feat: limit project group creation to admins (#1331)

Make it so that (if configured) admins are the only one allowed to
create projects and groups. By default we have the old behavior so that
everyone who is logged in can create a group or project. The limits are
applied in addition to all other authorization schemes and regardless of
where the project will be created (username or group).

Author: olevski

bases/renku_data_services/data_api/app.py

@@ -242,6 +242,7 @@ def register_all_handlers(app: Sanic, dm: DependencyManager) -> Sanic:
         url_prefix=url_prefix,
         platform_repo=dm.platform_repo,
         authenticator=dm.authenticator,
+        authz=dm.authz,
     )
     platform_redirects = PlatformUrlRedirectBP(
         name="platform_redirects",

components/renku_data_services/authz/authz.py

@@ -41,6 +41,7 @@
     CheckPermissionItem,
     Member,
     MembershipChange,
+    PlatformRole,
     Role,
     Scope,
     Visibility,
@@ -69,6 +70,7 @@
     ProjectNamespace,
     UserNamespace,
 )
+from renku_data_services.platform.models import AuthzFlag
 from renku_data_services.project.models import DeletedProject, Project, ProjectUpdate
 from renku_data_services.users.models import DeletedUser, UserInfo, UserInfoUpdate
 
@@ -1477,6 +1479,7 @@ async def _get_admin_user_ids(self) -> list[str]:
             resource_type=platform.object_type,
             optional_resource_id=platform.object_id,
             optional_subject_filter=sub_filter,
+            optional_relation=_Relation.admin.value,
         )
         existing_admins: AsyncIterable[ReadRelationshipsResponse] = self.client.ReadRelationships(
             ReadRelationshipsRequest(
@@ -2396,3 +2399,89 @@ async def _remove_data_connector_to_project_link(
             updates=[RelationshipUpdate(operation=RelationshipUpdate.OPERATION_TOUCH, relationship=i) for i in rels]
         )
         return _AuthzChange(apply=apply, undo=undo)
+
+    async def _relationship_exists(
+        self,
+        resource_type: str,
+        id: ULID | int | str,
+        relation: str,
+        subject: SubjectFilter,
+        zed_token: ZedToken | None = None,
+    ) -> tuple[bool, ZedToken | None]:
+        """If the filter conditions match multiple relationships then True is returned."""
+
+        consistency = Consistency(at_least_as_fresh=zed_token) if zed_token else Consistency(fully_consistent=True)
+        req = ReadRelationshipsRequest(
+            consistency=consistency,
+            relationship_filter=RelationshipFilter(
+                resource_type=resource_type,
+                optional_relation=relation,
+                optional_resource_id=str(id),
+                optional_subject_filter=subject,
+            ),
+            optional_limit=1,
+        )
+
+        async for res in self.client.ReadRelationships(req):
+            return True, res.read_at
+        return False, zed_token
+
+    async def group_creation_allowed(self, zed_token: ZedToken | None = None) -> tuple[AuthzFlag, ZedToken | None]:
+        """Indicates whether users are allowed to create groups."""
+        platform = _AuthzConverter.platform()
+        all_users = _AuthzConverter.all_users()
+        groups_allowed, new_zed_token = await self._relationship_exists(
+            resource_type=platform.object_type,
+            id=platform.object_id,
+            relation=PlatformRole.group_creator.value,
+            subject=SubjectFilter(subject_type=ResourceType.user.value, optional_subject_id=all_users.object_id),
+            zed_token=zed_token,
+        )
+        return AuthzFlag.registered_users if groups_allowed else AuthzFlag.only_admins, new_zed_token
+
+    async def project_creation_allowed(self, zed_token: ZedToken | None = None) -> tuple[AuthzFlag, ZedToken | None]:
+        """Indicates whether users are allowed to create projects."""
+        platform = _AuthzConverter.platform()
+        all_users = _AuthzConverter.all_users()
+        projects_allowed, new_zed_token = await self._relationship_exists(
+            resource_type=platform.object_type,
+            id=platform.object_id,
+            relation=PlatformRole.project_creator.value,
+            subject=SubjectFilter(subject_type=ResourceType.user.value, optional_subject_id=all_users.object_id),
+            zed_token=zed_token,
+        )
+        return AuthzFlag.registered_users if projects_allowed else AuthzFlag.only_admins, new_zed_token
+
+    async def set_project_creation_permission(self, allowed: AuthzFlag) -> ZedToken:
+        """Controls whether any user or only admins are able to create projects."""
+        platform = _AuthzConverter.platform()
+        all_users = _AuthzConverter.all_users()
+        update = RelationshipUpdate(
+            operation=RelationshipUpdate.OPERATION_DELETE
+            if allowed == AuthzFlag.only_admins
+            else RelationshipUpdate.OPERATION_TOUCH,
+            relationship=Relationship(
+                resource=platform,
+                relation=PlatformRole.project_creator.value,
+                subject=SubjectReference(object=all_users),
+            ),
+        )
+        res = await self.client.WriteRelationships(WriteRelationshipsRequest(updates=[update]))
+        return cast(ZedToken, res.written_at)
+
+    async def set_group_creation_permission(self, allowed: AuthzFlag) -> ZedToken:
+        """Controls whether any user or only admins are able to create groups."""
+        platform = _AuthzConverter.platform()
+        all_users = _AuthzConverter.all_users()
+        update = RelationshipUpdate(
+            operation=RelationshipUpdate.OPERATION_DELETE
+            if allowed == AuthzFlag.only_admins
+            else RelationshipUpdate.OPERATION_TOUCH,
+            relationship=Relationship(
+                resource=platform,
+                relation=PlatformRole.group_creator.value,
+                subject=SubjectReference(object=all_users),
+            ),
+        )
+        res = await self.client.WriteRelationships(WriteRelationshipsRequest(updates=[update]))
+        return cast(ZedToken, res.written_at)

components/renku_data_services/authz/models.py

@@ -1,7 +1,7 @@
 """Models for authorization."""
 
 from dataclasses import dataclass
-from enum import Enum
+from enum import Enum, StrEnum
 
 from ulid import ULID
 
@@ -44,6 +44,13 @@ def to_group_role(self) -> GroupRole:
                 raise errors.ProgrammingError(message=f"Could not convert role {self} into a group role")
 
 
+class PlatformRole(StrEnum):
+    """Roles specific to the platform resource in Authzed."""
+
+    project_creator = "project_creator"
+    group_creator = "group_creator"
+
+
 class Scope(Enum):
     """Types of permissions - i.e. scope."""
 
@@ -59,6 +66,8 @@ class Scope(Enum):
     EXCLUSIVE_EDITOR = "exclusive_editor"
     EXCLUSIVE_OWNER = "exclusive_owner"
     DIRECT_MEMBER = "direct_member"
+    CREATE_GROUPS = "create_groups"
+    CREATE_PROJECTS = "create_projects"
 
 
 @dataclass

components/renku_data_services/authz/schemas.py

@@ -981,3 +981,149 @@ def generate_v4(public_project_ids: Iterable[str]) -> AuthzSchemaMigration:
         WriteSchemaRequest(schema=_v9),
     ],
 )
+
+_v11 = """\
+definition user {}
+
+definition group {
+    relation group_platform: platform
+    relation owner: user
+    relation editor: user
+    relation viewer: user
+    relation public_viewer: user:* | anonymous_user:*
+    permission read = public_viewer + read_children
+    permission read_children = viewer + write
+    permission write = editor + delete
+    permission change_membership = delete
+    permission delete = owner + group_platform->is_admin
+    permission non_public_read = owner + editor + viewer - public_viewer
+    permission exclusive_owner = owner
+    permission exclusive_editor = editor
+    permission exclusive_member = viewer + editor + owner
+    permission direct_member = owner + editor + viewer
+}
+
+definition user_namespace {
+    relation user_namespace_platform: platform
+    relation owner: user
+    relation public_viewer: user:* | anonymous_user:*
+    permission read = public_viewer + read_children
+    permission read_children = delete
+    permission write = delete
+    permission delete = owner + user_namespace_platform->is_admin
+    permission non_public_read = owner - public_viewer
+    permission exclusive_owner = owner
+    permission exclusive_member = owner
+    permission direct_member = owner
+}
+
+definition anonymous_user {}
+
+definition platform {
+    relation admin: user
+    relation project_creator: user:*
+    relation group_creator: user:*
+    permission is_admin = admin
+    permission create_projects = is_admin + project_creator
+    permission create_groups = is_admin + group_creator
+}
+
+definition project {
+    relation project_platform: platform
+    relation project_namespace: user_namespace | group
+    relation owner: user
+    relation editor: user
+    relation viewer: user
+    relation public_viewer: user:* | anonymous_user:*
+    permission read = public_viewer + read_children
+    permission read_children = viewer + write + project_namespace->read_children
+    permission write = editor + delete
+    permission change_membership = delete
+    permission delete = owner + project_platform->is_admin + project_namespace->delete
+    permission non_public_read = owner + editor + viewer + project_namespace->read_children - public_viewer
+    permission exclusive_owner = owner + project_namespace->exclusive_owner
+    permission exclusive_editor = editor
+    permission exclusive_member = owner + editor + viewer + project_namespace->exclusive_member
+    permission direct_member = owner + editor + viewer
+}
+
+definition data_connector {
+    relation data_connector_platform: platform
+    relation data_connector_namespace: user_namespace | group | project
+    relation linked_to: project
+    relation owner: user
+    relation editor: user
+    relation viewer: user
+    relation public_viewer: user:* | anonymous_user:*
+    permission read = public_viewer + viewer + write + data_connector_namespace->read_children
+    permission write = editor + delete
+    permission change_membership = delete
+    permission delete = owner + data_connector_platform->is_admin + data_connector_namespace->delete
+    permission non_public_read = owner + editor + viewer + data_connector_namespace->read_children - public_viewer
+    permission exclusive_owner = owner + data_connector_namespace->exclusive_owner
+    permission exclusive_editor = editor
+    permission exclusive_member = owner + editor + viewer + data_connector_namespace->exclusive_member
+    permission direct_member = owner + editor + viewer
+}
+
+definition resource_pool {
+    relation resource_pool_platform: platform
+    relation viewer: user
+    relation group_viewer: group
+    relation project_viewer: project
+    relation prohibited: user
+    relation public_viewer: user:* | anonymous_user:*
+    permission read = ( \
+            viewer \
+            + group_viewer->direct_member\
+            + project_viewer->direct_member \
+            + public_viewer \
+            - prohibited \
+            ) \
+            + resource_pool_platform->is_admin
+    permission write = resource_pool_platform->is_admin
+}"""
+"""Adds the resource_pool definition for Authzed authorization."""
+
+v11 = AuthzSchemaMigration(
+    up=[
+        WriteSchemaRequest(schema=_v11),
+        WriteRelationshipsRequest(
+            updates=[
+                RelationshipUpdate(
+                    operation=RelationshipUpdate.OPERATION_TOUCH,
+                    relationship=Relationship(
+                        resource=_AuthzConverter.platform(),
+                        relation="project_creator",
+                        subject=SubjectReference(object=_AuthzConverter.all_users()),
+                    ),
+                ),
+                RelationshipUpdate(
+                    operation=RelationshipUpdate.OPERATION_TOUCH,
+                    relationship=Relationship(
+                        resource=_AuthzConverter.platform(),
+                        relation="group_creator",
+                        subject=SubjectReference(object=_AuthzConverter.all_users()),
+                    ),
+                ),
+            ]
+        ),
+    ],
+    down=[
+        DeleteRelationshipsRequest(
+            relationship_filter=RelationshipFilter(
+                resource_type=_AuthzConverter.platform().object_type,
+                optional_resource_id=_AuthzConverter.platform().object_id,
+                optional_relation="project_creator",
+            ),
+        ),
+        DeleteRelationshipsRequest(
+            relationship_filter=RelationshipFilter(
+                resource_type=_AuthzConverter.platform().object_type,
+                optional_resource_id=_AuthzConverter.platform().object_id,
+                optional_relation="group_creator",
+            ),
+        ),
+        WriteSchemaRequest(schema=_v10),
+    ],
+)

components/renku_data_services/migrations/versions/f2d4841e924b_upgrade_authzed_schema_to_v10.py

@@ -0,0 +1,37 @@
+"""upgrade authzed schema to v11
+
+Revision ID: f2d4841e924b
+Revises: 65f8330c4d25
+Create Date: 2026-05-27 14:32:12.144808
+
+"""
+
+from renku_data_services.app_config import logging
+from renku_data_services.authz.config import AuthzConfig
+from renku_data_services.authz.schemas import v11
+
+logger = logging.getLogger(__name__)
+
+# revision identifiers, used by Alembic.
+revision = "f2d4841e924b"
+down_revision = "65f8330c4d25"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    config = AuthzConfig.from_env()
+    client = config.authz_client()
+    responses = v11.upgrade(client)
+    logger.info(
+        f"Finished upgrading the Authz schema to version 11 in Alembic revision {revision}, response: {responses}"
+    )
+
+
+def downgrade() -> None:
+    config = AuthzConfig.from_env()
+    client = config.authz_client()
+    responses = v11.downgrade(client)
+    logger.info(
+        f"Finished downgrading the Authz schema from version 11 in Alembic revision {revision}, response: {responses}"
+    )

components/renku_data_services/namespace/db.py

@@ -19,7 +19,7 @@
 import renku_data_services.base_models as base_models
 from renku_data_services import errors
 from renku_data_services.app_config import logging
-from renku_data_services.authz.authz import Authz, AuthzOperation, ResourceType
+from renku_data_services.authz.authz import Authz, AuthzOperation, ResourceType, _AuthzConverter
 from renku_data_services.authz.models import CheckPermissionItem, Member, MembershipChange, Role, Scope, UnsavedMember
 from renku_data_services.base_api.pagination import PaginationRequest, paginate_queries
 from renku_data_services.base_models.core import (
@@ -379,6 +379,15 @@ async def insert_group(
             raise errors.ProgrammingError(message="A database session is required")
         if not user.id:
             raise errors.UnauthorizedError(message="Users need to be authenticated in order to create groups.")
+        allowed = await self.authz.has_permission(
+            user, ResourceType.platform, _AuthzConverter.platform().object_id, Scope.CREATE_GROUPS
+        )
+        if not allowed:
+            raise errors.ForbiddenError(
+                message="Your administrator has limited who can create groups in the "
+                "platform and you are not allowed to create groups.",
+            )
+
         creation_date = datetime.now(UTC).replace(microsecond=0)
         group = schemas.GroupORM(
             name=payload.name,