feat(BA-5378): add sub-entity RBAC element types for split permissions#11456
Merged
feat(BA-5378): add sub-entity RBAC element types for split permissions#11456
Conversation
github-actions
Bot
added
size:S
fregataa
added a commit
that referenced
this pull request
May 1, 2026
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Adds new RBAC element-type enum members to support “split permissions” for sub-aspects of existing entities (vfolder internal data, session app endpoints, and user name exposure), keeping the manager DTO and internal permission/type bridges in sync.
Changes:
- Added
VFOLDER_DATA,SESSION_APP, andUSER_NAMEtoRBACElementTypeDTO(DTO/GQL-facing enum surface). - Added corresponding
EntityTypeandRBACElementTypemembers soRBACElementType.to_entity_type()and related value-based conversions remain valid.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
src/ai/backend/common/dto/manager/v2/rbac/types.py |
Adds new DTO/GQL RBAC element type values for the new sub-entity permission targets. |
src/ai/backend/common/data/permission/types.py |
Adds matching internal RBACElementType values and corresponding EntityType entries to keep bridge conversions working. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
github-actions
Bot
added
comp:manager
jopemachine
reviewed
May 4, 2026
jopemachine
reviewed
May 4, 2026
5 tasks
fregataa
added a commit
that referenced
this pull request
May 6, 2026
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
fregataa
force-pushed
the
feat/BA-5378-rbac-sub-entity-element-types
branch
from
4672b6b to
8a79f2e
Compare
Adds vfolder:data, session:app, and user:name as new RBACElementType values so that admins can be granted entity metadata access without implicit access to internal data, app endpoints, or user identity discovery. - BA-5378: SESSION_APP — separates session app access from session metadata. - BA-5381: VFOLDER_DATA — separates vfolder file/dir access from listings. - BA-5611: USER_NAME — gates project-admin scoped user identity discovery. Mirrored to RBACElementTypeDTO so GQL schema stays in sync, and corresponding EntityType members are added to keep to_entity_type() bridge conversions valid. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Add VFOLDER_DATA, SESSION_APP, and USER_NAME to the catch-all arm of the scope resolver match statement so the function remains exhaustive and mypy stops failing with a missing-return error. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: octodog <mu001@lablup.com>
…new RBAC types
vfolder:data and session:app are sub-entity permissions intended only
for the resource owner — admins and members of the parent scope have
no access by design.
- _ADMIN_OPS_OVERRIDES / _MEMBER_OPS_OVERRIDES: empty frozensets for
both new types so the helper-derived sets match this contract.
- _OWNER_OPS_OVERRIDES:
vfolder:data → {create, read, update, hard-delete}
(no soft-delete; vfolder data has no two-stage delete)
session:app → {read}
- example-roles.json: 25 user-scope owner permission rows generated with
stable UUIDv5 IDs across the 5 existing user-scope roles.
USER_NAME is intentionally excluded from fixtures and predefined types
overrides — its grant model is decided per-deployment by project admins,
not by default seed data.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…n:app The default-fallback parametrized tests previously asserted that EVERY RBACElementType falls back to STANDARD_OPS for admin/owner. With vfolder:data and session:app being owner-only, those expectations no longer hold for those two members. - Exclude the owner-only types from the default-fallback parametrize list. - Add TestOwnerOnlyOverrides covering: admin/member empty, vfolder:data owner CRUD-without-soft-delete, session:app owner READ-only. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…e → user:email Align the new sub-entity element types with their final names: - session:app_service: drops the redundant SESSION_APP addition to EntityType (SESSION_APP_SERVICE was already defined) and renames the RBACElementType / RBACElementTypeDTO members. - user:email: replaces user:name throughout EntityType, RBACElementType, RBACElementTypeDTO, and the owner-only override references. Updated owner-only override maps, PermissionGQL.scope match arms, graphql schema dumps, fixtures (entity_type field only — UUIDv5 IDs left untouched), tests, and the news fragment. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
fregataa
force-pushed
the
feat/BA-5378-rbac-sub-entity-element-types
branch
from
8a79f2e to
9e24f7b
Compare
jopemachine
approved these changes
May 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
vfolder:data,session:app, anduser:nameas newRBACElementTypevalues so entity metadata access can be granted without implicit access to internal data, app endpoints, or user identity discovery.RBACElementTypeDTO(keeps GQLRBACElementTypeGQLschema in sync viagql_enum) and adds matchingEntityTypemembers soRBACElementType.to_entity_type()bridge conversions stay valid.Test plan
pants test tests/unit/manager/api/gql/rbac/test_rbac_element_type_sync.py— enum-sync guard passespants fmt fix lint check— no issuespants test --changed-since=HEAD --changed-dependents=transitive— all transitively affected tests passResolves BA-5378
Resolves BA-5381
Resolves BA-5611
🤖 Generated with Claude Code
📚 Documentation preview 📚: https://sorna--11456.org.readthedocs.build/en/11456/
📚 Documentation preview 📚: https://sorna-ko--11456.org.readthedocs.build/ko/11456/