[OPIK-5200] [BE] feat: add P3 workspace permission annotations #5785
LifeXplorer wants to merge 2 commits into main from
Add 8 new P3 workspace permissions (project_create, project_data_view, comment_write, trace_span_thread_annotate, trace_tag, online_evaluation_rule_update, alert_update, annotation_queue_create) and annotate ~30 endpoints across 7 resource classes with @RequiredPermissions. Includes 403 permission denial tests. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
📋 PR Linter Failed ❌ Missing Section. The description is missing the ❌ Missing Section. The description is missing the ❌ Missing Section. The description is missing the ❌ Missing Section. The description is missing the ❌ Missing Section. The description is missing the
Backend Tests - Integration Group 11 35 files 35 suites 2m 31s ⏱️ For more details on these failures, see this check. Results for commit d3003cc. ♻️ This comment has been updated with latest results.
Backend Tests - Integration Group 9 321 tests 319 ✅ 7m 28s ⏱️ For more details on these failures, see this check. Results for commit d3003cc. ♻️ This comment has been updated with latest results.
| ANNOTATION_QUEUE_ANNOTATE("annotation_queue_annotate"), | ||
| PROJECT_CREATE("project_create"), | ||
| PROJECT_DATA_VIEW("project_data_view"), | ||
| COMMENT_WRITE("comment_write"), | ||
| TRACE_SPAN_THREAD_ANNOTATE("trace_span_thread_annotate"), | ||
| TRACE_TAG("trace_tag"), | ||
| ONLINE_EVALUATION_RULE_UPDATE("online_evaluation_rule_update"), | ||
| ALERT_UPDATE("alert_update"), | ||
| ANNOTATION_QUEUE_CREATE("annotation_queue_create"); |
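Review bot: none of the eight new constants documents which operations it gates, and TRACE_SPAN_THREAD_ANNOTATE("trace_span_thread_annotate") covers three resource types under one permission while its neighbours (TRACE_TAG, COMMENT_WRITE) are scoped to a single action. Add a one-line Javadoc to each constant naming the resource and operation it protects, and state on TRACE_SPAN_THREAD_ANNOTATE that the shared grant across traces, spans and threads is intentional, so whoever assigns these strings to roles can tell how much access each one gives.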
New permission enums added at lines 24-32 aren't registered in the auth/permission registry or workspace roles. Should we update the registry and role assignments, or gate the change and verify resource annotations?
Finding type: Breaking Changes | Severity: 🔴 High
Prompt for AI Agents:
Before applying, verify this suggestion against the current code. In
apps/opik-backend/src/main/java/com/comet/opik/infrastructure/auth/WorkspaceUserPermission.java
around lines 24 to 32, the WorkspaceUserPermission enum was extended with new values
(e.g. ALERT_UPDATE, PROJECT_DATA_VIEW, COMMENT_WRITE, TRACE_SPAN_THREAD_ANNOTATE,
ONLINE_EVALUATION_RULE_UPDATE, ANNOTATION_QUEUE_CREATE). This change is breaking because
the permission registry, workspace role definitions, and any API key/role provisioning
were not updated to expose or grant these new permission strings. Update the
authorization subsystem: add these new permission strings to the permission
registry/service and ensure default workspace roles and system API keys are granted the
appropriate subset (or create a migration that grants them to existing roles), and/or
add a feature flag to gate the new resource annotations until roles are provisioned.
Also scan the resources that now require these permissions (AlertResource,
ProjectsResource, SpansResource, TracesResource, AutomationRuleEvaluatorsResource,
ManualEvaluationResource, AnnotationQueuesResource) and confirm each required permission
maps to a granted role or API key; adjust role assignments or tests accordingly.
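The coverage check requested in the comment above can run as a build-time test; the following is an added example, not code from this PR or the Opik project. The permission strings come from the PR, while the `RequiredPermissions` stand-in (the real annotation's shape is not shown on this page), `SampleProjectsResource`, and the role table are assumptions constructed for illustration.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class PermissionCoverageCheck {
    // Local stand-in for the PR's @RequiredPermissions (assumed shape: an array of permission strings).
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface RequiredPermissions { String[] value(); }

    // Constructed resource class; the method names are hypothetical.
    static class SampleProjectsResource {
        @RequiredPermissions("project_create") public void create() {}
        @RequiredPermissions("project_data_view") public void find() {}
        @RequiredPermissions({"trace_tag", "comment_write"}) public void tagAndComment() {}
    }

    // Map each required permission string to the endpoint methods that demand it.
    static Map<String, List<String>> requiredBy(Class<?>... resources) {
        Map<String, List<String>> out = new TreeMap<>();
        for (Class<?> r : resources)
            for (Method m : r.getDeclaredMethods()) {
                RequiredPermissions rp = m.getAnnotation(RequiredPermissions.class);
                if (rp == null) continue; // unannotated method: no permission demanded
                for (String p : rp.value())
                    out.computeIfAbsent(p, k -> new ArrayList<>()).add(r.getSimpleName() + "#" + m.getName());
            }
        return out;
    }

    // Permissions an endpoint requires but no role grants: every caller of those endpoints gets 403.
    static Map<String, List<String>> ungranted(Map<String, List<String>> required, Map<String, Set<String>> roles) {
        Set<String> granted = new HashSet<>();
        roles.values().forEach(granted::addAll);
        Map<String, List<String>> missing = new TreeMap<>(required);
        missing.keySet().removeAll(granted);
        return missing;
    }

    public static void main(String[] args) {
        // Constructed role table; the role names and their grants are assumptions.
        Map<String, Set<String>> roles = Map.of(
            "viewer", Set.of("project_data_view"),
            "editor", Set.of("project_data_view", "project_create", "comment_write"));
        Map<String, List<String>> missing = ungranted(requiredBy(SampleProjectsResource.class), roles);
        missing.forEach((perm, sites) -> System.out.println("no role grants " + perm + " (required by " + sites + ")"));
        if (!missing.isEmpty()) System.exit(1); // fail the build while a gated endpoint is unreachable
    }
}
```

With the constructed data the check reports `trace_tag` as required by `SampleProjectsResource#tagAndComment` but granted to no role, and exits non-zero.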
| WORKSPACE_SETTINGS_CONFIGURE("workspace_settings_configure"), | ||
| AI_PROVIDER_UPDATE("ai_provider_update"), | ||
| ANNOTATION_QUEUE_ANNOTATE("annotation_queue_annotate"); | ||
| ANNOTATION_QUEUE_ANNOTATE("annotation_queue_annotate"), |
Nit: list similar enum values together (annotation queues etc.)
Summary
- WorkspaceUserPermission enum: project_create, project_data_view, comment_write, trace_span_thread_annotate, trace_tag, online_evaluation_rule_update, alert_update, annotation_queue_create
- (ProjectsResource, TracesResource, SpansResource, AlertResource, AutomationRuleEvaluatorsResource, ManualEvaluationResource, AnnotationQueuesResource) with @RequiredPermissions

Test plan
- ProjectsResourceTest, TracesResourceTest, SpansResourceTest, AlertResourceTest, AutomationRuleEvaluatorsResourceTest, ManualEvaluationResourceTest, AnnotationQueuesResourceTest

🤖 Generated with Claude Code