Skip to content

Fix: Role model should use composite primary key (name, project)#937

Open
cuixiaojun001 wants to merge 1 commit into
kubevela:mainfrom
cuixiaojun001:fix/role-composite-primary-key
Open

Fix: Role model should use composite primary key (name, project)#937
cuixiaojun001 wants to merge 1 commit into
kubevela:mainfrom
cuixiaojun001:fix/role-composite-primary-key

Conversation

@cuixiaojun001

@cuixiaojun001 cuixiaojun001 commented Jul 9, 2026

Copy link
Copy Markdown

Description of your changes

Fixes #936

The Role model was missing gorm:"primaryKey" on its Project field, so the vela_role table only enforced uniqueness on the name column under the SQL (MySQL/PostgreSQL) datastore. This contradicts the intended composite key of (name, project) and causes project-scoped roles with the same name (project-admin / app-developer / project-viewer, seeded for each project) to collide at the SQL level: the second project's insert is silently skipped by BatchAdd and ends up referencing another project's role row.

This PR adds gorm:"primaryKey" to Role.Project to align with the sibling Permission model (which already uses this composite key) and with the logic already encoded in Role.PrimaryKey() and the kubeapi backend's ConfigMap naming.

I have:

  • Read and followed KubeVela's contribution process.
  • Related Docs updated properly. In a new feature or configuration option, an update to the documentation is necessary. (N/A — bug fix, no API/config change)
  • Run yarn lint to ensure the frontend changes are ready for review. (N/A — no frontend change)
  • Run make reviewable to ensure the server changes are ready for review.
  • Added backport release-x.y labels to auto-backport this PR if necessary.

Special notes for your reviewer

  • This fix only affects schema generation (GORM AutoMigrate); it takes effect for fresh deployments. Existing MySQL/PostgreSQL deployments need a manual DDL migration:
    ALTER TABLE vela_role DROP PRIMARY KEY, ADD PRIMARY KEY (name, project);
  • The kubeapi datastore backend is unaffected; the inconsistency only manifests on MySQL/PostgreSQL.

Review in cubic

The Role model was missing gorm:"primaryKey" on its Project field, so the
vela_role table only enforced uniqueness on the name column under the
SQL (MySQL/PostgreSQL) datastore. This contradicts the intended composite
key of (name, project) and causes project-scoped roles with the same name
(e.g. project-admin/app-developer/project-viewer seeded for each project)
to collide at the SQL level, where the second project's insert is silently
skipped by BatchAdd and ends up referencing another project's role row.

Add gorm:"primaryKey" to Role.Project to align with the sibling Permission
model (which already uses this composite key) and with the logic already
encoded in Role.PrimaryKey() / the kubeapi backend's ConfigMap naming.

Existing deployments need a manual DDL migration:
  ALTER TABLE vela_role DROP PRIMARY KEY, ADD PRIMARY KEY (name, project);

Signed-off-by: cuixiaojun002 <cuixiaojun002@ke.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug] Role model missing composite primary key (name, project) — project-scoped roles collide on SQL datastore

1 participant