feat(BA-2946): connect RBAC validators to SessionProcessors

- Add permission_repository parameter to SessionProcessors.__init__
- Instantiate ScopeActionRBACValidator and SingleEntityActionRBACValidator
- Apply scope validator to 6 scope actions (create_cluster, create_from_params, create_from_template, match_sessions, search_kernels, search_sessions)
- Apply single entity validator to 4 single entity actions (destroy_session, execute_session, get_session_info, modify_session)
- Reorganize processor initialization into three logical sections: no validation, scope validation, single entity validation

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: fregataa

src/ai/backend/manager/services/processors.py

@@ -543,7 +543,11 @@ def create(cls, args: ProcessorArgs, action_monitors: list[ActionMonitor]) -> Se
         vfolder_sharing_processors = VFolderSharingProcessors(
             services.vfolder_sharing, action_monitors
         )
-        session_processors = SessionProcessors(services.session, action_monitors)
+        session_processors = SessionProcessors(
+            services.session,
+            action_monitors,
+            args.service_args.repositories.permission_controller.repository,
+        )
         keypair_resource_policy_processors = KeypairResourcePolicyProcessors(
             services.keypair_resource_policy, action_monitors
         )

src/ai/backend/manager/services/session/processors.py

@@ -1,8 +1,14 @@
-from typing import override
+from typing import cast, override
 
 from ai.backend.manager.actions.monitors.monitor import ActionMonitor
 from ai.backend.manager.actions.processor import ActionProcessor
 from ai.backend.manager.actions.types import AbstractProcessorPackage, ActionSpec
+from ai.backend.manager.actions.validator.base import ActionValidator
+from ai.backend.manager.actions.validators.rbac.scope import ScopeActionRBACValidator
+from ai.backend.manager.actions.validators.rbac.single_entity import SingleEntityActionRBACValidator
+from ai.backend.manager.repositories.permission_controller.repository import (
+    PermissionControllerRepository,
+)
 from ai.backend.manager.services.session.actions.check_and_transit_status import (
     CheckAndTransitStatusAction,
     CheckAndTransitStatusActionResult,
@@ -165,43 +171,95 @@ class SessionProcessors(AbstractProcessorPackage):
         CheckAndTransitStatusAction, CheckAndTransitStatusActionResult
     ]
 
-    def __init__(self, service: SessionService, action_monitors: list[ActionMonitor]) -> None:
+    def __init__(
+        self,
+        service: SessionService,
+        action_monitors: list[ActionMonitor],
+        permission_repository: PermissionControllerRepository,
+    ) -> None:
+        # Create RBAC validators
+        scope_validator = ScopeActionRBACValidator(permission_repository)
+        single_entity_validator = SingleEntityActionRBACValidator(permission_repository)
+
+        # Actions without RBAC validation (internal/legacy)
         self.commit_session = ActionProcessor(service.commit_session, action_monitors)
         self.complete = ActionProcessor(service.complete, action_monitors)
         self.convert_session_to_image = ActionProcessor(
             service.convert_session_to_image, action_monitors
         )
-        self.create_cluster = ActionProcessor(service.create_cluster, action_monitors)
-        self.create_from_params = ActionProcessor(service.create_from_params, action_monitors)
-        self.create_from_template = ActionProcessor(service.create_from_template, action_monitors)
-        self.destroy_session = ActionProcessor(service.destroy_session, action_monitors)
         self.download_file = ActionProcessor(service.download_file, action_monitors)
         self.download_files = ActionProcessor(service.download_files, action_monitors)
-        self.execute_session = ActionProcessor(service.execute_session, action_monitors)
         self.get_abusing_report = ActionProcessor(service.get_abusing_report, action_monitors)
         self.get_commit_status = ActionProcessor(service.get_commit_status, action_monitors)
         self.get_container_logs = ActionProcessor(service.get_container_logs, action_monitors)
         self.get_dependency_graph = ActionProcessor(service.get_dependency_graph, action_monitors)
         self.get_direct_access_info = ActionProcessor(
             service.get_direct_access_info, action_monitors
         )
-        self.get_session_info = ActionProcessor(service.get_session_info, action_monitors)
         self.get_status_history = ActionProcessor(service.get_status_history, action_monitors)
         self.interrupt = ActionProcessor(service.interrupt, action_monitors)
         self.list_files = ActionProcessor(service.list_files, action_monitors)
-        self.match_sessions = ActionProcessor(service.match_sessions, action_monitors)
         self.rename_session = ActionProcessor(service.rename_session, action_monitors)
         self.restart_session = ActionProcessor(service.restart_session, action_monitors)
-        self.search_kernels = ActionProcessor(service.search_kernels, action_monitors)
-        self.search_sessions = ActionProcessor(service.search, action_monitors)
         self.shutdown_service = ActionProcessor(service.shutdown_service, action_monitors)
         self.start_service = ActionProcessor(service.start_service, action_monitors)
         self.upload_files = ActionProcessor(service.upload_files, action_monitors)
-        self.modify_session = ActionProcessor(service.modify_session, action_monitors)
         self.check_and_transit_status = ActionProcessor(
             service.check_and_transit_status, action_monitors
         )
 
+        # Scope actions with RBAC validation
+        self.create_cluster = ActionProcessor(
+            service.create_cluster,
+            action_monitors,
+            validators=[cast(ActionValidator, scope_validator)],
+        )
+        self.create_from_params = ActionProcessor(
+            service.create_from_params,
+            action_monitors,
+            validators=[cast(ActionValidator, scope_validator)],
+        )
+        self.create_from_template = ActionProcessor(
+            service.create_from_template,
+            action_monitors,
+            validators=[cast(ActionValidator, scope_validator)],
+        )
+        self.match_sessions = ActionProcessor(
+            service.match_sessions,
+            action_monitors,
+            validators=[cast(ActionValidator, scope_validator)],
+        )
+        self.search_kernels = ActionProcessor(
+            service.search_kernels,
+            action_monitors,
+            validators=[cast(ActionValidator, scope_validator)],
+        )
+        self.search_sessions = ActionProcessor(
+            service.search, action_monitors, validators=[cast(ActionValidator, scope_validator)]
+        )
+
+        # Single entity actions with RBAC validation
+        self.destroy_session = ActionProcessor(
+            service.destroy_session,
+            action_monitors,
+            validators=[cast(ActionValidator, single_entity_validator)],
+        )
+        self.execute_session = ActionProcessor(
+            service.execute_session,
+            action_monitors,
+            validators=[cast(ActionValidator, single_entity_validator)],
+        )
+        self.get_session_info = ActionProcessor(
+            service.get_session_info,
+            action_monitors,
+            validators=[cast(ActionValidator, single_entity_validator)],
+        )
+        self.modify_session = ActionProcessor(
+            service.modify_session,
+            action_monitors,
+            validators=[cast(ActionValidator, single_entity_validator)],
+        )
+
     @override
     def supported_actions(self) -> list[ActionSpec]:
         return [