feat(BA-5380): seed RBAC permissions for vfolder:data and session:app #11457
Pull request overview
Adds forward-only Alembic data migrations to backfill RBAC permissions rows for two sub-entity permission domains (vfolder:data and a session app-related entity type), including mapping legacy vfolder invitation mount permissions into per-vfolder entity-as-scope grants.
Changes:
- Seed `vfolder:data` owner operations for non-member roles across domain/project/user scopes.
- Backfill `vfolder_permissions` invitation records into `permissions(scope_type='vfolder', scope_id=<vfolder_id>, entity_type='vfolder:data', ...)` using a mount-permission→operation mapping.
- Seed a read-only session app-related entity-type permission for non-member roles across domain/project/user scopes.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `src/ai/backend/manager/models/alembic/versions/6e5a7a62a687_migrate_vfolder_data_to_rbac.py` | Seeds vfolder:data permissions for org scopes and migrates legacy vfolder invitations to per-vfolder RBAC grants. |
| `src/ai/backend/manager/models/alembic/versions/3632aad9d5d9_migrate_session_app_to_rbac.py` | Seeds a read-only session app-related entity-type permission for org scopes. |
```python
# Constants
MEMBER_ROLE_PATTERN = "%member"
ENTITY_TYPE = "session:app"
```
The entity type enum is defined as SESSION_APP_SERVICE = "session:app_service". Does it matter if there is a mismatch?
Also, vfolder:data does not appear to exist in the EntityType (or anywhere in the codebase).
Forward-only Alembic migrations that backfill owner/admin permissions for the new sub-entity types in domain/project/user scopes, and migrate vfolder_permissions invitations to per-entity `vfolder:data` grants. Sub-entity scope-entity edges are intentionally omitted — the resolver walks parent edges via `permission_entity_type`. Downgrade is a no-op. Resolves BA-5380 Resolves BA-5383
- Remove unused `REF_RELATION_TYPE` constant from the vfolder:data migration.
- Clarify the 11457 news fragment.
The earlier broad scope-wide seed granted vfolder:data and session:app operations on domain/project/user scopes for non-member roles. The RBAC resolver's scope-chain walker traverses user → project → domain via the membership edges in association_scopes_entities, so a project- or domain-scoped grant on these owner-only sub-entities would let project admins (or domain admins) reach user-owned vfolders and sessions inside their scope — violating the owner-only intent.

Replace with per-entity (entity-as-scope) grants:
- user-owned vfolders → owner's system role only
- project-owned vfolders → project's non-member roles only
- vfolder_permissions invitations → invitee's system role with mount-permission-mapped ops (already entity-as-scope)
- live sessions → creator's system role + project non-member roles
- dead sessions (TERMINATING/TERMINATED/CANCELLED/ERROR) excluded

These rows match the resolver's self-scope branch only; the walker never visits them, so no upward leak.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Repoint the vfolder:data data migration onto the current main head to resolve divergent alembic heads, and replace the silent skip for unknown vfolder_permissions.permission values with a warning log so operators can investigate stray rows. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Rename `session:app` to `session:app_service` in the data migration seed and changelog to match `EntityType.SESSION_APP_SERVICE` defined in `common/data/permission/types.py`. Without this, seeded permission rows would never resolve at runtime. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
- Seed `vfolder:data` (CRUD) and `session:app` (read) permissions for owner/admin roles in domain/project/user scopes.
- Migrate `vfolder_permissions` invitations to per-entity `vfolder:data` grants using the entity-as-scope pattern (`permissions(scope_type='vfolder', scope_id=vfolder_id, ...)`); mount perms map `ro`→{read}, `rw`→{read,update}, `wd`→{read,update,hard-delete} (no soft-delete on data).
- `association_scopes_entities` are intentionally omitted: the resolver walks parent vfolder/session edges via `permission_entity_type`, and the existing `uq_scope_id_entity_id` constraint would conflict with parent edges anyway.
- Downgrade is a no-op to protect operator-managed grants.

Test plan
- `pants fmt fix lint check` on the two new migration files
- `vfolder`, `model_deployment` scopes) excluded from broad seed — invitee gets exactly mount-perm-mapped ops, no over-grant
- `ON CONFLICT DO NOTHING`)

Resolves BA-5380
Resolves BA-5383
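To make the two mechanics discussed above concrete (the mount-permission → operation mapping with a warning for unknown values, and why an entity-as-scope row is safe where a project- or domain-scoped seed leaks upward), here is an added, self-contained model. It is not code from the Backend.AI repository or from this PR: the `Permission`/`VFolder` dataclasses, the helper names and the sample rows are hypothetical, and the resolver is a simplified stand-in that assumes the behaviour the PR description states (scoped grants are matched against the entity's owning user → project → domain chain; entity-as-scope rows, `scope_type='vfolder'` with `scope_id` equal to the vfolder id, are matched only by the self-scope branch). The user → single-project → domain chain is a simplification of the membership-edge walk.

```python
"""Added example: model of the seeding mechanics described in PR #11457.

Not project code. Assumes a simplified resolver: scoped rows match any scope on
the entity's owner user -> project -> domain chain (the walker); entity-as-scope
rows match only when scope == the entity itself (the self-scope branch).
"""

from __future__ import annotations

import logging
from dataclasses import dataclass
from typing import Iterable

log = logging.getLogger("rbac_seed_example")

ENTITY_TYPE_VFOLDER_DATA = "vfolder:data"

# Legacy vfolder_permissions.permission -> RBAC operations, as stated in the PR
# summary (there is no soft-delete on data, so 'wd' maps to hard-delete).
MOUNT_PERM_TO_OPS: dict[str, frozenset[str]] = {
    "ro": frozenset({"read"}),
    "rw": frozenset({"read", "update"}),
    "wd": frozenset({"read", "update", "hard-delete"}),
}


@dataclass(frozen=True)
class Permission:
    """One row of the permissions table (subset of columns; hypothetical shape)."""
    role_id: str
    scope_type: str  # 'domain' | 'project' | 'user' | 'vfolder' (entity-as-scope)
    scope_id: str
    entity_type: str
    operation: str


@dataclass(frozen=True)
class VFolder:
    """Hypothetical vfolder record: owning user plus its project and domain."""
    id: str
    owner_user_id: str
    project_id: str
    domain_id: str


def invitation_to_grants(invitee_role_id: str, vfolder_id: str, mount_perm: str) -> list[Permission]:
    """Map one vfolder_permissions invitation to entity-as-scope grant rows.

    An unknown permission value yields no rows and a warning (not a silent
    skip), mirroring the PR's follow-up commit, so operators can find stray rows.
    """
    ops = MOUNT_PERM_TO_OPS.get(mount_perm)
    if ops is None:
        log.warning("unknown vfolder_permissions.permission %r for vfolder %s; no grant seeded",
                    mount_perm, vfolder_id)
        return []
    return [Permission(invitee_role_id, "vfolder", vfolder_id, ENTITY_TYPE_VFOLDER_DATA, op)
            for op in sorted(ops)]


def _scope_chain(vf: VFolder) -> set[tuple[str, str]]:
    """Scopes the walker visits for a vfolder: owning user, its project, its domain."""
    return {("user", vf.owner_user_id), ("project", vf.project_id), ("domain", vf.domain_id)}


def can(actor_roles: Iterable[str], vf: VFolder, operation: str, grants: Iterable[Permission]) -> bool:
    """Resolve whether an actor holding actor_roles may perform operation on vf's data."""
    roles = set(actor_roles)
    self_scope = ("vfolder", vf.id)
    chain = _scope_chain(vf)
    for g in grants:
        if g.role_id not in roles or g.entity_type != ENTITY_TYPE_VFOLDER_DATA or g.operation != operation:
            continue
        key = (g.scope_type, g.scope_id)
        if key == self_scope:  # self-scope branch: entity-as-scope row
            return True
        if key in chain:       # walker branch: scoped row on the parent chain
            return True
    return False


# Constructed sample data (not from the PR): alice owns vf-1 in project p1 / domain d1,
# bob holds the project-admin role of p1, carol was invited with mount perm 'rw'.
ALICE_VF = VFolder("vf-1", owner_user_id="alice", project_id="p1", domain_id="d1")
BROAD_SEED = [Permission("p1-admin", "project", "p1", ENTITY_TYPE_VFOLDER_DATA, "read")]
OWNER_SEED = [Permission("alice-sys", "vfolder", "vf-1", ENTITY_TYPE_VFOLDER_DATA, op)
              for op in ("read", "update", "hard-delete")]
INVITE_SEED = invitation_to_grants("carol-sys", "vf-1", "rw")


def leak_comparison() -> dict[str, bool]:
    """Compare the reverted broad seed with the per-entity seed on the sample data."""
    return {
        "broad_seed_admin_reads": can({"p1-admin"}, ALICE_VF, "read", BROAD_SEED),
        "entity_seed_admin_reads": can({"p1-admin"}, ALICE_VF, "read", OWNER_SEED + INVITE_SEED),
        "entity_seed_owner_deletes": can({"alice-sys"}, ALICE_VF, "hard-delete", OWNER_SEED),
        "invitee_rw_updates": can({"carol-sys"}, ALICE_VF, "update", INVITE_SEED),
        "invitee_rw_deletes": can({"carol-sys"}, ALICE_VF, "hard-delete", INVITE_SEED),
    }


if __name__ == "__main__":
    for name, allowed in leak_comparison().items():
        print(f"{name}: {allowed}")
```

The project-scoped row reaches alice's user-owned vfolder because the walker passes through ("project", "p1"), which is the upward leak the revert commit describes; the entity-as-scope rows keyed on ("vfolder", "vf-1") are never on that chain, so only the roles named in them resolve, and the invitee gets exactly the operations the mount permission maps to.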