refactor(BA-5073): Apply RBAC Creator pattern to DeploymentRevision (#10016)

fregataa · claude · lablup-octodog · web-flow · commit 3e21c8e184e4 · 2026-03-19T14:15:27.000+09:00
Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
Co-authored-by: octodog &lt;mu001@lablup.com&gt;
diff --git a/changes/10016.enhance.md b/changes/10016.enhance.md
@@ -0,0 +1 @@
+Apply RBAC Creator pattern to auto sub-entity (BA-5073)
diff --git a/docs/manager/graphql-reference/supergraph.graphql b/docs/manager/graphql-reference/supergraph.graphql
@@ -10492,6 +10492,7 @@ enum RBACElementType
   NOTIFICATION_RULE @join__enumValue(graph: STRAWBERRY)
   DEPLOYMENT_TOKEN @join__enumValue(graph: STRAWBERRY)
   DEPLOYMENT_POLICY @join__enumValue(graph: STRAWBERRY)
+  DEPLOYMENT_REVISION @join__enumValue(graph: STRAWBERRY)
   ARTIFACT_REVISION @join__enumValue(graph: STRAWBERRY)
 }
 
diff --git a/docs/manager/graphql-reference/v2-schema.graphql b/docs/manager/graphql-reference/v2-schema.graphql
@@ -6079,6 +6079,7 @@ enum RBACElementType {
   NOTIFICATION_RULE
   DEPLOYMENT_TOKEN
   DEPLOYMENT_POLICY
+  DEPLOYMENT_REVISION
   ARTIFACT_REVISION
 }
 
diff --git a/src/ai/backend/common/data/permission/types.py b/src/ai/backend/common/data/permission/types.py
@@ -391,6 +391,7 @@ class RBACElementType(enum.StrEnum):
     # === Auto sub-entities with direct GET APIs ===
     DEPLOYMENT_TOKEN = "deployment:token"
     DEPLOYMENT_POLICY = "deployment:policy"
+    DEPLOYMENT_REVISION = "deployment:revision"
 
     # === Entity-level scopes (for entity-scope permissions) ===
     ARTIFACT_REVISION = "artifact_revision"
diff --git a/src/ai/backend/manager/api/gql/rbac/types/entity.py b/src/ai/backend/manager/api/gql/rbac/types/entity.py
@@ -167,6 +167,7 @@ async def entity(
                 | RBACElementType.ROUTING
                 | RBACElementType.DEPLOYMENT_TOKEN
                 | RBACElementType.DEPLOYMENT_POLICY
+                | RBACElementType.DEPLOYMENT_REVISION
             ):
                 return None
 
diff --git a/src/ai/backend/manager/api/gql/rbac/types/permission.py b/src/ai/backend/manager/api/gql/rbac/types/permission.py
@@ -87,6 +87,7 @@ class RBACElementTypeGQL(StrEnum):
     # Auto sub-entities with direct GET APIs
     DEPLOYMENT_TOKEN = "deployment:token"
     DEPLOYMENT_POLICY = "deployment:policy"
+    DEPLOYMENT_REVISION = "deployment:revision"
 
     # Entity-level scopes
     ARTIFACT_REVISION = "artifact_revision"
@@ -266,6 +267,7 @@ async def scope(
                 | RBACElementType.ROUTING
                 | RBACElementType.DEPLOYMENT_TOKEN
                 | RBACElementType.DEPLOYMENT_POLICY
+                | RBACElementType.DEPLOYMENT_REVISION
             ):
                 return None
 
diff --git a/src/ai/backend/manager/repositories/deployment/db_source/db_source.py b/src/ai/backend/manager/repositories/deployment/db_source/db_source.py
@@ -1,5 +1,6 @@
 """Database source implementation for deployment repository."""
 
+import dataclasses
 import uuid
 from collections import Counter, defaultdict
 from collections.abc import AsyncIterator, Mapping, Sequence
@@ -2037,7 +2038,7 @@ async def get_latest_revision_number(
 
     async def create_revision(
         self,
-        creator: Creator[DeploymentRevisionRow],
+        creator: RBACEntityCreator[DeploymentRevisionRow],
     ) -> ModelRevisionData:
         """Create a new deployment revision for an endpoint.
 
@@ -2052,16 +2053,12 @@ async def create_revision(
         This requires adding a `revision_history_limit` column to EndpointRow.
         """
         async with self._begin_session_read_committed() as db_sess:
-            spec = cast(DeploymentRevisionCreatorSpec, creator.spec)
-
-            row = spec.build_row()
-            db_sess.add(row)
-            await db_sess.flush()
-            return row.to_data()
+            rbac_result = await execute_rbac_entity_creator(db_sess, creator)
+            return rbac_result.row.to_data()
 
     async def create_revision_with_next_number(
         self,
-        creator: Creator[DeploymentRevisionRow],
+        creator: RBACEntityCreator[DeploymentRevisionRow],
         endpoint_id: uuid.UUID,
     ) -> ModelRevisionData:
         """Atomically read the latest revision number and create a new revision.
@@ -2089,14 +2086,14 @@ async def create_revision_with_next_number(
             )
             result = await db_sess.execute(max_query)
             latest_revision_number = result.scalar()
-            next_revision_number = (latest_revision_number or 0) + 1
+            next_number = (latest_revision_number or 0) + 1
 
             spec = cast(DeploymentRevisionCreatorSpec, creator.spec)
-            spec = spec.with_revision_number(next_revision_number)
-            row = spec.build_row()
-            db_sess.add(row)
-            await db_sess.flush()
-            return row.to_data()
+            updated_creator = dataclasses.replace(
+                creator, spec=spec.with_revision_number(next_number)
+            )
+            rbac_result = await execute_rbac_entity_creator(db_sess, updated_creator)
+            return rbac_result.row.to_data()
 
     async def get_revision(
         self,
diff --git a/src/ai/backend/manager/repositories/deployment/repository.py b/src/ai/backend/manager/repositories/deployment/repository.py
@@ -1057,15 +1057,15 @@ async def get_default_architecture_from_scaling_group(
     @deployment_repository_resilience.apply()
     async def create_revision(
         self,
-        creator: Creator[DeploymentRevisionRow],
+        creator: RBACEntityCreator[DeploymentRevisionRow],
     ) -> ModelRevisionData:
         """Create a new deployment revision."""
         return await self._db_source.create_revision(creator)
 
     @deployment_repository_resilience.apply()
     async def create_revision_with_next_number(
         self,
-        creator: Creator[DeploymentRevisionRow],
+        creator: RBACEntityCreator[DeploymentRevisionRow],
         endpoint_id: uuid.UUID,
     ) -> ModelRevisionData:
         """Atomically read the latest revision number and create a new revision.
diff --git a/src/ai/backend/manager/services/deployment/service.py b/src/ai/backend/manager/services/deployment/service.py
@@ -37,9 +37,7 @@
 from ai.backend.manager.data.permission.types import RBACElementRef
 from ai.backend.manager.errors.service import RoutingNotFound
 from ai.backend.manager.models.deployment_policy import DeploymentPolicyRow
-from ai.backend.manager.models.deployment_revision import DeploymentRevisionRow
 from ai.backend.manager.models.endpoint import EndpointRow, EndpointTokenRow
-from ai.backend.manager.repositories.base import Creator
 from ai.backend.manager.repositories.base.rbac.entity_creator import RBACEntityCreator
 from ai.backend.manager.repositories.base.upserter import Upserter
 from ai.backend.manager.repositories.deployment import DeploymentRepository
@@ -611,7 +609,14 @@ async def _build_revision(
             # TODO: Convert merged_creator.mounts.extra_mounts (list[MountInfo]) to Sequence[VFolderMount] instead of discarding.
             extra_mounts=(),
         )
-        creator: Creator[DeploymentRevisionRow] = Creator(spec=spec)
+        creator = RBACEntityCreator(
+            spec=spec,
+            element_type=RBACElementType.DEPLOYMENT_REVISION,
+            scope_ref=RBACElementRef(
+                element_type=RBACElementType.MODEL_DEPLOYMENT,
+                element_id=str(deployment_id),
+            ),
+        )
         return await self._deployment_repository.create_revision_with_next_number(
             creator, deployment_id
         )
diff --git a/tests/unit/manager/repositories/deployment/test_deployment_repository.py b/tests/unit/manager/repositories/deployment/test_deployment_repository.py
@@ -1198,6 +1198,7 @@ async def db_with_cleanup(
                 ImageRow,
                 EndpointRow,
                 EntityFieldRow,  # DeploymentRevisionRow relationship dependency
+                AssociationScopesEntitiesRow,  # RBACEntityCreator dependency
                 DeploymentRevisionRow,
                 DeploymentPolicyRow,
             ],
@@ -1455,7 +1456,16 @@ async def test_revision_data(
             runtime_variant=RuntimeVariant.CUSTOM,
             extra_mounts=[],
         )
-        return await deployment_repository.create_revision(Creator(spec=spec))
+        return await deployment_repository.create_revision(
+            RBACEntityCreator(
+                spec=spec,
+                element_type=RBACElementType.DEPLOYMENT_REVISION,
+                scope_ref=RBACElementRef(
+                    element_type=RBACElementType.MODEL_DEPLOYMENT,
+                    element_id=str(test_endpoint_id),
+                ),
+            )
+        )
 
     @pytest.fixture
     async def test_multiple_revisions(
@@ -1488,7 +1498,16 @@ async def test_multiple_revisions(
                 runtime_variant=RuntimeVariant.CUSTOM,
                 extra_mounts=[],
             )
-            revision = await deployment_repository.create_revision(Creator(spec=spec))
+            revision = await deployment_repository.create_revision(
+                RBACEntityCreator(
+                    spec=spec,
+                    element_type=RBACElementType.DEPLOYMENT_REVISION,
+                    scope_ref=RBACElementRef(
+                        element_type=RBACElementType.MODEL_DEPLOYMENT,
+                        element_id=str(test_endpoint_id),
+                    ),
+                )
+            )
             revisions.append(revision)
         return revisions
 
@@ -1523,7 +1542,16 @@ async def test_five_revisions(
                 runtime_variant=RuntimeVariant.CUSTOM,
                 extra_mounts=[],
             )
-            revision = await deployment_repository.create_revision(Creator(spec=spec))
+            revision = await deployment_repository.create_revision(
+                RBACEntityCreator(
+                    spec=spec,
+                    element_type=RBACElementType.DEPLOYMENT_REVISION,
+                    scope_ref=RBACElementRef(
+                        element_type=RBACElementType.MODEL_DEPLOYMENT,
+                        element_id=str(test_endpoint_id),
+                    ),
+                )
+            )
             revisions.append(revision)
         return revisions
 
@@ -1534,7 +1562,7 @@ async def test_create_revision(
         test_image_id: uuid.UUID,
         test_scaling_group_name: str,
     ) -> None:
-        """Test creating a deployment revision using Creator."""
+        """Test creating a deployment revision using RBACEntityCreator."""
         spec = DeploymentRevisionCreatorSpec(
             endpoint_id=test_endpoint_id,
             revision_number=1,
@@ -1555,7 +1583,14 @@ async def test_create_revision(
             runtime_variant=RuntimeVariant.CUSTOM,
             extra_mounts=[],
         )
-        creator = Creator(spec=spec)
+        creator = RBACEntityCreator(
+            spec=spec,
+            element_type=RBACElementType.DEPLOYMENT_REVISION,
+            scope_ref=RBACElementRef(
+                element_type=RBACElementType.MODEL_DEPLOYMENT,
+                element_id=str(test_endpoint_id),
+            ),
+        )
 
         result = await deployment_repository.create_revision(creator)
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Apply RBAC Creator pattern to auto sub-entity (BA-5073)`
Original file line number	Diff line number	Diff line change
`@@ -10492,6 +10492,7 @@ enum RBACElementType`
`10492`	`10492`	`NOTIFICATION_RULE @join__enumValue(graph: STRAWBERRY)`
`10493`	`10493`	`DEPLOYMENT_TOKEN @join__enumValue(graph: STRAWBERRY)`
`10494`	`10494`	`DEPLOYMENT_POLICY @join__enumValue(graph: STRAWBERRY)`
	`10495`	`+ DEPLOYMENT_REVISION @join__enumValue(graph: STRAWBERRY)`
`10495`	`10496`	`ARTIFACT_REVISION @join__enumValue(graph: STRAWBERRY)`
`10496`	`10497`	`}`
`10497`	`10498`
Original file line number	Diff line number	Diff line change
`@@ -6079,6 +6079,7 @@ enum RBACElementType {`
`6079`	`6079`	`NOTIFICATION_RULE`
`6080`	`6080`	`DEPLOYMENT_TOKEN`
`6081`	`6081`	`DEPLOYMENT_POLICY`
	`6082`	`+ DEPLOYMENT_REVISION`
`6082`	`6083`	`ARTIFACT_REVISION`
`6083`	`6084`	`}`
`6084`	`6085`