point_id: PointIdType,
+    read_consistency: Option<ReadConsistency>,
+    timeout: Option<Duration>,
+    access: Access,
+) -> Result<Option<RecordInternal>, StorageError> {
+    let request = PointRequestInternal {
+        ids: vec![point_id],
+        with_payload: Some(WithPayloadInterface::Bool(true)),
+        with_vector: true.into(),
+    };
+
+    let shard_selection = ShardSelectorInternal::All;
+
+    toc.retrieve(
+        collection_name,
+        request,
+        read_consistency,
+        timeout,
+        shard_selection,
+        access,
+    )
+    .await
+    .map(|points| points.into_iter().next())
+}
+
+#[get("/collections/{name}/points/{id}")]
+async fn get_point(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    point: Path<PointPath>,
+    params: Query<ReadParams>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let pass = match check_strict_mode_timeout(
+        params.timeout_as_secs(),
+        &collection.name,
+        &dispatcher,
+        &access,
+    )
+    .await
+    {
+        Ok(p) => p,
+        Err(err) => return process_response_error(err, Instant::now(), None),
+    };
+
+    helpers::time(async move {
+        let point_id: PointIdType = point.id.parse().map_err(|_| StorageError::BadInput {
+            description: format!("Can not recognize \"{}\" as point id", point.id),
+        })?;
+
+        let Some(record) = do_get_point(
+            dispatcher.toc(&access, &pass),
+            &collection.name,
+            point_id,
+            params.consistency,
+            params.timeout(),
+            access,
+        )
+        .await?
+        else {
+            return Err(StorageError::NotFound {
+                description: format!("Point with id {point_id} does not exists!"),
+            });
+        };
+
+        Ok(api::rest::Record::from(record))
+    })
+    .await
+}
+
+#[post("/collections/{name}/points")]
+async fn get_points(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    request: Json<PointRequest>,
+    params: Query<ReadParams>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let pass = match check_strict_mode_timeout(
+        params.timeout_as_secs(),
+        &collection.name,
+        &dispatcher,
+        &access,
+    )
+    .await
+    {
+        Ok(p) => p,
+        Err(err) => return process_response_error(err, Instant::now(), None),
+    };
+
+    let PointRequest {
+        point_request,
+        shard_key,
+    } = request.into_inner();
+
+    let shard_selection = match shard_key {
+        None => ShardSelectorInternal::All,
+        Some(shard_keys) => ShardSelectorInternal::from(shard_keys),
+    };
+
+    helpers::time(
+        do_get_points(
+            dispatcher.toc(&access, &pass),
+            &collection.name,
+            point_request,
+            params.consistency,
+            params.timeout(),
+            shard_selection,
+            access,
+        )
+        .map_ok(|response| {
+            response
+                .into_iter()
+                .map(api::rest::Record::from)
+                .collect_vec()
+        }),
+    )
+    .await
+}
+
+#[post("/collections/{name}/points/scroll")]
+async fn scroll_points(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    request: Json<ScrollRequest>,
+    params: Query<ReadParams>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let ScrollRequest {
+        scroll_request,
+        shard_key,
+    } = request.into_inner();
+
+    let pass = match check_strict_mode(
+        &scroll_request,
+        params.timeout_as_secs(),
+        &collection.name,
+        &dispatcher,
+        &access,
+    )
+    .await
+    {
+        Ok(pass) => pass,
+        Err(err) => return process_response_error(err, Instant::now(), None),
+    };
+
+    let shard_selection = match shard_key {
+        None => ShardSelectorInternal::All,
+        Some(shard_keys) => ShardSelectorInternal::from(shard_keys),
+    };
+
+    helpers::time(dispatcher.toc(&access, &pass).scroll(
+        &collection.name,
+        scroll_request,
+        params.consistency,
+        params.timeout(),
+        shard_selection,
+        access,
+    ))
+    .await
+}

src/actix/api/search_api.rs

@@ -0,0 +1,333 @@
+use actix_web::{post, web, HttpResponse, Responder};
+use actix_web_validator::{Json, Path, Query};
+use api::rest::{SearchMatrixOffsetsResponse, SearchMatrixPairsResponse, SearchMatrixRequest};
+use collection::collection::distance_matrix::CollectionSearchMatrixRequest;
+use collection::operations::shard_selector_internal::ShardSelectorInternal;
+use collection::operations::types::{
+    CoreSearchRequest, SearchGroupsRequest, SearchRequest, SearchRequestBatch,
+};
+use itertools::Itertools;
+use storage::content_manager::collection_verification::{
+    check_strict_mode, check_strict_mode_batch,
+};
+use storage::dispatcher::Dispatcher;
+use tokio::time::Instant;
+
+use super::read_params::ReadParams;
+use super::CollectionPath;
+use crate::actix::auth::ActixAccess;
+use crate::actix::helpers::{
+    get_request_hardware_counter, process_response, process_response_error,
+};
+use crate::common::points::{
+    do_core_search_points, do_search_batch_points, do_search_point_groups, do_search_points_matrix,
+};
+use crate::settings::ServiceConfig;
+
+#[post("/collections/{name}/points/search")]
+async fn search_points(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    request: Json<SearchRequest>,
+    params: Query<ReadParams>,
+    service_config: web::Data<ServiceConfig>,
+    ActixAccess(access): ActixAccess,
+) -> HttpResponse {
+    let SearchRequest {
+        search_request,
+        shard_key,
+    } = request.into_inner();
+
+    let pass = match check_strict_mode(
+        &search_request,
+        params.timeout_as_secs(),
+        &collection.name,
+        &dispatcher,
+        &access,
+    )
+    .await
+    {
+        Ok(pass) => pass,
+        Err(err) => return process_response_error(err, Instant::now(), None),
+    };
+
+    let shard_selection = match shard_key {
+        None => ShardSelectorInternal::All,
+        Some(shard_keys) => shard_keys.into(),
+    };
+
+    let request_hw_counter = get_request_hardware_counter(
+        &dispatcher,
+        collection.name.clone(),
+        service_config.hardware_reporting(),
+    );
+
+    let timing = Instant::now();
+
+    let result = do_core_search_points(
+        dispatcher.toc(&access, &pass),
+        &collection.name,
+        search_request.into(),
+        params.consistency,
+        shard_selection,
+        access,
+        params.timeout(),
+        request_hw_counter.get_counter(),
+    )
+    .await
+    .map(|scored_points| {
+        scored_points
+            .into_iter()
+            .map(api::rest::ScoredPoint::from)
+            .collect_vec()
+    });
+
+    process_response(result, timing, request_hw_counter.to_rest_api())
+}
+
+#[post("/collections/{name}/points/search/batch")]
+async fn batch_search_points(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    request: Json<SearchRequestBatch>,
+    params: Query<ReadParams>,
+    service_config: web::Data<ServiceConfig>,
+    ActixAccess(access): ActixAccess,
+) -> HttpResponse {
+    let requests = request
+        .into_inner()
+        .searches
+        .into_iter()
+        .map(|req| {
+            let SearchRequest {
+                search_request,
+                shard_key,
+            } = req;
+            let shard_selection = match shard_key {
+                None => ShardSelectorInternal::All,
+                Some(shard_keys) => shard_keys.into(),
+            };
+            let core_request: CoreSearchRequest = search_request.into();
+
+            (core_request, shard_selection)
+        })
+        .collect::<Vec<_>>();
+
+    let pass = match check_strict_mode_batch(
+        requests.iter().map(|i| &i.0),
+        params.timeout_as_secs(),
+        &collection.name,
+        &dispatcher,
+        &access,
+    )
+    .await
+    {
+        Ok(pass) => pass,
+        Err(err) => return process_response_error(err, Instant::now(), None),
+    };
+
+    let request_hw_counter = get_request_hardware_counter(
+        &dispatcher,
+        collection.name.clone(),
+        service_config.hardware_reporting(),
+    );
+
+    let timing = Instant::now();
+
+    let result = do_search_batch_points(
+        dispatcher.toc(&access, &pass),
+        &collection.name,
+        requests,
+        params.consistency,
+        access,
+        params.timeout(),
+        request_hw_counter.get_counter(),
+    )
+    .await
+    .map(|batch_scored_points| {
+        batch_scored_points
+            .into_iter()
+            .map(|scored_points| {
+                scored_points
+                    .into_iter()
+                    .map(api::rest::ScoredPoint::from)
+                    .collect_vec()
+            })
+            .collect_vec()
+    });
+
+    process_response(result, timing, request_hw_counter.to_rest_api())
+}
+
+#[post("/collections/{name}/points/search/groups")]
+async fn search_point_groups(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    request: Json<SearchGroupsRequest>,
+    params: Query<ReadParams>,
+    service_config: web::Data<ServiceConfig>,
+    ActixAccess(access): ActixAccess,
+) -> HttpResponse {
+    let SearchGroupsRequest {
+        search_group_request,
+        shard_key,
+    } = request.into_inner();
+
+    let pass = match check_strict_mode(
+        &search_group_request,
+        params.timeout_as_secs(),
+        &collection.name,
+        &dispatcher,
+        &access,
+    )
+    .await
+    {
+        Ok(pass) => pass,
+        Err(err) => return process_response_error(err, Instant::now(), None),
+    };
+
+    let shard_selection = match shard_key {
+        None => ShardSelectorInternal::All,
+        Some(shard_keys) => shard_keys.into(),
+    };
+
+    let request_hw_counter = get_request_hardware_counter(
+        &dispatcher,
+        collection.name.clone(),
+        service_config.hardware_reporting(),
+    );
+    let timing = Instant::now();
+
+    let result = do_search_point_groups(
+        dispatcher.toc(&access, &pass),
+        &collection.name,
+        search_group_request,
+        params.consistency,
+        shard_selection,
+        access,
+        params.timeout(),
+        request_hw_counter.get_counter(),
+    )
+    .await;
+
+    process_response(result, timing, request_hw_counter.to_rest_api())
+}
+
+#[post("/collections/{name}/points/search/matrix/pairs")]
+async fn search_points_matrix_pairs(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    request: Json<SearchMatrixRequest>,
+    params: Query<ReadParams>,
+    service_config: web::Data<ServiceConfig>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let SearchMatrixRequest {
+        search_request,
+        shard_key,
+    } = request.into_inner();
+
+    let pass = match check_strict_mode(
+        &search_request,
+        params.timeout_as_secs(),
+        &collection.name,
+        &dispatcher,
+        &access,
+    )
+    .await
+    {
+        Ok(pass) => pass,
+        Err(err) => return process_response_error(err, Instant::now(), None),
+    };
+
+    let shard_selection = match shard_key {
+        None => ShardSelectorInternal::All,
+        Some(shard_keys) => shard_keys.into(),
+    };
+
+    let request_hw_counter = get_request_hardware_counter(
+        &dispatcher,
+        collection.name.clone(),
+        service_config.hardware_reporting(),
+    );
+    let timing = Instant::now();
+
+    let response = do_search_points_matrix(
+        dispatcher.toc(&access, &pass),
+        &collection.name,
+        CollectionSearchMatrixRequest::from(search_request),
+        params.consistency,
+        shard_selection,
+        access,
+        params.timeout(),
+        request_hw_counter.get_counter(),
+    )
+    .await
+    .map(SearchMatrixPairsResponse::from);
+
+    process_response(response, timing, request_hw_counter.to_rest_api())
+}
+
+#[post("/collections/{name}/points/search/matrix/offsets")]
+async fn search_points_matrix_offsets(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    request: Json<SearchMatrixRequest>,
+    params: Query<ReadParams>,
+    service_config: web::Data<ServiceConfig>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let SearchMatrixRequest {
+        search_request,
+        shard_key,
+    } = request.into_inner();
+
+    let pass = match check_strict_mode(
+        &search_request,
+        params.timeout_as_secs(),
+        &collection.name,
+        &dispatcher,
+        &access,
+    )
+    .await
+    {
+        Ok(pass) => pass,
+        Err(err) => return process_response_error(err, Instant::now(), None),
+    };
+
+    let shard_selection = match shard_key {
+        None => ShardSelectorInternal::All,
+        Some(shard_keys) => shard_keys.into(),
+    };
+
+    let request_hw_counter = get_request_hardware_counter(
+        &dispatcher,
+        collection.name.clone(),
+        service_config.hardware_reporting(),
+    );
+    let timing = Instant::now();
+
+    let response = do_search_points_matrix(
+        dispatcher.toc(&access, &pass),
+        &collection.name,
+        CollectionSearchMatrixRequest::from(search_request),
+        params.consistency,
+        shard_selection,
+        access,
+        params.timeout(),
+        request_hw_counter.get_counter(),
+    )
+    .await
+    .map(SearchMatrixOffsetsResponse::from);
+
+    process_response(response, timing, request_hw_counter.to_rest_api())
+}
+
+// Configure services
+pub fn config_search_api(cfg: &mut web::ServiceConfig) {
+    cfg.service(search_points)
+        .service(batch_search_points)
+        .service(search_point_groups)
+        .service(search_points_matrix_pairs)
+        .service(search_points_matrix_offsets);
+}

src/actix/api/service_api.rs

@@ -0,0 +1,217 @@
+use std::future::Future;
+use std::sync::Arc;
+
+use actix_web::http::header::ContentType;
+use actix_web::http::StatusCode;
+use actix_web::rt::time::Instant;
+use actix_web::web::Query;
+use actix_web::{get, post, web, HttpResponse, Responder};
+use actix_web_validator::Json;
+use collection::operations::verification::new_unchecked_verification_pass;
+use common::types::{DetailsLevel, TelemetryDetail};
+use schemars::JsonSchema;
+use segment::common::anonymize::Anonymize;
+use serde::{Deserialize, Serialize};
+use storage::content_manager::errors::StorageError;
+use storage::dispatcher::Dispatcher;
+use storage::rbac::AccessRequirements;
+use tokio::sync::Mutex;
+
+use crate::actix::auth::ActixAccess;
+use crate::actix::helpers::{self, process_response_error};
+use crate::common::health;
+use crate::common::helpers::LocksOption;
+use crate::common::metrics::MetricsData;
+use crate::common::stacktrace::get_stack_trace;
+use crate::common::telemetry::TelemetryCollector;
+use crate::tracing;
+
+#[derive(Deserialize, Serialize, JsonSchema)]
+pub struct TelemetryParam {
+    pub anonymize: Option<bool>,
+    pub details_level: Option<usize>,
+}
+
+#[get("/telemetry")]
+fn telemetry(
+    telemetry_collector: web::Data<Mutex<TelemetryCollector>>,
+    params: Query<TelemetryParam>,
+    ActixAccess(access): ActixAccess,
+) -> impl Future<Output = HttpResponse> {
+    helpers::time(async move {
+        access.check_global_access(AccessRequirements::new())?;
+        let anonymize = params.anonymize.unwrap_or(false);
+        let details_level = params
+            .details_level
+            .map_or(DetailsLevel::Level0, Into::into);
+        let detail = TelemetryDetail {
+            level: details_level,
+            histograms: false,
+        };
+        let telemetry_collector = telemetry_collector.lock().await;
+        let telemetry_data = telemetry_collector.prepare_data(&access, detail).await;
+        let telemetry_data = if anonymize {
+            telemetry_data.anonymize()
+        } else {
+            telemetry_data
+        };
+        Ok(telemetry_data)
+    })
+}
+
+#[derive(Deserialize, Serialize, JsonSchema)]
+pub struct MetricsParam {
+    pub anonymize: Option<bool>,
+}
+
+#[get("/metrics")]
+async fn metrics(
+    telemetry_collector: web::Data<Mutex<TelemetryCollector>>,
+    params: Query<MetricsParam>,
+    ActixAccess(access): ActixAccess,
+) -> HttpResponse {
+    if let Err(err) = access.check_global_access(AccessRequirements::new()) {
+        return process_response_error(err, Instant::now(), None);
+    }
+
+    let anonymize = params.anonymize.unwrap_or(false);
+    let telemetry_collector = telemetry_collector.lock().await;
+    let telemetry_data = telemetry_collector
+        .prepare_data(
+            &access,
+            TelemetryDetail {
+                level: DetailsLevel::Level1,
+                histograms: true,
+            },
+        )
+        .await;
+    let telemetry_data = if anonymize {
+        telemetry_data.anonymize()
+    } else {
+        telemetry_data
+    };
+
+    HttpResponse::Ok()
+        .content_type(ContentType::plaintext())
+        .body(MetricsData::from(telemetry_data).format_metrics())
+}
+
+#[post("/locks")]
+fn put_locks(
+    dispatcher: web::Data<Dispatcher>,
+    locks_option: Json<LocksOption>,
+    ActixAccess(access): ActixAccess,
+) -> impl Future<Output = HttpResponse> {
+    // Not a collection level request.
+    let pass = new_unchecked_verification_pass();
+
+    helpers::time(async move {
+        let toc = dispatcher.toc(&access, &pass);
+        access.check_global_access(AccessRequirements::new().manage())?;
+        let result = LocksOption {
+            write: toc.is_write_locked(),
+            error_message: toc.get_lock_error_message(),
+        };
+        toc.set_locks(locks_option.write, locks_option.error_message.clone());
+        Ok(result)
+    })
+}
+
+#[get("/locks")]
+fn get_locks(
+    dispatcher: web::Data<Dispatcher>,
+    ActixAccess(access): ActixAccess,
+) -> impl Future<Output = HttpResponse> {
+    // Not a collection level request.
+    let pass = new_unchecked_verification_pass();
+
+    helpers::time(async move {
+        access.check_global_access(AccessRequirements::new())?;
+        let toc = dispatcher.toc(&access, &pass);
+        let result = LocksOption {
+            write: toc.is_write_locked(),
+            error_message: toc.get_lock_error_message(),
+        };
+        Ok(result)
+    })
+}
+
+#[get("/stacktrace")]
+fn get_stacktrace(ActixAccess(access): ActixAccess) -> impl Future<Output = HttpResponse> {
+    helpers::time(async move {
+        access.check_global_access(AccessRequirements::new().manage())?;
+        Ok(get_stack_trace())
+    })
+}
+
+#[get("/healthz")]
+async fn healthz() -> impl Responder {
+    kubernetes_healthz()
+}
+
+#[get("/livez")]
+async fn livez() -> impl Responder {
+    kubernetes_healthz()
+}
+
+#[get("/readyz")]
+async fn readyz(health_checker: web::Data<Option<Arc<health::HealthChecker>>>) -> impl Responder {
+    let is_ready = match health_checker.as_ref() {
+        Some(health_checker) => health_checker.check_ready().await,
+        None => true,
+    };
+
+    let (status, body) = if is_ready {
+        (StatusCode::OK, "all shards are ready")
+    } else {
+        (StatusCode::SERVICE_UNAVAILABLE, "some shards are not ready")
+    };
+
+    HttpResponse::build(status)
+        .content_type(ContentType::plaintext())
+        .body(body)
+}
+
+/// Basic Kubernetes healthz endpoint
+fn kubernetes_healthz() -> impl Responder {
+    HttpResponse::Ok()
+        .content_type(ContentType::plaintext())
+        .body("healthz check passed")
+}
+
+#[get("/logger")]
+async fn get_logger_config(handle: web::Data<tracing::LoggerHandle>) -> impl Responder {
+    let timing = Instant::now();
+    let result = handle.get_config().await;
+    helpers::process_response(Ok(result), timing, None)
+}
+
+#[post("/logger")]
+async fn update_logger_config(
+    handle: web::Data<tracing::LoggerHandle>,
+    config: web::Json<tracing::LoggerConfig>,
+) -> impl Responder {
+    let timing = Instant::now();
+
+    let result = handle
+        .update_config(config.into_inner())
+        .await
+        .map(|_| true)
+        .map_err(|err| StorageError::service_error(err.to_string()));
+
+    helpers::process_response(result, timing, None)
+}
+
+// Configure services
+pub fn config_service_api(cfg: &mut web::ServiceConfig) {
+    cfg.service(telemetry)
+        .service(metrics)
+        .service(put_locks)
+        .service(get_locks)
+        .service(get_stacktrace)
+        .service(healthz)
+        .service(livez)
+        .service(readyz)
+        .service(get_logger_config)
+        .service(update_logger_config);
+}

src/actix/api/shards_api.rs

@@ -0,0 +1,80 @@
+use actix_web::{post, put, web, Responder};
+use actix_web_validator::{Json, Path, Query};
+use collection::operations::cluster_ops::{
+    ClusterOperations, CreateShardingKey, CreateShardingKeyOperation, DropShardingKey,
+    DropShardingKeyOperation,
+};
+use storage::dispatcher::Dispatcher;
+use tokio::time::Instant;
+
+use crate::actix::api::collections_api::WaitTimeout;
+use crate::actix::api::CollectionPath;
+use crate::actix::auth::ActixAccess;
+use crate::actix::helpers::process_response;
+use crate::common::collections::do_update_collection_cluster;
+
+// ToDo: introduce API for listing shard keys
+
+#[put("/collections/{name}/shards")]
+async fn create_shard_key(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    request: Json<CreateShardingKey>,
+    Query(query): Query<WaitTimeout>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let timing = Instant::now();
+    let wait_timeout = query.timeout();
+    let dispatcher = dispatcher.into_inner();
+
+    let request = request.into_inner();
+
+    let operation = ClusterOperations::CreateShardingKey(CreateShardingKeyOperation {
+        create_sharding_key: request,
+    });
+
+    let response = do_update_collection_cluster(
+        &dispatcher,
+        collection.name.clone(),
+        operation,
+        access,
+        wait_timeout,
+    )
+    .await;
+
+    process_response(response, timing, None)
+}
+
+#[post("/collections/{name}/shards/delete")]
+async fn delete_shard_key(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    request: Json<DropShardingKey>,
+    Query(query): Query<WaitTimeout>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let timing = Instant::now();
+    let wait_timeout = query.timeout();
+
+    let dispatcher = dispatcher.into_inner();
+    let request = request.into_inner();
+
+    let operation = ClusterOperations::DropShardingKey(DropShardingKeyOperation {
+        drop_sharding_key: request,
+    });
+
+    let response = do_update_collection_cluster(
+        &dispatcher,
+        collection.name.clone(),
+        operation,
+        access,
+        wait_timeout,
+    )
+    .await;
+
+    process_response(response, timing, None)
+}
+
+pub fn config_shards_api(cfg: &mut web::ServiceConfig) {
+    cfg.service(create_shard_key).service(delete_shard_key);
+}

src/actix/api/snapshot_api.rs

@@ -0,0 +1,585 @@
+use std::path::Path;
+
+use actix_multipart::form::tempfile::TempFile;
+use actix_multipart::form::MultipartForm;
+use actix_web::{delete, get, post, put, web, Responder, Result};
+use actix_web_validator as valid;
+use collection::common::file_utils::move_file;
+use collection::common::sha_256::{hash_file, hashes_equal};
+use collection::common::snapshot_stream::SnapshotStream;
+use collection::operations::snapshot_ops::{
+    ShardSnapshotRecover, SnapshotPriority, SnapshotRecover,
+};
+use collection::operations::verification::new_unchecked_verification_pass;
+use collection::shards::shard::ShardId;
+use futures::{FutureExt as _, TryFutureExt as _};
+use reqwest::Url;
+use schemars::JsonSchema;
+use serde::{Deserialize, Serialize};
+use storage::content_manager::errors::StorageError;
+use storage::content_manager::snapshots::recover::do_recover_from_snapshot;
+use storage::content_manager::snapshots::{
+    do_create_full_snapshot, do_delete_collection_snapshot, do_delete_full_snapshot,
+    do_list_full_snapshots,
+};
+use storage::content_manager::toc::TableOfContent;
+use storage::dispatcher::Dispatcher;
+use storage::rbac::{Access, AccessRequirements};
+use uuid::Uuid;
+use validator::Validate;
+
+use super::{CollectionPath, StrictCollectionPath};
+use crate::actix::auth::ActixAccess;
+use crate::actix::helpers::{self, HttpError};
+use crate::common;
+use crate::common::collections::*;
+use crate::common::http_client::HttpClient;
+
+#[derive(Deserialize, Serialize, JsonSchema, Validate)]
+pub struct SnapshotUploadingParam {
+    pub wait: Option<bool>,
+    pub priority: Option<SnapshotPriority>,
+
+    /// Optional SHA256 checksum to verify snapshot integrity before recovery.
+    #[serde(default)]
+    #[validate(custom(function = "::common::validation::validate_sha256_hash"))]
+    pub checksum: Option<String>,
+}
+
+#[derive(Deserialize, Serialize, JsonSchema, Validate)]
+pub struct SnapshottingParam {
+    pub wait: Option<bool>,
+}
+
+#[derive(MultipartForm)]
+pub struct SnapshottingForm {
+    snapshot: TempFile,
+}
+
+// Actix specific code
+pub async fn do_get_full_snapshot(
+    toc: &TableOfContent,
+    access: Access,
+    snapshot_name: &str,
+) -> Result<SnapshotStream, HttpError> {
+    access.check_global_access(AccessRequirements::new())?;
+    let snapshots_storage_manager = toc.get_snapshots_storage_manager()?;
+    let snapshot_path =
+        snapshots_storage_manager.get_full_snapshot_path(toc.snapshots_path(), snapshot_name)?;
+    let snapshot_stream = snapshots_storage_manager
+        .get_snapshot_stream(&snapshot_path)
+        .await?;
+    Ok(snapshot_stream)
+}
+
+pub async fn do_save_uploaded_snapshot(
+    toc: &TableOfContent,
+    collection_name: &str,
+    snapshot: TempFile,
+) -> Result<Url, StorageError> {
+    let filename = snapshot
+        .file_name
+        // Sanitize the file name:
+        // - only take the top level path (no directories such as ../)
+        // - require the file name to be valid UTF-8
+        .and_then(|x| {
+            Path::new(&x)
+                .file_name()
+                .map(|filename| filename.to_owned())
+        })
+        .and_then(|x| x.to_str().map(|x| x.to_owned()))
+        .unwrap_or_else(|| Uuid::new_v4().to_string());
+    let collection_snapshot_path = toc.snapshots_path_for_collection(collection_name);
+    if !collection_snapshot_path.exists() {
+        log::debug!(
+            "Creating missing collection snapshots directory for {}",
+            collection_name
+        );
+        toc.create_snapshots_path(collection_name).await?;
+    }
+
+    let path = collection_snapshot_path.join(filename);
+
+    move_file(snapshot.file.path(), &path).await?;
+
+    let absolute_path = path.canonicalize()?;
+
+    let snapshot_location = Url::from_file_path(&absolute_path).map_err(|_| {
+        StorageError::service_error(format!(
+            "Failed to convert path to URL: {}",
+            absolute_path.display()
+        ))
+    })?;
+
+    Ok(snapshot_location)
+}
+
+// Actix specific code
+pub async fn do_get_snapshot(
+    toc: &TableOfContent,
+    access: Access,
+    collection_name: &str,
+    snapshot_name: &str,
+) -> Result<SnapshotStream, HttpError> {
+    let collection_pass =
+        access.check_collection_access(collection_name, AccessRequirements::new().whole())?;
+    let collection: tokio::sync::RwLockReadGuard<collection::collection::Collection> =
+        toc.get_collection(&collection_pass).await?;
+    let snapshot_storage_manager = collection.get_snapshots_storage_manager()?;
+    let snapshot_path =
+        snapshot_storage_manager.get_snapshot_path(collection.snapshots_path(), snapshot_name)?;
+    let snapshot_stream = snapshot_storage_manager
+        .get_snapshot_stream(&snapshot_path)
+        .await?;
+    Ok(snapshot_stream)
+}
+
+#[get("/collections/{name}/snapshots")]
+async fn list_snapshots(
+    dispatcher: web::Data<Dispatcher>,
+    path: web::Path<String>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    // Nothing to verify.
+    let pass = new_unchecked_verification_pass();
+
+    helpers::time(do_list_snapshots(
+        dispatcher.toc(&access, &pass),
+        access,
+        &path,
+    ))
+    .await
+}
+
+#[post("/collections/{name}/snapshots")]
+async fn create_snapshot(
+    dispatcher: web::Data<Dispatcher>,
+    path: web::Path<String>,
+    params: valid::Query<SnapshottingParam>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    // Nothing to verify.
+    let pass = new_unchecked_verification_pass();
+
+    let collection_name = path.into_inner();
+
+    let future = async move {
+        do_create_snapshot(
+            dispatcher.toc(&access, &pass).clone(),
+            access,
+            &collection_name,
+        )
+        .await
+    };
+
+    helpers::time_or_accept(future, params.wait.unwrap_or(true)).await
+}
+
+#[post("/collections/{name}/snapshots/upload")]
+async fn upload_snapshot(
+    dispatcher: web::Data<Dispatcher>,
+    http_client: web::Data<HttpClient>,
+    collection: valid::Path<StrictCollectionPath>,
+    MultipartForm(form): MultipartForm<SnapshottingForm>,
+    params: valid::Query<SnapshotUploadingParam>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let wait = params.wait;
+
+    // Nothing to verify.
+    let pass = new_unchecked_verification_pass();
+
+    let future = async move {
+        let snapshot = form.snapshot;
+
+        access.check_global_access(AccessRequirements::new().manage())?;
+
+        if let Some(checksum) = &params.checksum {
+            let snapshot_checksum = hash_file(snapshot.file.path()).await?;
+            if !hashes_equal(snapshot_checksum.as_str(), checksum.as_str()) {
+                return Err(StorageError::checksum_mismatch(snapshot_checksum, checksum));
+            }
+        }
+
+        let snapshot_location =
+            do_save_uploaded_snapshot(dispatcher.toc(&access, &pass), &collection.name, snapshot)
+                .await?;
+
+        // Snapshot is a local file, we do not need an API key for that
+        let http_client = http_client.client(None)?;
+
+        let snapshot_recover = SnapshotRecover {
+            location: snapshot_location,
+            priority: params.priority,
+            checksum: None,
+            api_key: None,
+        };
+
+        do_recover_from_snapshot(
+            dispatcher.get_ref(),
+            &collection.name,
+            snapshot_recover,
+            access,
+            http_client,
+        )
+        .await
+    };
+
+    helpers::time_or_accept(future, wait.unwrap_or(true)).await
+}
+
+#[put("/collections/{name}/snapshots/recover")]
+async fn recover_from_snapshot(
+    dispatcher: web::Data<Dispatcher>,
+    http_client: web::Data<HttpClient>,
+    collection: valid::Path<CollectionPath>,
+    request: valid::Json<SnapshotRecover>,
+    params: valid::Query<SnapshottingParam>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let future = async move {
+        let snapshot_recover = request.into_inner();
+        let http_client = http_client.client(snapshot_recover.api_key.as_deref())?;
+
+        do_recover_from_snapshot(
+            dispatcher.get_ref(),
+            &collection.name,
+            snapshot_recover,
+            access,
+            http_client,
+        )
+        .await
+    };
+
+    helpers::time_or_accept(future, params.wait.unwrap_or(true)).await
+}
+
+#[get("/collections/{name}/snapshots/{snapshot_name}")]
+async fn get_snapshot(
+    dispatcher: web::Data<Dispatcher>,
+    path: web::Path<(String, String)>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    // Nothing to verify.
+    let pass = new_unchecked_verification_pass();
+
+    let (collection_name, snapshot_name) = path.into_inner();
+    do_get_snapshot(
+        dispatcher.toc(&access, &pass),
+        access,
+        &collection_name,
+        &snapshot_name,
+    )
+    .await
+}
+
+#[get("/snapshots")]
+async fn list_full_snapshots(
+    dispatcher: web::Data<Dispatcher>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    // nothing to verify.
+    let pass = new_unchecked_verification_pass();
+
+    helpers::time(do_list_full_snapshots(
+        dispatcher.toc(&access, &pass),
+        access,
+    ))
+    .await
+}
+
+#[post("/snapshots")]
+async fn create_full_snapshot(
+    dispatcher: web::Data<Dispatcher>,
+    params: valid::Query<SnapshottingParam>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let future = async move { do_create_full_snapshot(dispatcher.get_ref(), access).await };
+    helpers::time_or_accept(future, params.wait.unwrap_or(true)).await
+}
+
+#[get("/snapshots/{snapshot_name}")]
+async fn get_full_snapshot(
+    dispatcher: web::Data<Dispatcher>,
+    path: web::Path<String>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    // nothing to verify.
+    let pass = new_unchecked_verification_pass();
+
+    let snapshot_name = path.into_inner();
+    do_get_full_snapshot(dispatcher.toc(&access, &pass), access, &snapshot_name).await
+}
+
+#[delete("/snapshots/{snapshot_name}")]
+async fn delete_full_snapshot(
+    dispatcher: web::Data<Dispatcher>,
+    path: web::Path<String>,
+    params: valid::Query<SnapshottingParam>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let future = async move {
+        let snapshot_name = path.into_inner();
+        do_delete_full_snapshot(dispatcher.get_ref(), access, &snapshot_name).await
+    };
+
+    helpers::time_or_accept(future, params.wait.unwrap_or(true)).await
+}
+
+#[delete("/collections/{name}/snapshots/{snapshot_name}")]
+async fn delete_collection_snapshot(
+    dispatcher: web::Data<Dispatcher>,
+    path: web::Path<(String, String)>,
+    params: valid::Query<SnapshottingParam>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let future = async move {
+        let (collection_name, snapshot_name) = path.into_inner();
+
+        do_delete_collection_snapshot(
+            dispatcher.get_ref(),
+            access,
+            &collection_name,
+            &snapshot_name,
+        )
+        .await
+    };
+
+    helpers::time_or_accept(future, params.wait.unwrap_or(true)).await
+}
+
+#[get("/collections/{collection}/shards/{shard}/snapshots")]
+async fn list_shard_snapshots(
+    dispatcher: web::Data<Dispatcher>,
+    path: web::Path<(String, ShardId)>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    // nothing to verify.
+    let pass = new_unchecked_verification_pass();
+
+    let (collection, shard) = path.into_inner();
+
+    let future = common::snapshots::list_shard_snapshots(
+        dispatcher.toc(&access, &pass).clone(),
+        access,
+        collection,
+        shard,
+    )
+    .map_err(Into::into);
+
+    helpers::time(future).await
+}
+
+#[post("/collections/{collection}/shards/{shard}/snapshots")]
+async fn create_shard_snapshot(
+    dispatcher: web::Data<Dispatcher>,
+    path: web::Path<(String, ShardId)>,
+    query: web::Query<SnapshottingParam>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    // nothing to verify.
+    let pass = new_unchecked_verification_pass();
+
+    let (collection, shard) = path.into_inner();
+    let future = common::snapshots::create_shard_snapshot(
+        dispatcher.toc(&access, &pass).clone(),
+        access,
+        collection,
+        shard,
+    );
+
+    helpers::time_or_accept(future, query.wait.unwrap_or(true)).await
+}
+
+#[get("/collections/{collection}/shards/{shard}/snapshot")]
+async fn stream_shard_snapshot(
+    dispatcher: web::Data<Dispatcher>,
+    path: web::Path<(String, ShardId)>,
+    ActixAccess(access): ActixAccess,
+) -> Result<SnapshotStream, HttpError> {
+    // nothing to verify.
+    let pass = new_unchecked_verification_pass();
+
+    let (collection, shard) = path.into_inner();
+    Ok(common::snapshots::stream_shard_snapshot(
+        dispatcher.toc(&access, &pass).clone(),
+        access,
+        collection,
+        shard,
+    )
+    .await?)
+}
+
+// TODO: `PUT` (same as `recover_from_snapshot`) or `POST`!?
+#[put("/collections/{collection}/shards/{shard}/snapshots/recover")]
+async fn recover_shard_snapshot(
+    dispatcher: web::Data<Dispatcher>,
+    http_client: web::Data<HttpClient>,
+    path: web::Path<(String, ShardId)>,
+    query: web::Query<SnapshottingParam>,
+    web::Json(request): web::Json<ShardSnapshotRecover>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    // nothing to verify.
+    let pass = new_unchecked_verification_pass();
+
+    let future = async move {
+        let (collection, shard) = path.into_inner();
+
+        common::snapshots::recover_shard_snapshot(
+            dispatcher.toc(&access, &pass).clone(),
+            access,
+            collection,
+            shard,
+            request.location,
+            request.priority.unwrap_or_default(),
+            request.checksum,
+            http_client.as_ref().clone(),
+            request.api_key,
+        )
+        .await?;
+
+        Ok(true)
+    };
+
+    helpers::time_or_accept(future, query.wait.unwrap_or(true)).await
+}
+
+// TODO: `POST` (same as `upload_snapshot`) or `PUT`!?
+#[post("/collections/{collection}/shards/{shard}/snapshots/upload")]
+async fn upload_shard_snapshot(
+    dispatcher: web::Data<Dispatcher>,
+    path: web::Path<(String, ShardId)>,
+    query: web::Query<SnapshotUploadingParam>,
+    MultipartForm(form): MultipartForm<SnapshottingForm>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    // nothing to verify.
+    let pass = new_unchecked_verification_pass();
+
+    let (collection, shard) = path.into_inner();
+    let SnapshotUploadingParam {
+        wait,
+        priority,
+        checksum,
+    } = query.into_inner();
+
+    // - `recover_shard_snapshot_impl` is *not* cancel safe
+    //   - but the task is *spawned* on the runtime and won't be cancelled, if request is cancelled
+
+    let future = cancel::future::spawn_cancel_on_drop(move |cancel| async move {
+        // TODO: Run this check before the multipart blob is uploaded
+        let collection_pass = access
+            .check_global_access(AccessRequirements::new().manage())?
+            .issue_pass(&collection);
+
+        if let Some(checksum) = checksum {
+            let snapshot_checksum = hash_file(form.snapshot.file.path()).await?;
+            if !hashes_equal(snapshot_checksum.as_str(), checksum.as_str()) {
+                return Err(StorageError::checksum_mismatch(snapshot_checksum, checksum));
+            }
+        }
+
+        let future = async {
+            let collection = dispatcher
+                .toc(&access, &pass)
+                .get_collection(&collection_pass)
+                .await?;
+            collection.assert_shard_exists(shard).await?;
+
+            Result::<_, StorageError>::Ok(collection)
+        };
+
+        let collection = cancel::future::cancel_on_token(cancel.clone(), future).await??;
+
+        // `recover_shard_snapshot_impl` is *not* cancel safe
+        common::snapshots::recover_shard_snapshot_impl(
+            dispatcher.toc(&access, &pass),
+            &collection,
+            shard,
+            form.snapshot.file.path(),
+            priority.unwrap_or_default(),
+            cancel,
+        )
+        .await?;
+
+        Ok(())
+    })
+    .map(|x| x.map_err(Into::into).and_then(|x| x));
+
+    helpers::time_or_accept(future, wait.unwrap_or(true)).await
+}
+
+#[get("/collections/{collection}/shards/{shard}/snapshots/{snapshot}")]
+async fn download_shard_snapshot(
+    dispatcher: web::Data<Dispatcher>,
+    path: web::Path<(String, ShardId, String)>,
+    ActixAccess(access): ActixAccess,
+) -> Result<impl Responder, HttpError> {
+    // nothing to verify.
+    let pass = new_unchecked_verification_pass();
+
+    let (collection, shard, snapshot) = path.into_inner();
+    let collection_pass =
+        access.check_collection_access(&collection, AccessRequirements::new().whole())?;
+    let collection = dispatcher
+        .toc(&access, &pass)
+        .get_collection(&collection_pass)
+        .await?;
+    let snapshots_storage_manager = collection.get_snapshots_storage_manager()?;
+    let snapshot_path = collection
+        .shards_holder()
+        .read()
+        .await
+        .get_shard_snapshot_path(collection.snapshots_path(), shard, &snapshot)
+        .await?;
+    let snapshot_stream = snapshots_storage_manager
+        .get_snapshot_stream(&snapshot_path)
+        .await?;
+    Ok(snapshot_stream)
+}
+
+#[delete("/collections/{collection}/shards/{shard}/snapshots/{snapshot}")]
+async fn delete_shard_snapshot(
+    dispatcher: web::Data<Dispatcher>,
+    path: web::Path<(String, ShardId, String)>,
+    query: web::Query<SnapshottingParam>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    // nothing to verify.
+    let pass = new_unchecked_verification_pass();
+
+    let (collection, shard, snapshot) = path.into_inner();
+    let future = common::snapshots::delete_shard_snapshot(
+        dispatcher.toc(&access, &pass).clone(),
+        access,
+        collection,
+        shard,
+        snapshot,
+    )
+    .map_ok(|_| true)
+    .map_err(Into::into);
+
+    helpers::time_or_accept(future, query.wait.unwrap_or(true)).await
+}
+
+// Configure services
+pub fn config_snapshots_api(cfg: &mut web::ServiceConfig) {
+    cfg.service(list_snapshots)
+        .service(create_snapshot)
+        .service(upload_snapshot)
+        .service(recover_from_snapshot)
+        .service(get_snapshot)
+        .service(list_full_snapshots)
+        .service(create_full_snapshot)
+        .service(get_full_snapshot)
+        .service(delete_full_snapshot)
+        .service(delete_collection_snapshot)
+        .service(list_shard_snapshots)
+        .service(create_shard_snapshot)
+        .service(stream_shard_snapshot)
+        .service(recover_shard_snapshot)
+        .service(upload_shard_snapshot)
+        .service(download_shard_snapshot)
+        .service(delete_shard_snapshot);
+}

src/actix/api/update_api.rs

@@ -0,0 +1,392 @@
+use actix_web::rt::time::Instant;
+use actix_web::{delete, post, put, web, Responder};
+use actix_web_validator::{Json, Path, Query};
+use api::rest::schema::PointInsertOperations;
+use api::rest::UpdateVectors;
+use collection::operations::payload_ops::{DeletePayload, SetPayload};
+use collection::operations::point_ops::{PointsSelector, WriteOrdering};
+use collection::operations::types::UpdateResult;
+use collection::operations::vector_ops::DeleteVectors;
+use collection::operations::verification::new_unchecked_verification_pass;
+use schemars::JsonSchema;
+use segment::json_path::JsonPath;
+use serde::{Deserialize, Serialize};
+use storage::content_manager::collection_verification::check_strict_mode;
+use storage::dispatcher::Dispatcher;
+use validator::Validate;
+
+use super::CollectionPath;
+use crate::actix::auth::ActixAccess;
+use crate::actix::helpers::{self, process_response, process_response_error};
+use crate::common::points::{
+    do_batch_update_points, do_clear_payload, do_create_index, do_delete_index, do_delete_payload,
+    do_delete_points, do_delete_vectors, do_overwrite_payload, do_set_payload, do_update_vectors,
+    do_upsert_points, CreateFieldIndex, UpdateOperations,
+};
+
+#[derive(Deserialize, Validate)]
+struct FieldPath {
+    #[serde(rename = "field_name")]
+    name: JsonPath,
+}
+
+#[derive(Deserialize, Serialize, JsonSchema, Validate)]
+pub struct UpdateParam {
+    pub wait: Option<bool>,
+    pub ordering: Option<WriteOrdering>,
+}
+
+#[put("/collections/{name}/points")]
+async fn upsert_points(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    operation: Json<PointInsertOperations>,
+    params: Query<UpdateParam>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    // nothing to verify.
+    let pass = new_unchecked_verification_pass();
+
+    let operation = operation.into_inner();
+    let wait = params.wait.unwrap_or(false);
+    let ordering = params.ordering.unwrap_or_default();
+
+    helpers::time(do_upsert_points(
+        dispatcher.toc(&access, &pass).clone(),
+        collection.into_inner().name,
+        operation,
+        None,
+        None,
+        wait,
+        ordering,
+        access,
+    ))
+    .await
+}
+
+#[post("/collections/{name}/points/delete")]
+async fn delete_points(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    operation: Json<PointsSelector>,
+    params: Query<UpdateParam>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let operation = operation.into_inner();
+    let pass =
+        match check_strict_mode(&operation, None, &collection.name, &dispatcher, &access).await {
+            Ok(pass) => pass,
+            Err(err) => return process_response_error(err, Instant::now(), None),
+        };
+
+    let wait = params.wait.unwrap_or(false);
+    let ordering = params.ordering.unwrap_or_default();
+
+    helpers::time(do_delete_points(
+        dispatcher.toc(&access, &pass).clone(),
+        collection.into_inner().name,
+        operation,
+        None,
+        None,
+        wait,
+        ordering,
+        access,
+    ))
+    .await
+}
+
+#[put("/collections/{name}/points/vectors")]
+async fn update_vectors(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    operation: Json<UpdateVectors>,
+    params: Query<UpdateParam>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    // Nothing to verify here.
+    let pass = new_unchecked_verification_pass();
+
+    let operation = operation.into_inner();
+    let wait = params.wait.unwrap_or(false);
+    let ordering = params.ordering.unwrap_or_default();
+
+    helpers::time(do_update_vectors(
+        dispatcher.toc(&access, &pass).clone(),
+        collection.into_inner().name,
+        operation,
+        None,
+        None,
+        wait,
+        ordering,
+        access,
+    ))
+    .await
+}
+
+#[post("/collections/{name}/points/vectors/delete")]
+async fn delete_vectors(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    operation: Json<DeleteVectors>,
+    params: Query<UpdateParam>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let timing = Instant::now();
+
+    let operation = operation.into_inner();
+    let pass =
+        match check_strict_mode(&operation, None, &collection.name, &dispatcher, &access).await {
+            Ok(pass) => pass,
+            Err(err) => return process_response_error(err, timing, None),
+        };
+
+    let wait = params.wait.unwrap_or(false);
+    let ordering = params.ordering.unwrap_or_default();
+
+    let response = do_delete_vectors(
+        dispatcher.toc(&access, &pass).clone(),
+        collection.into_inner().name,
+        operation,
+        None,
+        None,
+        wait,
+        ordering,
+        access,
+    )
+    .await;
+    process_response(response, timing, None)
+}
+
+#[post("/collections/{name}/points/payload")]
+async fn set_payload(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    operation: Json<SetPayload>,
+    params: Query<UpdateParam>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let operation = operation.into_inner();
+
+    let pass =
+        match check_strict_mode(&operation, None, &collection.name, &dispatcher, &access).await {
+            Ok(pass) => pass,
+            Err(err) => return process_response_error(err, Instant::now(), None),
+        };
+
+    let wait = params.wait.unwrap_or(false);
+    let ordering = params.ordering.unwrap_or_default();
+
+    helpers::time(do_set_payload(
+        dispatcher.toc(&access, &pass).clone(),
+        collection.into_inner().name,
+        operation,
+        None,
+        None,
+        wait,
+        ordering,
+        access,
+    ))
+    .await
+}
+
+#[put("/collections/{name}/points/payload")]
+async fn overwrite_payload(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    operation: Json<SetPayload>,
+    params: Query<UpdateParam>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let operation = operation.into_inner();
+    let pass =
+        match check_strict_mode(&operation, None, &collection.name, &dispatcher, &access).await {
+            Ok(pass) => pass,
+            Err(err) => return process_response_error(err, Instant::now(), None),
+        };
+    let wait = params.wait.unwrap_or(false);
+    let ordering = params.ordering.unwrap_or_default();
+
+    helpers::time(do_overwrite_payload(
+        dispatcher.toc(&access, &pass).clone(),
+        collection.into_inner().name,
+        operation,
+        None,
+        None,
+        wait,
+        ordering,
+        access,
+    ))
+    .await
+}
+
+#[post("/collections/{name}/points/payload/delete")]
+async fn delete_payload(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    operation: Json<DeletePayload>,
+    params: Query<UpdateParam>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let operation = operation.into_inner();
+    let pass =
+        match check_strict_mode(&operation, None, &collection.name, &dispatcher, &access).await {
+            Ok(pass) => pass,
+            Err(err) => return process_response_error(err, Instant::now(), None),
+        };
+    let wait = params.wait.unwrap_or(false);
+    let ordering = params.ordering.unwrap_or_default();
+
+    helpers::time(do_delete_payload(
+        dispatcher.toc(&access, &pass).clone(),
+        collection.into_inner().name,
+        operation,
+        None,
+        None,
+        wait,
+        ordering,
+        access,
+    ))
+    .await
+}
+
+#[post("/collections/{name}/points/payload/clear")]
+async fn clear_payload(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    operation: Json<PointsSelector>,
+    params: Query<UpdateParam>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let operation = operation.into_inner();
+    let pass =
+        match check_strict_mode(&operation, None, &collection.name, &dispatcher, &access).await {
+            Ok(pass) => pass,
+            Err(err) => return process_response_error(err, Instant::now(), None),
+        };
+
+    let wait = params.wait.unwrap_or(false);
+    let ordering = params.ordering.unwrap_or_default();
+
+    helpers::time(do_clear_payload(
+        dispatcher.toc(&access, &pass).clone(),
+        collection.into_inner().name,
+        operation,
+        None,
+        None,
+        wait,
+        ordering,
+        access,
+    ))
+    .await
+}
+
+#[post("/collections/{name}/points/batch")]
+async fn update_batch(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    operations: Json<UpdateOperations>,
+    params: Query<UpdateParam>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let timing = Instant::now();
+    let operations = operations.into_inner();
+
+    let mut vpass = None;
+    for operation in operations.operations.iter() {
+        let pass = match check_strict_mode(operation, None, &collection.name, &dispatcher, &access)
+            .await
+        {
+            Ok(pass) => pass,
+            Err(err) => return process_response_error(err, Instant::now(), None),
+        };
+        vpass = Some(pass);
+    }
+
+    // vpass == None => No update operation available
+    let Some(pass) = vpass else {
+        return process_response::<Vec<UpdateResult>>(Ok(vec![]), timing, None);
+    };
+
+    let wait = params.wait.unwrap_or(false);
+    let ordering = params.ordering.unwrap_or_default();
+
+    let response = do_batch_update_points(
+        dispatcher.toc(&access, &pass).clone(),
+        collection.into_inner().name,
+        operations.operations,
+        None,
+        None,
+        wait,
+        ordering,
+        access,
+    )
+    .await;
+    process_response(response, timing, None)
+}
+#[put("/collections/{name}/index")]
+async fn create_field_index(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    operation: Json<CreateFieldIndex>,
+    params: Query<UpdateParam>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let timing = Instant::now();
+    let operation = operation.into_inner();
+    let wait = params.wait.unwrap_or(false);
+    let ordering = params.ordering.unwrap_or_default();
+
+    let response = do_create_index(
+        dispatcher.into_inner(),
+        collection.into_inner().name,
+        operation,
+        None,
+        None,
+        wait,
+        ordering,
+        access,
+    )
+    .await;
+    process_response(response, timing, None)
+}
+
+#[delete("/collections/{name}/index/{field_name}")]
+async fn delete_field_index(
+    dispatcher: web::Data<Dispatcher>,
+    collection: Path<CollectionPath>,
+    field: Path<FieldPath>,
+    params: Query<UpdateParam>,
+    ActixAccess(access): ActixAccess,
+) -> impl Responder {
+    let timing = Instant::now();
+    let wait = params.wait.unwrap_or(false);
+    let ordering = params.ordering.unwrap_or_default();
+
+    let response = do_delete_index(
+        dispatcher.into_inner(),
+        collection.into_inner().name,
+        field.name.clone(),
+        None,
+        None,
+        wait,
+        ordering,
+        access,
+    )
+    .await;
+    process_response(response, timing, None)
+}
+
+// Configure services
+pub fn config_update_api(cfg: &mut web::ServiceConfig) {
+    cfg.service(upsert_points)
+        .service(delete_points)
+        .service(update_vectors)
+        .service(delete_vectors)
+        .service(set_payload)
+        .service(overwrite_payload)
+        .service(delete_payload)
+        .service(clear_payload)
+        .service(create_field_index)
+        .service(delete_field_index)
+        .service(update_batch);
+}

src/actix/auth.rs

@@ -0,0 +1,160 @@
+use std::convert::Infallible;
+use std::future::{ready, Ready};
+use std::sync::Arc;
+
+use actix_web::body::{BoxBody, EitherBody};
+use actix_web::dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform};
+use actix_web::{Error, FromRequest, HttpMessage, HttpResponse, ResponseError};
+use futures_util::future::LocalBoxFuture;
+use storage::rbac::Access;
+
+use super::helpers::HttpError;
+use crate::common::auth::{AuthError, AuthKeys};
+
+pub struct Auth {
+    auth_keys: AuthKeys,
+    whitelist: Vec<WhitelistItem>,
+}
+
+impl Auth {
+    pub fn new(auth_keys: AuthKeys, whitelist: Vec<WhitelistItem>) -> Self {
+        Self {
+            auth_keys,
+            whitelist,
+        }
+    }
+}
+
+impl<S, B> Transform<S, ServiceRequest> for Auth
+where
+    S: Service<ServiceRequest, Response = ServiceResponse<EitherBody<B, BoxBody>>, Error = Error>
+        + 'static,
+    S::Future: 'static,
+    B: 'static,
+{
+    type Response = ServiceResponse<EitherBody<B, BoxBody>>;
+    type Error = Error;
+    type InitError = ();
+    type Transform = AuthMiddleware<S>;
+    type Future = Ready<Result<Self::Transform, Self::InitError>>;
+
+    fn new_transform(&self, service: S) -> Self::Future {
+        ready(Ok(AuthMiddleware {
+            auth_keys: Arc::new(self.auth_keys.clone()),
+            whitelist: self.whitelist.clone(),
+            service: Arc::new(service),
+        }))
+    }
+}
+
+#[derive(Clone, Eq, PartialEq, Hash)]
+pub struct WhitelistItem(pub String, pub PathMode);
+
+impl WhitelistItem {
+    pub fn exact<S: Into<String>>(path: S) -> Self {
+        Self(path.into(), PathMode::Exact)
+    }
+
+    pub fn prefix<S: Into<String>>(path: S) -> Self {
+        Self(path.into(), PathMode::Prefix)
+    }
+
+    pub fn matches(&self, other: &str) -> bool {
+        self.1.check(&self.0, other)
+    }
+}
+
+#[derive(Copy, Clone, Eq, PartialEq, Hash)]
+pub enum PathMode {
+    /// Path must match exactly
+    Exact,
+    /// Path must have given prefix
+    Prefix,
+}
+
+impl PathMode {
+    fn check(&self, key: &str, other: &str) -> bool {
+        match self {
+            Self::Exact => key == other,
+            Self::Prefix => other.starts_with(key),
+        }
+    }
+}
+
+pub struct AuthMiddleware<S> {
+    auth_keys: Arc<AuthKeys>,
+    /// List of items whitelisted from authentication.
+    whitelist: Vec<WhitelistItem>,
+    service: Arc<S>,
+}
+
+impl<S> AuthMiddleware<S> {
+    pub fn is_path_whitelisted(&self, path: &str) -> bool {
+        self.whitelist.iter().any(|item| item.matches(path))
+    }
+}
+
+impl<S, B> Service<ServiceRequest> for AuthMiddleware<S>
+where
+    S: Service<ServiceRequest, Response = ServiceResponse<EitherBody<B, BoxBody>>, Error = Error>
+        + 'static,
+    S::Future: 'static,
+    B: 'static,
+{
+    type Response = ServiceResponse<EitherBody<B, BoxBody>>;
+    type Error = Error;
+    type Future = LocalBoxFuture<'static, Result<Self::Response, Self::Error>>;
+
+    forward_ready!(service);
+
+    fn call(&self, req: ServiceRequest) -> Self::Future {
+        let path = req.path();
+
+        if self.is_path_whitelisted(path) {
+            return Box::pin(self.service.call(req));
+        }
+
+        let auth_keys = self.auth_keys.clone();
+        let service = self.service.clone();
+        Box::pin(async move {
+            match auth_keys
+                .validate_request(|key| req.headers().get(key).and_then(|val| val.to_str().ok()))
+                .await
+            {
+                Ok(access) => {
+                    let previous = req.extensions_mut().insert::<Access>(access);
+                    debug_assert!(
+                        previous.is_none(),
+                        "Previous access object should not exist in the request"
+                    );
+                    service.call(req).await
+                }
+                Err(e) => {
+                    let resp = match e {
+                        AuthError::Unauthorized(e) => HttpResponse::Unauthorized().body(e),
+                        AuthError::Forbidden(e) => HttpResponse::Forbidden().body(e),
+                        AuthError::StorageError(e) => HttpError::from(e).error_response(),
+                    };
+                    Ok(req.into_response(resp).map_into_right_body())
+                }
+            }
+        })
+    }
+}
+
+pub struct ActixAccess(pub Access);
+
+impl FromRequest for ActixAccess {
+    type Error = Infallible;
+    type Future = Ready<Result<Self, Self::Error>>;
+
+    fn from_request(
+        req: &actix_web::HttpRequest,
+        _payload: &mut actix_web::dev::Payload,
+    ) -> Self::Future {
+        let access = req.extensions_mut().remove::<Access>().unwrap_or_else(|| {
+            Access::full("All requests have full by default access when API key is not configured")
+        });
+        ready(Ok(ActixAccess(access)))
+    }
+}

src/actix/certificate_helpers.rs

@@ -0,0 +1,203 @@
+use std::fmt::Debug;
+use std::fs::File;
+use std::io::{self, BufRead, BufReader};
+use std::sync::Arc;
+use std::time::{Duration, Instant};
+
+use parking_lot::RwLock;
+use rustls::client::VerifierBuilderError;
+use rustls::pki_types::CertificateDer;
+use rustls::server::{ClientHello, ResolvesServerCert, WebPkiClientVerifier};
+use rustls::sign::CertifiedKey;
+use rustls::{crypto, RootCertStore, ServerConfig};
+use rustls_pemfile::Item;
+
+use crate::settings::{Settings, TlsConfig};
+
+type Result<T> = std::result::Result<T, Error>;
+
+/// A TTL based rotating server certificate resolver
+#[derive(Debug)]
+struct RotatingCertificateResolver {
+    /// TLS configuration used for loading/refreshing certified key
+    tls_config: TlsConfig,
+
+    /// TTL for each rotation
+    ttl: Option<Duration>,
+
+    /// Current certified key
+    key: RwLock<CertifiedKeyWithAge>,
+}
+
+impl RotatingCertificateResolver {
+    pub fn new(tls_config: TlsConfig, ttl: Option<Duration>) -> Result<Self> {
+        let certified_key = load_certified_key(&tls_config)?;
+
+        Ok(Self {
+            tls_config,
+            ttl,
+            key: RwLock::new(CertifiedKeyWithAge::from(certified_key)),
+        })
+    }
+
+    /// Get certificate key or refresh
+    ///
+    /// The key is automatically refreshed when the TTL is reached.
+    /// If refreshing fails, an error is logged and the old key is persisted.
+    fn get_key_or_refresh(&self) -> Arc<CertifiedKey> {
+        // Get read-only lock to the key. If TTL is not configured or is not expired, return key.
+        let key = self.key.read();
+        let ttl = match self.ttl {
+            Some(ttl) if key.is_expired(ttl) => ttl,
+            _ => return key.key.clone(),
+        };
+        drop(key);
+
+        // If TTL is expired:
+        // - get read-write lock to the key
+        // - *re-check that TTL is expired* (to avoid refreshing the key multiple times from concurrent threads)
+        // - refresh and return the key
+        let mut key = self.key.write();
+        if key.is_expired(ttl) {
+            if let Err(err) = key.refresh(&self.tls_config) {
+                log::error!("Failed to refresh server TLS certificate, keeping current: {err}");
+            }
+        }
+
+        key.key.clone()
+    }
+}
+
+impl ResolvesServerCert for RotatingCertificateResolver {
+    fn resolve(&self, _client_hello: ClientHello<'_>) -> Option<Arc<CertifiedKey>> {
+        Some(self.get_key_or_refresh())
+    }
+}
+
+#[derive(Debug)]
+struct CertifiedKeyWithAge {
+    /// Last time the certificate was updated/replaced
+    last_update: Instant,
+
+    /// Current certified key
+    key: Arc<CertifiedKey>,
+}
+
+impl CertifiedKeyWithAge {
+    pub fn from(key: Arc<CertifiedKey>) -> Self {
+        Self {
+            last_update: Instant::now(),
+            key,
+        }
+    }
+
+    pub fn refresh(&mut self, tls_config: &TlsConfig) -> Result<()> {
+        *self = Self::from(load_certified_key(tls_config)?);
+        Ok(())
+    }
+
+    pub fn age(&self) -> Duration {
+        self.last_update.elapsed()
+    }
+
+    pub fn is_expired(&self, ttl: Duration) -> bool {
+        self.age() >= ttl
+    }
+}
+
+/// Load TLS configuration and construct certified key.
+fn load_certified_key(tls_config: &TlsConfig) -> Result<Arc<CertifiedKey>> {
+    // Load certificates
+    let certs: Vec<CertificateDer> = with_buf_read(&tls_config.cert, |rd| {
+        rustls_pemfile::read_all(rd).collect::<io::Result<Vec<_>>>()
+    })?
+    .into_iter()
+    .filter_map(|item| match item {
+        Item::X509Certificate(data) => Some(data),
+        _ => None,
+    })
+    .collect();
+    if certs.is_empty() {
+        return Err(Error::NoServerCert);
+    }
+
+    // Load private key
+    let private_key_item =
+        with_buf_read(&tls_config.key, rustls_pemfile::read_one)?.ok_or(Error::NoPrivateKey)?;
+    let private_key = match private_key_item {
+        Item::Pkcs1Key(pkey) => rustls_pki_types::PrivateKeyDer::from(pkey),
+        Item::Pkcs8Key(pkey) => rustls_pki_types::PrivateKeyDer::from(pkey),
+        Item::Sec1Key(pkey) => rustls_pki_types::PrivateKeyDer::from(pkey),
+        _ => return Err(Error::InvalidPrivateKey),
+    };
+    let signing_key = crypto::ring::sign::any_supported_type(&private_key).map_err(Error::Sign)?;
+
+    // Construct certified key
+    let certified_key = CertifiedKey::new(certs, signing_key);
+    Ok(Arc::new(certified_key))
+}
+
+/// Generate an actix server configuration with TLS
+///
+/// Uses TLS settings as configured in configuration by user.
+pub fn actix_tls_server_config(settings: &Settings) -> Result<ServerConfig> {
+    let config = ServerConfig::builder();
+    let tls_config = settings
+        .tls
+        .clone()
+        .ok_or_else(Settings::tls_config_is_undefined_error)
+        .map_err(Error::Io)?;
+
+    // Verify client CA or not
+    let config = if settings.service.verify_https_client_certificate {
+        let mut root_cert_store = RootCertStore::empty();
+        let ca_certs: Vec<CertificateDer> = with_buf_read(&tls_config.ca_cert, |rd| {
+            rustls_pemfile::certs(rd).collect()
+        })?;
+        root_cert_store.add_parsable_certificates(ca_certs);
+        let client_cert_verifier = WebPkiClientVerifier::builder(root_cert_store.into())
+            .build()
+            .map_err(Error::ClientCertVerifier)?;
+        config.with_client_cert_verifier(client_cert_verifier)
+    } else {
+        config.with_no_client_auth()
+    };
+
+    // Configure rotating certificate resolver
+    let ttl = match tls_config.cert_ttl {
+        None | Some(0) => None,
+        Some(seconds) => Some(Duration::from_secs(seconds)),
+    };
+    let cert_resolver = RotatingCertificateResolver::new(tls_config, ttl)?;
+    let config = config.with_cert_resolver(Arc::new(cert_resolver));
+
+    Ok(config)
+}
+
+fn with_buf_read<T>(path: &str, f: impl FnOnce(&mut dyn BufRead) -> io::Result<T>) -> Result<T> {
+    let file = File::open(path).map_err(|err| Error::OpenFile(err, path.into()))?;
+    let mut reader = BufReader::new(file);
+    let dyn_reader: &mut dyn BufRead = &mut reader;
+    f(dyn_reader).map_err(|err| Error::ReadFile(err, path.into()))
+}
+
+/// Actix TLS errors.
+#[derive(thiserror::Error, Debug)]
+pub enum Error {
+    #[error("TLS file could not be opened: {1}")]
+    OpenFile(#[source] io::Error, String),
+    #[error("TLS file could not be read: {1}")]
+    ReadFile(#[source] io::Error, String),
+    #[error("general TLS IO error")]
+    Io(#[source] io::Error),
+    #[error("no server certificate found")]
+    NoServerCert,
+    #[error("no private key found")]
+    NoPrivateKey,
+    #[error("invalid private key")]
+    InvalidPrivateKey,
+    #[error("TLS signing error")]
+    Sign(#[source] rustls::Error),
+    #[error("client certificate verification")]
+    ClientCertVerifier(#[source] VerifierBuilderError),
+}

src/actix/helpers.rs

@@ -0,0 +1,179 @@
+use std::fmt::Debug;
+use std::future::Future;
+
+use actix_web::rt::time::Instant;
+use actix_web::{http, HttpResponse, ResponseError};
+use api::rest::models::{ApiResponse, ApiStatus, HardwareUsage};
+use collection::operations::types::CollectionError;
+use common::counter::hardware_accumulator::HwMeasurementAcc;
+use serde::Serialize;
+use storage::content_manager::errors::StorageError;
+use storage::content_manager::toc::request_hw_counter::RequestHwCounter;
+use storage::dispatcher::Dispatcher;
+
+pub fn get_request_hardware_counter(
+    dispatcher: &Dispatcher,
+    collection_name: String,
+    report_to_api: bool,
+) -> RequestHwCounter {
+    RequestHwCounter::new(
+        HwMeasurementAcc::new_with_drain(&dispatcher.get_collection_hw_metrics(collection_name)),
+        report_to_api,
+        false,
+    )
+}
+
+pub fn accepted_response(timing: Instant, hardware_usage: Option<HardwareUsage>) -> HttpResponse {
+    HttpResponse::Accepted().json(ApiResponse::<()> {
+        result: None,
+        status: ApiStatus::Accepted,
+        time: timing.elapsed().as_secs_f64(),
+        usage: hardware_usage,
+    })
+}
+
+pub fn process_response<T>(
+    response: Result<T, StorageError>,
+    timing: Instant,
+    hardware_usage: Option<HardwareUsage>,
+) -> HttpResponse
+where
+    T: Serialize,
+{
+    match response {
+        Ok(res) => HttpResponse::Ok().json(ApiResponse {
+            result: Some(res),
+            status: ApiStatus::Ok,
+            time: timing.elapsed().as_secs_f64(),
+            usage: hardware_usage,
+        }),
+        Err(err) => process_response_error(err, timing, hardware_usage),
+    }
+}
+
+pub fn process_response_error(
+    err: StorageError,
+    timing: Instant,
+    hardware_usage: Option<HardwareUsage>,
+) -> HttpResponse {
+    log_service_error(&err);
+
+    let error = HttpError::from(err);
+
+    HttpResponse::build(error.status_code()).json(ApiResponse::<()> {
+        result: None,
+        status: ApiStatus::Error(error.to_string()),
+        time: timing.elapsed().as_secs_f64(),
+        usage: hardware_usage,
+    })
+}
+
+/// Response wrapper for a `Future` returning `Result`.
+///
+/// # Cancel safety
+///
+/// Future must be cancel safe.
+pub async fn time<T, Fut>(future: Fut) -> HttpResponse
+where
+    Fut: Future<Output = Result<T, StorageError>>,
+    T: serde::Serialize,
+{
+    time_impl(async { future.await.map(Some) }).await
+}
+
+/// Response wrapper for a `Future` returning `Result`.
+/// If `wait` is false, returns `202 Accepted` immediately.
+pub async fn time_or_accept<T, Fut>(future: Fut, wait: bool) -> HttpResponse
+where
+    Fut: Future<Output = Result<T, StorageError>> + Send + 'static,
+    T: serde::Serialize + Send + 'static,
+{
+    let future = async move {
+        let handle = tokio::task::spawn(async move {
+            let result = future.await;
+
+            if !wait {
+                if let Err(err) = &result {
+                    log_service_error(err);
+                }
+            }
+
+            result
+        });
+
+        if wait {
+            handle.await?.map(Some)
+        } else {
+            Ok(None)
+        }
+    };
+
+    time_impl(future).await
+}
+
+/// # Cancel safety
+///
+/// Future must be cancel safe.
+async fn time_impl<T, Fut>(future: Fut) -> HttpResponse
+where
+    Fut: Future<Output = Result<Option<T>, StorageError>>,
+    T: serde::Serialize,
+{
+    let instant = Instant::now();
+    match future.await.transpose() {
+        Some(res) => process_response(res, instant, None),
+        None => accepted_response(instant, None),
+    }
+}
+
+fn log_service_error(err: &StorageError) {
+    if let StorageError::ServiceError { backtrace, .. } = err {
+        log::error!("Error processing request: {err}");
+
+        if let Some(backtrace) = backtrace {
+            log::trace!("Backtrace: {backtrace}");
+        }
+    }
+}
+
+pub type HttpResult<T, E = HttpError> = Result<T, E>;
+
+#[derive(Clone, Debug, thiserror::Error)]
+#[error("{0}")]
+pub struct HttpError(StorageError);
+
+impl ResponseError for HttpError {
+    fn status_code(&self) -> http::StatusCode {
+        match &self.0 {
+            StorageError::BadInput { .. } => http::StatusCode::BAD_REQUEST,
+            StorageError::NotFound { .. } => http::StatusCode::NOT_FOUND,
+            StorageError::ServiceError { .. } => http::StatusCode::INTERNAL_SERVER_ERROR,
+            StorageError::BadRequest { .. } => http::StatusCode::BAD_REQUEST,
+            StorageError::Locked { .. } => http::StatusCode::FORBIDDEN,
+            StorageError::Timeout { .. } => http::StatusCode::REQUEST_TIMEOUT,
+            StorageError::AlreadyExists { .. } => http::StatusCode::CONFLICT,
+            StorageError::ChecksumMismatch { .. } => http::StatusCode::BAD_REQUEST,
+            StorageError::Forbidden { .. } => http::StatusCode::FORBIDDEN,
+            StorageError::PreconditionFailed { .. } => http::StatusCode::INTERNAL_SERVER_ERROR,
+            StorageError::InferenceError { .. } => http::StatusCode::BAD_REQUEST,
+        }
+    }
+}
+
+impl From<StorageError> for HttpError {
+    fn from(err: StorageError) -> Self {
+        HttpError(err)
+    }
+}
+
+impl From<CollectionError> for HttpError {
+    fn from(err: CollectionError) -> Self {
+        HttpError(err.into())
+    }
+}
+
+impl From<std::io::Error> for HttpError {
+    fn from(err: std::io::Error) -> Self {
+        HttpError(err.into()) // TODO: Is this good enough?.. 🤔
+    }
+}

src/actix/mod.rs

@@ -0,0 +1,262 @@
+#[allow(dead_code)] // May contain functions used in different binaries. Not actually dead
+pub mod actix_telemetry;
+pub mod api;
+mod auth;
+mod certificate_helpers;
+#[allow(dead_code)] // May contain functions used in different binaries. Not actually dead
+pub mod helpers;
+pub mod web_ui;
+
+use std::io;
+use std::sync::Arc;
+
+use ::api::rest::models::{ApiResponse, ApiStatus, VersionInfo};
+use actix_cors::Cors;
+use actix_multipart::form::tempfile::TempFileConfig;
+use actix_multipart::form::MultipartFormConfig;
+use actix_web::middleware::{Compress, Condition, Logger};
+use actix_web::{error, get, web, App, HttpRequest, HttpResponse, HttpServer, Responder};
+use actix_web_extras::middleware::Condition as ConditionEx;
+use api::facet_api::config_facet_api;
+use collection::operations::validation;
+use collection::operations::verification::new_unchecked_verification_pass;
+use storage::dispatcher::Dispatcher;
+use storage::rbac::Access;
+
+use crate::actix::api::cluster_api::config_cluster_api;
+use crate::actix::api::collections_api::config_collections_api;
+use crate::actix::api::count_api::count_points;
+use crate::actix::api::debug_api::config_debugger_api;
+use crate::actix::api::discovery_api::config_discovery_api;
+use crate::actix::api::issues_api::config_issues_api;
+use crate::actix::api::local_shard_api::config_local_shard_api;
+use crate::actix::api::query_api::config_query_api;
+use crate::actix::api::recommend_api::config_recommend_api;
+use crate::actix::api::retrieve_api::{get_point, get_points, scroll_points};
+use crate::actix::api::search_api::config_search_api;
+use crate::actix::api::service_api::config_service_api;
+use crate::actix::api::shards_api::config_shards_api;
+use crate::actix::api::snapshot_api::config_snapshots_api;
+use crate::actix::api::update_api::config_update_api;
+use crate::actix::auth::{Auth, WhitelistItem};
+use crate::actix::web_ui::{web_ui_factory, web_ui_folder, WEB_UI_PATH};
+use crate::common::auth::AuthKeys;
+use crate::common::debugger::DebuggerState;
+use crate::common::health;
+use crate::common::http_client::HttpClient;
+use crate::common::telemetry::TelemetryCollector;
+use crate::settings::{max_web_workers, Settings};
+use crate::tracing::LoggerHandle;
+
+#[get("/")]
+pub async fn index() -> impl Responder {
+    HttpResponse::Ok().json(VersionInfo::default())
+}
+
+#[allow(dead_code)]
+pub fn init(
+    dispatcher: Arc<Dispatcher>,
+    telemetry_collector: Arc<tokio::sync::Mutex<TelemetryCollector>>,
+    health_checker: Option<Arc<health::HealthChecker>>,
+    settings: Settings,
+    logger_handle: LoggerHandle,
+) -> io::Result<()> {
+    actix_web::rt::System::new().block_on(async {
+        // Nothing to verify here.
+        let pass = new_unchecked_verification_pass();
+        let auth_keys = AuthKeys::try_create(
+            &settings.service,
+            dispatcher
+                .toc(&Access::full("For JWT validation"), &pass)
+                .clone(),
+        );
+        let upload_dir = dispatcher
+            .toc(&Access::full("For upload dir"), &pass)
+            .upload_dir()
+            .unwrap();
+        let dispatcher_data = web::Data::from(dispatcher);
+        let actix_telemetry_collector = telemetry_collector
+            .lock()
+            .await
+            .actix_telemetry_collector
+            .clone();
+        let debugger_state = web::Data::new(DebuggerState::from_settings(&settings));
+        let telemetry_collector_data = web::Data::from(telemetry_collector);
+        let logger_handle_data = web::Data::new(logger_handle);
+        let http_client = web::Data::new(HttpClient::from_settings(&settings)?);
+        let health_checker = web::Data::new(health_checker);
+        let web_ui_available = web_ui_folder(&settings);
+        let service_config = web::Data::new(settings.service.clone());
+
+        let mut api_key_whitelist = vec![
+            WhitelistItem::exact("/"),
+            WhitelistItem::exact("/healthz"),
+            WhitelistItem::prefix("/readyz"),
+            WhitelistItem::prefix("/livez"),
+        ];
+        if web_ui_available.is_some() {
+            api_key_whitelist.push(WhitelistItem::prefix(WEB_UI_PATH));
+        }
+
+        let mut server = HttpServer::new(move || {
+            let cors = Cors::default()
+                .allow_any_origin()
+                .allow_any_method()
+                .allow_any_header();
+            let validate_path_config = actix_web_validator::PathConfig::default()
+                .error_handler(|err, rec| validation_error_handler("path parameters", err, rec));
+            let validate_query_config = actix_web_validator::QueryConfig::default()
+                .error_handler(|err, rec| validation_error_handler("query parameters", err, rec));
+            let validate_json_config = actix_web_validator::JsonConfig::default()
+                .limit(settings.service.max_request_size_mb * 1024 * 1024)
+                .error_handler(|err, rec| validation_error_handler("JSON body", err, rec));
+
+            let mut app = App::new()
+                .wrap(Compress::default()) // Reads the `Accept-Encoding` header to negotiate which compression codec to use.
+                // api_key middleware
+                // note: the last call to `wrap()` or `wrap_fn()` is executed first
+                .wrap(ConditionEx::from_option(auth_keys.as_ref().map(
+                    |auth_keys| Auth::new(auth_keys.clone(), api_key_whitelist.clone()),
+                )))
+                .wrap(Condition::new(settings.service.enable_cors, cors))
+                .wrap(
+                    // Set up logger, but avoid logging hot status endpoints
+                    Logger::default()
+                        .exclude("/")
+                        .exclude("/metrics")
+                        .exclude("/telemetry")
+                        .exclude("/healthz")
+                        .exclude("/readyz")
+                        .exclude("/livez"),
+                )
+                .wrap(actix_telemetry::ActixTelemetryTransform::new(
+                    actix_telemetry_collector.clone(),
+                ))
+                .app_data(dispatcher_data.clone())
+                .app_data(telemetry_collector_data.clone())
+                .app_data(logger_handle_data.clone())
+                .app_data(http_client.clone())
+                .app_data(debugger_state.clone())
+                .app_data(health_checker.clone())
+                .app_data(validate_path_config)
+                .app_data(validate_query_config)
+                .app_data(validate_json_config)
+                .app_data(TempFileConfig::default().directory(&upload_dir))
+                .app_data(MultipartFormConfig::default().total_limit(usize::MAX))
+                .app_data(service_config.clone())
+                .service(index)
+                .configure(config_collections_api)
+                .configure(config_snapshots_api)
+                .configure(config_update_api)
+                .configure(config_cluster_api)
+                .configure(config_service_api)
+                .configure(config_search_api)
+                .configure(config_recommend_api)
+                .configure(config_discovery_api)
+                .configure(config_query_api)
+                .configure(config_facet_api)
+                .configure(config_shards_api)
+                .configure(config_issues_api)
+                .configure(config_debugger_api)
+                .configure(config_local_shard_api)
+                // Ordering of services is important for correct path pattern matching
+                // See: <https://github.com/qdrant/qdrant/issues/3543>
+                .service(scroll_points)
+                .service(count_points)
+                .service(get_point)
+                .service(get_points);
+
+            if let Some(static_folder) = web_ui_available.as_deref() {
+                app = app.service(web_ui_factory(static_folder));
+            }
+
+            app
+        })
+        .workers(max_web_workers(&settings));
+
+        let port = settings.service.http_port;
+        let bind_addr = format!("{}:{}", settings.service.host, port);
+
+        // With TLS enabled, bind with certificate helper and Rustls, or bind regularly
+        server = if settings.service.enable_tls {
+            log::info!(
+                "TLS enabled for REST API (TTL: {})",
+                settings
+                    .tls
+                    .as_ref()
+                    .and_then(|tls| tls.cert_ttl)
+                    .map(|ttl| ttl.to_string())
+                    .unwrap_or_else(|| "none".into()),
+            );
+
+            let config = certificate_helpers::actix_tls_server_config(&settings)
+                .map_err(|err| io::Error::new(io::ErrorKind::Other, err))?;
+            server.bind_rustls_0_23(bind_addr, config)?
+        } else {
+            log::info!("TLS disabled for REST API");
+
+            server.bind(bind_addr)?
+        };
+
+        log::info!("Qdrant HTTP listening on {}", port);
+        server.run().await
+    })
+}
+
+fn validation_error_handler(
+    name: &str,
+    err: actix_web_validator::Error,
+    _req: &HttpRequest,
+) -> error::Error {
+    use actix_web_validator::error::DeserializeErrors;
+
+    // Nicely describe deserialization and validation errors
+    let msg = match &err {
+        actix_web_validator::Error::Validate(errs) => {
+            validation::label_errors(format!("Validation error in {name}"), errs)
+        }
+        actix_web_validator::Error::Deserialize(err) => {
+            format!(
+                "Deserialize error in {name}: {}",
+                match err {
+                    DeserializeErrors::DeserializeQuery(err) => err.to_string(),
+                    DeserializeErrors::DeserializeJson(err) => err.to_string(),
+                    DeserializeErrors::DeserializePath(err) => err.to_string(),
+                }
+            )
+        }
+        actix_web_validator::Error::JsonPayloadError(
+            actix_web::error::JsonPayloadError::Deserialize(err),
+        ) => {
+            format!("Format error in {name}: {err}",)
+        }
+        err => err.to_string(),
+    };
+
+    // Build fitting response
+    let response = match &err {
+        actix_web_validator::Error::Validate(_) => HttpResponse::UnprocessableEntity(),
+        _ => HttpResponse::BadRequest(),
+    }
+    .json(ApiResponse::<()> {
+        result: None,
+        status: ApiStatus::Error(msg),
+        time: 0.0,
+        usage: None,
+    });
+    error::InternalError::from_response(err, response).into()
+}
+
+#[cfg(test)]
+mod tests {
+    use ::api::grpc::api_crate_version;
+
+    #[test]
+    fn test_version() {
+        assert_eq!(
+            api_crate_version(),
+            env!("CARGO_PKG_VERSION"),
+            "Qdrant and lib/api crate versions are not same"
+        );
+    }
+}

src/actix/web_ui.rs

@@ -0,0 +1,115 @@
+use std::path::Path;
+
+use actix_web::dev::HttpServiceFactory;
+use actix_web::http::header::HeaderValue;
+use actix_web::middleware::DefaultHeaders;
+use actix_web::web;
+
+use crate::settings::Settings;
+
+const DEFAULT_STATIC_DIR: &str = "./static";
+pub const WEB_UI_PATH: &str = "/dashboard";
+
+pub fn web_ui_folder(settings: &Settings) -> Option<String> {
+    let web_ui_enabled = settings.service.enable_static_content.unwrap_or(true);
+
+    if web_ui_enabled {
+        let static_folder = settings
+            .service
+            .static_content_dir
+            .clone()
+            .unwrap_or_else(|| DEFAULT_STATIC_DIR.to_string());
+        let static_folder_path = Path::new(&static_folder);
+        if !static_folder_path.exists() || !static_folder_path.is_dir() {
+            // enabled BUT folder does not exist
+            log::warn!(
+                "Static content folder for Web UI '{}' does not exist",
+                static_folder_path.display(),
+            );
+            None
+        } else {
+            // enabled AND folder exists
+            Some(static_folder)
+        }
+    } else {
+        // not enabled
+        None
+    }
+}
+
+pub fn web_ui_factory(static_folder: &str) -> impl HttpServiceFactory {
+    web::scope(WEB_UI_PATH)
+        .wrap(DefaultHeaders::new().add(("X-Frame-Options", HeaderValue::from_static("DENY"))))
+        .service(actix_files::Files::new("/", static_folder).index_file("index.html"))
+}
+
+#[cfg(test)]
+mod tests {
+    use actix_web::http::header::{self, HeaderMap};
+    use actix_web::http::StatusCode;
+    use actix_web::test::{self, TestRequest};
+    use actix_web::App;
+
+    use super::*;
+
+    fn assert_html_custom_headers(headers: &HeaderMap) {
+        let content_type = header::HeaderValue::from_static("text/html; charset=utf-8");
+        assert_eq!(headers.get(header::CONTENT_TYPE), Some(&content_type));
+        let x_frame_options = header::HeaderValue::from_static("DENY");
+        assert_eq!(headers.get(header::X_FRAME_OPTIONS), Some(&x_frame_options),);
+    }
+
+    #[actix_web::test]
+    async fn test_web_ui() {
+        let static_dir = String::from("static");
+        let mut settings = Settings::new(None).unwrap();
+        settings.service.static_content_dir = Some(static_dir.clone());
+
+        let maybe_static_folder = web_ui_folder(&settings);
+        if maybe_static_folder.is_none() {
+            println!("Skipping test because the static folder was not found.");
+            return;
+        }
+
+        let static_folder = maybe_static_folder.unwrap();
+        let srv = test::init_service(App::new().service(web_ui_factory(&static_folder))).await;
+
+        // Index path (no trailing slash)
+        let req = TestRequest::with_uri(WEB_UI_PATH).to_request();
+        let res = test::call_service(&srv, req).await;
+        assert_eq!(res.status(), StatusCode::OK);
+        let headers = res.headers();
+        assert_html_custom_headers(headers);
+        // Index path (trailing slash)
+        let req = TestRequest::with_uri(format!("{WEB_UI_PATH}/").as_str()).to_request();
+        let res = test::call_service(&srv, req).await;
+        assert_eq!(res.status(), StatusCode::OK);
+        let headers = res.headers();
+        assert_html_custom_headers(headers);
+        // Index path (index.html file)
+        let req = TestRequest::with_uri(format!("{WEB_UI_PATH}/index.html").as_str()).to_request();
+        let res = test::call_service(&srv, req).await;
+        assert_eq!(res.status(), StatusCode::OK);
+        let headers = res.headers();
+        assert_html_custom_headers(headers);
+        // Static asset (favicon.ico)
+        let req = TestRequest::with_uri(format!("{WEB_UI_PATH}/favicon.ico").as_str()).to_request();
+        let res = test::call_service(&srv, req).await;
+        assert_eq!(res.status(), StatusCode::OK);
+        let headers = res.headers();
+        assert_eq!(
+            headers.get(header::CONTENT_TYPE),
+            Some(&header::HeaderValue::from_static("image/x-icon")),
+        );
+        // Non-existing path (404 Not Found)
+        let fake_path = uuid::Uuid::new_v4().to_string();
+        let srv = test::init_service(App::new().service(web_ui_factory(&fake_path))).await;
+
+        let req = TestRequest::with_uri(WEB_UI_PATH).to_request();
+        let res = test::call_service(&srv, req).await;
+        assert_eq!(res.status(), StatusCode::NOT_FOUND);
+        let headers = res.headers();
+        assert_eq!(headers.get(header::CONTENT_TYPE), None);
+        assert_eq!(headers.get(header::CONTENT_LENGTH), None);
+    }
+}

src/common/auth/claims.rs

@@ -0,0 +1,69 @@
+use segment::json_path::JsonPath;
+use segment::types::{Condition, FieldCondition, Filter, Match, ValueVariants};
+use serde::{Deserialize, Serialize};
+use storage::rbac::Access;
+use validator::{Validate, ValidationErrors};
+
+#[derive(Serialize, Deserialize, PartialEq, Clone, Debug)]
+pub struct Claims {
+    /// Expiration time (seconds since UNIX epoch)
+    pub exp: Option<u64>,
+
+    #[serde(default = "default_access")]
+    pub access: Access,
+
+    /// Validate this token by looking for a value inside a collection.
+    pub value_exists: Option<ValueExists>,
+}
+
+#[derive(Serialize, Deserialize, PartialEq, Clone, Debug)]
+pub struct KeyValuePair {
+    key: JsonPath,
+    value: ValueVariants,
+}
+
+impl KeyValuePair {
+    pub fn to_condition(&self) -> Condition {
+        Condition::Field(FieldCondition::new_match(
+            self.key.clone(),
+            Match::new_value(self.value.clone()),
+        ))
+    }
+}
+
+#[derive(Serialize, Deserialize, PartialEq, Clone, Debug)]
+pub struct ValueExists {
+    collection: String,
+    matches: Vec<KeyValuePair>,
+}
+
+fn default_access() -> Access {
+    Access::full("Give full access when the access field is not present")
+}
+
+impl ValueExists {
+    pub fn get_collection(&self) -> &str {
+        &self.collection
+    }
+
+    pub fn to_filter(&self) -> Filter {
+        let conditions = self
+            .matches
+            .iter()
+            .map(|pair| pair.to_condition())
+            .collect();
+
+        Filter {
+            should: None,
+            min_should: None,
+            must: Some(conditions),
+            must_not: None,
+        }
+    }
+}
+
+impl Validate for Claims {
+    fn validate(&self) -> Result<(), ValidationErrors> {
+        ValidationErrors::merge_all(Ok(()), "access", self.access.validate())
+    }
+}

src/common/auth/jwt_parser.rs

@@ -0,0 +1,155 @@
+use jsonwebtoken::errors::ErrorKind;
+use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
+use validator::Validate;
+
+use super::claims::Claims;
+use super::AuthError;
+
+#[derive(Clone)]
+pub struct JwtParser {
+    key: DecodingKey,
+    validation: Validation,
+}
+
+impl JwtParser {
+    const ALGORITHM: Algorithm = Algorithm::HS256;
+
+    pub fn new(secret: &str) -> Self {
+        let key = DecodingKey::from_secret(secret.as_bytes());
+        let mut validation = Validation::new(Self::ALGORITHM);
+
+        // Qdrant server is the only audience
+        validation.validate_aud = false;
+
+        // Expiration time leeway to account for clock skew
+        validation.leeway = 30;
+
+        // All claims are optional
+        validation.required_spec_claims = Default::default();
+
+        JwtParser { key, validation }
+    }
+
+    /// Decode the token and return the claims, this already validates the `exp` claim with some leeway.
+    /// Returns None when the token doesn't look like a JWT.
+    pub fn decode(&self, token: &str) -> Option<Result<Claims, AuthError>> {
+        let claims = match decode::<Claims>(token, &self.key, &self.validation) {
+            Ok(token_data) => token_data.claims,
+            Err(e) => {
+                return match e.kind() {
+                    ErrorKind::ExpiredSignature | ErrorKind::InvalidSignature => {
+                        Some(Err(AuthError::Forbidden(e.to_string())))
+                    }
+                    _ => None,
+                }
+            }
+        };
+        if let Err(e) = claims.validate() {
+            return Some(Err(AuthError::Unauthorized(e.to_string())));
+        }
+        Some(Ok(claims))
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use segment::types::ValueVariants;
+    use storage::rbac::{
+        Access, CollectionAccess, CollectionAccessList, CollectionAccessMode, GlobalAccessMode,
+        PayloadConstraint,
+    };
+
+    use super::*;
+
+    pub fn create_token(claims: &Claims) -> String {
+        use jsonwebtoken::{encode, EncodingKey, Header};
+
+        let key = EncodingKey::from_secret("secret".as_ref());
+        let header = Header::new(JwtParser::ALGORITHM);
+        encode(&header, claims, &key).unwrap()
+    }
+
+    #[test]
+    fn test_jwt_parser() {
+        let exp = std::time::SystemTime::now()
+            .duration_since(std::time::UNIX_EPOCH)
+            .expect("Time went backwards")
+            .as_secs();
+        let claims = Claims {
+            exp: Some(exp),
+            access: Access::Collection(CollectionAccessList(vec![CollectionAccess {
+                collection: "collection".to_string(),
+                access: CollectionAccessMode::ReadWrite,
+                payload: Some(PayloadConstraint(
+                    vec![
+                        (
+                            "field1".parse().unwrap(),
+                            ValueVariants::String("value".to_string()),
+                        ),
+                        ("field2".parse().unwrap(), ValueVariants::Integer(42)),
+                        ("field3".parse().unwrap(), ValueVariants::Bool(true)),
+                    ]
+                    .into_iter()
+                    .collect(),
+                )),
+            }])),
+            value_exists: None,
+        };
+        let token = create_token(&claims);
+
+        let secret = "secret";
+        let parser = JwtParser::new(secret);
+        let decoded_claims = parser.decode(&token).unwrap().unwrap();
+
+        assert_eq!(claims, decoded_claims);
+    }
+
+    #[test]
+    fn test_exp_validation() {
+        let exp = std::time::SystemTime::now()
+            .duration_since(std::time::UNIX_EPOCH)
+            .expect("Time went backwards")
+            .as_secs()
+            - 31; // 31 seconds in the past, bigger than the 30 seconds leeway
+
+        let mut claims = Claims {
+            exp: Some(exp),
+            access: Access::Global(GlobalAccessMode::Read),
+            value_exists: None,
+        };
+
+        let token = create_token(&claims);
+
+        let secret = "secret";
+        let parser = JwtParser::new(secret);
+        assert!(matches!(
+            parser.decode(&token),
+            Some(Err(AuthError::Forbidden(_)))
+        ));
+
+        // Remove the exp claim and it should work
+        claims.exp = None;
+        let token = create_token(&claims);
+
+        let decoded_claims = parser.decode(&token).unwrap().unwrap();
+
+        assert_eq!(claims, decoded_claims);
+    }
+
+    #[test]
+    fn test_invalid_token() {
+        let claims = Claims {
+            exp: None,
+            access: Access::Global(GlobalAccessMode::Read),
+            value_exists: None,
+        };
+        let token = create_token(&claims);
+
+        assert!(matches!(
+            JwtParser::new("wrong-secret").decode(&token),
+            Some(Err(AuthError::Forbidden(_)))
+        ));
+
+        assert!(JwtParser::new("secret").decode("foo.bar.baz").is_none());
+    }
+}

src/common/auth/mod.rs

@@ -0,0 +1,165 @@
+use std::sync::Arc;
+
+use collection::operations::shard_selector_internal::ShardSelectorInternal;
+use collection::operations::types::ScrollRequestInternal;
+use segment::types::{WithPayloadInterface, WithVector};
+use storage::content_manager::errors::StorageError;
+use storage::content_manager::toc::TableOfContent;
+use storage::rbac::Access;
+
+use self::claims::{Claims, ValueExists};
+use self::jwt_parser::JwtParser;
+use super::strings::ct_eq;
+use crate::settings::ServiceConfig;
+
+pub mod claims;
+pub mod jwt_parser;
+
+pub const HTTP_HEADER_API_KEY: &str = "api-key";
+
+/// The API keys used for auth
+#[derive(Clone)]
+pub struct AuthKeys {
+    /// A key allowing Read or Write operations
+    read_write: Option<String>,
+
+    /// A key allowing Read operations
+    read_only: Option<String>,
+
+    /// A JWT parser, based on the read_write key
+    jwt_parser: Option<JwtParser>,
+
+    /// Table of content, needed to do stateful validation of JWT
+    toc: Arc<TableOfContent>,
+}
+
+#[derive(Debug)]
+pub enum AuthError {
+    Unauthorized(String),
+    Forbidden(String),
+    StorageError(StorageError),
+}
+
+impl AuthKeys {
+    fn get_jwt_parser(service_config: &ServiceConfig) -> Option<JwtParser> {
+        if service_config.jwt_rbac.unwrap_or_default() {
+            service_config
+                .api_key
+                .as_ref()
+                .map(|secret| JwtParser::new(secret))
+        } else {
+            None
+        }
+    }
+
+    /// Defines the auth scheme given the service config
+    ///
+    /// Returns None if no scheme is specified.
+    pub fn try_create(service_config: &ServiceConfig, toc: Arc<TableOfContent>) -> Option<Self> {
+        match (
+            service_config.api_key.clone(),
+            service_config.read_only_api_key.clone(),
+        ) {
+            (None, None) => None,
+            (read_write, read_only) => Some(Self {
+                read_write,
+                read_only,
+                jwt_parser: Self::get_jwt_parser(service_config),
+                toc,
+            }),
+        }
+    }
+
+    /// Validate that the specified request is allowed for given keys.
+    pub async fn validate_request<'a>(
+        &self,
+        get_header: impl Fn(&'a str) -> Option<&'a str>,
+    ) -> Result<Access, AuthError> {
+        let Some(key) = get_header(HTTP_HEADER_API_KEY)
+            .or_else(|| get_header("authorization").and_then(|v| v.strip_prefix("Bearer ")))
+        else {
+            return Err(AuthError::Unauthorized(
+                "Must provide an API key or an Authorization bearer token".to_string(),
+            ));
+        };
+
+        if self.can_write(key) {
+            return Ok(Access::full("Read-write access by key"));
+        }
+
+        if self.can_read(key) {
+            return Ok(Access::full_ro("Read-only access by key"));
+        }
+
+        if let Some(claims) = self.jwt_parser.as_ref().and_then(|p| p.decode(key)) {
+            let Claims {
+                exp: _, // already validated on decoding
+                access,
+                value_exists,
+            } = claims?;
+
+            if let Some(value_exists) = value_exists {
+                self.validate_value_exists(&value_exists).await?;
+            }
+
+            return Ok(access);
+        }
+
+        Err(AuthError::Unauthorized(
+            "Invalid API key or JWT".to_string(),
+        ))
+    }
+
+    async fn validate_value_exists(&self, value_exists: &ValueExists) -> Result<(), AuthError> {
+        let scroll_req = ScrollRequestInternal {
+            offset: None,
+            limit: Some(1),
+            filter: Some(value_exists.to_filter()),
+            with_payload: Some(WithPayloadInterface::Bool(false)),
+            with_vector: WithVector::Bool(false),
+            order_by: None,
+        };
+
+        let res = self
+            .toc
+            .scroll(
+                value_exists.get_collection(),
+                scroll_req,
+                None,
+                None, // no timeout
+                ShardSelectorInternal::All,
+                Access::full("JWT stateful validation"),
+            )
+            .await
+            .map_err(|e| match e {
+                StorageError::NotFound { .. } => {
+                    AuthError::Forbidden("Invalid JWT, stateful validation failed".to_string())
+                }
+                _ => AuthError::StorageError(e),
+            })?;
+
+        if res.points.is_empty() {
+            return Err(AuthError::Unauthorized(
+                "Invalid JWT, stateful validation failed".to_string(),
+            ));
+        };
+
+        Ok(())
+    }
+
+    /// Check if a key is allowed to read
+    #[inline]
+    fn can_read(&self, key: &str) -> bool {
+        self.read_only
+            .as_ref()
+            .is_some_and(|ro_key| ct_eq(ro_key, key))
+    }
+
+    /// Check if a key is allowed to write
+    #[inline]
+    fn can_write(&self, key: &str) -> bool {
+        self.read_write
+            .as_ref()
+            .is_some_and(|rw_key| ct_eq(rw_key, key))
+    }
+}

src/common/collections.rs

@@ -0,0 +1,834 @@
+use std::collections::HashMap;
+use std::sync::Arc;
+use std::time::Duration;
+
+use api::grpc::qdrant::CollectionExists;
+use api::rest::models::{CollectionDescription, CollectionsResponse};
+use collection::config::ShardingMethod;
+use collection::operations::cluster_ops::{
+    AbortTransferOperation, ClusterOperations, DropReplicaOperation, MoveShardOperation,
+    ReplicateShardOperation, ReshardingDirection, RestartTransfer, RestartTransferOperation,
+    StartResharding,
+};
+use collection::operations::shard_selector_internal::ShardSelectorInternal;
+use collection::operations::snapshot_ops::SnapshotDescription;
+use collection::operations::types::{
+    AliasDescription, CollectionClusterInfo, CollectionInfo, CollectionsAliasesResponse,
+};
+use collection::operations::verification::new_unchecked_verification_pass;
+use collection::shards::replica_set;
+use collection::shards::resharding::ReshardKey;
+use collection::shards::shard::{PeerId, ShardId, ShardsPlacement};
+use collection::shards::transfer::{ShardTransfer, ShardTransferKey, ShardTransferRestart};
+use itertools::Itertools;
+use rand::prelude::SliceRandom;
+use rand::seq::IteratorRandom;
+use storage::content_manager::collection_meta_ops::ShardTransferOperations::{Abort, Start};
+use storage::content_manager::collection_meta_ops::{
+    CollectionMetaOperations, CreateShardKey, DropShardKey, ReshardingOperation,
+    SetShardReplicaState, ShardTransferOperations, UpdateCollectionOperation,
+};
+use storage::content_manager::errors::StorageError;
+use storage::content_manager::toc::TableOfContent;
+use storage::dispatcher::Dispatcher;
+use storage::rbac::{Access, AccessRequirements};
+
+pub async fn do_collection_exists(
+    toc: &TableOfContent,
+    access: Access,
+    name: &str,
+) -> Result<CollectionExists, StorageError> {
+    let collection_pass = access.check_collection_access(name, AccessRequirements::new())?;
+
+    // if this returns Ok, it means the collection exists.
+    // if not, we check that the error is NotFound
+    let Err(error) = toc.get_collection(&collection_pass).await else {
+        return Ok(CollectionExists { exists: true });
+    };
+    match error {
+        StorageError::NotFound { .. } => Ok(CollectionExists { exists: false }),
+        e => Err(e),
+    }
+}
+
+pub async fn do_get_collection(
+    toc: &TableOfContent,
+    access: Access,
+    name: &str,
+    shard_selection: Option<ShardId>,
+) -> Result<CollectionInfo, StorageError> {
+    let collection_pass =
+        access.check_collection_access(name, AccessRequirements::new().whole())?;
+
+    let collection = toc.get_collection(&collection_pass).await?;
+
+    let shard_selection = match shard_selection {
+        None => ShardSelectorInternal::All,
+        Some(shard_id) => ShardSelectorInternal::ShardId(shard_id),
+    };
+
+    Ok(collection.info(&shard_selection).await?)
+}
+
+pub async fn do_list_collections(
+    toc: &TableOfContent,
+    access: Access,
+) -> Result<CollectionsResponse, StorageError> {
+    let collections = toc
+        .all_collections(&access)
+        .await
+        .into_iter()
+        .map(|pass| CollectionDescription {
+            name: pass.name().to_string(),
+        })
+        .collect_vec();
+
+    Ok(CollectionsResponse { collections })
+}
+
+/// Construct shards-replicas layout for the shard from the given scope of peers
+/// Example:
+///   Shards: 3
+///   Replicas: 2
+///   Peers: [A, B, C]
+///
+/// Placement:
+/// [
+///         [A, B]
+///         [B, C]
+///         [A, C]
+/// ]
+fn generate_even_placement(
+    mut pool: Vec<PeerId>,
+    shard_number: usize,
+    replication_factor: usize,
+) -> ShardsPlacement {
+    let mut exact_placement = Vec::new();
+    let mut rng = rand::thread_rng();
+    pool.shuffle(&mut rng);
+    let mut loop_iter = pool.iter().cycle();
+
+    // pool: [1,2,3,4]
+    // shuf_pool: [2,3,4,1]
+    //
+    // loop_iter:       [2, 3, 4, 1, 2, 3, 4, 1, 2, 3, 4, 1, 2, 3, 4, 1,...]
+    // shard_placement: [2, 3, 4][1, 2, 3][4, 1, 2][3, 4, 1][2, 3, 4]
+
+    let max_replication_factor = std::cmp::min(replication_factor, pool.len());
+    for _shard in 0..shard_number {
+        let mut shard_placement = Vec::new();
+        for _replica in 0..max_replication_factor {
+            shard_placement.push(*loop_iter.next().unwrap());
+        }
+        exact_placement.push(shard_placement);
+    }
+    exact_placement
+}
+
+pub async fn do_list_collection_aliases(
+    toc: &TableOfContent,
+    access: Access,
+    collection_name: &str,
+) -> Result<CollectionsAliasesResponse, StorageError> {
+    let collection_pass =
+        access.check_collection_access(collection_name, AccessRequirements::new())?;
+    let aliases: Vec<AliasDescription> = toc
+        .collection_aliases(&collection_pass, &access)
+        .await?
+        .into_iter()
+        .map(|alias| AliasDescription {
+            alias_name: alias,
+            collection_name: collection_name.to_string(),
+        })
+        .collect();
+    Ok(CollectionsAliasesResponse { aliases })
+}
+
+pub async fn do_list_aliases(
+    toc: &TableOfContent,
+    access: Access,
+) -> Result<CollectionsAliasesResponse, StorageError> {
+    let aliases = toc.list_aliases(&access).await?;
+    Ok(CollectionsAliasesResponse { aliases })
+}
+
+pub async fn do_list_snapshots(
+    toc: &TableOfContent,
+    access: Access,
+    collection_name: &str,
+) -> Result<Vec<SnapshotDescription>, StorageError> {
+    let collection_pass =
+        access.check_collection_access(collection_name, AccessRequirements::new().whole())?;
+    Ok(toc
+        .get_collection(&collection_pass)
+        .await?
+        .list_snapshots()
+        .await?)
+}
+
+pub async fn do_create_snapshot(
+    toc: Arc<TableOfContent>,
+    access: Access,
+    collection_name: &str,
+) -> Result<SnapshotDescription, StorageError> {
+    let collection_pass = access
+        .check_collection_access(collection_name, AccessRequirements::new().write().whole())?
+        .into_static();
+
+    let result = tokio::spawn(async move { toc.create_snapshot(&collection_pass).await }).await??;
+
+    Ok(result)
+}
+
+pub async fn do_get_collection_cluster(
+    toc: &TableOfContent,
+    access: Access,
+    name: &str,
+) -> Result<CollectionClusterInfo, StorageError> {
+    let collection_pass =
+        access.check_collection_access(name, AccessRequirements::new().whole())?;
+    let collection = toc.get_collection(&collection_pass).await?;
+    Ok(collection.cluster_info(toc.this_peer_id).await?)
+}
+
+pub async fn do_update_collection_cluster(
+    dispatcher: &Dispatcher,
+    collection_name: String,
+    operation: ClusterOperations,
+    access: Access,
+    wait_timeout: Option<Duration>,
+) -> Result<bool, StorageError> {
+    let collection_pass = access.check_collection_access(
+        &collection_name,
+        AccessRequirements::new().write().manage().whole(),
+    )?;
+
+    if dispatcher.consensus_state().is_none() {
+        return Err(StorageError::BadRequest {
+            description: "Distributed mode disabled".to_string(),
+        });
+    }
+    let consensus_state = dispatcher.consensus_state().unwrap();
+
+    let get_all_peer_ids = || {
+        consensus_state
+            .persistent
+            .read()
+            .peer_address_by_id
+            .read()
+            .keys()
+            .cloned()
+            .collect_vec()
+    };
+
+    let validate_peer_exists = |peer_id| {
+        let target_peer_exist = consensus_state
+            .persistent
+            .read()
+            .peer_address_by_id
+            .read()
+            .contains_key(&peer_id);
+        if !target_peer_exist {
+            return Err(StorageError::BadRequest {
+                description: format!("Peer {peer_id} does not exist"),
+            });
+        }
+        Ok(())
+    };
+
+    // All checks should've been done at this point.
+    let pass = new_unchecked_verification_pass();
+
+    let collection = dispatcher
+        .toc(&access, &pass)
+        .get_collection(&collection_pass)
+        .await?;
+
+    match operation {
+        ClusterOperations::MoveShard(MoveShardOperation { move_shard }) => {
+            // validate shard to move
+            if !collection.contains_shard(move_shard.shard_id).await {
+                return Err(StorageError::BadRequest {
+                    description: format!(
+                        "Shard {} of {} does not exist",
+                        move_shard.shard_id, collection_name
+                    ),
+                });
+            };
+
+            // validate target and source peer exists
+            validate_peer_exists(move_shard.to_peer_id)?;
+            validate_peer_exists(move_shard.from_peer_id)?;
+
+            // submit operation to consensus
+            dispatcher
+                .submit_collection_meta_op(
+                    CollectionMetaOperations::TransferShard(
+                        collection_name,
+                        Start(ShardTransfer {
+                            shard_id: move_shard.shard_id,
+                            to_shard_id: move_shard.to_shard_id,
+                            to: move_shard.to_peer_id,
+                            from: move_shard.from_peer_id,
+                            sync: false,
+                            method: move_shard.method,
+                        }),
+                    ),
+                    access,
+                    wait_timeout,
+                )
+                .await
+        }
+        ClusterOperations::ReplicateShard(ReplicateShardOperation { replicate_shard }) => {
+            // validate shard to move
+            if !collection.contains_shard(replicate_shard.shard_id).await {
+                return Err(StorageError::BadRequest {
+                    description: format!(
+                        "Shard {} of {} does not exist",
+                        replicate_shard.shard_id, collection_name
+                    ),
+                });
+            };
+
+            // validate target peer exists
+            validate_peer_exists(replicate_shard.to_peer_id)?;
+
+            // validate source peer exists
+            validate_peer_exists(replicate_shard.from_peer_id)?;
+
+            // submit operation to consensus
+            dispatcher
+                .submit_collection_meta_op(
+                    CollectionMetaOperations::TransferShard(
+                        collection_name,
+                        Start(ShardTransfer {
+                            shard_id: replicate_shard.shard_id,
+                            to_shard_id: replicate_shard.to_shard_id,
+                            to: replicate_shard.to_peer_id,
+                            from: replicate_shard.from_peer_id,
+                            sync: true,
+                            method: replicate_shard.method,
+                        }),
+                    ),
+                    access,
+                    wait_timeout,
+                )
+                .await
+        }
+        ClusterOperations::AbortTransfer(AbortTransferOperation { abort_transfer }) => {
+            let transfer = ShardTransferKey {
+                shard_id: abort_transfer.shard_id,
+                to_shard_id: abort_transfer.to_shard_id,
+                to: abort_transfer.to_peer_id,
+                from: abort_transfer.from_peer_id,
+            };
+
+            if !collection.check_transfer_exists(&transfer).await {
+                return Err(StorageError::NotFound {
+                    description: format!(
+                        "Shard transfer {} -> {} for collection {}:{} does not exist",
+                        transfer.from, transfer.to, collection_name, transfer.shard_id
+                    ),
+                });
+            }
+
+            dispatcher
+                .submit_collection_meta_op(
+                    CollectionMetaOperations::TransferShard(
+                        collection_name,
+                        Abort {
+                            transfer,
+                            reason: "user request".to_string(),
+                        },
+                    ),
+                    access,
+                    wait_timeout,
+                )
+                .await
+        }
+        ClusterOperations::DropReplica(DropReplicaOperation { drop_replica }) => {
+            if !collection.contains_shard(drop_replica.shard_id).await {
+                return Err(StorageError::BadRequest {
+                    description: format!(
+                        "Shard {} of {} does not exist",
+                        drop_replica.shard_id, collection_name
+                    ),
+                });
+            };
+
+            validate_peer_exists(drop_replica.peer_id)?;
+
+            let mut update_operation = UpdateCollectionOperation::new_empty(collection_name);
+
+            update_operation.set_shard_replica_changes(vec![replica_set::Change::Remove(
+                drop_replica.shard_id,
+                drop_replica.peer_id,
+            )]);
+
+            dispatcher
+                .submit_collection_meta_op(
+                    CollectionMetaOperations::UpdateCollection(update_operation),
+                    access,
+                    wait_timeout,
+                )
+                .await
+        }
+        ClusterOperations::CreateShardingKey(create_sharding_key_op) => {
+            let create_sharding_key = create_sharding_key_op.create_sharding_key;
+
+            // Validate that:
+            // - proper sharding method is used
+            // - key does not exist yet
+            //
+            // If placement suggested:
+            // - Peers exist
+
+            let state = collection.state().await;
+
+            match state.config.params.sharding_method.unwrap_or_default() {
+                ShardingMethod::Auto => {
+                    return Err(StorageError::bad_request(
+                        "Shard Key cannot be created with Auto sharding method",
+                    ));
+                }
+                ShardingMethod::Custom => {}
+            }
+
+            let shard_number = create_sharding_key
+                .shards_number
+                .unwrap_or(state.config.params.shard_number)
+                .get() as usize;
+            let replication_factor = create_sharding_key
+                .replication_factor
+                .unwrap_or(state.config.params.replication_factor)
+                .get() as usize;
+
+            let shard_keys_mapping = state.shards_key_mapping;
+            if shard_keys_mapping.contains_key(&create_sharding_key.shard_key) {
+                return Err(StorageError::BadRequest {
+                    description: format!(
+                        "Sharding key {} already exists for collection {}",
+                        create_sharding_key.shard_key, collection_name
+                    ),
+                });
+            }
+
+            let peers_pool: Vec<_> = if let Some(placement) = create_sharding_key.placement {
+                if placement.is_empty() {
+                    return Err(StorageError::BadRequest {
+                        description: format!(
+                            "Sharding key {} placement cannot be empty. If you want to use random placement, do not specify placement",
+                            create_sharding_key.shard_key
+                        ),
+                    });
+                }
+
+                for peer_id in placement.iter().copied() {
+                    validate_peer_exists(peer_id)?;
+                }
+                placement
+            } else {
+                get_all_peer_ids()
+            };
+
+            let exact_placement =
+                generate_even_placement(peers_pool, shard_number, replication_factor);
+
+            dispatcher
+                .submit_collection_meta_op(
+                    CollectionMetaOperations::CreateShardKey(CreateShardKey {
+                        collection_name,
+                        shard_key: create_sharding_key.shard_key,
+                        placement: exact_placement,
+                    }),
+                    access,
+                    wait_timeout,
+                )
+                .await
+        }
+        ClusterOperations::DropShardingKey(drop_sharding_key_op) => {
+            let drop_sharding_key = drop_sharding_key_op.drop_sharding_key;
+            // Validate that:
+            // - proper sharding method is used
+            // - key does exist
+
+            let state = collection.state().await;
+
+            match state.config.params.sharding_method.unwrap_or_default() {
+                ShardingMethod::Auto => {
+                    return Err(StorageError::bad_request(
+                        "Shard Key cannot be created with Auto sharding method",
+                    ));
+                }
+                ShardingMethod::Custom => {}
+            }
+
+            let shard_keys_mapping = state.shards_key_mapping;
+            if !shard_keys_mapping.contains_key(&drop_sharding_key.shard_key) {
+                return Err(StorageError::BadRequest {
+                    description: format!(
+                        "Sharding key {} does not exists for collection {}",
+                        drop_sharding_key.shard_key, collection_name
+                    ),
+                });
+            }
+
+            dispatcher
+                .submit_collection_meta_op(
+                    CollectionMetaOperations::DropShardKey(DropShardKey {
+                        collection_name,
+                        shard_key: drop_sharding_key.shard_key,
+                    }),
+                    access,
+                    wait_timeout,
+                )
+                .await
+        }
+        ClusterOperations::RestartTransfer(RestartTransferOperation { restart_transfer }) => {
+            // TODO(reshading): Deduplicate resharding operations handling?
+
+            let RestartTransfer {
+                shard_id,
+                to_shard_id,
+                from_peer_id,
+                to_peer_id,
+                method,
+            } = restart_transfer;
+
+            let transfer_key = ShardTransferKey {
+                shard_id,
+                to_shard_id,
+                to: to_peer_id,
+                from: from_peer_id,
+            };
+
+            if !collection.check_transfer_exists(&transfer_key).await {
+                return Err(StorageError::NotFound {
+                    description: format!(
+                        "Shard transfer {} -> {} for collection {}:{} does not exist",
+                        transfer_key.from, transfer_key.to, collection_name, transfer_key.shard_id
+                    ),
+                });
+            }
+
+            dispatcher
+                .submit_collection_meta_op(
+                    CollectionMetaOperations::TransferShard(
+                        collection_name,
+                        ShardTransferOperations::Restart(ShardTransferRestart {
+                            shard_id,
+                            to_shard_id,
+                            to: to_peer_id,
+                            from: from_peer_id,
+                            method,
+                        }),
+                    ),
+                    access,
+                    wait_timeout,
+                )
+                .await
+        }
+        ClusterOperations::StartResharding(op) => {
+            let StartResharding {
+                direction,
+                peer_id,
+                shard_key,
+            } = op.start_resharding;
+
+            let collection_state = collection.state().await;
+
+            if let Some(shard_key) = &shard_key {
+                if !collection_state.shards_key_mapping.contains_key(shard_key) {
+                    return Err(StorageError::bad_request(format!(
+                        "sharding key {shard_key} does not exists for collection {collection_name}"
+                    )));
+                }
+            }
+
+            let shard_id = match (direction, shard_key.as_ref()) {
+                // When scaling up, just pick the next shard ID
+                (ReshardingDirection::Up, _) => {
+                    collection_state
+                        .shards
+                        .keys()
+                        .copied()
+                        .max()
+                        .expect("collection must contain shards")
+                        + 1
+                }
+                // When scaling down without shard keys, pick the last shard ID
+                (ReshardingDirection::Down, None) => collection_state
+                    .shards
+                    .keys()
+                    .copied()
+                    .max()
+                    .expect("collection must contain shards"),
+                // When scaling down with shard keys, pick the last shard ID of that key
+                (ReshardingDirection::Down, Some(shard_key)) => collection_state
+                    .shards_key_mapping
+                    .get(shard_key)
+                    .expect("specified shard key must exist")
+                    .iter()
+                    .copied()
+                    .max()
+                    .expect("collection must contain shards"),
+            };
+
+            let peer_id = match (peer_id, direction) {
+                // Select user specified peer, but make sure it exists
+                (Some(peer_id), _) => {
+                    validate_peer_exists(peer_id)?;
+                    peer_id
+                }
+
+                // When scaling up, select peer with least number of shards for this collection
+                (None, ReshardingDirection::Up) => {
+                    let mut shards_on_peers = collection_state
+                        .shards
+                        .values()
+                        .flat_map(|shard_info| shard_info.replicas.keys())
+                        .fold(HashMap::new(), |mut counts, peer_id| {
+                            *counts.entry(*peer_id).or_insert(0) += 1;
+                            counts
+                        });
+                    for peer_id in get_all_peer_ids() {
+                        // Add registered peers not holding any shard yet
+                        shards_on_peers.entry(peer_id).or_insert(0);
+                    }
+                    shards_on_peers
+                        .into_iter()
+                        .min_by_key(|(_, count)| *count)
+                        .map(|(peer_id, _)| peer_id)
+                        .expect("expected at least one peer")
+                }
+
+                // When scaling down, select random peer that contains the shard we're dropping
+                // Other peers work, but are less efficient due to remote operations
+                (None, ReshardingDirection::Down) => collection_state
+                    .shards
+                    .get(&shard_id)
+                    .expect("select shard ID must always exist in collection state")
+                    .replicas
+                    .keys()
+                    .choose(&mut rand::thread_rng())
+                    .copied()
+                    .unwrap(),
+            };
+
+            if let Some(resharding) = &collection_state.resharding {
+                return Err(StorageError::bad_request(format!(
+                    "resharding {resharding:?} is already in progress \
+                     for collection {collection_name}"
+                )));
+            }
+
+            dispatcher
+                .submit_collection_meta_op(
+                    CollectionMetaOperations::Resharding(
+                        collection_name.clone(),
+                        ReshardingOperation::Start(ReshardKey {
+                            direction,
+                            peer_id,
+                            shard_id,
+                            shard_key,
+                        }),
+                    ),
+                    access,
+                    wait_timeout,
+                )
+                .await
+        }
+        ClusterOperations::AbortResharding(_) => {
+            // TODO(reshading): Deduplicate resharding operations handling?
+
+            let Some(state) = collection.resharding_state().await else {
+                return Err(StorageError::bad_request(format!(
+                    "resharding is not in progress for collection {collection_name}"
+                )));
+            };
+
+            dispatcher
+                .submit_collection_meta_op(
+                    CollectionMetaOperations::Resharding(
+                        collection_name.clone(),
+                        ReshardingOperation::Abort(ReshardKey {
+                            direction: state.direction,
+                            peer_id: state.peer_id,
+                            shard_id: state.shard_id,
+                            shard_key: state.shard_key.clone(),
+                        }),
+                    ),
+                    access,
+                    wait_timeout,
+                )
+                .await
+        }
+        ClusterOperations::FinishResharding(_) => {
+            // TODO(resharding): Deduplicate resharding operations handling?
+
+            let Some(state) = collection.resharding_state().await else {
+                return Err(StorageError::bad_request(format!(
+                    "resharding is not in progress for collection {collection_name}"
+                )));
+            };
+
+            dispatcher
+                .submit_collection_meta_op(
+                    CollectionMetaOperations::Resharding(
+                        collection_name.clone(),
+                        ReshardingOperation::Finish(state.key()),
+                    ),
+                    access,
+                    wait_timeout,
+                )
+                .await
+        }
+
+        ClusterOperations::FinishMigratingPoints(op) => {
+            // TODO(resharding): Deduplicate resharding operations handling?
+
+            let Some(state) = collection.resharding_state().await else {
+                return Err(StorageError::bad_request(format!(
+                    "resharding is not in progress for collection {collection_name}"
+                )));
+            };
+
+            let op = op.finish_migrating_points;
+
+            let shard_id = match (op.shard_id, state.direction) {
+                (Some(shard_id), _) => shard_id,
+                (None, ReshardingDirection::Up) => state.shard_id,
+                (None, ReshardingDirection::Down) => {
+                    return Err(StorageError::bad_request(
+                        "shard ID must be specified when resharding down",
+                    ));
+                }
+            };
+
+            let peer_id = match (op.peer_id, state.direction) {
+                (Some(peer_id), _) => peer_id,
+                (None, ReshardingDirection::Up) => state.peer_id,
+                (None, ReshardingDirection::Down) => {
+                    return Err(StorageError::bad_request(
+                        "peer ID must be specified when resharding down",
+                    ));
+                }
+            };
+
+            dispatcher
+                .submit_collection_meta_op(
+                    CollectionMetaOperations::SetShardReplicaState(SetShardReplicaState {
+                        collection_name: collection_name.clone(),
+                        shard_id,
+                        peer_id,
+                        state: replica_set::ReplicaState::Active,
+                        from_state: Some(replica_set::ReplicaState::Resharding),
+                    }),
+                    access,
+                    wait_timeout,
+                )
+                .await
+        }
+
+        ClusterOperations::CommitReadHashRing(_) => {
+            // TODO(reshading): Deduplicate resharding operations handling?
+
+            let Some(state) = collection.resharding_state().await else {
+                return Err(StorageError::bad_request(format!(
+                    "resharding is not in progress for collection {collection_name}"
+                )));
+            };
+
+            // TODO(resharding): Add precondition checks?
+
+            dispatcher
+                .submit_collection_meta_op(
+                    CollectionMetaOperations::Resharding(
+                        collection_name.clone(),
+                        ReshardingOperation::CommitRead(ReshardKey {
+                            direction: state.direction,
+                            peer_id: state.peer_id,
+                            shard_id: state.shard_id,
+                            shard_key: state.shard_key.clone(),
+                        }),
+                    ),
+                    access,
+                    wait_timeout,
+                )
+                .await
+        }
+
+        ClusterOperations::CommitWriteHashRing(_) => {
+            // TODO(reshading): Deduplicate resharding operations handling?
+
+            let Some(state) = collection.resharding_state().await else {
+                return Err(StorageError::bad_request(format!(
+                    "resharding is not in progress for collection {collection_name}"
+                )));
+            };
+
+            // TODO(resharding): Add precondition checks?
+
+            dispatcher
+                .submit_collection_meta_op(
+                    CollectionMetaOperations::Resharding(
+                        collection_name.clone(),
+                        ReshardingOperation::CommitWrite(ReshardKey {
+                            direction: state.direction,
+                            peer_id: state.peer_id,
+                            shard_id: state.shard_id,
+                            shard_key: state.shard_key.clone(),
+                        }),
+                    ),
+                    access,
+                    wait_timeout,
+                )
+                .await
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use std::collections::HashSet;
+
+    use super::*;
+
+    #[test]
+    fn test_generate_even_placement() {
+        let pool = vec![1, 2, 3];
+        let placement = generate_even_placement(pool, 3, 2);
+
+        assert_eq!(placement.len(), 3);
+        for shard_placement in placement {
+            assert_eq!(shard_placement.len(), 2);
+            assert_ne!(shard_placement[0], shard_placement[1]);
+        }
+
+        let pool = vec![1, 2, 3];
+        let placement = generate_even_placement(pool, 3, 3);
+
+        assert_eq!(placement.len(), 3);
+        for shard_placement in placement {
+            assert_eq!(shard_placement.len(), 3);
+            let set: HashSet<_> = shard_placement.into_iter().collect();
+            assert_eq!(set.len(), 3);
+        }
+
+        let pool = vec![1, 2, 3, 4, 5, 6];
+        let placement = generate_even_placement(pool, 3, 2);
+
+        assert_eq!(placement.len(), 3);
+        let flat_placement: Vec<_> = placement.into_iter().flatten().collect();
+        let set: HashSet<_> = flat_placement.into_iter().collect();
+        assert_eq!(set.len(), 6);
+
+        let pool = vec![1, 2, 3, 4, 5];
+        let placement = generate_even_placement(pool, 3, 10);
+
+        assert_eq!(placement.len(), 3);
+        for shard_placement in placement {
+            assert_eq!(shard_placement.len(), 5);
+        }
+    }
+}

src/common/debugger.rs

@@ -0,0 +1,90 @@
+use std::sync::Arc;
+
+use parking_lot::Mutex;
+use schemars::JsonSchema;
+use serde::{Deserialize, Serialize};
+
+use crate::common::pyroscope_state::pyro::PyroscopeState;
+use crate::settings::Settings;
+
+#[derive(Serialize, JsonSchema, Debug, Deserialize, Clone)]
+pub struct PyroscopeConfig {
+    pub url: String,
+    pub identifier: String,
+    pub user: Option<String>,
+    pub password: Option<String>,
+    pub sampling_rate: Option<u32>,
+}
+
+#[derive(Default, Debug, Serialize, JsonSchema, Deserialize, Clone)]
+pub struct DebuggerConfig {
+    pub pyroscope: Option<PyroscopeConfig>,
+}
+
+#[derive(Debug, Serialize, JsonSchema, Deserialize, Clone)]
+#[serde(rename_all = "snake_case")]
+pub enum DebugConfigPatch {
+    Pyroscope(Option<PyroscopeConfig>),
+}
+
+pub struct DebuggerState {
+    #[cfg_attr(not(target_os = "linux"), allow(dead_code))]
+    pub pyroscope: Arc<Mutex<Option<PyroscopeState>>>,
+}
+
+impl DebuggerState {
+    pub fn from_settings(settings: &Settings) -> Self {
+        let pyroscope_config = settings.debugger.pyroscope.clone();
+        Self {
+            pyroscope: Arc::new(Mutex::new(PyroscopeState::from_config(pyroscope_config))),
+        }
+    }
+
+    #[cfg_attr(not(target_os = "linux"), allow(clippy::unused_self))]
+    pub fn get_config(&self) -> DebuggerConfig {
+        let pyroscope_config = {
+            #[cfg(target_os = "linux")]
+            {
+                let pyroscope_state_guard = self.pyroscope.lock();
+                pyroscope_state_guard.as_ref().map(|s| s.config.clone())
+            }
+            #[cfg(not(target_os = "linux"))]
+            {
+                None
+            }
+        };
+
+        DebuggerConfig {
+            pyroscope: pyroscope_config,
+        }
+    }
+
+    #[cfg_attr(not(target_os = "linux"), allow(clippy::unused_self))]
+    pub fn apply_config_patch(&self, patch: DebugConfigPatch) -> bool {
+        #[cfg(target_os = "linux")]
+        {
+            match patch {
+                DebugConfigPatch::Pyroscope(new_config) => {
+                    let mut pyroscope_guard = self.pyroscope.lock();
+                    if let Some(pyroscope_state) = pyroscope_guard.as_mut() {
+                        let stopped = pyroscope_state.stop_agent();
+                        if !stopped {
+                            return false;
+                        }
+                    }
+
+                    if let Some(new_config) = new_config {
+                        *pyroscope_guard = PyroscopeState::from_config(Some(new_config));
+                    }
+                    true
+                }
+            }
+        }
+
+        #[cfg(not(target_os = "linux"))]
+        {
+            let _ = patch; // Ignore new_config on non-linux OS
+            false
+        }
+    }
+}

src/common/error_reporting.rs

@@ -0,0 +1,31 @@
+use std::time::Duration;
+
+pub struct ErrorReporter;
+
+impl ErrorReporter {
+    fn get_url() -> String {
+        if cfg!(debug_assertions) {
+            "https://staging-telemetry.qdrant.io".to_string()
+        } else {
+            "https://telemetry.qdrant.io".to_string()
+        }
+    }
+
+    pub fn report(error: &str, reporting_id: &str, backtrace: Option<&str>) {
+        let client = reqwest::blocking::Client::new();
+
+        let report = serde_json::json!({
+            "id": reporting_id,
+            "error": error,
+            "backtrace": backtrace.unwrap_or(""),
+        });
+
+        let data = serde_json::to_string(&report).unwrap();
+        let _resp = client
+            .post(Self::get_url())
+            .body(data)
+            .header("Content-Type", "application/json")
+            .timeout(Duration::from_secs(1))
+            .send();
+    }
+}

src/common/health.rs

@@ -0,0 +1,372 @@
+use std::collections::HashSet;
+use std::future::{self, Future};
+use std::sync::atomic::{self, AtomicBool};
+use std::sync::Arc;
+use std::time::Duration;
+use std::{panic, thread};
+
+use api::grpc::qdrant::qdrant_internal_client::QdrantInternalClient;
+use api::grpc::qdrant::{GetConsensusCommitRequest, GetConsensusCommitResponse};
+use api::grpc::transport_channel_pool::{self, TransportChannelPool};
+use collection::shards::shard::ShardId;
+use collection::shards::CollectionId;
+use common::defaults;
+use futures::stream::FuturesUnordered;
+use futures::{FutureExt as _, StreamExt as _, TryStreamExt as _};
+use itertools::Itertools;
+use storage::content_manager::consensus_manager::ConsensusStateRef;
+use storage::content_manager::toc::TableOfContent;
+use storage::rbac::Access;
+use tokio::{runtime, sync, time};
+
+const READY_CHECK_TIMEOUT: Duration = Duration::from_millis(500);
+const GET_CONSENSUS_COMMITS_RETRIES: usize = 2;
+
+/// Structure used to process health checks like `/readyz` endpoints.
+pub struct HealthChecker {
+    // The state of the health checker.
+    // Once set to `true`, it should not change back to `false`.
+    // Initially set to `false`.
+    is_ready: Arc<AtomicBool>,
+    // The signal that notifies that state has changed.
+    // Comes from the health checker task.
+    is_ready_signal: Arc<sync::Notify>,
+    // Signal to the health checker task, that the API was called.
+    // Used to drive the health checker task and avoid constant polling.
+    check_ready_signal: Arc<sync::Notify>,
+    cancel: cancel::DropGuard,
+}
+
+impl HealthChecker {
+    pub fn spawn(
+        toc: Arc<TableOfContent>,
+        consensus_state: ConsensusStateRef,
+        runtime: &runtime::Handle,
+        wait_for_bootstrap: bool,
+    ) -> Self {
+        let task = Task {
+            toc,
+            consensus_state,
+            is_ready: Default::default(),
+            is_ready_signal: Default::default(),
+            check_ready_signal: Default::default(),
+            cancel: Default::default(),
+            wait_for_bootstrap,
+        };
+
+        let health_checker = Self {
+            is_ready: task.is_ready.clone(),
+            is_ready_signal: task.is_ready_signal.clone(),
+            check_ready_signal: task.check_ready_signal.clone(),
+            cancel: task.cancel.clone().drop_guard(),
+        };
+
+        let task = runtime.spawn(task.exec());
+        drop(task); // drop `JoinFuture` explicitly to make clippy happy
+
+        health_checker
+    }
+
+    pub async fn check_ready(&self) -> bool {
+        if self.is_ready() {
+            return true;
+        }
+
+        self.notify_task();
+        self.wait_ready().await
+    }
+
+    pub fn is_ready(&self) -> bool {
+        self.is_ready.load(atomic::Ordering::Relaxed)
+    }
+
+    pub fn notify_task(&self) {
+        self.check_ready_signal.notify_one();
+    }
+
+    async fn wait_ready(&self) -> bool {
+        let is_ready_signal = self.is_ready_signal.notified();
+
+        if self.is_ready() {
+            return true;
+        }
+
+        time::timeout(READY_CHECK_TIMEOUT, is_ready_signal)
+            .await
+            .is_ok()
+    }
+}
+
+pub struct Task {
+    toc: Arc<TableOfContent>,
+    consensus_state: ConsensusStateRef,
+    // Shared state with the health checker
+    // Once set to `true`, it should not change back to `false`.
+    is_ready: Arc<AtomicBool>,
+    // Used to notify the health checker service that the state has changed.
+    is_ready_signal: Arc<sync::Notify>,
+    // Driver signal for the health checker task
+    // Once received, the task should proceed with an attempt to check the state.
+    // Usually comes from the API call, but can be triggered by the task itself.
+    check_ready_signal: Arc<sync::Notify>,
+    cancel: cancel::CancellationToken,
+    wait_for_bootstrap: bool,
+}
+
+impl Task {
+    pub async fn exec(mut self) {
+        while let Err(err) = self.exec_catch_unwind().await {
+            let message = common::panic::downcast_str(&err).unwrap_or("");
+            let separator = if !message.is_empty() { ": " } else { "" };
+
+            log::error!("HealthChecker task panicked, retrying{separator}{message}",);
+        }
+    }
+
+    async fn exec_catch_unwind(&mut self) -> thread::Result<()> {
+        panic::AssertUnwindSafe(self.exec_cancel())
+            .catch_unwind()
+            .await
+    }
+
+    async fn exec_cancel(&mut self) {
+        let _ = cancel::future::cancel_on_token(self.cancel.clone(), self.exec_impl()).await;
+    }
+
+    async fn exec_impl(&mut self) {
+        // Wait until node joins cluster for the first time
+        //
+        // If this is a new deployment and `--bootstrap` CLI parameter was specified...
+        if self.wait_for_bootstrap {
+            // Check if this is the only node in the cluster
+            while self.consensus_state.peer_count() <= 1 {
+                // If cluster is empty, make another attempt to check
+                // after we receive another call to `/readyz`
+                //
+                // Wait for `/readyz` signal
+                self.check_ready_signal.notified().await;
+            }
+        }
+
+        // Artificial simulate signal from `/readyz` endpoint
+        // as if it was already called by the user.
+        // This allows to check the happy path without waiting for the first call.
+        self.check_ready_signal.notify_one();
+
+        // Get *cluster* commit index, or check if this is the only node in the cluster
+        let Some(cluster_commit_index) = self.cluster_commit_index().await else {
+            self.set_ready();
+            return;
+        };
+
+        // Check if *local* commit index >= *cluster* commit index...
+        while self.commit_index() < cluster_commit_index {
+            // Wait for `/readyz` signal
+            self.check_ready_signal.notified().await;
+
+            // If not:
+            //
+            // - Check if this is the only node in the cluster
+            if self.consensus_state.peer_count() <= 1 {
+                self.set_ready();
+                return;
+            }
+
+            // TODO: Do we want to update `cluster_commit_index` here?
+            //
+            // I.e.:
+            // - If we *don't* update `cluster_commit_index`, then we will only wait till the node
+            //   catch up with the cluster commit index *at the moment the node has been started*
+            // - If we *do* update `cluster_commit_index`, then we will keep track of cluster
+            //   commit index updates and wait till the node *completely* catch up with the leader,
+            //   which might be hard (if not impossible) in some situations
+        }
+
+        // Collect "unhealthy" shards list
+        let mut unhealthy_shards = self.unhealthy_shards().await;
+
+        // Check if all shards are "healthy"...
+        while !unhealthy_shards.is_empty() {
+            // If not:
+            //
+            // - Wait for `/readyz` signal
+            self.check_ready_signal.notified().await;
+
+            // - Refresh "unhealthy" shards list
+            let current_unhealthy_shards = self.unhealthy_shards().await;
+
+            // - Check if any shards "healed" since last check
+            unhealthy_shards.retain(|shard| current_unhealthy_shards.contains(shard));
+        }
+
+        self.set_ready();
+    }
+
+    async fn cluster_commit_index(&self) -> Option<u64> {
+        // Wait for `/readyz` signal
+        self.check_ready_signal.notified().await;
+
+        // Check if there is only 1 node in the cluster
+        if self.consensus_state.peer_count() <= 1 {
+            return None;
+        }
+
+        // Get *cluster* commit index
+        let peer_address_by_id = self.consensus_state.peer_address_by_id();
+        let transport_channel_pool = &self.toc.get_channel_service().channel_pool;
+        let this_peer_id = self.toc.this_peer_id;
+        let this_peer_uri = peer_address_by_id.get(&this_peer_id);
+
+        let mut requests = peer_address_by_id
+            .values()
+            // Do not get the current commit from ourselves
+            .filter(|&uri| Some(uri) != this_peer_uri)
+            // Historic peers might use the same URLs as our current peers, request each URI once
+            .unique()
+            .map(|uri| get_consensus_commit(transport_channel_pool, uri))
+            .collect::<FuturesUnordered<_>>()
+            .inspect_err(|err| log::error!("GetConsensusCommit request failed: {err}"))
+            .filter_map(|res| future::ready(res.ok()));
+
+        // Raft commits consensus operation, after majority of nodes persisted it.
+        //
+        // This means, if we check the majority of nodes (e.g., `total nodes / 2 + 1`), at least one
+        // of these nodes will *always* have an up-to-date commit index. And so, the highest commit
+        // index among majority of nodes *is* the cluster commit index.
+        //
+        // Our current node *is* one of the cluster nodes, so it's enough to query `total nodes / 2`
+        // *additional* nodes, to get cluster commit index.
+        //
+        // The check goes like this:
+        // - Either at least one of the "additional" nodes return a *higher* commit index, which
+        //   means our node is *not* up-to-date, and we have to wait to reach this commit index
+        // - Or *all* of them return *lower* commit index, which means current node is *already*
+        //   up-to-date, and `/readyz` check will pass to the next step
+        //
+        // Example:
+        //
+        // Total nodes: 2
+        // Required: 2 / 2 = 1
+        //
+        // Total nodes: 3
+        // Required: 3 / 2 = 1
+        //
+        // Total nodes: 4
+        // Required: 4 / 2 = 2
+        //
+        // Total nodes: 5
+        // Required: 5 / 2 = 2
+        let sufficient_commit_indices_count = peer_address_by_id.len() / 2;
+
+        // *Wait* for `total nodex / 2` successful responses...
+        let mut commit_indices: Vec<_> = (&mut requests)
+            .take(sufficient_commit_indices_count)
+            .collect()
+            .await;
+
+        // ...and also collect any additional responses, that we might have *already* received
+        while let Ok(Some(resp)) = time::timeout(Duration::ZERO, requests.next()).await {
+            commit_indices.push(resp);
+        }
+
+        // Find the maximum commit index among all responses.
+        //
+        // Note, that we progress even if most (or even *all*) requests failed (e.g., because all
+        // other nodes are unavailable or they don't support `GetConsensusCommit` gRPC API).
+        //
+        // So this check is not 100% reliable and can give a false-positive result!
+        let cluster_commit_index = commit_indices
+            .into_iter()
+            .map(|resp| resp.into_inner().commit)
+            .max()
+            .unwrap_or(0);
+
+        Some(cluster_commit_index as _)
+    }
+
+    fn commit_index(&self) -> u64 {
+        // TODO: Blocking call in async context!?
+        self.consensus_state
+            .persistent
+            .read()
+            .last_applied_entry()
+            .unwrap_or(0)
+    }
+
+    /// List shards that are unhealthy, which may undergo automatic recovery.
+    ///
+    /// Shards in resharding state are not considered unhealthy and are excluded here.
+    /// They require an external driver to make them active or to drop them.
+    async fn unhealthy_shards(&self) -> HashSet<Shard> {
+        let this_peer_id = self.toc.this_peer_id;
+        let collections = self
+            .toc
+            .all_collections(&Access::full("For health check"))
+            .await;
+
+        let mut unhealthy_shards = HashSet::new();
+
+        for collection_pass in &collections {
+            let state = match self.toc.get_collection(collection_pass).await {
+                Ok(collection) => collection.state().await,
+                Err(_) => continue,
+            };
+
+            for (&shard, info) in state.shards.iter() {
+                let Some(state) = info.replicas.get(&this_peer_id) else {
+                    continue;
+                };
+
+                if state.is_active_or_listener_or_resharding() {
+                    continue;
+                }
+
+                unhealthy_shards.insert(Shard::new(collection_pass.name(), shard));
+            }
+        }
+
+        unhealthy_shards
+    }
+
+    fn set_ready(&self) {
+        self.is_ready.store(true, atomic::Ordering::Relaxed);
+        self.is_ready_signal.notify_waiters();
+    }
+}
+
+fn get_consensus_commit<'a>(
+    transport_channel_pool: &'a TransportChannelPool,
+    uri: &'a tonic::transport::Uri,
+) -> impl Future<Output = GetConsensusCommitResult> + 'a {
+    transport_channel_pool.with_channel_timeout(
+        uri,
+        |channel| async {
+            let mut client = QdrantInternalClient::new(channel);
+            let mut request = tonic::Request::new(GetConsensusCommitRequest {});
+            request.set_timeout(defaults::CONSENSUS_META_OP_WAIT);
+            client.get_consensus_commit(request).await
+        },
+        Some(defaults::CONSENSUS_META_OP_WAIT),
+        GET_CONSENSUS_COMMITS_RETRIES,
+    )
+}
+
+type GetConsensusCommitResult = Result<
+    tonic::Response<GetConsensusCommitResponse>,
+    transport_channel_pool::RequestError<tonic::Status>,
+>;
+
+#[derive(Clone, Debug, Eq, PartialEq, Hash)]
+struct Shard {
+    collection: CollectionId,
+    shard: ShardId,
+}
+
+impl Shard {
+    pub fn new(collection: impl Into<CollectionId>, shard: ShardId) -> Self {
+        Self {
+            collection: collection.into(),
+            shard,
+        }
+    }
+}

src/common/helpers.rs

@@ -0,0 +1,151 @@
+use std::cmp::max;
+use std::sync::atomic::{AtomicUsize, Ordering};
+use std::{fs, io};
+
+use schemars::JsonSchema;
+use serde::{Deserialize, Serialize};
+use tokio::runtime;
+use tokio::runtime::Runtime;
+use tonic::transport::{Certificate, ClientTlsConfig, Identity, ServerTlsConfig};
+use validator::Validate;
+
+use crate::settings::{Settings, TlsConfig};
+
+#[derive(Debug, Deserialize, Serialize, JsonSchema, Validate)]
+pub struct LocksOption {
+    pub error_message: Option<String>,
+    pub write: bool,
+}
+
+pub fn create_search_runtime(max_search_threads: usize) -> io::Result<Runtime> {
+    let mut search_threads = max_search_threads;
+
+    if search_threads == 0 {
+        let num_cpu = common::cpu::get_num_cpus();
+        // At least one thread, but not more than number of CPUs - 1 if there are more than 2 CPU
+        // Example:
+        // Num CPU = 1 -> 1 thread
+        // Num CPU = 2 -> 2 thread - if we use one thread with 2 cpus, its too much un-utilized resources
+        // Num CPU = 3 -> 2 thread
+        // Num CPU = 4 -> 3 thread
+        // Num CPU = 5 -> 4 thread
+        search_threads = match num_cpu {
+            0 => 1,
+            1 => 1,
+            2 => 2,
+            _ => num_cpu - 1,
+        };
+    }
+
+    runtime::Builder::new_multi_thread()
+        .worker_threads(search_threads)
+        .max_blocking_threads(search_threads)
+        .enable_all()
+        .thread_name_fn(|| {
+            static ATOMIC_ID: AtomicUsize = AtomicUsize::new(0);
+            let id = ATOMIC_ID.fetch_add(1, Ordering::SeqCst);
+            format!("search-{id}")
+        })
+        .build()
+}
+
+pub fn create_update_runtime(max_optimization_threads: usize) -> io::Result<Runtime> {
+    let mut update_runtime_builder = runtime::Builder::new_multi_thread();
+
+    update_runtime_builder
+        .enable_time()
+        .thread_name_fn(move || {
+            static ATOMIC_ID: AtomicUsize = AtomicUsize::new(0);
+            let update_id = ATOMIC_ID.fetch_add(1, Ordering::SeqCst);
+            format!("update-{update_id}")
+        });
+
+    if max_optimization_threads > 0 {
+        // panics if val is not larger than 0.
+        update_runtime_builder.max_blocking_threads(max_optimization_threads);
+    }
+    update_runtime_builder.build()
+}
+
+pub fn create_general_purpose_runtime() -> io::Result<Runtime> {
+    runtime::Builder::new_multi_thread()
+        .enable_time()
+        .enable_io()
+        .worker_threads(max(common::cpu::get_num_cpus(), 2))
+        .thread_name_fn(|| {
+            static ATOMIC_ID: AtomicUsize = AtomicUsize::new(0);
+            let general_id = ATOMIC_ID.fetch_add(1, Ordering::SeqCst);
+            format!("general-{general_id}")
+        })
+        .build()
+}
+
+/// Load client TLS configuration.
+pub fn load_tls_client_config(settings: &Settings) -> io::Result<Option<ClientTlsConfig>> {
+    if settings.cluster.p2p.enable_tls {
+        let tls_config = &settings.tls()?;
+        Ok(Some(
+            ClientTlsConfig::new()
+                .identity(load_identity(tls_config)?)
+                .ca_certificate(load_ca_certificate(tls_config)?),
+        ))
+    } else {
+        Ok(None)
+    }
+}
+
+/// Load server TLS configuration for external gRPC
+pub fn load_tls_external_server_config(tls_config: &TlsConfig) -> io::Result<ServerTlsConfig> {
+    Ok(ServerTlsConfig::new().identity(load_identity(tls_config)?))
+}
+
+/// Load server TLS configuration for internal gRPC, check client certificate against CA
+pub fn load_tls_internal_server_config(tls_config: &TlsConfig) -> io::Result<ServerTlsConfig> {
+    Ok(ServerTlsConfig::new()
+        .identity(load_identity(tls_config)?)
+        .client_ca_root(load_ca_certificate(tls_config)?))
+}
+
+fn load_identity(tls_config: &TlsConfig) -> io::Result<Identity> {
+    let cert = fs::read_to_string(&tls_config.cert)?;
+    let key = fs::read_to_string(&tls_config.key)?;
+    Ok(Identity::from_pem(cert, key))
+}
+
+fn load_ca_certificate(tls_config: &TlsConfig) -> io::Result<Certificate> {
+    let pem = fs::read_to_string(&tls_config.ca_cert)?;
+    Ok(Certificate::from_pem(pem))
+}
+
+pub fn tonic_error_to_io_error(err: tonic::transport::Error) -> io::Error {
+    io::Error::new(io::ErrorKind::Other, err)
+}
+
+#[cfg(test)]
+mod tests {
+    use std::sync::Arc;
+    use std::thread;
+    use std::thread::sleep;
+    use std::time::Duration;
+
+    use collection::common::is_ready::IsReady;
+
+    #[test]
+    fn test_is_ready() {
+        let is_ready = Arc::new(IsReady::default());
+        let is_ready_clone = is_ready.clone();
+        let join = thread::spawn(move || {
+            is_ready_clone.await_ready();
+            eprintln!(
+                "is_ready_clone.check_ready() = {:#?}",
+                is_ready_clone.check_ready()
+            );
+        });
+
+        sleep(Duration::from_millis(500));
+        eprintln!("Making ready");
+        is_ready.make_ready();
+        sleep(Duration::from_millis(500));
+        join.join().unwrap()
+    }
+}

src/common/http_client.rs

@@ -0,0 +1,156 @@
+use std::path::Path;
+use std::{fs, io, result};
+
+use reqwest::header::{HeaderMap, HeaderValue, InvalidHeaderValue};
+use storage::content_manager::errors::StorageError;
+
+use super::auth::HTTP_HEADER_API_KEY;
+use crate::settings::{Settings, TlsConfig};
+
+#[derive(Clone)]
+pub struct HttpClient {
+    tls_config: Option<TlsConfig>,
+    verify_https_client_certificate: bool,
+}
+
+impl HttpClient {
+    pub fn from_settings(settings: &Settings) -> Result<Self> {
+        let tls_config = if settings.service.enable_tls {
+            let Some(tls_config) = settings.tls.clone() else {
+                return Err(Error::TlsConfigUndefined);
+            };
+
+            Some(tls_config)
+        } else {
+            None
+        };
+
+        let verify_https_client_certificate = settings.service.verify_https_client_certificate;
+
+        let http_client = Self {
+            tls_config,
+            verify_https_client_certificate,
+        };
+
+        Ok(http_client)
+    }
+
+    /// Create a new HTTP(S) client
+    ///
+    /// An API key can be optionally provided to be used in this HTTP client. It'll send the API
+    /// key as `Api-key` header in every request.
+    ///
+    /// # Warning
+    ///
+    /// Setting an API key may leak when the client is used to send a request to a malicious
+    /// server. This is potentially dangerous if a user has control over what URL is accessed.
+    ///
+    /// For this reason the API key is not set by default as provided in the configuration. It must
+    /// be explicitly provided when creating the HTTP client.
+    pub fn client(&self, api_key: Option<&str>) -> Result<reqwest::Client> {
+        https_client(
+            api_key,
+            self.tls_config.as_ref(),
+            self.verify_https_client_certificate,
+        )
+    }
+}
+
+fn https_client(
+    api_key: Option<&str>,
+    tls_config: Option<&TlsConfig>,
+    verify_https_client_certificate: bool,
+) -> Result<reqwest::Client> {
+    let mut builder = reqwest::Client::builder();
+
+    // Configure TLS root certificate and validation
+    if let Some(tls_config) = tls_config {
+        builder = builder.add_root_certificate(https_client_ca_cert(tls_config.ca_cert.as_ref())?);
+
+        if verify_https_client_certificate {
+            builder = builder.identity(https_client_identity(
+                tls_config.cert.as_ref(),
+                tls_config.key.as_ref(),
+            )?);
+        }
+    }
+
+    // Attach API key as sensitive header
+    if let Some(api_key) = api_key {
+        let mut headers = HeaderMap::new();
+        let mut api_key_value = HeaderValue::from_str(api_key).map_err(Error::MalformedApiKey)?;
+        api_key_value.set_sensitive(true);
+        headers.insert(HTTP_HEADER_API_KEY, api_key_value);
+        builder = builder.default_headers(headers);
+    }
+
+    let client = builder.build()?;
+
+    Ok(client)
+}
+
+fn https_client_ca_cert(ca_cert: &Path) -> Result<reqwest::tls::Certificate> {
+    let ca_cert_pem =
+        fs::read(ca_cert).map_err(|err| Error::failed_to_read(err, "CA certificate", ca_cert))?;
+
+    let ca_cert = reqwest::Certificate::from_pem(&ca_cert_pem)?;
+
+    Ok(ca_cert)
+}
+
+fn https_client_identity(cert: &Path, key: &Path) -> Result<reqwest::tls::Identity> {
+    let mut identity_pem =
+        fs::read(cert).map_err(|err| Error::failed_to_read(err, "certificate", cert))?;
+
+    let mut key_file = fs::File::open(key).map_err(|err| Error::failed_to_read(err, "key", key))?;
+
+    // Concatenate certificate and key into a single PEM bytes
+    io::copy(&mut key_file, &mut identity_pem)
+        .map_err(|err| Error::failed_to_read(err, "key", key))?;
+
+    let identity = reqwest::Identity::from_pem(&identity_pem)?;
+
+    Ok(identity)
+}
+
+pub type Result<T, E = Error> = result::Result<T, E>;
+
+#[derive(Debug, thiserror::Error)]
+pub enum Error {
+    #[error("TLS config is not defined in the Qdrant config file")]
+    TlsConfigUndefined,
+
+    #[error("{1}: {0}")]
+    Io(#[source] io::Error, String),
+
+    #[error("failed to setup HTTPS client: {0}")]
+    Reqwest(#[from] reqwest::Error),
+
+    #[error("malformed API key")]
+    MalformedApiKey(#[source] InvalidHeaderValue),
+}
+
+impl Error {
+    pub fn io(source: io::Error, context: impl Into<String>) -> Self {
+        Self::Io(source, context.into())
+    }
+
+    pub fn failed_to_read(source: io::Error, file: &str, path: &Path) -> Self {
+        Self::io(
+            source,
+            format!("failed to read HTTPS client {file} file {}", path.display()),
+        )
+    }
+}
+
+impl From<Error> for StorageError {
+    fn from(err: Error) -> Self {
+        StorageError::service_error(format!("failed to initialize HTTP(S) client: {err}"))
+    }
+}
+
+impl From<Error> for io::Error {
+    fn from(err: Error) -> Self {
+        io::Error::new(io::ErrorKind::Other, err)
+    }
+}

src/common/inference/batch_processing.rs

@@ -0,0 +1,370 @@
+use std::collections::HashSet;
+
+use api::rest::{
+    ContextInput, ContextPair, DiscoverInput, Prefetch, Query, QueryGroupsRequestInternal,
+    QueryInterface, QueryRequestInternal, RecommendInput, VectorInput,
+};
+
+use super::service::{InferenceData, InferenceInput, InferenceRequest};
+
+pub struct BatchAccum {
+    pub(crate) objects: HashSet<InferenceData>,
+}
+
+impl BatchAccum {
+    pub fn new() -> Self {
+        Self {
+            objects: HashSet::new(),
+        }
+    }
+
+    pub fn add(&mut self, data: InferenceData) {
+        self.objects.insert(data);
+    }
+
+    pub fn extend(&mut self, other: BatchAccum) {
+        self.objects.extend(other.objects);
+    }
+
+    pub fn is_empty(&self) -> bool {
+        self.objects.is_empty()
+    }
+}
+
+impl From<&BatchAccum> for InferenceRequest {
+    fn from(batch: &BatchAccum) -> Self {
+        Self {
+            inputs: batch
+                .objects
+                .iter()
+                .cloned()
+                .map(InferenceInput::from)
+                .collect(),
+            inference: None,
+            token: None,
+        }
+    }
+}
+
+fn collect_vector_input(vector: &VectorInput, batch: &mut BatchAccum) {
+    match vector {
+        VectorInput::Document(doc) => batch.add(InferenceData::Document(doc.clone())),
+        VectorInput::Image(img) => batch.add(InferenceData::Image(img.clone())),
+        VectorInput::Object(obj) => batch.add(InferenceData::Object(obj.clone())),
+        // types that are not supported in the Inference Service
+        VectorInput::DenseVector(_) => {}
+        VectorInput::SparseVector(_) => {}
+        VectorInput::MultiDenseVector(_) => {}
+        VectorInput::Id(_) => {}
+    }
+}
+
+fn collect_context_pair(pair: &ContextPair, batch: &mut BatchAccum) {
+    collect_vector_input(&pair.positive, batch);
+    collect_vector_input(&pair.negative, batch);
+}
+
+fn collect_discover_input(discover: &DiscoverInput, batch: &mut BatchAccum) {
+    collect_vector_input(&discover.target, batch);
+    if let Some(context) = &discover.context {
+        for pair in context {
+            collect_context_pair(pair, batch);
+        }
+    }
+}
+
+fn collect_recommend_input(recommend: &RecommendInput, batch: &mut BatchAccum) {
+    if let Some(positive) = &recommend.positive {
+        for vector in positive {
+            collect_vector_input(vector, batch);
+        }
+    }
+    if let Some(negative) = &recommend.negative {
+        for vector in negative {
+            collect_vector_input(vector, batch);
+        }
+    }
+}
+
+fn collect_query(query: &Query, batch: &mut BatchAccum) {
+    match query {
+        Query::Nearest(nearest) => collect_vector_input(&nearest.nearest, batch),
+        Query::Recommend(recommend) => collect_recommend_input(&recommend.recommend, batch),
+        Query::Discover(discover) => collect_discover_input(&discover.discover, batch),
+        Query::Context(context) => {
+            if let ContextInput(Some(pairs)) = &context.context {
+                for pair in pairs {
+                    collect_context_pair(pair, batch);
+                }
+            }
+        }
+        Query::OrderBy(_) | Query::Fusion(_) | Query::Sample(_) => {}
+    }
+}
+
+fn collect_query_interface(query: &QueryInterface, batch: &mut BatchAccum) {
+    match query {
+        QueryInterface::Nearest(vector) => collect_vector_input(vector, batch),
+        QueryInterface::Query(query) => collect_query(query, batch),
+    }
+}
+
+fn collect_prefetch(prefetch: &Prefetch, batch: &mut BatchAccum) {
+    let Prefetch {
+        prefetch,
+        query,
+        using: _,
+        filter: _,
+        params: _,
+        score_threshold: _,
+        limit: _,
+        lookup_from: _,
+    } = prefetch;
+
+    if let Some(query) = query {
+        collect_query_interface(query, batch);
+    }
+
+    if let Some(prefetches) = prefetch {
+        for p in prefetches {
+            collect_prefetch(p, batch);
+        }
+    }
+}
+
+pub fn collect_query_groups_request(request: &QueryGroupsRequestInternal) -> BatchAccum {
+    let mut batch = BatchAccum::new();
+
+    let QueryGroupsRequestInternal {
+        query,
+        prefetch,
+        using: _,
+        filter: _,
+        params: _,
+        score_threshold: _,
+        with_vector: _,
+        with_payload: _,
+        lookup_from: _,
+        group_request: _,
+    } = request;
+
+    if let Some(query) = query {
+        collect_query_interface(query, &mut batch);
+    }
+
+    if let Some(prefetches) = prefetch {
+        for prefetch in prefetches {
+            collect_prefetch(prefetch, &mut batch);
+        }
+    }
+
+    batch
+}
+
+pub fn collect_query_request(request: &QueryRequestInternal) -> BatchAccum {
+    let mut batch = BatchAccum::new();
+
+    let QueryRequestInternal {
+        prefetch,
+        query,
+        using: _,
+        filter: _,
+        score_threshold: _,
+        params: _,
+        limit: _,
+        offset: _,
+        with_vector: _,
+        with_payload: _,
+        lookup_from: _,
+    } = request;
+
+    if let Some(query) = query {
+        collect_query_interface(query, &mut batch);
+    }
+
+    if let Some(prefetches) = prefetch {
+        for prefetch in prefetches {
+            collect_prefetch(prefetch, &mut batch);
+        }
+    }
+
+    batch
+}
+
+#[cfg(test)]
+mod tests {
+    use api::rest::schema::{DiscoverQuery, Document, Image, InferenceObject, NearestQuery};
+    use api::rest::QueryBaseGroupRequest;
+    use serde_json::json;
+
+    use super::*;
+
+    fn create_test_document(text: &str) -> Document {
+        Document {
+            text: text.to_string(),
+            model: "test-model".to_string(),
+            options: Default::default(),
+        }
+    }
+
+    fn create_test_image(url: &str) -> Image {
+        Image {
+            image: json!({"data": url.to_string()}),
+            model: "test-model".to_string(),
+            options: Default::default(),
+        }
+    }
+
+    fn create_test_object(data: &str) -> InferenceObject {
+        InferenceObject {
+            object: json!({"data": data}),
+            model: "test-model".to_string(),
+            options: Default::default(),
+        }
+    }
+
+    #[test]
+    fn test_batch_accum_basic() {
+        let mut batch = BatchAccum::new();
+        assert!(batch.objects.is_empty());
+
+        let doc = InferenceData::Document(create_test_document("test"));
+        batch.add(doc.clone());
+        assert_eq!(batch.objects.len(), 1);
+
+        batch.add(doc);
+        assert_eq!(batch.objects.len(), 1);
+    }
+
+    #[test]
+    fn test_batch_accum_extend() {
+        let mut batch1 = BatchAccum::new();
+        let mut batch2 = BatchAccum::new();
+
+        let doc1 = InferenceData::Document(create_test_document("test1"));
+        let doc2 = InferenceData::Document(create_test_document("test2"));
+
+        batch1.add(doc1);
+        batch2.add(doc2);
+
+        batch1.extend(batch2);
+        assert_eq!(batch1.objects.len(), 2);
+    }
+
+    #[test]
+    fn test_deduplication() {
+        let mut batch = BatchAccum::new();
+
+        let doc1 = InferenceData::Document(create_test_document("same"));
+        let doc2 = InferenceData::Document(create_test_document("same"));
+
+        batch.add(doc1);
+        batch.add(doc2);
+
+        assert_eq!(batch.objects.len(), 1);
+    }
+
+    #[test]
+    fn test_collect_vector_input() {
+        let mut batch = BatchAccum::new();
+
+        let doc_input = VectorInput::Document(create_test_document("test"));
+        let img_input = VectorInput::Image(create_test_image("test.jpg"));
+        let obj_input = VectorInput::Object(create_test_object("test"));
+
+        collect_vector_input(&doc_input, &mut batch);
+        collect_vector_input(&img_input, &mut batch);
+        collect_vector_input(&obj_input, &mut batch);
+
+        assert_eq!(batch.objects.len(), 3);
+    }
+
+    #[test]
+    fn test_collect_prefetch() {
+        let prefetch = Prefetch {
+            query: Some(QueryInterface::Nearest(VectorInput::Document(
+                create_test_document("test"),
+            ))),
+            prefetch: Some(vec![Prefetch {
+                query: Some(QueryInterface::Nearest(VectorInput::Image(
+                    create_test_image("nested.jpg"),
+                ))),
+                prefetch: None,
+                using: None,
+                filter: None,
+                params: None,
+                score_threshold: None,
+                limit: None,
+                lookup_from: None,
+            }]),
+            using: None,
+            filter: None,
+            params: None,
+            score_threshold: None,
+            limit: None,
+            lookup_from: None,
+        };
+
+        let mut batch = BatchAccum::new();
+        collect_prefetch(&prefetch, &mut batch);
+        assert_eq!(batch.objects.len(), 2);
+    }
+
+    #[test]
+    fn test_collect_query_groups_request() {
+        let request = QueryGroupsRequestInternal {
+            query: Some(QueryInterface::Query(Query::Nearest(NearestQuery {
+                nearest: VectorInput::Document(create_test_document("test")),
+            }))),
+            prefetch: Some(vec![Prefetch {
+                query: Some(QueryInterface::Query(Query::Discover(DiscoverQuery {
+                    discover: DiscoverInput {
+                        target: VectorInput::Image(create_test_image("test.jpg")),
+                        context: Some(vec![ContextPair {
+                            positive: VectorInput::Document(create_test_document("pos")),
+                            negative: VectorInput::Image(create_test_image("neg.jpg")),
+                        }]),
+                    },
+                }))),
+                prefetch: None,
+                using: None,
+                filter: None,
+                params: None,
+                score_threshold: None,
+                limit: None,
+                lookup_from: None,
+            }]),
+            using: None,
+            filter: None,
+            params: None,
+            score_threshold: None,
+            with_vector: None,
+            with_payload: None,
+            lookup_from: None,
+            group_request: QueryBaseGroupRequest {
+                group_by: "test".parse().unwrap(),
+                group_size: None,
+                limit: None,
+                with_lookup: None,
+            },
+        };
+
+        let batch = collect_query_groups_request(&request);
+        assert_eq!(batch.objects.len(), 4);
+    }
+
+    #[test]
+    fn test_different_model_same_content() {
+        let mut batch = BatchAccum::new();
+
+        let mut doc1 = create_test_document("same");
+        let mut doc2 = create_test_document("same");
+        doc1.model = "model1".to_string();
+        doc2.model = "model2".to_string();
+
+        batch.add(InferenceData::Document(doc1));
+        batch.add(InferenceData::Document(doc2));
+
+        assert_eq!(batch.objects.len(), 2);
+    }
+}

src/common/inference/batch_processing_grpc.rs

@@ -0,0 +1,281 @@
+use std::collections::HashSet;
+
+use api::grpc::qdrant::vector_input::Variant;
+use api::grpc::qdrant::{
+    query, ContextInput, ContextInputPair, DiscoverInput, PrefetchQuery, Query, RecommendInput,
+    VectorInput,
+};
+use api::rest::schema as rest;
+use tonic::Status;
+
+use super::service::{InferenceData, InferenceInput, InferenceRequest};
+
+pub struct BatchAccumGrpc {
+    pub(crate) objects: HashSet<InferenceData>,
+}
+
+impl BatchAccumGrpc {
+    pub fn new() -> Self {
+        Self {
+            objects: HashSet::new(),
+        }
+    }
+
+    pub fn add(&mut self, data: InferenceData) {
+        self.objects.insert(data);
+    }
+
+    pub fn extend(&mut self, other: BatchAccumGrpc) {
+        self.objects.extend(other.objects);
+    }
+
+    pub fn is_empty(&self) -> bool {
+        self.objects.is_empty()
+    }
+}
+
+impl From<&BatchAccumGrpc> for InferenceRequest {
+    fn from(batch: &BatchAccumGrpc) -> Self {
+        Self {
+            inputs: batch
+                .objects
+                .iter()
+                .cloned()
+                .map(InferenceInput::from)
+                .collect(),
+            inference: None,
+            token: None,
+        }
+    }
+}
+
+fn collect_vector_input(vector: &VectorInput, batch: &mut BatchAccumGrpc) -> Result<(), Status> {
+    let Some(variant) = &vector.variant else {
+        return Ok(());
+    };
+
+    match variant {
+        Variant::Id(_) => {}
+        Variant::Dense(_) => {}
+        Variant::Sparse(_) => {}
+        Variant::MultiDense(_) => {}
+        Variant::Document(document) => {
+            let doc = rest::Document::try_from(document.clone())
+                .map_err(|e| Status::internal(format!("Document conversion error: {e:?}")))?;
+            batch.add(InferenceData::Document(doc));
+        }
+        Variant::Image(image) => {
+            let img = rest::Image::try_from(image.clone())
+                .map_err(|e| Status::internal(format!("Image conversion error: {e:?}")))?;
+            batch.add(InferenceData::Image(img));
+        }
+        Variant::Object(object) => {
+            let obj = rest::InferenceObject::try_from(object.clone())
+                .map_err(|e| Status::internal(format!("Object conversion error: {e:?}")))?;
+            batch.add(InferenceData::Object(obj));
+        }
+    }
+    Ok(())
+}
+
+pub(crate) fn collect_context_input(
+    context: &ContextInput,
+    batch: &mut BatchAccumGrpc,
+) -> Result<(), Status> {
+    let ContextInput { pairs } = context;
+
+    for pair in pairs {
+        collect_context_input_pair(pair, batch)?;
+    }
+
+    Ok(())
+}
+
+fn collect_context_input_pair(
+    pair: &ContextInputPair,
+    batch: &mut BatchAccumGrpc,
+) -> Result<(), Status> {
+    let ContextInputPair { positive, negative } = pair;
+
+    if let Some(positive) = positive {
+        collect_vector_input(positive, batch)?;
+    }
+
+    if let Some(negative) = negative {
+        collect_vector_input(negative, batch)?;
+    }
+
+    Ok(())
+}
+
+pub(crate) fn collect_discover_input(
+    discover: &DiscoverInput,
+    batch: &mut BatchAccumGrpc,
+) -> Result<(), Status> {
+    let DiscoverInput { target, context } = discover;
+
+    if let Some(vector) = target {
+        collect_vector_input(vector, batch)?;
+    }
+
+    if let Some(context) = context {
+        for pair in &context.pairs {
+            collect_context_input_pair(pair, batch)?;
+        }
+    }
+
+    Ok(())
+}
+
+pub(crate) fn collect_recommend_input(
+    recommend: &RecommendInput,
+    batch: &mut BatchAccumGrpc,
+) -> Result<(), Status> {
+    let RecommendInput {
+        positive,
+        negative,
+        strategy: _,
+    } = recommend;
+
+    for vector in positive {
+        collect_vector_input(vector, batch)?;
+    }
+
+    for vector in negative {
+        collect_vector_input(vector, batch)?;
+    }
+
+    Ok(())
+}
+
+pub(crate) fn collect_query(query: &Query, batch: &mut BatchAccumGrpc) -> Result<(), Status> {
+    let Some(variant) = &query.variant else {
+        return Ok(());
+    };
+
+    match variant {
+        query::Variant::Nearest(nearest) => collect_vector_input(nearest, batch)?,
+        query::Variant::Recommend(recommend) => collect_recommend_input(recommend, batch)?,
+        query::Variant::Discover(discover) => collect_discover_input(discover, batch)?,
+        query::Variant::Context(context) => collect_context_input(context, batch)?,
+        query::Variant::OrderBy(_) => {}
+        query::Variant::Fusion(_) => {}
+        query::Variant::Sample(_) => {}
+    }
+
+    Ok(())
+}
+
+pub(crate) fn collect_prefetch(
+    prefetch: &PrefetchQuery,
+    batch: &mut BatchAccumGrpc,
+) -> Result<(), Status> {
+    let PrefetchQuery {
+        prefetch,
+        query,
+        using: _,
+        filter: _,
+        params: _,
+        score_threshold: _,
+        limit: _,
+        lookup_from: _,
+    } = prefetch;
+
+    if let Some(query) = query {
+        collect_query(query, batch)?;
+    }
+
+    for p in prefetch {
+        collect_prefetch(p, batch)?;
+    }
+
+    Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+    use api::rest::schema::{Document, Image, InferenceObject};
+    use serde_json::json;
+
+    use super::*;
+
+    fn create_test_document(text: &str) -> Document {
+        Document {
+            text: text.to_string(),
+            model: "test-model".to_string(),
+            options: Default::default(),
+        }
+    }
+
+    fn create_test_image(url: &str) -> Image {
+        Image {
+            image: json!({"data": url.to_string()}),
+            model: "test-model".to_string(),
+            options: Default::default(),
+        }
+    }
+
+    fn create_test_object(data: &str) -> InferenceObject {
+        InferenceObject {
+            object: json!({"data": data}),
+            model: "test-model".to_string(),
+            options: Default::default(),
+        }
+    }
+
+    #[test]
+    fn test_batch_accum_basic() {
+        let mut batch = BatchAccumGrpc::new();
+        assert!(batch.objects.is_empty());
+
+        let doc = InferenceData::Document(create_test_document("test"));
+        batch.add(doc.clone());
+        assert_eq!(batch.objects.len(), 1);
+
+        batch.add(doc);
+        assert_eq!(batch.objects.len(), 1);
+    }
+
+    #[test]
+    fn test_batch_accum_extend() {
+        let mut batch1 = BatchAccumGrpc::new();
+        let mut batch2 = BatchAccumGrpc::new();
+
+        let doc1 = InferenceData::Document(create_test_document("test1"));
+        let doc2 = InferenceData::Document(create_test_document("test2"));
+
+        batch1.add(doc1);
+        batch2.add(doc2);
+
+        batch1.extend(batch2);
+        assert_eq!(batch1.objects.len(), 2);
+    }
+
+    #[test]
+    fn test_deduplication() {
+        let mut batch = BatchAccumGrpc::new();
+
+        let doc1 = InferenceData::Document(create_test_document("same"));
+        let doc2 = InferenceData::Document(create_test_document("same"));
+
+        batch.add(doc1);
+        batch.add(doc2);
+
+        assert_eq!(batch.objects.len(), 1);
+    }
+
+    #[test]
+    fn test_different_model_same_content() {
+        let mut batch = BatchAccumGrpc::new();
+
+        let mut doc1 = create_test_document("same");
+        let mut doc2 = create_test_document("same");
+        doc1.model = "model1".to_string();
+        doc2.model = "model2".to_string();
+
+        batch.add(InferenceData::Document(doc1));
+        batch.add(InferenceData::Document(doc2));
+
+        assert_eq!(batch.objects.len(), 2);
+    }
+}

src/common/inference/config.rs

@@ -0,0 +1,23 @@
+use serde::{Deserialize, Serialize};
+
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct InferenceConfig {
+    pub address: Option<String>,
+    #[serde(default = "default_inference_timeout")]
+    pub timeout: u64,
+    pub token: Option<String>,
+}
+
+fn default_inference_timeout() -> u64 {
+    10
+}
+
+impl InferenceConfig {
+    pub fn new(address: Option<String>) -> Self {
+        Self {
+            address,
+            timeout: default_inference_timeout(),
+            token: None,
+        }
+    }
+}

src/common/inference/infer_processing.rs

@@ -0,0 +1,72 @@
+use std::collections::{HashMap, HashSet};
+
+use collection::operations::point_ops::VectorPersisted;
+use storage::content_manager::errors::StorageError;
+
+use super::batch_processing::BatchAccum;
+use super::service::{InferenceData, InferenceInput, InferenceService, InferenceType};
+
+pub struct BatchAccumInferred {
+    pub(crate) objects: HashMap<InferenceData, VectorPersisted>,
+}
+
+impl BatchAccumInferred {
+    pub fn new() -> Self {
+        Self {
+            objects: HashMap::new(),
+        }
+    }
+
+    pub async fn from_objects(
+        objects: HashSet<InferenceData>,
+        inference_type: InferenceType,
+    ) -> Result<Self, StorageError> {
+        if objects.is_empty() {
+            return Ok(Self::new());
+        }
+
+        let Some(service) = InferenceService::get_global() else {
+            return Err(StorageError::service_error(
+                "InferenceService is not initialized. Please check if it was properly configured and initialized during startup."
+            ));
+        };
+
+        service.validate()?;
+
+        let objects_serialized: Vec<_> = objects.into_iter().collect();
+        let inference_inputs: Vec<_> = objects_serialized
+            .iter()
+            .cloned()
+            .map(InferenceInput::from)
+            .collect();
+
+        let vectors = service
+            .infer(inference_inputs, inference_type)
+            .await
+            .map_err(|e| StorageError::service_error(
+                format!("Inference request failed. Check if inference service is running and properly configured: {e}")
+            ))?;
+
+        if vectors.is_empty() {
+            return Err(StorageError::service_error(
+                "Inference service returned no vectors. Check if models are properly loaded.",
+            ));
+        }
+
+        let objects = objects_serialized.into_iter().zip(vectors).collect();
+
+        Ok(Self { objects })
+    }
+
+    pub async fn from_batch_accum(
+        batch: BatchAccum,
+        inference_type: InferenceType,
+    ) -> Result<Self, StorageError> {
+        let BatchAccum { objects } = batch;
+        Self::from_objects(objects, inference_type).await
+    }
+
+    pub fn get_vector(&self, data: &InferenceData) -> Option<&VectorPersisted> {
+        self.objects.get(data)
+    }
+}

src/common/inference/mod.rs

@@ -0,0 +1,8 @@
+mod batch_processing;
+mod batch_processing_grpc;
+pub(crate) mod config;
+mod infer_processing;
+pub mod query_requests_grpc;
+pub mod query_requests_rest;
+pub mod service;
+pub mod update_requests;

src/common/inference/query_requests_grpc.rs

@@ -0,0 +1,535 @@
+use api::conversions::json::json_path_from_proto;
+use api::grpc::qdrant as grpc;
+use api::grpc::qdrant::query::Variant;
+use api::grpc::qdrant::RecommendInput;
+use api::rest;
+use api::rest::RecommendStrategy;
+use collection::operations::universal_query::collection_query::{
+    CollectionPrefetch, CollectionQueryGroupsRequest, CollectionQueryRequest, Query,
+    VectorInputInternal, VectorQuery,
+};
+use collection::operations::universal_query::shard_query::{FusionInternal, SampleInternal};
+use segment::data_types::order_by::OrderBy;
+use segment::data_types::vectors::{VectorInternal, DEFAULT_VECTOR_NAME};
+use segment::vector_storage::query::{ContextPair, ContextQuery, DiscoveryQuery, RecoQuery};
+use tonic::Status;
+
+use crate::common::inference::batch_processing_grpc::{
+    collect_prefetch, collect_query, BatchAccumGrpc,
+};
+use crate::common::inference::infer_processing::BatchAccumInferred;
+use crate::common::inference::service::{InferenceData, InferenceType};
+
+/// ToDo: this function is supposed to call an inference endpoint internally
+pub async fn convert_query_point_groups_from_grpc(
+    query: grpc::QueryPointGroups,
+) -> Result<CollectionQueryGroupsRequest, Status> {
+    let grpc::QueryPointGroups {
+        collection_name: _,
+        prefetch,
+        query,
+        using,
+        filter,
+        params,
+        score_threshold,
+        with_payload,
+        with_vectors,
+        lookup_from,
+        limit,
+        group_size,
+        group_by,
+        with_lookup,
+        read_consistency: _,
+        timeout: _,
+        shard_key_selector: _,
+    } = query;
+
+    let mut batch = BatchAccumGrpc::new();
+
+    if let Some(q) = &query {
+        collect_query(q, &mut batch)?;
+    }
+
+    for p in &prefetch {
+        collect_prefetch(p, &mut batch)?;
+    }
+
+    let BatchAccumGrpc { objects } = batch;
+
+    let inferred = BatchAccumInferred::from_objects(objects, InferenceType::Search)
+        .await
+        .map_err(|e| Status::internal(format!("Inference error: {e}")))?;
+
+    let query = if let Some(q) = query {
+        Some(convert_query_with_inferred(q, &inferred)?)
+    } else {
+        None
+    };
+
+    let prefetch = prefetch
+        .into_iter()
+        .map(|p| convert_prefetch_with_inferred(p, &inferred))
+        .collect::<Result<Vec<_>, _>>()?;
+
+    let request = CollectionQueryGroupsRequest {
+        prefetch,
+        query,
+        using: using.unwrap_or(DEFAULT_VECTOR_NAME.to_string()),
+        filter: filter.map(TryFrom::try_from).transpose()?,
+        score_threshold,
+        with_vector: with_vectors
+            .map(From::from)
+            .unwrap_or(CollectionQueryRequest::DEFAULT_WITH_VECTOR),
+        with_payload: with_payload
+            .map(TryFrom::try_from)
+            .transpose()?
+            .unwrap_or(CollectionQueryRequest::DEFAULT_WITH_PAYLOAD),
+        lookup_from: lookup_from.map(From::from),
+        group_by: json_path_from_proto(&group_by)?,
+        group_size: group_size
+            .map(|s| s as usize)
+            .unwrap_or(CollectionQueryRequest::DEFAULT_GROUP_SIZE),
+        limit: limit
+            .map(|l| l as usize)
+            .unwrap_or(CollectionQueryRequest::DEFAULT_LIMIT),
+        params: params.map(From::from),
+        with_lookup: with_lookup.map(TryFrom::try_from).transpose()?,
+    };
+
+    Ok(request)
+}
+
+/// ToDo: this function is supposed to call an inference endpoint internally
+pub async fn convert_query_points_from_grpc(
+    query: grpc::QueryPoints,
+) -> Result<CollectionQueryRequest, Status> {
+    let grpc::QueryPoints {
+        collection_name: _,
+        prefetch,
+        query,
+        using,
+        filter,
+        params,
+        score_threshold,
+        limit,
+        offset,
+        with_payload,
+        with_vectors,
+        read_consistency: _,
+        shard_key_selector: _,
+        lookup_from,
+        timeout: _,
+    } = query;
+
+    let mut batch = BatchAccumGrpc::new();
+
+    if let Some(q) = &query {
+        collect_query(q, &mut batch)?;
+    }
+
+    for p in &prefetch {
+        collect_prefetch(p, &mut batch)?;
+    }
+
+    let BatchAccumGrpc { objects } = batch;
+
+    let inferred = BatchAccumInferred::from_objects(objects, InferenceType::Search)
+        .await
+        .map_err(|e| Status::internal(format!("Inference error: {e}")))?;
+
+    let prefetch = prefetch
+        .into_iter()
+        .map(|p| convert_prefetch_with_inferred(p, &inferred))
+        .collect::<Result<Vec<_>, _>>()?;
+
+    let query = query
+        .map(|q| convert_query_with_inferred(q, &inferred))
+        .transpose()?;
+
+    Ok(CollectionQueryRequest {
+        prefetch,
+        query,
+        using: using.unwrap_or(DEFAULT_VECTOR_NAME.to_string()),
+        filter: filter.map(TryFrom::try_from).transpose()?,
+        score_threshold,
+        limit: limit
+            .map(|l| l as usize)
+            .unwrap_or(CollectionQueryRequest::DEFAULT_LIMIT),
+        offset: offset
+            .map(|o| o as usize)
+            .unwrap_or(CollectionQueryRequest::DEFAULT_OFFSET),
+        params: params.map(From::from),
+        with_vector: with_vectors
+            .map(From::from)
+            .unwrap_or(CollectionQueryRequest::DEFAULT_WITH_VECTOR),
+        with_payload: with_payload
+            .map(TryFrom::try_from)
+            .transpose()?
+            .unwrap_or(CollectionQueryRequest::DEFAULT_WITH_PAYLOAD),
+        lookup_from: lookup_from.map(From::from),
+    })
+}
+
+fn convert_prefetch_with_inferred(
+    prefetch: grpc::PrefetchQuery,
+    inferred: &BatchAccumInferred,
+) -> Result<CollectionPrefetch, Status> {
+    let grpc::PrefetchQuery {
+        prefetch,
+        query,
+        using,
+        filter,
+        params,
+        score_threshold,
+        limit,
+        lookup_from,
+    } = prefetch;
+
+    let nested_prefetches = prefetch
+        .into_iter()
+        .map(|p| convert_prefetch_with_inferred(p, inferred))
+        .collect::<Result<Vec<_>, _>>()?;
+
+    let query = query
+        .map(|q| convert_query_with_inferred(q, inferred))
+        .transpose()?;
+
+    Ok(CollectionPrefetch {
+        prefetch: nested_prefetches,
+        query,
+        using: using.unwrap_or(DEFAULT_VECTOR_NAME.to_string()),
+        filter: filter.map(TryFrom::try_from).transpose()?,
+        score_threshold,
+        limit: limit
+            .map(|l| l as usize)
+            .unwrap_or(CollectionQueryRequest::DEFAULT_LIMIT),
+        params: params.map(From::from),
+        lookup_from: lookup_from.map(From::from),
+    })
+}
+
+fn convert_query_with_inferred(
+    query: grpc::Query,
+    inferred: &BatchAccumInferred,
+) -> Result<Query, Status> {
+    let variant = query
+        .variant
+        .ok_or_else(|| Status::invalid_argument("Query variant is missing"))?;
+
+    let query = match variant {
+        Variant::Nearest(nearest) => {
+            let vector = convert_vector_input_with_inferred(nearest, inferred)?;
+            Query::Vector(VectorQuery::Nearest(vector))
+        }
+        Variant::Recommend(recommend) => {
+            let RecommendInput {
+                positive,
+                negative,
+                strategy,
+            } = recommend;
+
+            let positives = positive
+                .into_iter()
+                .map(|v| convert_vector_input_with_inferred(v, inferred))
+                .collect::<Result<Vec<_>, _>>()?;
+
+            let negatives = negative
+                .into_iter()
+                .map(|v| convert_vector_input_with_inferred(v, inferred))
+                .collect::<Result<Vec<_>, _>>()?;
+
+            let reco_query = RecoQuery::new(positives, negatives);
+
+            let strategy = strategy
+                .and_then(|x| grpc::RecommendStrategy::try_from(x).ok())
+                .map(RecommendStrategy::from)
+                .unwrap_or_default();
+
+            match strategy {
+                RecommendStrategy::AverageVector => {
+                    Query::Vector(VectorQuery::RecommendAverageVector(reco_query))
+                }
+                RecommendStrategy::BestScore => {
+                    Query::Vector(VectorQuery::RecommendBestScore(reco_query))
+                }
+            }
+        }
+        Variant::Discover(discover) => {
+            let grpc::DiscoverInput { target, context } = discover;
+
+            let target = target
+                .map(|t| convert_vector_input_with_inferred(t, inferred))
+                .transpose()?
+                .ok_or_else(|| Status::invalid_argument("DiscoverInput target is missing"))?;
+
+            let grpc::ContextInput { pairs } = context
+                .ok_or_else(|| Status::invalid_argument("DiscoverInput context is missing"))?;
+
+            let context = pairs
+                .into_iter()
+                .map(|pair| context_pair_from_grpc_with_inferred(pair, inferred))
+                .collect::<Result<_, _>>()?;
+
+            Query::Vector(VectorQuery::Discover(DiscoveryQuery::new(target, context)))
+        }
+        Variant::Context(context) => {
+            let context_query = context_query_from_grpc_with_inferred(context, inferred)?;
+            Query::Vector(VectorQuery::Context(context_query))
+        }
+        Variant::OrderBy(order_by) => Query::OrderBy(OrderBy::try_from(order_by)?),
+        Variant::Fusion(fusion) => Query::Fusion(FusionInternal::try_from(fusion)?),
+        Variant::Sample(sample) => Query::Sample(SampleInternal::try_from(sample)?),
+    };
+
+    Ok(query)
+}
+
+fn convert_vector_input_with_inferred(
+    vector: grpc::VectorInput,
+    inferred: &BatchAccumInferred,
+) -> Result<VectorInputInternal, Status> {
+    use api::grpc::qdrant::vector_input::Variant;
+
+    let variant = vector
+        .variant
+        .ok_or_else(|| Status::invalid_argument("VectorInput variant is missing"))?;
+
+    match variant {
+        Variant::Id(id) => Ok(VectorInputInternal::Id(TryFrom::try_from(id)?)),
+        Variant::Dense(dense) => Ok(VectorInputInternal::Vector(VectorInternal::Dense(
+            From::from(dense),
+        ))),
+        Variant::Sparse(sparse) => Ok(VectorInputInternal::Vector(VectorInternal::Sparse(
+            From::from(sparse),
+        ))),
+        Variant::MultiDense(multi_dense) => Ok(VectorInputInternal::Vector(
+            VectorInternal::MultiDense(From::from(multi_dense)),
+        )),
+        Variant::Document(doc) => {
+            let doc: rest::Document = doc
+                .try_into()
+                .map_err(|e| Status::internal(format!("Document conversion error: {e}")))?;
+            let data = InferenceData::Document(doc);
+            let vector = inferred
+                .get_vector(&data)
+                .ok_or_else(|| Status::internal("Missing inferred vector for document"))?;
+
+            Ok(VectorInputInternal::Vector(VectorInternal::from(
+                vector.clone(),
+            )))
+        }
+        Variant::Image(img) => {
+            let img: rest::Image = img
+                .try_into()
+                .map_err(|e| Status::internal(format!("Image conversion error: {e}",)))?;
+            let data = InferenceData::Image(img);
+
+            let vector = inferred
+                .get_vector(&data)
+                .ok_or_else(|| Status::internal("Missing inferred vector for image"))?;
+
+            Ok(VectorInputInternal::Vector(VectorInternal::from(
+                vector.clone(),
+            )))
+        }
+        Variant::Object(obj) => {
+            let obj: rest::InferenceObject = obj
+                .try_into()
+                .map_err(|e| Status::internal(format!("Object conversion error: {e}")))?;
+            let data = InferenceData::Object(obj);
+            let vector = inferred
+                .get_vector(&data)
+                .ok_or_else(|| Status::internal("Missing inferred vector for object"))?;
+
+            Ok(VectorInputInternal::Vector(VectorInternal::from(
+                vector.clone(),
+            )))
+        }
+    }
+}
+
+fn context_query_from_grpc_with_inferred(
+    value: grpc::ContextInput,
+    inferred: &BatchAccumInferred,
+) -> Result<ContextQuery<VectorInputInternal>, Status> {
+    let grpc::ContextInput { pairs } = value;
+
+    Ok(ContextQuery {
+        pairs: pairs
+            .into_iter()
+            .map(|pair| context_pair_from_grpc_with_inferred(pair, inferred))
+            .collect::<Result<_, _>>()?,
+    })
+}
+
+fn context_pair_from_grpc_with_inferred(
+    value: grpc::ContextInputPair,
+    inferred: &BatchAccumInferred,
+) -> Result<ContextPair<VectorInputInternal>, Status> {
+    let grpc::ContextInputPair { positive, negative } = value;
+
+    let positive =
+        positive.ok_or_else(|| Status::invalid_argument("ContextPair positive is missing"))?;
+    let negative =
+        negative.ok_or_else(|| Status::invalid_argument("ContextPair negative is missing"))?;
+
+    Ok(ContextPair {
+        positive: convert_vector_input_with_inferred(positive, inferred)?,
+        negative: convert_vector_input_with_inferred(negative, inferred)?,
+    })
+}
+
+#[cfg(test)]
+mod tests {
+    use std::collections::HashMap;
+
+    use api::grpc::qdrant::value::Kind;
+    use api::grpc::qdrant::vector_input::Variant;
+    use api::grpc::qdrant::Value;
+    use collection::operations::point_ops::VectorPersisted;
+
+    use super::*;
+
+    fn create_test_document() -> api::grpc::qdrant::Document {
+        api::grpc::qdrant::Document {
+            text: "test".to_string(),
+            model: "test-model".to_string(),
+            options: HashMap::new(),
+        }
+    }
+
+    fn create_test_image() -> api::grpc::qdrant::Image {
+        api::grpc::qdrant::Image {
+            image: Some(Value {
+                kind: Some(Kind::StringValue("test.jpg".to_string())),
+            }),
+            model: "test-model".to_string(),
+            options: HashMap::new(),
+        }
+    }
+
+    fn create_test_object() -> api::grpc::qdrant::InferenceObject {
+        api::grpc::qdrant::InferenceObject {
+            object: Some(Value {
+                kind: Some(Kind::StringValue("test".to_string())),
+            }),
+            model: "test-model".to_string(),
+            options: HashMap::new(),
+        }
+    }
+
+    fn create_test_inferred_batch() -> BatchAccumInferred {
+        let mut objects = HashMap::new();
+
+        let grpc_doc = create_test_document();
+        let grpc_img = create_test_image();
+        let grpc_obj = create_test_object();
+
+        let doc: rest::Document = grpc_doc.try_into().unwrap();
+        let img: rest::Image = grpc_img.try_into().unwrap();
+        let obj: rest::InferenceObject = grpc_obj.try_into().unwrap();
+
+        let doc_data = InferenceData::Document(doc);
+        let img_data = InferenceData::Image(img);
+        let obj_data = InferenceData::Object(obj);
+
+        let dense_vector = vec![1.0, 2.0, 3.0];
+        let vector_persisted = VectorPersisted::Dense(dense_vector);
+
+        objects.insert(doc_data, vector_persisted.clone());
+        objects.insert(img_data, vector_persisted.clone());
+        objects.insert(obj_data, vector_persisted);
+
+        BatchAccumInferred { objects }
+    }
+
+    #[test]
+    fn test_convert_vector_input_with_inferred_dense() {
+        let inferred = create_test_inferred_batch();
+        let vector = grpc::VectorInput {
+            variant: Some(Variant::Dense(grpc::DenseVector {
+                data: vec![1.0, 2.0, 3.0],
+            })),
+        };
+
+        let result = convert_vector_input_with_inferred(vector, &inferred).unwrap();
+        match result {
+            VectorInputInternal::Vector(VectorInternal::Dense(values)) => {
+                assert_eq!(values, vec![1.0, 2.0, 3.0]);
+            }
+            _ => panic!("Expected dense vector"),
+        }
+    }
+
+    #[test]
+    fn test_convert_vector_input_with_inferred_document() {
+        let inferred = create_test_inferred_batch();
+        let doc = create_test_document();
+        let vector = grpc::VectorInput {
+            variant: Some(Variant::Document(doc)),
+        };
+
+        let result = convert_vector_input_with_inferred(vector, &inferred).unwrap();
+        match result {
+            VectorInputInternal::Vector(VectorInternal::Dense(values)) => {
+                assert_eq!(values, vec![1.0, 2.0, 3.0]);
+            }
+            _ => panic!("Expected dense vector from inference"),
+        }
+    }
+
+    #[test]
+    fn test_convert_vector_input_missing_variant() {
+        let inferred = create_test_inferred_batch();
+        let vector = grpc::VectorInput { variant: None };
+
+        let result = convert_vector_input_with_inferred(vector, &inferred);
+        assert!(result.is_err());
+        assert!(result.unwrap_err().message().contains("variant is missing"));
+    }
+
+    #[test]
+    fn test_context_pair_from_grpc_with_inferred() {
+        let inferred = create_test_inferred_batch();
+        let pair = grpc::ContextInputPair {
+            positive: Some(grpc::VectorInput {
+                variant: Some(Variant::Dense(grpc::DenseVector {
+                    data: vec![1.0, 2.0, 3.0],
+                })),
+            }),
+            negative: Some(grpc::VectorInput {
+                variant: Some(Variant::Document(create_test_document())),
+            }),
+        };
+
+        let result = context_pair_from_grpc_with_inferred(pair, &inferred).unwrap();
+        match (result.positive, result.negative) {
+            (
+                VectorInputInternal::Vector(VectorInternal::Dense(pos)),
+                VectorInputInternal::Vector(VectorInternal::Dense(neg)),
+            ) => {
+                assert_eq!(pos, vec![1.0, 2.0, 3.0]);
+                assert_eq!(neg, vec![1.0, 2.0, 3.0]);
+            }
+            _ => panic!("Expected dense vectors"),
+        }
+    }
+
+    #[test]
+    fn test_context_pair_missing_vectors() {
+        let inferred = create_test_inferred_batch();
+        let pair = grpc::ContextInputPair {
+            positive: None,
+            negative: Some(grpc::VectorInput {
+                variant: Some(Variant::Document(create_test_document())),
+            }),
+        };
+
+        let result = context_pair_from_grpc_with_inferred(pair, &inferred);
+        assert!(result.is_err());
+        assert!(result
+            .unwrap_err()
+            .message()
+            .contains("positive is missing"));
+    }
+}

src/common/inference/query_requests_rest.rs

@@ -0,0 +1,415 @@
+use api::rest::schema as rest;
+use collection::lookup::WithLookup;
+use collection::operations::universal_query::collection_query::{
+    CollectionPrefetch, CollectionQueryGroupsRequest, CollectionQueryRequest, Query,
+    VectorInputInternal, VectorQuery,
+};
+use collection::operations::universal_query::shard_query::{FusionInternal, SampleInternal};
+use segment::data_types::order_by::OrderBy;
+use segment::data_types::vectors::{MultiDenseVectorInternal, VectorInternal, DEFAULT_VECTOR_NAME};
+use segment::vector_storage::query::{ContextPair, ContextQuery, DiscoveryQuery, RecoQuery};
+use storage::content_manager::errors::StorageError;
+
+use crate::common::inference::batch_processing::{
+    collect_query_groups_request, collect_query_request,
+};
+use crate::common::inference::infer_processing::BatchAccumInferred;
+use crate::common::inference::service::{InferenceData, InferenceType};
+
+pub async fn convert_query_groups_request_from_rest(
+    request: rest::QueryGroupsRequestInternal,
+) -> Result<CollectionQueryGroupsRequest, StorageError> {
+    let batch = collect_query_groups_request(&request);
+    let rest::QueryGroupsRequestInternal {
+        prefetch,
+        query,
+        using,
+        filter,
+        score_threshold,
+        params,
+        with_vector,
+        with_payload,
+        lookup_from,
+        group_request,
+    } = request;
+
+    let inferred = BatchAccumInferred::from_batch_accum(batch, InferenceType::Search).await?;
+    let query = query
+        .map(|q| convert_query_with_inferred(q, &inferred))
+        .transpose()?;
+
+    let prefetch = prefetch
+        .map(|prefetches| {
+            prefetches
+                .into_iter()
+                .map(|p| convert_prefetch_with_inferred(p, &inferred))
+                .collect::<Result<Vec<_>, _>>()
+        })
+        .transpose()?
+        .unwrap_or_default();
+
+    Ok(CollectionQueryGroupsRequest {
+        prefetch,
+        query,
+        using: using.unwrap_or(DEFAULT_VECTOR_NAME.to_string()),
+        filter,
+        score_threshold,
+        params,
+        with_vector: with_vector.unwrap_or(CollectionQueryRequest::DEFAULT_WITH_VECTOR),
+        with_payload: with_payload.unwrap_or(CollectionQueryRequest::DEFAULT_WITH_PAYLOAD),
+        lookup_from,
+        limit: group_request
+            .limit
+            .unwrap_or(CollectionQueryRequest::DEFAULT_LIMIT),
+        group_by: group_request.group_by,
+        group_size: group_request
+            .group_size
+            .unwrap_or(CollectionQueryRequest::DEFAULT_GROUP_SIZE),
+        with_lookup: group_request.with_lookup.map(WithLookup::from),
+    })
+}
+
+pub async fn convert_query_request_from_rest(
+    request: rest::QueryRequestInternal,
+) -> Result<CollectionQueryRequest, StorageError> {
+    let batch = collect_query_request(&request);
+    let inferred = BatchAccumInferred::from_batch_accum(batch, InferenceType::Search).await?;
+    let rest::QueryRequestInternal {
+        prefetch,
+        query,
+        using,
+        filter,
+        score_threshold,
+        params,
+        limit,
+        offset,
+        with_vector,
+        with_payload,
+        lookup_from,
+    } = request;
+
+    let prefetch = prefetch
+        .map(|prefetches| {
+            prefetches
+                .into_iter()
+                .map(|p| convert_prefetch_with_inferred(p, &inferred))
+                .collect::<Result<Vec<_>, _>>()
+        })
+        .transpose()?
+        .unwrap_or_default();
+
+    let query = query
+        .map(|q| convert_query_with_inferred(q, &inferred))
+        .transpose()?;
+
+    Ok(CollectionQueryRequest {
+        prefetch,
+        query,
+        using: using.unwrap_or(DEFAULT_VECTOR_NAME.to_string()),
+        filter,
+        score_threshold,
+        limit: limit.unwrap_or(CollectionQueryRequest::DEFAULT_LIMIT),
+        offset: offset.unwrap_or(CollectionQueryRequest::DEFAULT_OFFSET),
+        params,
+        with_vector: with_vector.unwrap_or(CollectionQueryRequest::DEFAULT_WITH_VECTOR),
+        with_payload: with_payload.unwrap_or(CollectionQueryRequest::DEFAULT_WITH_PAYLOAD),
+        lookup_from,
+    })
+}
+
+fn convert_vector_input_with_inferred(
+    vector: rest::VectorInput,
+    inferred: &BatchAccumInferred,
+) -> Result<VectorInputInternal, StorageError> {
+    match vector {
+        rest::VectorInput::Id(id) => Ok(VectorInputInternal::Id(id)),
+        rest::VectorInput::DenseVector(dense) => {
+            Ok(VectorInputInternal::Vector(VectorInternal::Dense(dense)))
+        }
+        rest::VectorInput::SparseVector(sparse) => {
+            Ok(VectorInputInternal::Vector(VectorInternal::Sparse(sparse)))
+        }
+        rest::VectorInput::MultiDenseVector(multi_dense) => Ok(VectorInputInternal::Vector(
+            VectorInternal::MultiDense(MultiDenseVectorInternal::new_unchecked(multi_dense)),
+        )),
+        rest::VectorInput::Document(doc) => {
+            let data = InferenceData::Document(doc);
+            let vector = inferred.get_vector(&data).ok_or_else(|| {
+                StorageError::inference_error("Missing inferred vector for document")
+            })?;
+            Ok(VectorInputInternal::Vector(VectorInternal::from(
+                vector.clone(),
+            )))
+        }
+        rest::VectorInput::Image(img) => {
+            let data = InferenceData::Image(img);
+            let vector = inferred.get_vector(&data).ok_or_else(|| {
+                StorageError::inference_error("Missing inferred vector for image")
+            })?;
+            Ok(VectorInputInternal::Vector(VectorInternal::from(
+                vector.clone(),
+            )))
+        }
+        rest::VectorInput::Object(obj) => {
+            let data = InferenceData::Object(obj);
+            let vector = inferred.get_vector(&data).ok_or_else(|| {
+                StorageError::inference_error("Missing inferred vector for object")
+            })?;
+            Ok(VectorInputInternal::Vector(VectorInternal::from(
+                vector.clone(),
+            )))
+        }
+    }
+}
+
+fn convert_query_with_inferred(
+    query: rest::QueryInterface,
+    inferred: &BatchAccumInferred,
+) -> Result<Query, StorageError> {
+    let query = rest::Query::from(query);
+    match query {
+        rest::Query::Nearest(nearest) => {
+            let vector = convert_vector_input_with_inferred(nearest.nearest, inferred)?;
+            Ok(Query::Vector(VectorQuery::Nearest(vector)))
+        }
+        rest::Query::Recommend(recommend) => {
+            let rest::RecommendInput {
+                positive,
+                negative,
+                strategy,
+            } = recommend.recommend;
+            let positives = positive
+                .into_iter()
+                .flatten()
+                .map(|v| convert_vector_input_with_inferred(v, inferred))
+                .collect::<Result<Vec<_>, _>>()?;
+            let negatives = negative
+                .into_iter()
+                .flatten()
+                .map(|v| convert_vector_input_with_inferred(v, inferred))
+                .collect::<Result<Vec<_>, _>>()?;
+            let reco_query = RecoQuery::new(positives, negatives);
+            match strategy.unwrap_or_default() {
+                rest::RecommendStrategy::AverageVector => Ok(Query::Vector(
+                    VectorQuery::RecommendAverageVector(reco_query),
+                )),
+                rest::RecommendStrategy::BestScore => {
+                    Ok(Query::Vector(VectorQuery::RecommendBestScore(reco_query)))
+                }
+            }
+        }
+        rest::Query::Discover(discover) => {
+            let rest::DiscoverInput { target, context } = discover.discover;
+            let target = convert_vector_input_with_inferred(target, inferred)?;
+            let context = context
+                .into_iter()
+                .flatten()
+                .map(|pair| context_pair_from_rest_with_inferred(pair, inferred))
+                .collect::<Result<Vec<_>, _>>()?;
+            Ok(Query::Vector(VectorQuery::Discover(DiscoveryQuery::new(
+                target, context,
+            ))))
+        }
+        rest::Query::Context(context) => {
+            let rest::ContextInput(context) = context.context;
+            let context = context
+                .into_iter()
+                .flatten()
+                .map(|pair| context_pair_from_rest_with_inferred(pair, inferred))
+                .collect::<Result<Vec<_>, _>>()?;
+            Ok(Query::Vector(VectorQuery::Context(ContextQuery::new(
+                context,
+            ))))
+        }
+        rest::Query::OrderBy(order_by) => Ok(Query::OrderBy(OrderBy::from(order_by.order_by))),
+        rest::Query::Fusion(fusion) => Ok(Query::Fusion(FusionInternal::from(fusion.fusion))),
+        rest::Query::Sample(sample) => Ok(Query::Sample(SampleInternal::from(sample.sample))),
+    }
+}
+
+fn convert_prefetch_with_inferred(
+    prefetch: rest::Prefetch,
+    inferred: &BatchAccumInferred,
+) -> Result<CollectionPrefetch, StorageError> {
+    let rest::Prefetch {
+        prefetch,
+        query,
+        using,
+        filter,
+        score_threshold,
+        params,
+        limit,
+        lookup_from,
+    } = prefetch;
+
+    let query = query
+        .map(|q| convert_query_with_inferred(q, inferred))
+        .transpose()?;
+    let nested_prefetches = prefetch
+        .map(|prefetches| {
+            prefetches
+                .into_iter()
+                .map(|p| convert_prefetch_with_inferred(p, inferred))
+                .collect::<Result<Vec<_>, _>>()
+        })
+        .transpose()?
+        .unwrap_or_default();
+
+    Ok(CollectionPrefetch {
+        prefetch: nested_prefetches,
+        query,
+        using: using.unwrap_or(DEFAULT_VECTOR_NAME.to_string()),
+        filter,
+        score_threshold,
+        limit: limit.unwrap_or(CollectionQueryRequest::DEFAULT_LIMIT),
+        params,
+        lookup_from,
+    })
+}
+
+fn context_pair_from_rest_with_inferred(
+    value: rest::ContextPair,
+    inferred: &BatchAccumInferred,
+) -> Result<ContextPair<VectorInputInternal>, StorageError> {
+    let rest::ContextPair { positive, negative } = value;
+    Ok(ContextPair {
+        positive: convert_vector_input_with_inferred(positive, inferred)?,
+        negative: convert_vector_input_with_inferred(negative, inferred)?,
+    })
+}
+
+#[cfg(test)]
+mod tests {
+    use std::collections::HashMap;
+
+    use api::rest::schema::{Document, Image, InferenceObject, NearestQuery};
+    use collection::operations::point_ops::VectorPersisted;
+    use serde_json::json;
+
+    use super::*;
+
+    fn create_test_document(text: &str) -> Document {
+        Document {
+            text: text.to_string(),
+            model: "test-model".to_string(),
+            options: Default::default(),
+        }
+    }
+
+    fn create_test_image(url: &str) -> Image {
+        Image {
+            image: json!({"data": url.to_string()}),
+            model: "test-model".to_string(),
+            options: Default::default(),
+        }
+    }
+
+    fn create_test_object(data: &str) -> InferenceObject {
+        InferenceObject {
+            object: json!({"data": data}),
+            model: "test-model".to_string(),
+            options: Default::default(),
+        }
+    }
+
+    fn create_test_inferred_batch() -> BatchAccumInferred {
+        let mut objects = HashMap::new();
+
+        let doc = InferenceData::Document(create_test_document("test"));
+        let img = InferenceData::Image(create_test_image("test.jpg"));
+        let obj = InferenceData::Object(create_test_object("test"));
+
+        let dense_vector = vec![1.0, 2.0, 3.0];
+        let vector_persisted = VectorPersisted::Dense(dense_vector);
+
+        objects.insert(doc, vector_persisted.clone());
+        objects.insert(img, vector_persisted.clone());
+        objects.insert(obj, vector_persisted);
+
+        BatchAccumInferred { objects }
+    }
+
+    #[test]
+    fn test_convert_vector_input_with_inferred_dense() {
+        let inferred = create_test_inferred_batch();
+        let vector = rest::VectorInput::DenseVector(vec![1.0, 2.0, 3.0]);
+
+        let result = convert_vector_input_with_inferred(vector, &inferred).unwrap();
+        match result {
+            VectorInputInternal::Vector(VectorInternal::Dense(values)) => {
+                assert_eq!(values, vec![1.0, 2.0, 3.0]);
+            }
+            _ => panic!("Expected dense vector"),
+        }
+    }
+
+    #[test]
+    fn test_convert_vector_input_with_inferred_document() {
+        let inferred = create_test_inferred_batch();
+        let doc = create_test_document("test");
+        let vector = rest::VectorInput::Document(doc);
+
+        let result = convert_vector_input_with_inferred(vector, &inferred).unwrap();
+        match result {
+            VectorInputInternal::Vector(VectorInternal::Dense(values)) => {
+                assert_eq!(values, vec![1.0, 2.0, 3.0]);
+            }
+            _ => panic!("Expected dense vector from inference"),
+        }
+    }
+
+    #[test]
+    fn test_convert_vector_input_with_inferred_missing() {
+        let inferred = create_test_inferred_batch();
+        let doc = create_test_document("missing");
+        let vector = rest::VectorInput::Document(doc);
+
+        let result = convert_vector_input_with_inferred(vector, &inferred);
+        assert!(result.is_err());
+        assert!(result
+            .unwrap_err()
+            .to_string()
+            .contains("Missing inferred vector"));
+    }
+
+    #[test]
+    fn test_context_pair_from_rest_with_inferred() {
+        let inferred = create_test_inferred_batch();
+        let pair = rest::ContextPair {
+            positive: rest::VectorInput::DenseVector(vec![1.0, 2.0, 3.0]),
+            negative: rest::VectorInput::Document(create_test_document("test")),
+        };
+
+        let result = context_pair_from_rest_with_inferred(pair, &inferred).unwrap();
+        match (result.positive, result.negative) {
+            (
+                VectorInputInternal::Vector(VectorInternal::Dense(pos)),
+                VectorInputInternal::Vector(VectorInternal::Dense(neg)),
+            ) => {
+                assert_eq!(pos, vec![1.0, 2.0, 3.0]);
+                assert_eq!(neg, vec![1.0, 2.0, 3.0]);
+            }
+            _ => panic!("Expected dense vectors"),
+        }
+    }
+
+    #[test]
+    fn test_convert_query_with_inferred_nearest() {
+        let inferred = create_test_inferred_batch();
+        let nearest = NearestQuery {
+            nearest: rest::VectorInput::Document(create_test_document("test")),
+        };
+        let query = rest::QueryInterface::Query(rest::Query::Nearest(nearest));
+
+        let result = convert_query_with_inferred(query, &inferred).unwrap();
+        match result {
+            Query::Vector(VectorQuery::Nearest(vector)) => match vector {
+                VectorInputInternal::Vector(VectorInternal::Dense(values)) => {
+                    assert_eq!(values, vec![1.0, 2.0, 3.0]);
+                }
+                _ => panic!("Expected dense vector"),
+            },
+            _ => panic!("Expected nearest query"),
+        }
+    }
+}

src/common/inference/service.rs

@@ -0,0 +1,266 @@
+use std::collections::HashMap;
+use std::fmt::Display;
+use std::hash::Hash;
+use std::sync::Arc;
+use std::time::Duration;
+
+use api::rest::{Document, Image, InferenceObject};
+use collection::operations::point_ops::VectorPersisted;
+use parking_lot::RwLock;
+use reqwest::Client;
+use serde::{Deserialize, Serialize};
+use serde_json::Value;
+use storage::content_manager::errors::StorageError;
+
+use crate::common::inference::config::InferenceConfig;
+
+const DOCUMENT_DATA_TYPE: &str = "text";
+const IMAGE_DATA_TYPE: &str = "image";
+const OBJECT_DATA_TYPE: &str = "object";
+
+#[derive(Debug, Serialize, Default, Clone, Copy)]
+#[serde(rename_all = "lowercase")]
+pub enum InferenceType {
+    #[default]
+    Update,
+    Search,
+}
+
+impl Display for InferenceType {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "{}", format!("{self:?}").to_lowercase())
+    }
+}
+
+#[derive(Debug, Serialize)]
+pub struct InferenceRequest {
+    pub(crate) inputs: Vec<InferenceInput>,
+    pub(crate) inference: Option<InferenceType>,
+    #[serde(default)]
+    pub(crate) token: Option<String>,
+}
+
+#[derive(Debug, Serialize)]
+pub struct InferenceInput {
+    data: Value,
+    data_type: String,
+    model: String,
+    options: Option<HashMap<String, Value>>,
+}
+
+#[derive(Debug, Deserialize)]
+pub(crate) struct InferenceResponse {
+    pub(crate) embeddings: Vec<VectorPersisted>,
+}
+
+#[derive(Debug, Serialize, Deserialize, Clone, PartialEq, Eq, Hash)]
+pub enum InferenceData {
+    Document(Document),
+    Image(Image),
+    Object(InferenceObject),
+}
+
+impl InferenceData {
+    pub(crate) fn type_name(&self) -> &'static str {
+        match self {
+            InferenceData::Document(_) => "document",
+            InferenceData::Image(_) => "image",
+            InferenceData::Object(_) => "object",
+        }
+    }
+}
+
+impl From<InferenceData> for InferenceInput {
+    fn from(value: InferenceData) -> Self {
+        match value {
+            InferenceData::Document(doc) => {
+                let Document {
+                    text,
+                    model,
+                    options,
+                } = doc;
+                InferenceInput {
+                    data: Value::String(text),
+                    data_type: DOCUMENT_DATA_TYPE.to_string(),
+                    model: model.to_string(),
+                    options: options.options,
+                }
+            }
+            InferenceData::Image(img) => {
+                let Image {
+                    image,
+                    model,
+                    options,
+                } = img;
+                InferenceInput {
+                    data: image,
+                    data_type: IMAGE_DATA_TYPE.to_string(),
+                    model: model.to_string(),
+                    options: options.options,
+                }
+            }
+            InferenceData::Object(obj) => {
+                let InferenceObject {
+                    object,
+                    model,
+                    options,
+                } = obj;
+                InferenceInput {
+                    data: object,
+                    data_type: OBJECT_DATA_TYPE.to_string(),
+                    model: model.to_string(),
+                    options: options.options,
+                }
+            }
+        }
+    }
+}
+
+pub struct InferenceService {
+    pub(crate) config: InferenceConfig,
+    pub(crate) client: Client,
+}
+
+static INFERENCE_SERVICE: RwLock<Option<Arc<InferenceService>>> = RwLock::new(None);
+
+impl InferenceService {
+    pub fn new(config: InferenceConfig) -> Self {
+        let timeout = Duration::from_secs(config.timeout);
+        Self {
+            config,
+            client: Client::builder()
+                .timeout(timeout)
+                .build()
+                .expect("Invalid timeout value for HTTP client"),
+        }
+    }
+
+    pub fn init_global(config: InferenceConfig) -> Result<(), StorageError> {
+        let mut inference_service = INFERENCE_SERVICE.write();
+
+        if config.token.is_none() {
+            return Err(StorageError::service_error(
+                "Cannot initialize InferenceService: token is required but not provided in config",
+            ));
+        }
+
+        if config.address.is_none() || config.address.as_ref().unwrap().is_empty() {
+            return Err(StorageError::service_error(
+                "Cannot initialize InferenceService: address is required but not provided or empty in config"
+            ));
+        }
+
+        *inference_service = Some(Arc::new(Self::new(config)));
+        Ok(())
+    }
+
+    pub fn get_global() -> Option<Arc<InferenceService>> {
+        INFERENCE_SERVICE.read().as_ref().cloned()
+    }
+
+    pub(crate) fn validate(&self) -> Result<(), StorageError> {
+        if self
+            .config
+            .address
+            .as_ref()
+            .map_or(true, |url| url.is_empty())
+        {
+            return Err(StorageError::service_error(
+                "InferenceService configuration error: address is missing or empty",
+            ));
+        }
+        Ok(())
+    }
+
+    pub async fn infer(
+        &self,
+        inference_inputs: Vec<InferenceInput>,
+        inference_type: InferenceType,
+    ) -> Result<Vec<VectorPersisted>, StorageError> {
+        let request = InferenceRequest {
+            inputs: inference_inputs,
+            inference: Some(inference_type),
+            token: self.config.token.clone(),
+        };
+
+        let url = self.config.address.as_ref().ok_or_else(|| {
+            StorageError::service_error(
+                "InferenceService URL not configured - please provide valid address in config",
+            )
+        })?;
+
+        let response = self
+            .client
+            .post(url)
+            .json(&request)
+            .send()
+            .await
+            .map_err(|e| {
+                let error_body = e.to_string();
+                StorageError::service_error(format!(
+                    "Failed to send inference request to {url}: {e}, error details: {error_body}",
+                ))
+            })?;
+
+        let status = response.status();
+        let response_body = response.text().await.map_err(|e| {
+            StorageError::service_error(format!("Failed to read inference response body: {e}",))
+        })?;
+
+        Self::handle_inference_response(status, &response_body)
+    }
+
+    pub(crate) fn handle_inference_response(
+        status: reqwest::StatusCode,
+        response_body: &str,
+    ) -> Result<Vec<VectorPersisted>, StorageError> {
+        match status {
+            reqwest::StatusCode::OK => {
+                let inference_response: InferenceResponse = serde_json::from_str(response_body)
+                    .map_err(|e| {
+                        StorageError::service_error(format!(
+                            "Failed to parse successful inference response: {e}. Response body: {response_body}",
+                        ))
+                    })?;
+
+                if inference_response.embeddings.is_empty() {
+                    Err(StorageError::service_error(
+                        "Inference response contained no embeddings - this may indicate an issue with the model or input"
+                    ))
+                } else {
+                    Ok(inference_response.embeddings)
+                }
+            }
+            reqwest::StatusCode::BAD_REQUEST => {
+                let error_json: Value = serde_json::from_str(response_body).map_err(|e| {
+                    StorageError::service_error(format!(
+                        "Failed to parse error response: {e}. Raw response: {response_body}",
+                    ))
+                })?;
+
+                if let Some(error_message) = error_json["error"].as_str() {
+                    Err(StorageError::bad_request(format!(
+                        "Inference request validation failed: {error_message}",
+                    )))
+                } else {
+                    Err(StorageError::bad_request(format!(
+                        "Invalid inference request: {response_body}",
+                    )))
+                }
+            }
+            status @ (reqwest::StatusCode::UNAUTHORIZED | reqwest::StatusCode::FORBIDDEN) => {
+                Err(StorageError::service_error(format!(
+                    "Authentication failed for inference service ({status}): {response_body}",
+                )))
+            }
+            status @ (reqwest::StatusCode::INTERNAL_SERVER_ERROR
+            | reqwest::StatusCode::SERVICE_UNAVAILABLE
+            | reqwest::StatusCode::GATEWAY_TIMEOUT) => Err(StorageError::service_error(format!(
+                "Inference service error ({status}): {response_body}",
+            ))),
+            _ => Err(StorageError::service_error(format!(
+                "Unexpected inference service response ({status}): {response_body}"
+            ))),
+        }
+    }
+}

src/common/inference/update_requests.rs

@@ -0,0 +1,409 @@
+use std::collections::HashMap;
+
+use api::rest::{Batch, BatchVectorStruct, PointStruct, PointVectors, Vector, VectorStruct};
+use collection::operations::point_ops::{
+    BatchPersisted, BatchVectorStructPersisted, PointStructPersisted, VectorPersisted,
+    VectorStructPersisted,
+};
+use collection::operations::vector_ops::PointVectorsPersisted;
+use storage::content_manager::errors::StorageError;
+
+use crate::common::inference::batch_processing::BatchAccum;
+use crate::common::inference::infer_processing::BatchAccumInferred;
+use crate::common::inference::service::{InferenceData, InferenceType};
+
+pub async fn convert_point_struct(
+    point_structs: Vec<PointStruct>,
+    inference_type: InferenceType,
+) -> Result<Vec<PointStructPersisted>, StorageError> {
+    let mut batch_accum = BatchAccum::new();
+
+    for point_struct in &point_structs {
+        match &point_struct.vector {
+            VectorStruct::Named(named) => {
+                for vector in named.values() {
+                    match vector {
+                        Vector::Document(doc) => {
+                            batch_accum.add(InferenceData::Document(doc.clone()))
+                        }
+                        Vector::Image(img) => batch_accum.add(InferenceData::Image(img.clone())),
+                        Vector::Object(obj) => batch_accum.add(InferenceData::Object(obj.clone())),
+                        Vector::Dense(_) | Vector::Sparse(_) | Vector::MultiDense(_) => {}
+                    }
+                }
+            }
+            VectorStruct::Document(doc) => batch_accum.add(InferenceData::Document(doc.clone())),
+            VectorStruct::Image(img) => batch_accum.add(InferenceData::Image(img.clone())),
+            VectorStruct::Object(obj) => batch_accum.add(InferenceData::Object(obj.clone())),
+            VectorStruct::MultiDense(_) | VectorStruct::Single(_) => {}
+        }
+    }
+
+    let inferred = if !batch_accum.objects.is_empty() {
+        Some(BatchAccumInferred::from_batch_accum(batch_accum, inference_type).await?)
+    } else {
+        None
+    };
+
+    let mut converted_points: Vec<PointStructPersisted> = Vec::new();
+    for point_struct in point_structs {
+        let PointStruct {
+            id,
+            vector,
+            payload,
+        } = point_struct;
+
+        let converted_vector_struct = match vector {
+            VectorStruct::Single(single) => VectorStructPersisted::Single(single),
+            VectorStruct::MultiDense(multi) => VectorStructPersisted::MultiDense(multi),
+            VectorStruct::Named(named) => {
+                let mut named_vectors = HashMap::new();
+                for (name, vector) in named {
+                    let converted_vector = match &inferred {
+                        Some(inferred) => convert_vector_with_inferred(vector, inferred)?,
+                        None => match vector {
+                            Vector::Dense(dense) => VectorPersisted::Dense(dense),
+                            Vector::Sparse(sparse) => VectorPersisted::Sparse(sparse),
+                            Vector::MultiDense(multi) => VectorPersisted::MultiDense(multi),
+                            Vector::Document(_) | Vector::Image(_) | Vector::Object(_) => {
+                                return Err(StorageError::inference_error(
+                                    "Inference required but service returned no results",
+                                ))
+                            }
+                        },
+                    };
+                    named_vectors.insert(name, converted_vector);
+                }
+                VectorStructPersisted::Named(named_vectors)
+            }
+            VectorStruct::Document(doc) => {
+                let vector = match &inferred {
+                    Some(inferred) => {
+                        convert_vector_with_inferred(Vector::Document(doc), inferred)?
+                    }
+                    None => {
+                        return Err(StorageError::inference_error(
+                            "Inference required but service returned no results",
+                        ))
+                    }
+                };
+                match vector {
+                    VectorPersisted::Dense(dense) => VectorStructPersisted::Single(dense),
+                    VectorPersisted::Sparse(_) => {
+                        return Err(StorageError::bad_request("Sparse vector should be named"));
+                    }
+                    VectorPersisted::MultiDense(multi) => VectorStructPersisted::MultiDense(multi),
+                }
+            }
+            VectorStruct::Image(img) => {
+                let vector = match &inferred {
+                    Some(inferred) => convert_vector_with_inferred(Vector::Image(img), inferred)?,
+                    None => {
+                        return Err(StorageError::inference_error(
+                            "Inference required but service returned no results",
+                        ))
+                    }
+                };
+                match vector {
+                    VectorPersisted::Dense(dense) => VectorStructPersisted::Single(dense),
+                    VectorPersisted::Sparse(_) => {
+                        return Err(StorageError::bad_request("Sparse vector should be named"));
+                    }
+                    VectorPersisted::MultiDense(multi) => VectorStructPersisted::MultiDense(multi),
+                }
+            }
+            VectorStruct::Object(obj) => {
+                let vector = match &inferred {
+                    Some(inferred) => convert_vector_with_inferred(Vector::Object(obj), inferred)?,
+                    None => {
+                        return Err(StorageError::inference_error(
+                            "Inference required but service returned no results",
+                        ))
+                    }
+                };
+                match vector {
+                    VectorPersisted::Dense(dense) => VectorStructPersisted::Single(dense),
+                    VectorPersisted::Sparse(_) => {
+                        return Err(StorageError::bad_request("Sparse vector should be named"));
+                    }
+                    VectorPersisted::MultiDense(multi) => VectorStructPersisted::MultiDense(multi),
+                }
+            }
+        };
+
+        let converted = PointStructPersisted {
+            id,
+            vector: converted_vector_struct,
+            payload,
+        };
+
+        converted_points.push(converted);
+    }
+
+    Ok(converted_points)
+}
+
+pub async fn convert_batch(batch: Batch) -> Result<BatchPersisted, StorageError> {
+    let Batch {
+        ids,
+        vectors,
+        payloads,
+    } = batch;
+
+    let batch_persisted = BatchPersisted {
+        ids,
+        vectors: match vectors {
+            BatchVectorStruct::Single(single) => BatchVectorStructPersisted::Single(single),
+            BatchVectorStruct::MultiDense(multi) => BatchVectorStructPersisted::MultiDense(multi),
+            BatchVectorStruct::Named(named) => {
+                let mut named_vectors = HashMap::new();
+
+                for (name, vectors) in named {
+                    let converted_vectors = convert_vectors(vectors, InferenceType::Update).await?;
+                    named_vectors.insert(name, converted_vectors);
+                }
+
+                BatchVectorStructPersisted::Named(named_vectors)
+            }
+            BatchVectorStruct::Document(_) => {
+                return Err(StorageError::inference_error(
+                    "Document processing is not supported in batch operations.",
+                ))
+            }
+            BatchVectorStruct::Image(_) => {
+                return Err(StorageError::inference_error(
+                    "Image processing is not supported in batch operations.",
+                ))
+            }
+            BatchVectorStruct::Object(_) => {
+                return Err(StorageError::inference_error(
+                    "Object processing is not supported in batch operations.",
+                ))
+            }
+        },
+        payloads,
+    };
+
+    Ok(batch_persisted)
+}
+
+pub async fn convert_point_vectors(
+    point_vectors_list: Vec<PointVectors>,
+    inference_type: InferenceType,
+) -> Result<Vec<PointVectorsPersisted>, StorageError> {
+    let mut converted_point_vectors = Vec::new();
+    let mut batch_accum = BatchAccum::new();
+
+    for point_vectors in &point_vectors_list {
+        if let VectorStruct::Named(named) = &point_vectors.vector {
+            for vector in named.values() {
+                match vector {
+                    Vector::Document(doc) => batch_accum.add(InferenceData::Document(doc.clone())),
+                    Vector::Image(img) => batch_accum.add(InferenceData::Image(img.clone())),
+                    Vector::Object(obj) => batch_accum.add(InferenceData::Object(obj.clone())),
+                    Vector::Dense(_) | Vector::Sparse(_) | Vector::MultiDense(_) => {}
+                }
+            }
+        }
+    }
+
+    let inferred = if !batch_accum.objects.is_empty() {
+        Some(BatchAccumInferred::from_batch_accum(batch_accum, inference_type).await?)
+    } else {
+        None
+    };
+
+    for point_vectors in point_vectors_list {
+        let PointVectors { id, vector } = point_vectors;
+
+        let converted_vector = match vector {
+            VectorStruct::Single(dense) => VectorStructPersisted::Single(dense),
+            VectorStruct::MultiDense(multi) => VectorStructPersisted::MultiDense(multi),
+            VectorStruct::Named(named) => {
+                let mut converted = HashMap::new();
+
+                for (name, vec) in named {
+                    let converted_vec = match &inferred {
+                        Some(inferred) => convert_vector_with_inferred(vec, inferred)?,
+                        None => match vec {
+                            Vector::Dense(dense) => VectorPersisted::Dense(dense),
+                            Vector::Sparse(sparse) => VectorPersisted::Sparse(sparse),
+                            Vector::MultiDense(multi) => VectorPersisted::MultiDense(multi),
+                            Vector::Document(_) | Vector::Image(_) | Vector::Object(_) => {
+                                return Err(StorageError::inference_error(
+                                    "Inference required but service returned no results",
+                                ))
+                            }
+                        },
+                    };
+                    converted.insert(name, converted_vec);
+                }
+
+                VectorStructPersisted::Named(converted)
+            }
+            VectorStruct::Document(_) => {
+                return Err(StorageError::inference_error(
+                    "Document processing is not supported for point vectors.",
+                ))
+            }
+            VectorStruct::Image(_) => {
+                return Err(StorageError::inference_error(
+                    "Image processing is not supported for point vectors.",
+                ))
+            }
+            VectorStruct::Object(_) => {
+                return Err(StorageError::inference_error(
+                    "Object processing is not supported for point vectors.",
+                ))
+            }
+        };
+
+        let converted_point_vector = PointVectorsPersisted {
+            id,
+            vector: converted_vector,
+        };
+
+        converted_point_vectors.push(converted_point_vector);
+    }
+
+    Ok(converted_point_vectors)
+}
+
+fn convert_point_struct_with_inferred(
+    point_structs: Vec<PointStruct>,
+    inferred: &BatchAccumInferred,
+) -> Result<Vec<PointStructPersisted>, StorageError> {
+    point_structs
+        .into_iter()
+        .map(|point_struct| {
+            let PointStruct {
+                id,
+                vector,
+                payload,
+            } = point_struct;
+            let converted_vector_struct = match vector {
+                VectorStruct::Single(single) => VectorStructPersisted::Single(single),
+                VectorStruct::MultiDense(multi) => VectorStructPersisted::MultiDense(multi),
+                VectorStruct::Named(named) => {
+                    let mut named_vectors = HashMap::new();
+                    for (name, vector) in named {
+                        let converted_vector = convert_vector_with_inferred(vector, inferred)?;
+                        named_vectors.insert(name, converted_vector);
+                    }
+                    VectorStructPersisted::Named(named_vectors)
+                }
+                VectorStruct::Document(doc) => {
+                    let vector = convert_vector_with_inferred(Vector::Document(doc), inferred)?;
+                    match vector {
+                        VectorPersisted::Dense(dense) => VectorStructPersisted::Single(dense),
+                        VectorPersisted::Sparse(_) => {
+                            return Err(StorageError::bad_request("Sparse vector should be named"))
+                        }
+                        VectorPersisted::MultiDense(multi) => {
+                            VectorStructPersisted::MultiDense(multi)
+                        }
+                    }
+                }
+                VectorStruct::Image(img) => {
+                    let vector = convert_vector_with_inferred(Vector::Image(img), inferred)?;
+                    match vector {
+                        VectorPersisted::Dense(dense) => VectorStructPersisted::Single(dense),
+                        VectorPersisted::Sparse(_) => {
+                            return Err(StorageError::bad_request("Sparse vector should be named"))
+                        }
+                        VectorPersisted::MultiDense(multi) => {
+                            VectorStructPersisted::MultiDense(multi)
+                        }
+                    }
+                }
+                VectorStruct::Object(obj) => {
+                    let vector = convert_vector_with_inferred(Vector::Object(obj), inferred)?;
+                    match vector {
+                        VectorPersisted::Dense(dense) => VectorStructPersisted::Single(dense),
+                        VectorPersisted::Sparse(_) => {
+                            return Err(StorageError::bad_request("Sparse vector should be named"))
+                        }
+                        VectorPersisted::MultiDense(multi) => {
+                            VectorStructPersisted::MultiDense(multi)
+                        }
+                    }
+                }
+            };
+
+            Ok(PointStructPersisted {
+                id,
+                vector: converted_vector_struct,
+                payload,
+            })
+        })
+        .collect()
+}
+
+pub async fn convert_vectors(
+    vectors: Vec<Vector>,
+    inference_type: InferenceType,
+) -> Result<Vec<VectorPersisted>, StorageError> {
+    let mut batch_accum = BatchAccum::new();
+    for vector in &vectors {
+        match vector {
+            Vector::Document(doc) => batch_accum.add(InferenceData::Document(doc.clone())),
+            Vector::Image(img) => batch_accum.add(InferenceData::Image(img.clone())),
+            Vector::Object(obj) => batch_accum.add(InferenceData::Object(obj.clone())),
+            Vector::Dense(_) | Vector::Sparse(_) | Vector::MultiDense(_) => {}
+        }
+    }
+
+    let inferred = if !batch_accum.objects.is_empty() {
+        Some(BatchAccumInferred::from_batch_accum(batch_accum, inference_type).await?)
+    } else {
+        None
+    };
+
+    vectors
+        .into_iter()
+        .map(|vector| match &inferred {
+            Some(inferred) => convert_vector_with_inferred(vector, inferred),
+            None => match vector {
+                Vector::Dense(dense) => Ok(VectorPersisted::Dense(dense)),
+                Vector::Sparse(sparse) => Ok(VectorPersisted::Sparse(sparse)),
+                Vector::MultiDense(multi) => Ok(VectorPersisted::MultiDense(multi)),
+                Vector::Document(_) | Vector::Image(_) | Vector::Object(_) => {
+                    Err(StorageError::inference_error(
+                        "Inference required but service returned no results",
+                    ))
+                }
+            },
+        })
+        .collect()
+}
+
+fn convert_vector_with_inferred(
+    vector: Vector,
+    inferred: &BatchAccumInferred,
+) -> Result<VectorPersisted, StorageError> {
+    match vector {
+        Vector::Dense(dense) => Ok(VectorPersisted::Dense(dense)),
+        Vector::Sparse(sparse) => Ok(VectorPersisted::Sparse(sparse)),
+        Vector::MultiDense(multi) => Ok(VectorPersisted::MultiDense(multi)),
+        Vector::Document(doc) => {
+            let data = InferenceData::Document(doc);
+            inferred.get_vector(&data).cloned().ok_or_else(|| {
+                StorageError::inference_error("Missing inferred vector for document")
+            })
+        }
+        Vector::Image(img) => {
+            let data = InferenceData::Image(img);
+            inferred
+                .get_vector(&data)
+                .cloned()
+                .ok_or_else(|| StorageError::inference_error("Missing inferred vector for image"))
+        }
+        Vector::Object(obj) => {
+            let data = InferenceData::Object(obj);
+            inferred
+                .get_vector(&data)
+                .cloned()
+                .ok_or_else(|| StorageError::inference_error("Missing inferred vector for object"))
+        }
+    }
+}

src/common/metrics.rs

@@ -0,0 +1,505 @@
+use prometheus::proto::{Counter, Gauge, LabelPair, Metric, MetricFamily, MetricType};
+use prometheus::TextEncoder;
+use segment::common::operation_time_statistics::OperationDurationStatistics;
+
+use crate::common::telemetry::TelemetryData;
+use crate::common::telemetry_ops::app_telemetry::{AppBuildTelemetry, AppFeaturesTelemetry};
+use crate::common::telemetry_ops::cluster_telemetry::{ClusterStatusTelemetry, ClusterTelemetry};
+use crate::common::telemetry_ops::collections_telemetry::{
+    CollectionTelemetryEnum, CollectionsTelemetry,
+};
+use crate::common::telemetry_ops::memory_telemetry::MemoryTelemetry;
+use crate::common::telemetry_ops::requests_telemetry::{
+    GrpcTelemetry, RequestsTelemetry, WebApiTelemetry,
+};
+
+/// Whitelist for REST endpoints in metrics output.
+///
+/// Contains selection of search, recommend, scroll and upsert endpoints.
+///
+/// This array *must* be sorted.
+const REST_ENDPOINT_WHITELIST: &[&str] = &[
+    "/collections/{name}/index",
+    "/collections/{name}/points",
+    "/collections/{name}/points/batch",
+    "/collections/{name}/points/count",
+    "/collections/{name}/points/delete",
+    "/collections/{name}/points/discover",
+    "/collections/{name}/points/discover/batch",
+    "/collections/{name}/points/facet",
+    "/collections/{name}/points/payload",
+    "/collections/{name}/points/payload/clear",
+    "/collections/{name}/points/payload/delete",
+    "/collections/{name}/points/query",
+    "/collections/{name}/points/query/batch",
+    "/collections/{name}/points/query/groups",
+    "/collections/{name}/points/recommend",
+    "/collections/{name}/points/recommend/batch",
+    "/collections/{name}/points/recommend/groups",
+    "/collections/{name}/points/scroll",
+    "/collections/{name}/points/search",
+    "/collections/{name}/points/search/batch",
+    "/collections/{name}/points/search/groups",
+    "/collections/{name}/points/search/matrix/offsets",
+    "/collections/{name}/points/search/matrix/pairs",
+    "/collections/{name}/points/vectors",
+    "/collections/{name}/points/vectors/delete",
+];
+
+/// Whitelist for GRPC endpoints in metrics output.
+///
+/// Contains selection of search, recommend, scroll and upsert endpoints.
+///
+/// This array *must* be sorted.
+const GRPC_ENDPOINT_WHITELIST: &[&str] = &[
+    "/qdrant.Points/ClearPayload",
+    "/qdrant.Points/Count",
+    "/qdrant.Points/Delete",
+    "/qdrant.Points/DeletePayload",
+    "/qdrant.Points/Discover",
+    "/qdrant.Points/DiscoverBatch",
+    "/qdrant.Points/Facet",
+    "/qdrant.Points/Get",
+    "/qdrant.Points/OverwritePayload",
+    "/qdrant.Points/Query",
+    "/qdrant.Points/QueryBatch",
+    "/qdrant.Points/QueryGroups",
+    "/qdrant.Points/Recommend",
+    "/qdrant.Points/RecommendBatch",
+    "/qdrant.Points/RecommendGroups",
+    "/qdrant.Points/Scroll",
+    "/qdrant.Points/Search",
+    "/qdrant.Points/SearchBatch",
+    "/qdrant.Points/SearchGroups",
+    "/qdrant.Points/SetPayload",
+    "/qdrant.Points/UpdateBatch",
+    "/qdrant.Points/UpdateVectors",
+    "/qdrant.Points/Upsert",
+];
+
+/// For REST requests, only report timings when having this HTTP response status.
+const REST_TIMINGS_FOR_STATUS: u16 = 200;
+
+/// Encapsulates metrics data in Prometheus format.
+pub struct MetricsData {
+    metrics: Vec<MetricFamily>,
+}
+
+impl MetricsData {
+    pub fn format_metrics(&self) -> String {
+        TextEncoder::new().encode_to_string(&self.metrics).unwrap()
+    }
+}
+
+impl From<TelemetryData> for MetricsData {
+    fn from(telemetry_data: TelemetryData) -> Self {
+        let mut metrics = vec![];
+        telemetry_data.add_metrics(&mut metrics);
+        Self { metrics }
+    }
+}
+
+trait MetricsProvider {
+    /// Add metrics definitions for this.
+    fn add_metrics(&self, metrics: &mut Vec<MetricFamily>);
+}
+
+impl MetricsProvider for TelemetryData {
+    fn add_metrics(&self, metrics: &mut Vec<MetricFamily>) {
+        self.app.add_metrics(metrics);
+        self.collections.add_metrics(metrics);
+        self.cluster.add_metrics(metrics);
+        self.requests.add_metrics(metrics);
+        if let Some(mem) = &self.memory {
+            mem.add_metrics(metrics);
+        }
+    }
+}
+
+impl MetricsProvider for AppBuildTelemetry {
+    fn add_metrics(&self, metrics: &mut Vec<MetricFamily>) {
+        metrics.push(metric_family(
+            "app_info",
+            "information about qdrant server",
+            MetricType::GAUGE,
+            vec![gauge(
+                1.0,
+                &[("name", &self.name), ("version", &self.version)],
+            )],
+        ));
+        self.features.iter().for_each(|f| f.add_metrics(metrics));
+    }
+}
+
+impl MetricsProvider for AppFeaturesTelemetry {
+    fn add_metrics(&self, metrics: &mut Vec<MetricFamily>) {
+        metrics.push(metric_family(
+            "app_status_recovery_mode",
+            "features enabled in qdrant server",
+            MetricType::GAUGE,
+            vec![gauge(if self.recovery_mode { 1.0 } else { 0.0 }, &[])],
+        ))
+    }
+}
+
+impl MetricsProvider for CollectionsTelemetry {
+    fn add_metrics(&self, metrics: &mut Vec<MetricFamily>) {
+        let vector_count = self
+            .collections
+            .iter()
+            .flatten()
+            .map(|p| match p {
+                CollectionTelemetryEnum::Aggregated(a) => a.vectors,
+                CollectionTelemetryEnum::Full(c) => c.count_vectors(),
+            })
+            .sum::<usize>();
+        metrics.push(metric_family(
+            "collections_total",
+            "number of collections",
+            MetricType::GAUGE,
+            vec![gauge(self.number_of_collections as f64, &[])],
+        ));
+        metrics.push(metric_family(
+            "collections_vector_total",
+            "total number of vectors in all collections",
+            MetricType::GAUGE,
+            vec![gauge(vector_count as f64, &[])],
+        ));
+    }
+}
+
+impl MetricsProvider for ClusterTelemetry {
+    fn add_metrics(&self, metrics: &mut Vec<MetricFamily>) {
+        let ClusterTelemetry {
+            enabled,
+            status,
+            config: _,
+            peers: _,
+            metadata: _,
+        } = self;
+
+        metrics.push(metric_family(
+            "cluster_enabled",
+            "is cluster support enabled",
+            MetricType::GAUGE,
+            vec![gauge(if *enabled { 1.0 } else { 0.0 }, &[])],
+        ));
+
+        if let Some(ref status) = status {
+            status.add_metrics(metrics);
+        }
+    }
+}
+
+impl MetricsProvider for ClusterStatusTelemetry {
+    fn add_metrics(&self, metrics: &mut Vec<MetricFamily>) {
+        metrics.push(metric_family(
+            "cluster_peers_total",
+            "total number of cluster peers",
+            MetricType::GAUGE,
+            vec![gauge(self.number_of_peers as f64, &[])],
+        ));
+        metrics.push(metric_family(
+            "cluster_term",
+            "current cluster term",
+            MetricType::COUNTER,
+            vec![counter(self.term as f64, &[])],
+        ));
+
+        if let Some(ref peer_id) = self.peer_id.map(|p| p.to_string()) {
+            metrics.push(metric_family(
+                "cluster_commit",
+                "index of last committed (finalized) operation cluster peer is aware of",
+                MetricType::COUNTER,
+                vec![counter(self.commit as f64, &[("peer_id", peer_id)])],
+            ));
+            metrics.push(metric_family(
+                "cluster_pending_operations_total",
+                "total number of pending operations for cluster peer",
+                MetricType::GAUGE,
+                vec![gauge(self.pending_operations as f64, &[])],
+            ));
+            metrics.push(metric_family(
+                "cluster_voter",
+                "is cluster peer a voter or learner",
+                MetricType::GAUGE,
+                vec![gauge(if self.is_voter { 1.0 } else { 0.0 }, &[])],
+            ));
+        }
+    }
+}
+
+impl MetricsProvider for RequestsTelemetry {
+    fn add_metrics(&self, metrics: &mut Vec<MetricFamily>) {
+        self.rest.add_metrics(metrics);
+        self.grpc.add_metrics(metrics);
+    }
+}
+
+impl MetricsProvider for WebApiTelemetry {
+    fn add_metrics(&self, metrics: &mut Vec<MetricFamily>) {
+        let mut builder = OperationDurationMetricsBuilder::default();
+        for (endpoint, responses) in &self.responses {
+            let Some((method, endpoint)) = endpoint.split_once(' ') else {
+                continue;
+            };
+            // Endpoint must be whitelisted
+            if REST_ENDPOINT_WHITELIST.binary_search(&endpoint).is_err() {
+                continue;
+            }
+            for (status, stats) in responses {
+                builder.add(
+                    stats,
+                    &[
+                        ("method", method),
+                        ("endpoint", endpoint),
+                        ("status", &status.to_string()),
+                    ],
+                    *status == REST_TIMINGS_FOR_STATUS,
+                );
+            }
+        }
+        builder.build("rest", metrics);
+    }
+}
+
+impl MetricsProvider for GrpcTelemetry {
+    fn add_metrics(&self, metrics: &mut Vec<MetricFamily>) {
+        let mut builder = OperationDurationMetricsBuilder::default();
+        for (endpoint, stats) in &self.responses {
+            // Endpoint must be whitelisted
+            if GRPC_ENDPOINT_WHITELIST
+                .binary_search(&endpoint.as_str())
+                .is_err()
+            {
+                continue;
+            }
+            builder.add(stats, &[("endpoint", endpoint.as_str())], true);
+        }
+        builder.build("grpc", metrics);
+    }
+}
+
+impl MetricsProvider for MemoryTelemetry {
+    fn add_metrics(&self, metrics: &mut Vec<MetricFamily>) {
+        metrics.push(metric_family(
+            "memory_active_bytes",
+            "Total number of bytes in active pages allocated by the application",
+            MetricType::GAUGE,
+            vec![gauge(self.active_bytes as f64, &[])],
+        ));
+        metrics.push(metric_family(
+            "memory_allocated_bytes",
+            "Total number of bytes allocated by the application",
+            MetricType::GAUGE,
+            vec![gauge(self.allocated_bytes as f64, &[])],
+        ));
+        metrics.push(metric_family(
+            "memory_metadata_bytes",
+            "Total number of bytes dedicated to metadata",
+            MetricType::GAUGE,
+            vec![gauge(self.metadata_bytes as f64, &[])],
+        ));
+        metrics.push(metric_family(
+            "memory_resident_bytes",
+            "Maximum number of bytes in physically resident data pages mapped",
+            MetricType::GAUGE,
+            vec![gauge(self.resident_bytes as f64, &[])],
+        ));
+        metrics.push(metric_family(
+            "memory_retained_bytes",
+            "Total number of bytes in virtual memory mappings",
+            MetricType::GAUGE,
+            vec![gauge(self.retained_bytes as f64, &[])],
+        ));
+    }
+}
+
+/// A helper struct to build a vector of [`MetricFamily`] out of a collection of
+/// [`OperationDurationStatistics`].
+#[derive(Default)]
+struct OperationDurationMetricsBuilder {
+    total: Vec<Metric>,
+    fail_total: Vec<Metric>,
+    avg_secs: Vec<Metric>,
+    min_secs: Vec<Metric>,
+    max_secs: Vec<Metric>,
+    duration_histogram_secs: Vec<Metric>,
+}
+
+impl OperationDurationMetricsBuilder {
+    /// Add metrics for the provided statistics.
+    /// If `add_timings` is `false`, only the total and fail_total counters will be added.
+    pub fn add(
+        &mut self,
+        stat: &OperationDurationStatistics,
+        labels: &[(&str, &str)],
+        add_timings: bool,
+    ) {
+        self.total.push(counter(stat.count as f64, labels));
+        self.fail_total
+            .push(counter(stat.fail_count as f64, labels));
+
+        if !add_timings {
+            return;
+        }
+
+        self.avg_secs.push(gauge(
+            f64::from(stat.avg_duration_micros.unwrap_or(0.0)) / 1_000_000.0,
+            labels,
+        ));
+        self.min_secs.push(gauge(
+            f64::from(stat.min_duration_micros.unwrap_or(0.0)) / 1_000_000.0,
+            labels,
+        ));
+        self.max_secs.push(gauge(
+            f64::from(stat.max_duration_micros.unwrap_or(0.0)) / 1_000_000.0,
+            labels,
+        ));
+        self.duration_histogram_secs.push(histogram(
+            stat.count as u64,
+            stat.total_duration_micros as f64 / 1_000_000.0,
+            &stat
+                .duration_micros_histogram
+                .iter()
+                .map(|&(b, c)| (f64::from(b) / 1_000_000.0, c as u64))
+                .collect::<Vec<_>>(),
+            labels,
+        ));
+    }
+
+    /// Build metrics and add them to the provided vector.
+    pub fn build(self, prefix: &str, metrics: &mut Vec<MetricFamily>) {
+        if !self.total.is_empty() {
+            metrics.push(metric_family(
+                &format!("{prefix}_responses_total"),
+                "total number of responses",
+                MetricType::COUNTER,
+                self.total,
+            ));
+        }
+        if !self.fail_total.is_empty() {
+            metrics.push(metric_family(
+                &format!("{prefix}_responses_fail_total"),
+                "total number of failed responses",
+                MetricType::COUNTER,
+                self.fail_total,
+            ));
+        }
+        if !self.avg_secs.is_empty() {
+            metrics.push(metric_family(
+                &format!("{prefix}_responses_avg_duration_seconds"),
+                "average response duration",
+                MetricType::GAUGE,
+                self.avg_secs,
+            ));
+        }
+        if !self.min_secs.is_empty() {
+            metrics.push(metric_family(
+                &format!("{prefix}_responses_min_duration_seconds"),
+                "minimum response duration",
+                MetricType::GAUGE,
+                self.min_secs,
+            ));
+        }
+        if !self.max_secs.is_empty() {
+            metrics.push(metric_family(
+                &format!("{prefix}_responses_max_duration_seconds"),
+                "maximum response duration",
+                MetricType::GAUGE,
+                self.max_secs,
+            ));
+        }
+        if !self.duration_histogram_secs.is_empty() {
+            metrics.push(metric_family(
+                &format!("{prefix}_responses_duration_seconds"),
+                "response duration histogram",
+                MetricType::HISTOGRAM,
+                self.duration_histogram_secs,
+            ));
+        }
+    }
+}
+
+fn metric_family(name: &str, help: &str, r#type: MetricType, metrics: Vec<Metric>) -> MetricFamily {
+    let mut metric_family = MetricFamily::default();
+    metric_family.set_name(name.into());
+    metric_family.set_help(help.into());
+    metric_family.set_field_type(r#type);
+    metric_family.set_metric(metrics);
+    metric_family
+}
+
+fn counter(value: f64, labels: &[(&str, &str)]) -> Metric {
+    let mut metric = Metric::default();
+    metric.set_label(labels.iter().map(|(n, v)| label_pair(n, v)).collect());
+    metric.set_counter({
+        let mut counter = Counter::default();
+        counter.set_value(value);
+        counter
+    });
+    metric
+}
+
+fn gauge(value: f64, labels: &[(&str, &str)]) -> Metric {
+    let mut metric = Metric::default();
+    metric.set_label(labels.iter().map(|(n, v)| label_pair(n, v)).collect());
+    metric.set_gauge({
+        let mut gauge = Gauge::default();
+        gauge.set_value(value);
+        gauge
+    });
+    metric
+}
+
+fn histogram(
+    sample_count: u64,
+    sample_sum: f64,
+    buckets: &[(f64, u64)],
+    labels: &[(&str, &str)],
+) -> Metric {
+    let mut metric = Metric::default();
+    metric.set_label(labels.iter().map(|(n, v)| label_pair(n, v)).collect());
+    metric.set_histogram({
+        let mut histogram = prometheus::proto::Histogram::default();
+        histogram.set_sample_count(sample_count);
+        histogram.set_sample_sum(sample_sum);
+        histogram.set_bucket(
+            buckets
+                .iter()
+                .map(|&(upper_bound, cumulative_count)| {
+                    let mut bucket = prometheus::proto::Bucket::default();
+                    bucket.set_cumulative_count(cumulative_count);
+                    bucket.set_upper_bound(upper_bound);
+                    bucket
+                })
+                .collect(),
+        );
+        histogram
+    });
+    metric
+}
+
+fn label_pair(name: &str, value: &str) -> LabelPair {
+    let mut label = LabelPair::default();
+    label.set_name(name.into());
+    label.set_value(value.into());
+    label
+}
+
+#[cfg(test)]
+mod tests {
+    #[test]
+    fn test_endpoint_whitelists_sorted() {
+        use super::{GRPC_ENDPOINT_WHITELIST, REST_ENDPOINT_WHITELIST};
+
+        assert!(
+            REST_ENDPOINT_WHITELIST.windows(2).all(|n| n[0] <= n[1]),
+            "REST_ENDPOINT_WHITELIST must be sorted in code to allow binary search"
+        );
+        assert!(
+            GRPC_ENDPOINT_WHITELIST.windows(2).all(|n| n[0] <= n[1]),
+            "GRPC_ENDPOINT_WHITELIST must be sorted in code to allow binary search"
+        );
+    }
+}

src/common/mod.rs

@@ -0,0 +1,31 @@
+#[allow(dead_code)] // May contain functions used in different binaries. Not actually dead
+pub mod collections;
+#[allow(dead_code)] // May contain functions used in different binaries. Not actually dead
+pub mod error_reporting;
+#[allow(dead_code)]
+pub mod health;
+#[allow(dead_code)] // May contain functions used in different binaries. Not actually dead
+pub mod helpers;
+pub mod http_client;
+pub mod metrics;
+#[allow(dead_code)] // May contain functions used in different binaries. Not actually dead
+pub mod points;
+pub mod snapshots;
+#[allow(dead_code)] // May contain functions used in different binaries. Not actually dead
+pub mod stacktrace;
+#[allow(dead_code)] // May contain functions used in different binaries. Not actually dead
+pub mod telemetry;
+pub mod telemetry_ops;
+#[allow(dead_code)] // May contain functions used in different binaries. Not actually dead
+pub mod telemetry_reporting;
+
+pub mod auth;
+
+pub mod strings;
+
+pub mod debugger;
+
+#[allow(dead_code)] // May contain functions used in different binaries. Not actually dead
+pub mod inference;
+
+pub mod pyroscope_state;

src/common/points.rs

@@ -0,0 +1,1175 @@
+use std::sync::Arc;
+use std::time::Duration;
+
+use api::rest::schema::{PointInsertOperations, PointsBatch, PointsList};
+use api::rest::{SearchGroupsRequestInternal, ShardKeySelector, UpdateVectors};
+use collection::collection::distance_matrix::{
+    CollectionSearchMatrixRequest, CollectionSearchMatrixResponse,
+};
+use collection::collection::Collection;
+use collection::common::batching::batch_requests;
+use collection::grouping::group_by::GroupRequest;
+use collection::operations::consistency_params::ReadConsistency;
+use collection::operations::payload_ops::{
+    DeletePayload, DeletePayloadOp, PayloadOps, SetPayload, SetPayloadOp,
+};
+use collection::operations::point_ops::{
+    FilterSelector, PointIdsList, PointInsertOperationsInternal, PointOperations, PointsSelector,
+    WriteOrdering,
+};
+use collection::operations::shard_selector_internal::ShardSelectorInternal;
+use collection::operations::types::{
+    CollectionError, CoreSearchRequest, CoreSearchRequestBatch, CountRequestInternal, CountResult,
+    DiscoverRequestBatch, GroupsResult, PointRequestInternal, RecommendGroupsRequestInternal,
+    RecordInternal, ScrollRequestInternal, ScrollResult, UpdateResult,
+};
+use collection::operations::universal_query::collection_query::{
+    CollectionQueryGroupsRequest, CollectionQueryRequest,
+};
+use collection::operations::vector_ops::{DeleteVectors, UpdateVectorsOp, VectorOperations};
+use collection::operations::verification::{
+    new_unchecked_verification_pass, StrictModeVerification,
+};
+use collection::operations::{
+    ClockTag, CollectionUpdateOperations, CreateIndex, FieldIndexOperations, OperationWithClockTag,
+};
+use collection::shards::shard::ShardId;
+use common::counter::hardware_accumulator::HwMeasurementAcc;
+use schemars::JsonSchema;
+use segment::json_path::JsonPath;
+use segment::types::{PayloadFieldSchema, PayloadKeyType, ScoredPoint, StrictModeConfig};
+use serde::{Deserialize, Serialize};
+use storage::content_manager::collection_meta_ops::{
+    CollectionMetaOperations, CreatePayloadIndex, DropPayloadIndex,
+};
+use storage::content_manager::errors::StorageError;
+use storage::content_manager::toc::TableOfContent;
+use storage::dispatcher::Dispatcher;
+use storage::rbac::Access;
+use validator::Validate;
+
+use crate::common::inference::service::InferenceType;
+use crate::common::inference::update_requests::{
+    convert_batch, convert_point_struct, convert_point_vectors,
+};
+
+#[derive(Debug, Deserialize, Serialize, JsonSchema, Validate)]
+pub struct CreateFieldIndex {
+    pub field_name: PayloadKeyType,
+    #[serde(alias = "field_type")]
+    pub field_schema: Option<PayloadFieldSchema>,
+}
+
+#[derive(Deserialize, Serialize, JsonSchema, Validate)]
+pub struct UpsertOperation {
+    #[validate(nested)]
+    upsert: PointInsertOperations,
+}
+
+#[derive(Deserialize, Serialize, JsonSchema, Validate)]
+pub struct DeleteOperation {
+    #[validate(nested)]
+    delete: PointsSelector,
+}
+
+#[derive(Deserialize, Serialize, JsonSchema, Validate)]
+pub struct SetPayloadOperation {
+    #[validate(nested)]
+    set_payload: SetPayload,
+}
+
+#[derive(Deserialize, Serialize, JsonSchema, Validate)]
+pub struct OverwritePayloadOperation {
+    #[validate(nested)]
+    overwrite_payload: SetPayload,
+}
+
+#[derive(Deserialize, Serialize, JsonSchema, Validate)]
+pub struct DeletePayloadOperation {
+    #[validate(nested)]
+    delete_payload: DeletePayload,
+}
+
+#[derive(Deserialize, Serialize, JsonSchema, Validate)]
+pub struct ClearPayloadOperation {
+    #[validate(nested)]
+    clear_payload: PointsSelector,
+}
+
+#[derive(Deserialize, Serialize, JsonSchema, Validate)]
+pub struct UpdateVectorsOperation {
+    #[validate(nested)]
+    update_vectors: UpdateVectors,
+}
+
+#[derive(Deserialize, Serialize, JsonSchema, Validate)]
+pub struct DeleteVectorsOperation {
+    #[validate(nested)]
+    delete_vectors: DeleteVectors,
+}
+
+#[derive(Deserialize, Serialize, JsonSchema)]
+#[serde(rename_all = "snake_case")]
+#[serde(untagged)]
+pub enum UpdateOperation {
+    Upsert(UpsertOperation),
+    Delete(DeleteOperation),
+    SetPayload(SetPayloadOperation),
+    OverwritePayload(OverwritePayloadOperation),
+    DeletePayload(DeletePayloadOperation),
+    ClearPayload(ClearPayloadOperation),
+    UpdateVectors(UpdateVectorsOperation),
+    DeleteVectors(DeleteVectorsOperation),
+}
+
+#[derive(Deserialize, Serialize, JsonSchema, Validate)]
+pub struct UpdateOperations {
+    pub operations: Vec<UpdateOperation>,
+}
+
+impl Validate for UpdateOperation {
+    fn validate(&self) -> Result<(), validator::ValidationErrors> {
+        match self {
+            UpdateOperation::Upsert(op) => op.validate(),
+            UpdateOperation::Delete(op) => op.validate(),
+            UpdateOperation::SetPayload(op) => op.validate(),
+            UpdateOperation::OverwritePayload(op) => op.validate(),
+            UpdateOperation::DeletePayload(op) => op.validate(),
+            UpdateOperation::ClearPayload(op) => op.validate(),
+            UpdateOperation::UpdateVectors(op) => op.validate(),
+            UpdateOperation::DeleteVectors(op) => op.validate(),
+        }
+    }
+}
+
+impl StrictModeVerification for UpdateOperation {
+    fn query_limit(&self) -> Option<usize> {
+        None
+    }
+
+    fn indexed_filter_read(&self) -> Option<&segment::types::Filter> {
+        None
+    }
+
+    fn indexed_filter_write(&self) -> Option<&segment::types::Filter> {
+        None
+    }
+
+    fn request_exact(&self) -> Option<bool> {
+        None
+    }
+
+    fn request_search_params(&self) -> Option<&segment::types::SearchParams> {
+        None
+    }
+
+    fn check_strict_mode(
+        &self,
+        collection: &Collection,
+        strict_mode_config: &StrictModeConfig,
+    ) -> Result<(), CollectionError> {
+        match self {
+            UpdateOperation::Delete(delete_op) => delete_op
+                .delete
+                .check_strict_mode(collection, strict_mode_config),
+            UpdateOperation::SetPayload(set_payload) => set_payload
+                .set_payload
+                .check_strict_mode(collection, strict_mode_config),
+            UpdateOperation::OverwritePayload(overwrite_payload) => overwrite_payload
+                .overwrite_payload
+                .check_strict_mode(collection, strict_mode_config),
+            UpdateOperation::DeletePayload(delete_payload) => delete_payload
+                .delete_payload
+                .check_strict_mode(collection, strict_mode_config),
+            UpdateOperation::ClearPayload(clear_payload) => clear_payload
+                .clear_payload
+                .check_strict_mode(collection, strict_mode_config),
+            UpdateOperation::DeleteVectors(delete_op) => delete_op
+                .delete_vectors
+                .check_strict_mode(collection, strict_mode_config),
+            UpdateOperation::UpdateVectors(_) | UpdateOperation::Upsert(_) => Ok(()),
+        }
+    }
+}
+
+/// Converts a pair of parameters into a shard selector
+/// suitable for update operations.
+///
+/// The key difference from selector for search operations is that
+/// empty shard selector in case of update means default shard,
+/// while empty shard selector in case of search means all shards.
+///
+/// Parameters:
+/// - shard_selection: selection of the exact shard ID, always have priority over shard_key
+/// - shard_key: selection of the shard key, can be a single key or a list of keys
+///
+/// Returns:
+/// - ShardSelectorInternal - resolved shard selector
+fn get_shard_selector_for_update(
+    shard_selection: Option<ShardId>,
+    shard_key: Option<ShardKeySelector>,
+) -> ShardSelectorInternal {
+    match (shard_selection, shard_key) {
+        (Some(shard_selection), None) => ShardSelectorInternal::ShardId(shard_selection),
+        (Some(shard_selection), Some(_)) => {
+            debug_assert!(
+                false,
+                "Shard selection and shard key are mutually exclusive"
+            );
+            ShardSelectorInternal::ShardId(shard_selection)
+        }
+        (None, Some(shard_key)) => ShardSelectorInternal::from(shard_key),
+        (None, None) => ShardSelectorInternal::Empty,
+    }
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_upsert_points(
+    toc: Arc<TableOfContent>,
+    collection_name: String,
+    operation: PointInsertOperations,
+    clock_tag: Option<ClockTag>,
+    shard_selection: Option<ShardId>,
+    wait: bool,
+    ordering: WriteOrdering,
+    access: Access,
+) -> Result<UpdateResult, StorageError> {
+    let (shard_key, operation) = match operation {
+        PointInsertOperations::PointsBatch(PointsBatch { batch, shard_key }) => (
+            shard_key,
+            PointInsertOperationsInternal::PointsBatch(convert_batch(batch).await?),
+        ),
+        PointInsertOperations::PointsList(PointsList { points, shard_key }) => (
+            shard_key,
+            PointInsertOperationsInternal::PointsList(
+                convert_point_struct(points, InferenceType::Update).await?,
+            ),
+        ),
+    };
+
+    let collection_operation =
+        CollectionUpdateOperations::PointOperation(PointOperations::UpsertPoints(operation));
+
+    let shard_selector = get_shard_selector_for_update(shard_selection, shard_key);
+
+    toc.update(
+        &collection_name,
+        OperationWithClockTag::new(collection_operation, clock_tag),
+        wait,
+        ordering,
+        shard_selector,
+        access,
+    )
+    .await
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_delete_points(
+    toc: Arc<TableOfContent>,
+    collection_name: String,
+    points: PointsSelector,
+    clock_tag: Option<ClockTag>,
+    shard_selection: Option<ShardId>,
+    wait: bool,
+    ordering: WriteOrdering,
+    access: Access,
+) -> Result<UpdateResult, StorageError> {
+    let (point_operation, shard_key) = match points {
+        PointsSelector::PointIdsSelector(PointIdsList { points, shard_key }) => {
+            (PointOperations::DeletePoints { ids: points }, shard_key)
+        }
+        PointsSelector::FilterSelector(FilterSelector { filter, shard_key }) => {
+            (PointOperations::DeletePointsByFilter(filter), shard_key)
+        }
+    };
+    let collection_operation = CollectionUpdateOperations::PointOperation(point_operation);
+    let shard_selector = get_shard_selector_for_update(shard_selection, shard_key);
+
+    toc.update(
+        &collection_name,
+        OperationWithClockTag::new(collection_operation, clock_tag),
+        wait,
+        ordering,
+        shard_selector,
+        access,
+    )
+    .await
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_update_vectors(
+    toc: Arc<TableOfContent>,
+    collection_name: String,
+    operation: UpdateVectors,
+    clock_tag: Option<ClockTag>,
+    shard_selection: Option<ShardId>,
+    wait: bool,
+    ordering: WriteOrdering,
+    access: Access,
+) -> Result<UpdateResult, StorageError> {
+    let UpdateVectors { points, shard_key } = operation;
+
+    let persisted_points = convert_point_vectors(points, InferenceType::Update).await?;
+
+    let collection_operation = CollectionUpdateOperations::VectorOperation(
+        VectorOperations::UpdateVectors(UpdateVectorsOp {
+            points: persisted_points,
+        }),
+    );
+
+    let shard_selector = get_shard_selector_for_update(shard_selection, shard_key);
+
+    toc.update(
+        &collection_name,
+        OperationWithClockTag::new(collection_operation, clock_tag),
+        wait,
+        ordering,
+        shard_selector,
+        access,
+    )
+    .await
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_delete_vectors(
+    toc: Arc<TableOfContent>,
+    collection_name: String,
+    operation: DeleteVectors,
+    clock_tag: Option<ClockTag>,
+    shard_selection: Option<ShardId>,
+    wait: bool,
+    ordering: WriteOrdering,
+    access: Access,
+) -> Result<UpdateResult, StorageError> {
+    // TODO: Is this cancel safe!?
+
+    let DeleteVectors {
+        vector,
+        filter,
+        points,
+        shard_key,
+    } = operation;
+
+    let vector_names: Vec<_> = vector.into_iter().collect();
+    let shard_selector = get_shard_selector_for_update(shard_selection, shard_key);
+
+    let mut result = None;
+
+    if let Some(filter) = filter {
+        let vectors_operation =
+            VectorOperations::DeleteVectorsByFilter(filter, vector_names.clone());
+
+        let collection_operation = CollectionUpdateOperations::VectorOperation(vectors_operation);
+
+        result = Some(
+            toc.update(
+                &collection_name,
+                OperationWithClockTag::new(collection_operation, clock_tag),
+                wait,
+                ordering,
+                shard_selector.clone(),
+                access.clone(),
+            )
+            .await?,
+        );
+    }
+
+    if let Some(points) = points {
+        let vectors_operation = VectorOperations::DeleteVectors(points.into(), vector_names);
+        let collection_operation = CollectionUpdateOperations::VectorOperation(vectors_operation);
+        result = Some(
+            toc.update(
+                &collection_name,
+                OperationWithClockTag::new(collection_operation, clock_tag),
+                wait,
+                ordering,
+                shard_selector,
+                access,
+            )
+            .await?,
+        );
+    }
+
+    result.ok_or_else(|| StorageError::bad_request("No filter or points provided"))
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_set_payload(
+    toc: Arc<TableOfContent>,
+    collection_name: String,
+    operation: SetPayload,
+    clock_tag: Option<ClockTag>,
+    shard_selection: Option<ShardId>,
+    wait: bool,
+    ordering: WriteOrdering,
+    access: Access,
+) -> Result<UpdateResult, StorageError> {
+    let SetPayload {
+        points,
+        payload,
+        filter,
+        shard_key,
+        key,
+    } = operation;
+
+    let collection_operation =
+        CollectionUpdateOperations::PayloadOperation(PayloadOps::SetPayload(SetPayloadOp {
+            payload,
+            points,
+            filter,
+            key,
+        }));
+
+    let shard_selector = get_shard_selector_for_update(shard_selection, shard_key);
+
+    toc.update(
+        &collection_name,
+        OperationWithClockTag::new(collection_operation, clock_tag),
+        wait,
+        ordering,
+        shard_selector,
+        access,
+    )
+    .await
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_overwrite_payload(
+    toc: Arc<TableOfContent>,
+    collection_name: String,
+    operation: SetPayload,
+    clock_tag: Option<ClockTag>,
+    shard_selection: Option<ShardId>,
+    wait: bool,
+    ordering: WriteOrdering,
+    access: Access,
+) -> Result<UpdateResult, StorageError> {
+    let SetPayload {
+        points,
+        payload,
+        filter,
+        shard_key,
+        ..
+    } = operation;
+
+    let collection_operation =
+        CollectionUpdateOperations::PayloadOperation(PayloadOps::OverwritePayload(SetPayloadOp {
+            payload,
+            points,
+            filter,
+            // overwrite operation doesn't support payload selector
+            key: None,
+        }));
+
+    let shard_selector = get_shard_selector_for_update(shard_selection, shard_key);
+
+    toc.update(
+        &collection_name,
+        OperationWithClockTag::new(collection_operation, clock_tag),
+        wait,
+        ordering,
+        shard_selector,
+        access,
+    )
+    .await
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_delete_payload(
+    toc: Arc<TableOfContent>,
+    collection_name: String,
+    operation: DeletePayload,
+    clock_tag: Option<ClockTag>,
+    shard_selection: Option<ShardId>,
+    wait: bool,
+    ordering: WriteOrdering,
+    access: Access,
+) -> Result<UpdateResult, StorageError> {
+    let DeletePayload {
+        keys,
+        points,
+        filter,
+        shard_key,
+    } = operation;
+
+    let collection_operation =
+        CollectionUpdateOperations::PayloadOperation(PayloadOps::DeletePayload(DeletePayloadOp {
+            keys,
+            points,
+            filter,
+        }));
+
+    let shard_selector = get_shard_selector_for_update(shard_selection, shard_key);
+
+    toc.update(
+        &collection_name,
+        OperationWithClockTag::new(collection_operation, clock_tag),
+        wait,
+        ordering,
+        shard_selector,
+        access,
+    )
+    .await
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_clear_payload(
+    toc: Arc<TableOfContent>,
+    collection_name: String,
+    points: PointsSelector,
+    clock_tag: Option<ClockTag>,
+    shard_selection: Option<ShardId>,
+    wait: bool,
+    ordering: WriteOrdering,
+    access: Access,
+) -> Result<UpdateResult, StorageError> {
+    let (point_operation, shard_key) = match points {
+        PointsSelector::PointIdsSelector(PointIdsList { points, shard_key }) => {
+            (PayloadOps::ClearPayload { points }, shard_key)
+        }
+        PointsSelector::FilterSelector(FilterSelector { filter, shard_key }) => {
+            (PayloadOps::ClearPayloadByFilter(filter), shard_key)
+        }
+    };
+
+    let collection_operation = CollectionUpdateOperations::PayloadOperation(point_operation);
+
+    let shard_selector = get_shard_selector_for_update(shard_selection, shard_key);
+
+    toc.update(
+        &collection_name,
+        OperationWithClockTag::new(collection_operation, clock_tag),
+        wait,
+        ordering,
+        shard_selector,
+        access,
+    )
+    .await
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_batch_update_points(
+    toc: Arc<TableOfContent>,
+    collection_name: String,
+    operations: Vec<UpdateOperation>,
+    clock_tag: Option<ClockTag>,
+    shard_selection: Option<ShardId>,
+    wait: bool,
+    ordering: WriteOrdering,
+    access: Access,
+) -> Result<Vec<UpdateResult>, StorageError> {
+    let mut results = Vec::with_capacity(operations.len());
+    for operation in operations {
+        let result = match operation {
+            UpdateOperation::Upsert(operation) => {
+                do_upsert_points(
+                    toc.clone(),
+                    collection_name.clone(),
+                    operation.upsert,
+                    clock_tag,
+                    shard_selection,
+                    wait,
+                    ordering,
+                    access.clone(),
+                )
+                .await
+            }
+            UpdateOperation::Delete(operation) => {
+                do_delete_points(
+                    toc.clone(),
+                    collection_name.clone(),
+                    operation.delete,
+                    clock_tag,
+                    shard_selection,
+                    wait,
+                    ordering,
+                    access.clone(),
+                )
+                .await
+            }
+            UpdateOperation::SetPayload(operation) => {
+                do_set_payload(
+                    toc.clone(),
+                    collection_name.clone(),
+                    operation.set_payload,
+                    clock_tag,
+                    shard_selection,
+                    wait,
+                    ordering,
+                    access.clone(),
+                )
+                .await
+            }
+            UpdateOperation::OverwritePayload(operation) => {
+                do_overwrite_payload(
+                    toc.clone(),
+                    collection_name.clone(),
+                    operation.overwrite_payload,
+                    clock_tag,
+                    shard_selection,
+                    wait,
+                    ordering,
+                    access.clone(),
+                )
+                .await
+            }
+            UpdateOperation::DeletePayload(operation) => {
+                do_delete_payload(
+                    toc.clone(),
+                    collection_name.clone(),
+                    operation.delete_payload,
+                    clock_tag,
+                    shard_selection,
+                    wait,
+                    ordering,
+                    access.clone(),
+                )
+                .await
+            }
+            UpdateOperation::ClearPayload(operation) => {
+                do_clear_payload(
+                    toc.clone(),
+                    collection_name.clone(),
+                    operation.clear_payload,
+                    clock_tag,
+                    shard_selection,
+                    wait,
+                    ordering,
+                    access.clone(),
+                )
+                .await
+            }
+            UpdateOperation::UpdateVectors(operation) => {
+                do_update_vectors(
+                    toc.clone(),
+                    collection_name.clone(),
+                    operation.update_vectors,
+                    clock_tag,
+                    shard_selection,
+                    wait,
+                    ordering,
+                    access.clone(),
+                )
+                .await
+            }
+            UpdateOperation::DeleteVectors(operation) => {
+                do_delete_vectors(
+                    toc.clone(),
+                    collection_name.clone(),
+                    operation.delete_vectors,
+                    clock_tag,
+                    shard_selection,
+                    wait,
+                    ordering,
+                    access.clone(),
+                )
+                .await
+            }
+        }?;
+        results.push(result);
+    }
+    Ok(results)
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_create_index_internal(
+    toc: Arc<TableOfContent>,
+    collection_name: String,
+    field_name: PayloadKeyType,
+    field_schema: Option<PayloadFieldSchema>,
+    clock_tag: Option<ClockTag>,
+    shard_selection: Option<ShardId>,
+    wait: bool,
+    ordering: WriteOrdering,
+) -> Result<UpdateResult, StorageError> {
+    let collection_operation = CollectionUpdateOperations::FieldIndexOperation(
+        FieldIndexOperations::CreateIndex(CreateIndex {
+            field_name,
+            field_schema,
+        }),
+    );
+
+    let shard_selector = if let Some(shard_selection) = shard_selection {
+        ShardSelectorInternal::ShardId(shard_selection)
+    } else {
+        ShardSelectorInternal::All
+    };
+
+    toc.update(
+        &collection_name,
+        OperationWithClockTag::new(collection_operation, clock_tag),
+        wait,
+        ordering,
+        shard_selector,
+        Access::full("Internal API"),
+    )
+    .await
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_create_index(
+    dispatcher: Arc<Dispatcher>,
+    collection_name: String,
+    operation: CreateFieldIndex,
+    clock_tag: Option<ClockTag>,
+    shard_selection: Option<ShardId>,
+    wait: bool,
+    ordering: WriteOrdering,
+    access: Access,
+) -> Result<UpdateResult, StorageError> {
+    // TODO: Is this cancel safe!?
+
+    let Some(field_schema) = operation.field_schema else {
+        return Err(StorageError::bad_request(
+            "Can't auto-detect field type, please specify `field_schema` in the request",
+        ));
+    };
+
+    let consensus_op = CollectionMetaOperations::CreatePayloadIndex(CreatePayloadIndex {
+        collection_name: collection_name.to_string(),
+        field_name: operation.field_name.clone(),
+        field_schema: field_schema.clone(),
+    });
+
+    // Default consensus timeout will be used
+    let wait_timeout = None; // ToDo: make it configurable
+
+    // Nothing to verify here.
+    let pass = new_unchecked_verification_pass();
+
+    let toc = dispatcher.toc(&access, &pass).clone();
+
+    // TODO: Is `submit_collection_meta_op` cancel-safe!? Should be, I think?.. 🤔
+    dispatcher
+        .submit_collection_meta_op(consensus_op, access, wait_timeout)
+        .await?;
+
+    // This function is required as long as we want to maintain interface compatibility
+    // for `wait` parameter and return type.
+    // The idea is to migrate from the point-like interface to consensus-like interface in the next few versions
+
+    do_create_index_internal(
+        toc,
+        collection_name,
+        operation.field_name,
+        Some(field_schema),
+        clock_tag,
+        shard_selection,
+        wait,
+        ordering,
+    )
+    .await
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_delete_index_internal(
+    toc: Arc<TableOfContent>,
+    collection_name: String,
+    index_name: JsonPath,
+    clock_tag: Option<ClockTag>,
+    shard_selection: Option<ShardId>,
+    wait: bool,
+    ordering: WriteOrdering,
+) -> Result<UpdateResult, StorageError> {
+    let collection_operation = CollectionUpdateOperations::FieldIndexOperation(
+        FieldIndexOperations::DeleteIndex(index_name),
+    );
+
+    let shard_selector = if let Some(shard_selection) = shard_selection {
+        ShardSelectorInternal::ShardId(shard_selection)
+    } else {
+        ShardSelectorInternal::All
+    };
+
+    toc.update(
+        &collection_name,
+        OperationWithClockTag::new(collection_operation, clock_tag),
+        wait,
+        ordering,
+        shard_selector,
+        Access::full("Internal API"),
+    )
+    .await
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_delete_index(
+    dispatcher: Arc<Dispatcher>,
+    collection_name: String,
+    index_name: JsonPath,
+    clock_tag: Option<ClockTag>,
+    shard_selection: Option<ShardId>,
+    wait: bool,
+    ordering: WriteOrdering,
+    access: Access,
+) -> Result<UpdateResult, StorageError> {
+    // TODO: Is this cancel safe!?
+
+    let consensus_op = CollectionMetaOperations::DropPayloadIndex(DropPayloadIndex {
+        collection_name: collection_name.to_string(),
+        field_name: index_name.clone(),
+    });
+
+    // Default consensus timeout will be used
+    let wait_timeout = None; // ToDo: make it configurable
+
+    // Nothing to verify here.
+    let pass = new_unchecked_verification_pass();
+
+    let toc = dispatcher.toc(&access, &pass).clone();
+
+    // TODO: Is `submit_collection_meta_op` cancel-safe!? Should be, I think?.. 🤔
+    dispatcher
+        .submit_collection_meta_op(consensus_op, access, wait_timeout)
+        .await?;
+
+    do_delete_index_internal(
+        toc,
+        collection_name,
+        index_name,
+        clock_tag,
+        shard_selection,
+        wait,
+        ordering,
+    )
+    .await
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_core_search_points(
+    toc: &TableOfContent,
+    collection_name: &str,
+    request: CoreSearchRequest,
+    read_consistency: Option<ReadConsistency>,
+    shard_selection: ShardSelectorInternal,
+    access: Access,
+    timeout: Option<Duration>,
+    hw_measurement_acc: &HwMeasurementAcc,
+) -> Result<Vec<ScoredPoint>, StorageError> {
+    let batch_res = do_core_search_batch_points(
+        toc,
+        collection_name,
+        CoreSearchRequestBatch {
+            searches: vec![request],
+        },
+        read_consistency,
+        shard_selection,
+        access,
+        timeout,
+        hw_measurement_acc,
+    )
+    .await?;
+    batch_res
+        .into_iter()
+        .next()
+        .ok_or_else(|| StorageError::service_error("Empty search result"))
+}
+
+pub async fn do_search_batch_points(
+    toc: &TableOfContent,
+    collection_name: &str,
+    requests: Vec<(CoreSearchRequest, ShardSelectorInternal)>,
+    read_consistency: Option<ReadConsistency>,
+    access: Access,
+    timeout: Option<Duration>,
+    hw_measurement_acc: &HwMeasurementAcc,
+) -> Result<Vec<Vec<ScoredPoint>>, StorageError> {
+    let requests = batch_requests::<
+        (CoreSearchRequest, ShardSelectorInternal),
+        ShardSelectorInternal,
+        Vec<CoreSearchRequest>,
+        Vec<_>,
+    >(
+        requests,
+        |(_, shard_selector)| shard_selector,
+        |(request, _), core_reqs| {
+            core_reqs.push(request);
+            Ok(())
+        },
+        |shard_selector, core_requests, res| {
+            if core_requests.is_empty() {
+                return Ok(());
+            }
+
+            let core_batch = CoreSearchRequestBatch {
+                searches: core_requests,
+            };
+
+            let req = toc.core_search_batch(
+                collection_name,
+                core_batch,
+                read_consistency,
+                shard_selector,
+                access.clone(),
+                timeout,
+                hw_measurement_acc,
+            );
+            res.push(req);
+            Ok(())
+        },
+    )?;
+
+    let results = futures::future::try_join_all(requests).await?;
+    let flatten_results: Vec<Vec<_>> = results.into_iter().flatten().collect();
+    Ok(flatten_results)
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_core_search_batch_points(
+    toc: &TableOfContent,
+    collection_name: &str,
+    request: CoreSearchRequestBatch,
+    read_consistency: Option<ReadConsistency>,
+    shard_selection: ShardSelectorInternal,
+    access: Access,
+    timeout: Option<Duration>,
+    hw_measurement_acc: &HwMeasurementAcc,
+) -> Result<Vec<Vec<ScoredPoint>>, StorageError> {
+    toc.core_search_batch(
+        collection_name,
+        request,
+        read_consistency,
+        shard_selection,
+        access,
+        timeout,
+        hw_measurement_acc,
+    )
+    .await
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_search_point_groups(
+    toc: &TableOfContent,
+    collection_name: &str,
+    request: SearchGroupsRequestInternal,
+    read_consistency: Option<ReadConsistency>,
+    shard_selection: ShardSelectorInternal,
+    access: Access,
+    timeout: Option<Duration>,
+    hw_measurement_acc: &HwMeasurementAcc,
+) -> Result<GroupsResult, StorageError> {
+    toc.group(
+        collection_name,
+        GroupRequest::from(request),
+        read_consistency,
+        shard_selection,
+        access,
+        timeout,
+        hw_measurement_acc,
+    )
+    .await
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_recommend_point_groups(
+    toc: &TableOfContent,
+    collection_name: &str,
+    request: RecommendGroupsRequestInternal,
+    read_consistency: Option<ReadConsistency>,
+    shard_selection: ShardSelectorInternal,
+    access: Access,
+    timeout: Option<Duration>,
+    hw_measurement_acc: &HwMeasurementAcc,
+) -> Result<GroupsResult, StorageError> {
+    toc.group(
+        collection_name,
+        GroupRequest::from(request),
+        read_consistency,
+        shard_selection,
+        access,
+        timeout,
+        hw_measurement_acc,
+    )
+    .await
+}
+
+pub async fn do_discover_batch_points(
+    toc: &TableOfContent,
+    collection_name: &str,
+    request: DiscoverRequestBatch,
+    read_consistency: Option<ReadConsistency>,
+    access: Access,
+    timeout: Option<Duration>,
+    hw_measurement_acc: &HwMeasurementAcc,
+) -> Result<Vec<Vec<ScoredPoint>>, StorageError> {
+    let requests = request
+        .searches
+        .into_iter()
+        .map(|req| {
+            let shard_selector = match req.shard_key {
+                None => ShardSelectorInternal::All,
+                Some(shard_key) => ShardSelectorInternal::from(shard_key),
+            };
+
+            (req.discover_request, shard_selector)
+        })
+        .collect();
+
+    toc.discover_batch(
+        collection_name,
+        requests,
+        read_consistency,
+        access,
+        timeout,
+        hw_measurement_acc,
+    )
+    .await
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_count_points(
+    toc: &TableOfContent,
+    collection_name: &str,
+    request: CountRequestInternal,
+    read_consistency: Option<ReadConsistency>,
+    timeout: Option<Duration>,
+    shard_selection: ShardSelectorInternal,
+    access: Access,
+    hw_measurement_acc: &HwMeasurementAcc,
+) -> Result<CountResult, StorageError> {
+    toc.count(
+        collection_name,
+        request,
+        read_consistency,
+        timeout,
+        shard_selection,
+        access,
+        hw_measurement_acc,
+    )
+    .await
+}
+
+pub async fn do_get_points(
+    toc: &TableOfContent,
+    collection_name: &str,
+    request: PointRequestInternal,
+    read_consistency: Option<ReadConsistency>,
+    timeout: Option<Duration>,
+    shard_selection: ShardSelectorInternal,
+    access: Access,
+) -> Result<Vec<RecordInternal>, StorageError> {
+    toc.retrieve(
+        collection_name,
+        request,
+        read_consistency,
+        timeout,
+        shard_selection,
+        access,
+    )
+    .await
+}
+
+pub async fn do_scroll_points(
+    toc: &TableOfContent,
+    collection_name: &str,
+    request: ScrollRequestInternal,
+    read_consistency: Option<ReadConsistency>,
+    timeout: Option<Duration>,
+    shard_selection: ShardSelectorInternal,
+    access: Access,
+) -> Result<ScrollResult, StorageError> {
+    toc.scroll(
+        collection_name,
+        request,
+        read_consistency,
+        timeout,
+        shard_selection,
+        access,
+    )
+    .await
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_query_points(
+    toc: &TableOfContent,
+    collection_name: &str,
+    request: CollectionQueryRequest,
+    read_consistency: Option<ReadConsistency>,
+    shard_selection: ShardSelectorInternal,
+    access: Access,
+    timeout: Option<Duration>,
+    hw_measurement_acc: &HwMeasurementAcc,
+) -> Result<Vec<ScoredPoint>, StorageError> {
+    let requests = vec![(request, shard_selection)];
+    let batch_res = toc
+        .query_batch(
+            collection_name,
+            requests,
+            read_consistency,
+            access,
+            timeout,
+            hw_measurement_acc,
+        )
+        .await?;
+    batch_res
+        .into_iter()
+        .next()
+        .ok_or_else(|| StorageError::service_error("Empty query result"))
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_query_batch_points(
+    toc: &TableOfContent,
+    collection_name: &str,
+    requests: Vec<(CollectionQueryRequest, ShardSelectorInternal)>,
+    read_consistency: Option<ReadConsistency>,
+    access: Access,
+    timeout: Option<Duration>,
+    hw_measurement_acc: &HwMeasurementAcc,
+) -> Result<Vec<Vec<ScoredPoint>>, StorageError> {
+    toc.query_batch(
+        collection_name,
+        requests,
+        read_consistency,
+        access,
+        timeout,
+        hw_measurement_acc,
+    )
+    .await
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_query_point_groups(
+    toc: &TableOfContent,
+    collection_name: &str,
+    request: CollectionQueryGroupsRequest,
+    read_consistency: Option<ReadConsistency>,
+    shard_selection: ShardSelectorInternal,
+    access: Access,
+    timeout: Option<Duration>,
+    hw_measurement_acc: &HwMeasurementAcc,
+) -> Result<GroupsResult, StorageError> {
+    toc.group(
+        collection_name,
+        GroupRequest::from(request),
+        read_consistency,
+        shard_selection,
+        access,
+        timeout,
+        hw_measurement_acc,
+    )
+    .await
+}
+
+#[allow(clippy::too_many_arguments)]
+pub async fn do_search_points_matrix(
+    toc: &TableOfContent,
+    collection_name: &str,
+    request: CollectionSearchMatrixRequest,
+    read_consistency: Option<ReadConsistency>,
+    shard_selection: ShardSelectorInternal,
+    access: Access,
+    timeout: Option<Duration>,
+    hw_measurement_acc: &HwMeasurementAcc,
+) -> Result<CollectionSearchMatrixResponse, StorageError> {
+    toc.search_points_matrix(
+        collection_name,
+        request,
+        read_consistency,
+        shard_selection,
+        access,
+        timeout,
+        hw_measurement_acc,
+    )
+    .await
+}

src/common/pyroscope_state.rs

@@ -0,0 +1,93 @@
+#[cfg(target_os = "linux")]
+pub mod pyro {
+
+    use pyroscope::pyroscope::PyroscopeAgentRunning;
+    use pyroscope::{PyroscopeAgent, PyroscopeError};
+    use pyroscope_pprofrs::{pprof_backend, PprofConfig};
+
+    use crate::common::debugger::PyroscopeConfig;
+
+    pub struct PyroscopeState {
+        pub config: PyroscopeConfig,
+        pub agent: Option<PyroscopeAgent<PyroscopeAgentRunning>>,
+    }
+
+    impl PyroscopeState {
+        fn build_agent(
+            config: &PyroscopeConfig,
+        ) -> Result<PyroscopeAgent<PyroscopeAgentRunning>, PyroscopeError> {
+            let pprof_config = PprofConfig::new().sample_rate(config.sampling_rate.unwrap_or(100));
+            let backend_impl = pprof_backend(pprof_config);
+
+            log::info!(
+                "Starting pyroscope agent with identifier {}",
+                &config.identifier
+            );
+            // TODO: Add more tags like peerId and peerUrl
+            let agent = PyroscopeAgent::builder(config.url.to_string(), "qdrant".to_string())
+                .backend(backend_impl)
+                .tags(vec![("app", "Qdrant"), ("identifier", &config.identifier)])
+                .build()?;
+            let running_agent = agent.start()?;
+
+            Ok(running_agent)
+        }
+
+        pub fn from_config(config: Option<PyroscopeConfig>) -> Option<Self> {
+            match config {
+                Some(pyro_config) => {
+                    let agent = PyroscopeState::build_agent(&pyro_config);
+                    match agent {
+                        Ok(agent) => Some(PyroscopeState {
+                            config: pyro_config,
+                            agent: Some(agent),
+                        }),
+                        Err(err) => {
+                            log::warn!("Pyroscope agent failed to start {}", err);
+                            None
+                        }
+                    }
+                }
+                None => None,
+            }
+        }
+
+        pub fn stop_agent(&mut self) -> bool {
+            log::info!("Stopping pyroscope agent");
+            if let Some(agent) = self.agent.take() {
+                match agent.stop() {
+                    Ok(stopped_agent) => {
+                        log::info!("Stopped pyroscope agent. Shutting it down");
+                        stopped_agent.shutdown();
+                        log::info!("Pyroscope agent shut down completed.");
+                        return true;
+                    }
+                    Err(err) => {
+                        log::warn!("Pyroscope agent failed to stop {}", err);
+                        return false;
+                    }
+                }
+            }
+            true
+        }
+    }
+
+    impl Drop for PyroscopeState {
+        fn drop(&mut self) {
+            self.stop_agent();
+        }
+    }
+}
+
+#[cfg(not(target_os = "linux"))]
+pub mod pyro {
+    use crate::common::debugger::PyroscopeConfig;
+
+    pub struct PyroscopeState {}
+
+    impl PyroscopeState {
+        pub fn from_config(_config: Option<PyroscopeConfig>) -> Option<Self> {
+            None
+        }
+    }
+}

src/common/snapshots.rs

@@ -0,0 +1,284 @@
+use std::sync::Arc;
+
+use collection::collection::Collection;
+use collection::common::sha_256::hash_file;
+use collection::common::snapshot_stream::SnapshotStream;
+use collection::operations::snapshot_ops::{
+    ShardSnapshotLocation, SnapshotDescription, SnapshotPriority,
+};
+use collection::shards::replica_set::ReplicaState;
+use collection::shards::shard::ShardId;
+use storage::content_manager::errors::StorageError;
+use storage::content_manager::snapshots;
+use storage::content_manager::toc::TableOfContent;
+use storage::rbac::{Access, AccessRequirements};
+
+use super::http_client::HttpClient;
+
+/// # Cancel safety
+///
+/// This function is cancel safe.
+pub async fn create_shard_snapshot(
+    toc: Arc<TableOfContent>,
+    access: Access,
+    collection_name: String,
+    shard_id: ShardId,
+) -> Result<SnapshotDescription, StorageError> {
+    let collection_pass = access
+        .check_collection_access(&collection_name, AccessRequirements::new().write().whole())?;
+    let collection = toc.get_collection(&collection_pass).await?;
+
+    let snapshot = collection
+        .create_shard_snapshot(shard_id, &toc.optional_temp_or_snapshot_temp_path()?)
+        .await?;
+
+    Ok(snapshot)
+}
+
+/// # Cancel safety
+///
+/// This function is cancel safe.
+pub async fn stream_shard_snapshot(
+    toc: Arc<TableOfContent>,
+    access: Access,
+    collection_name: String,
+    shard_id: ShardId,
+) -> Result<SnapshotStream, StorageError> {
+    let collection_pass = access
+        .check_collection_access(&collection_name, AccessRequirements::new().write().whole())?;
+    let collection = toc.get_collection(&collection_pass).await?;
+
+    Ok(collection
+        .stream_shard_snapshot(shard_id, &toc.optional_temp_or_snapshot_temp_path()?)
+        .await?)
+}
+
+/// # Cancel safety
+///
+/// This function is cancel safe.
+pub async fn list_shard_snapshots(
+    toc: Arc<TableOfContent>,
+    access: Access,
+    collection_name: String,
+    shard_id: ShardId,
+) -> Result<Vec<SnapshotDescription>, StorageError> {
+    let collection_pass =
+        access.check_collection_access(&collection_name, AccessRequirements::new().whole())?;
+    let collection = toc.get_collection(&collection_pass).await?;
+    let snapshots = collection.list_shard_snapshots(shard_id).await?;
+    Ok(snapshots)
+}
+
+/// # Cancel safety
+///
+/// This function is cancel safe.
+pub async fn delete_shard_snapshot(
+    toc: Arc<TableOfContent>,
+    access: Access,
+    collection_name: String,
+    shard_id: ShardId,
+    snapshot_name: String,
+) -> Result<(), StorageError> {
+    let collection_pass = access
+        .check_collection_access(&collection_name, AccessRequirements::new().write().whole())?;
+    let collection = toc.get_collection(&collection_pass).await?;
+    let snapshot_manager = collection.get_snapshots_storage_manager()?;
+
+    let snapshot_path = collection
+        .shards_holder()
+        .read()
+        .await
+        .get_shard_snapshot_path(collection.snapshots_path(), shard_id, &snapshot_name)
+        .await?;
+
+    tokio::spawn(async move { snapshot_manager.delete_snapshot(&snapshot_path).await }).await??;
+
+    Ok(())
+}
+
+/// # Cancel safety
+///
+/// This function is cancel safe.
+#[allow(clippy::too_many_arguments)]
+pub async fn recover_shard_snapshot(
+    toc: Arc<TableOfContent>,
+    access: Access,
+    collection_name: String,
+    shard_id: ShardId,
+    snapshot_location: ShardSnapshotLocation,
+    snapshot_priority: SnapshotPriority,
+    checksum: Option<String>,
+    client: HttpClient,
+    api_key: Option<String>,
+) -> Result<(), StorageError> {
+    let collection_pass = access
+        .check_global_access(AccessRequirements::new().manage())?
+        .issue_pass(&collection_name)
+        .into_static();
+
+    // - `recover_shard_snapshot_impl` is *not* cancel safe
+    //   - but the task is *spawned* on the runtime and won't be cancelled, if request is cancelled
+
+    cancel::future::spawn_cancel_on_drop(move |cancel| async move {
+        let future = async {
+            let collection = toc.get_collection(&collection_pass).await?;
+            collection.assert_shard_exists(shard_id).await?;
+
+            let download_dir = toc.optional_temp_or_snapshot_temp_path()?;
+
+            let snapshot_path = match snapshot_location {
+                ShardSnapshotLocation::Url(url) => {
+                    if !matches!(url.scheme(), "http" | "https") {
+                        let description = format!(
+                            "Invalid snapshot URL {url}: URLs with {} scheme are not supported",
+                            url.scheme(),
+                        );
+
+                        return Err(StorageError::bad_input(description));
+                    }
+
+                    let client = client.client(api_key.as_deref())?;
+
+                    snapshots::download::download_snapshot(&client, url, &download_dir).await?
+                }
+
+                ShardSnapshotLocation::Path(snapshot_file_name) => {
+                    let snapshot_path = collection
+                        .shards_holder()
+                        .read()
+                        .await
+                        .get_shard_snapshot_path(
+                            collection.snapshots_path(),
+                            shard_id,
+                            &snapshot_file_name,
+                        )
+                        .await?;
+
+                    collection
+                        .get_snapshots_storage_manager()?
+                        .get_snapshot_file(&snapshot_path, &download_dir)
+                        .await?
+                }
+            };
+
+            if let Some(checksum) = checksum {
+                let snapshot_checksum = hash_file(&snapshot_path).await?;
+                if snapshot_checksum != checksum {
+                    return Err(StorageError::bad_input(format!(
+                        "Snapshot checksum mismatch: expected {checksum}, got {snapshot_checksum}"
+                    )));
+                }
+            }
+
+            Result::<_, StorageError>::Ok((collection, snapshot_path))
+        };
+
+        let (collection, snapshot_path) =
+            cancel::future::cancel_on_token(cancel.clone(), future).await??;
+
+        // `recover_shard_snapshot_impl` is *not* cancel safe
+        let result = recover_shard_snapshot_impl(
+            &toc,
+            &collection,
+            shard_id,
+            &snapshot_path,
+            snapshot_priority,
+            cancel,
+        )
+        .await;
+
+        // Remove snapshot after recovery if downloaded
+        if let Err(err) = snapshot_path.close() {
+            log::error!("Failed to remove downloaded shards snapshot after recovery: {err}");
+        }
+
+        result
+    })
+    .await??;
+
+    Ok(())
+}
+
+/// # Cancel safety
+///
+/// This function is *not* cancel safe.
+pub async fn recover_shard_snapshot_impl(
+    toc: &TableOfContent,
+    collection: &Collection,
+    shard: ShardId,
+    snapshot_path: &std::path::Path,
+    priority: SnapshotPriority,
+    cancel: cancel::CancellationToken,
+) -> Result<(), StorageError> {
+    // `Collection::restore_shard_snapshot` and `activate_shard` calls *have to* be executed as a
+    // single transaction
+    //
+    // It is *possible* to make this function to be cancel safe, but it is *extremely tedious* to do so
+
+    // `Collection::restore_shard_snapshot` is *not* cancel safe
+    // (see `ShardReplicaSet::restore_local_replica_from`)
+    collection
+        .restore_shard_snapshot(
+            shard,
+            snapshot_path,
+            toc.this_peer_id,
+            toc.is_distributed(),
+            &toc.optional_temp_or_snapshot_temp_path()?,
+            cancel,
+        )
+        .await?;
+
+    let state = collection.state().await;
+    let shard_info = state.shards.get(&shard).unwrap(); // TODO: Handle `unwrap`?..
+
+    // TODO: Unify (and de-duplicate) "recovered shard state notification" logic in `_do_recover_from_snapshot` with this one!
+
+    let other_active_replicas: Vec<_> = shard_info
+        .replicas
+        .iter()
+        .map(|(&peer, &state)| (peer, state))
+        .filter(|&(peer, state)| peer != toc.this_peer_id && state == ReplicaState::Active)
+        .collect();
+
+    if other_active_replicas.is_empty() {
+        snapshots::recover::activate_shard(toc, collection, toc.this_peer_id, &shard).await?;
+    } else {
+        match priority {
+            SnapshotPriority::NoSync => {
+                snapshots::recover::activate_shard(toc, collection, toc.this_peer_id, &shard)
+                    .await?;
+            }
+
+            SnapshotPriority::Snapshot => {
+                snapshots::recover::activate_shard(toc, collection, toc.this_peer_id, &shard)
+                    .await?;
+
+                for &(peer, _) in other_active_replicas.iter() {
+                    toc.send_set_replica_state_proposal(
+                        collection.name(),
+                        peer,
+                        shard,
+                        ReplicaState::Dead,
+                        None,
+                    )?;
+                }
+            }
+
+            SnapshotPriority::Replica => {
+                toc.send_set_replica_state_proposal(
+                    collection.name(),
+                    toc.this_peer_id,
+                    shard,
+                    ReplicaState::Dead,
+                    None,
+                )?;
+            }
+
+            // `ShardTransfer` is only used during snapshot *shard transfer*.
+            // State transitions are performed as part of shard transfer *later*, so this simply does *nothing*.
+            SnapshotPriority::ShardTransfer => (),
+        }
+    }
+
+    Ok(())
+}

src/common/stacktrace.rs

@@ -0,0 +1,86 @@
+use schemars::JsonSchema;
+use serde::{Deserialize, Serialize};
+
+#[derive(Deserialize, Serialize, JsonSchema, Debug)]
+struct StackTraceSymbol {
+    name: Option<String>,
+    file: Option<String>,
+    line: Option<u32>,
+}
+
+#[derive(Deserialize, Serialize, JsonSchema, Debug)]
+struct StackTraceFrame {
+    symbols: Vec<StackTraceSymbol>,
+}
+
+impl StackTraceFrame {
+    pub fn render(&self) -> String {
+        let mut result = String::new();
+        for symbol in &self.symbols {
+            let symbol_string = format!(
+                "{}:{} - {} ",
+                symbol.file.as_deref().unwrap_or_default(),
+                symbol.line.unwrap_or_default(),
+                symbol.name.as_deref().unwrap_or_default(),
+            );
+            result.push_str(&symbol_string);
+        }
+        result
+    }
+}
+
+#[derive(Deserialize, Serialize, JsonSchema, Debug)]
+pub struct ThreadStackTrace {
+    id: u32,
+    name: String,
+    frames: Vec<String>,
+}
+
+#[derive(Deserialize, Serialize, JsonSchema, Debug)]
+pub struct StackTrace {
+    threads: Vec<ThreadStackTrace>,
+}
+
+pub fn get_stack_trace() -> StackTrace {
+    #[cfg(not(all(target_os = "linux", feature = "stacktrace")))]
+    {
+        StackTrace { threads: vec![] }
+    }
+
+    #[cfg(all(target_os = "linux", feature = "stacktrace"))]
+    {
+        let exe = std::env::current_exe().unwrap();
+        let trace =
+            rstack_self::trace(std::process::Command::new(exe).arg("--stacktrace")).unwrap();
+        StackTrace {
+            threads: trace
+                .threads()
+                .iter()
+                .map(|thread| ThreadStackTrace {
+                    id: thread.id(),
+                    name: thread.name().to_string(),
+                    frames: thread
+                        .frames()
+                        .iter()
+                        .map(|frame| {
+                            let frame = StackTraceFrame {
+                                symbols: frame
+                                    .symbols()
+                                    .iter()
+                                    .map(|symbol| StackTraceSymbol {
+                                        name: symbol.name().map(|name| name.to_string()),
+                                        file: symbol.file().map(|file| {
+                                            file.to_str().unwrap_or_default().to_string()
+                                        }),
+                                        line: symbol.line(),
+                                    })
+                                    .collect(),
+                            };
+                            frame.render()
+                        })
+                        .collect(),
+                })
+                .collect(),
+        }
+    }
+}

src/common/strings.rs

@@ -0,0 +1,5 @@
+/// Constant-time equality for String types
+#[inline]
+pub fn ct_eq(lhs: impl AsRef<str>, rhs: impl AsRef<str>) -> bool {
+    constant_time_eq::constant_time_eq(lhs.as_ref().as_bytes(), rhs.as_ref().as_bytes())
+}

src/common/telemetry.rs

@@ -0,0 +1,101 @@
+use std::sync::Arc;
+
+use collection::operations::verification::new_unchecked_verification_pass;
+use common::types::{DetailsLevel, TelemetryDetail};
+use parking_lot::Mutex;
+use schemars::JsonSchema;
+use segment::common::anonymize::Anonymize;
+use serde::Serialize;
+use storage::dispatcher::Dispatcher;
+use storage::rbac::Access;
+use uuid::Uuid;
+
+use crate::common::telemetry_ops::app_telemetry::{AppBuildTelemetry, AppBuildTelemetryCollector};
+use crate::common::telemetry_ops::cluster_telemetry::ClusterTelemetry;
+use crate::common::telemetry_ops::collections_telemetry::CollectionsTelemetry;
+use crate::common::telemetry_ops::memory_telemetry::MemoryTelemetry;
+use crate::common::telemetry_ops::requests_telemetry::{
+    ActixTelemetryCollector, RequestsTelemetry, TonicTelemetryCollector,
+};
+use crate::settings::Settings;
+
+pub struct TelemetryCollector {
+    process_id: Uuid,
+    settings: Settings,
+    dispatcher: Arc<Dispatcher>,
+    pub app_telemetry_collector: AppBuildTelemetryCollector,
+    pub actix_telemetry_collector: Arc<Mutex<ActixTelemetryCollector>>,
+    pub tonic_telemetry_collector: Arc<Mutex<TonicTelemetryCollector>>,
+}
+
+// Whole telemetry data
+#[derive(Serialize, Clone, Debug, JsonSchema)]
+pub struct TelemetryData {
+    id: String,
+    pub(crate) app: AppBuildTelemetry,
+    pub(crate) collections: CollectionsTelemetry,
+    pub(crate) cluster: ClusterTelemetry,
+    pub(crate) requests: RequestsTelemetry,
+    pub(crate) memory: Option<MemoryTelemetry>,
+}
+
+impl Anonymize for TelemetryData {
+    fn anonymize(&self) -> Self {
+        TelemetryData {
+            id: self.id.clone(),
+            app: self.app.anonymize(),
+            collections: self.collections.anonymize(),
+            cluster: self.cluster.anonymize(),
+            requests: self.requests.anonymize(),
+            memory: self.memory.anonymize(),
+        }
+    }
+}
+
+impl TelemetryCollector {
+    pub fn reporting_id(&self) -> String {
+        self.process_id.to_string()
+    }
+
+    pub fn generate_id() -> Uuid {
+        Uuid::new_v4()
+    }
+
+    pub fn new(settings: Settings, dispatcher: Arc<Dispatcher>, id: Uuid) -> Self {
+        Self {
+            process_id: id,
+            settings,
+            dispatcher,
+            app_telemetry_collector: AppBuildTelemetryCollector::new(),
+            actix_telemetry_collector: Arc::new(Mutex::new(ActixTelemetryCollector {
+                workers: Vec::new(),
+            })),
+            tonic_telemetry_collector: Arc::new(Mutex::new(TonicTelemetryCollector {
+                workers: Vec::new(),
+            })),
+        }
+    }
+
+    pub async fn prepare_data(&self, access: &Access, detail: TelemetryDetail) -> TelemetryData {
+        TelemetryData {
+            id: self.process_id.to_string(),
+            collections: CollectionsTelemetry::collect(
+                detail,
+                access,
+                self.dispatcher
+                    .toc(access, &new_unchecked_verification_pass()),
+            )
+            .await,
+            app: AppBuildTelemetry::collect(detail, &self.app_telemetry_collector, &self.settings),
+            cluster: ClusterTelemetry::collect(detail, &self.dispatcher, &self.settings),
+            requests: RequestsTelemetry::collect(
+                &self.actix_telemetry_collector.lock(),
+                &self.tonic_telemetry_collector.lock(),
+                detail,
+            ),
+            memory: (detail.level > DetailsLevel::Level0)
+                .then(MemoryTelemetry::collect)
+                .flatten(),
+        }
+    }
+}