feat(BA-5797): add effective permissions resolver for entities #11236

Open
fregataa wants to merge 3 commits into main from feat/BA-5797-effective-permissions-resolver

Member

@fregataa fregataa commented Apr 22, 2026

Summary

  • Add resolve_effective_permissions across the full stack (data types → DB source → repository → service/action) to answer "what operations can user X perform on entities [A, B, C]?"
  • Reuses the existing scope chain CTE from BA-5776, removing the operation filter and collecting all permitted operations via UNION of scope-chain and self-scope queries
  • Returns dict[str, set[OperationType]] mapping entity ID → permitted operations

Test plan

  • Component tests for DB source query (scope chain + self-scope union)
  • Repository method integration test with resilience policy

Resolves BA-5797
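
The query shape the summary describes (a recursive scope-chain CTE unioned with a self-scope lookup, batched over all entity IDs), as an added example that is not code from this pull request. The tables, columns, sample rows and string operation names are constructed for illustration and are not Backend.AI's schema; SQLite stands in for the project's database, and "self-scope" is assumed to mean a grant placed directly on the entity.

```python
import sqlite3

# Hypothetical schema for illustration only (not Backend.AI's tables).
SCHEMA = """
CREATE TABLE scope_parent (scope_id TEXT, parent_id TEXT);      -- scope -> parent scope
CREATE TABLE entity_scope (entity_id TEXT, scope_id TEXT);      -- entity -> owning scope
CREATE TABLE grants (user_id TEXT, scope_id TEXT, operation TEXT);
"""

def resolve_effective_permissions(conn, user_id, entity_ids):
    """Return {entity_id: set(operations)} for all entity_ids in one query."""
    ids = list(dict.fromkeys(entity_ids))
    result = {eid: set() for eid in ids}  # deny by default: no row, no operation
    if not ids:
        return result
    marks = ",".join("?" * len(ids))  # only placeholders are interpolated
    sql = f"""
    WITH RECURSIVE chain(entity_id, scope_id) AS (
        SELECT entity_id, scope_id FROM entity_scope WHERE entity_id IN ({marks})
        UNION  -- UNION (not UNION ALL) drops repeats, so a cyclic chain terminates
        SELECT c.entity_id, p.parent_id
        FROM chain c JOIN scope_parent p ON p.scope_id = c.scope_id
    )
    SELECT c.entity_id, g.operation            -- grants inherited via the scope chain
    FROM chain c JOIN grants g ON g.scope_id = c.scope_id
    WHERE g.user_id = ?
    UNION
    SELECT g.scope_id, g.operation             -- self-scope: grant on the entity itself
    FROM grants g
    WHERE g.user_id = ? AND g.scope_id IN ({marks})
    """
    for entity_id, operation in conn.execute(sql, [*ids, user_id, user_id, *ids]):
        result[entity_id].add(operation)
    return result

def demo_db():
    """Constructed sample data: two folders in project-1, one in project-2."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO scope_parent VALUES ('project-1', 'domain-1')")
    conn.executemany("INSERT INTO entity_scope VALUES (?, ?)", [
        ("vfolder-A", "project-1"), ("vfolder-B", "project-1"), ("vfolder-C", "project-2")])
    conn.executemany("INSERT INTO grants VALUES (?, ?, ?)", [
        ("alice", "domain-1", "read"), ("alice", "project-1", "update"),
        ("alice", "vfolder-B", "delete"), ("bob", "project-2", "read")])
    return conn

if __name__ == "__main__":
    print(resolve_effective_permissions(demo_db(), "alice", ["vfolder-A", "vfolder-B", "vfolder-C"]))
```

Every requested ID appears in the result, so an entity the user has no grant on maps to an empty set instead of being silently absent.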

Copilot AI review requested due to automatic review settings April 22, 2026 07:49
@github-actions github-actions Bot added the size:L 100~500 LoC label Apr 22, 2026
@github-actions github-actions Bot added the comp:manager Related to Manager component label Apr 22, 2026
fregataa added a commit that referenced this pull request Apr 22, 2026
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor

Copilot AI left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds a new full-stack API to resolve a user’s effective RBAC operations per target entity by traversing the scope-chain and self-scope permissions.

Changes:

  • Introduces ResolveEffectivePermissionsAction / result and wires it into the service layer.
  • Adds repository + DB source support to compute effective permissions using scope-chain CTE + self-scope union.
  • Adds new data types (EffectivePermissionsInput/Result) and a changelog entry.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| src/ai/backend/manager/services/permission_contoller/service.py | Adds service entrypoint that calls repository resolver and returns action result. |
| src/ai/backend/manager/services/permission_contoller/actions/resolve_effective_permissions.py | Defines action + result DTOs for effective permission resolution. |
| src/ai/backend/manager/services/permission_contoller/actions/init.py | Exposes the new action/result via package exports. |
| src/ai/backend/manager/repositories/permission_controller/repository.py | Adds repository method with resilience policy to call DB source resolver. |
| src/ai/backend/manager/repositories/permission_controller/db_source/db_source.py | Implements resolver by unioning scope-chain and self-scope queries. |
| src/ai/backend/manager/data/permission/role.py | Adds input/output dataclasses for the new resolver. |
| changes/11236.feature.md | Documents the new feature in the changelog. |

Comment thread src/ai/backend/manager/repositories/permission_controller/db_source/db_source.py Outdated
Comment thread src/ai/backend/manager/repositories/permission_controller/db_source/db_source.py Outdated
Comment thread src/ai/backend/manager/repositories/permission_controller/db_source/db_source.py Outdated
Comment thread src/ai/backend/manager/repositories/permission_controller/db_source/db_source.py Outdated
Comment thread src/ai/backend/manager/repositories/permission_controller/db_source/db_source.py Outdated
@fregataa fregataa marked this pull request as draft April 22, 2026 08:14
@fregataa fregataa force-pushed the feat/BA-5797-effective-permissions-resolver branch 2 times, most recently from a34eac6 to 291c723 Compare April 22, 2026 17:12
@fregataa fregataa added this to the 26.5 milestone Apr 22, 2026
@github-actions github-actions Bot added size:XL 500~ LoC and removed size:L 100~500 LoC labels Apr 22, 2026
@fregataa fregataa force-pushed the feat/BA-5797-effective-permissions-resolver branch from bd48aef to 8f1b576 Compare April 22, 2026 18:19
@fregataa fregataa marked this pull request as ready for review April 22, 2026 18:33
@fregataa fregataa requested a review from a team April 22, 2026 18:33
@fregataa fregataa force-pushed the feat/BA-5797-effective-permissions-resolver branch from 8f1b576 to fb2b637 Compare April 22, 2026 19:01
Comment thread changes/11236.feature.md Outdated

@override
@classmethod
def entity_type(cls) -> EntityType:
Member

Is it intentional that entity_id is a user_id even though entity_type is not USER?

Member Author

We decided to not expand/use entity type enum anymore and this abstract method is also deprecated. It is implemented to avoid type check for now.

@fregataa fregataa requested a review from jopemachine April 23, 2026 13:05
fregataa and others added 3 commits April 23, 2026 22:05
Add resolve_effective_permissions across the full stack
(data types → DB source → repository → service/action) to answer
"what operations can user X perform on entities [A, B, C]?"

Uses a single batched query with the existing scope chain CTE,
eliminating N+1 by processing all entity IDs in one DB roundtrip.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…sions

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Clarify that this branch only ships the permission controller service
and repository implementations, without the API surface.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@fregataa fregataa requested a review from a team April 23, 2026 13:05
@fregataa fregataa force-pushed the feat/BA-5797-effective-permissions-resolver branch from fb2b637 to 3510a48 Compare April 23, 2026 13:06