feat(BA-3696): Apply RBAC validator for User actions (#10055)

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: fregataa

changes/10055.feature.md

@@ -0,0 +1 @@
+Apply RBAC validator for User actions following the established pattern from Group, VFolder, and Session services

src/ai/backend/manager/api/rest/user/handler.py

@@ -102,7 +102,10 @@ async def create_user(
         )
 
         action_result = await self._user.create_user.wait_for_complete(
-            CreateUserAction(creator=creator, group_ids=body.parsed.group_ids)
+            CreateUserAction(
+                creator=creator,
+                group_ids=body.parsed.group_ids,
+            )
         )
 
         resp = CreateUserResponse(user=self._adapter.convert_to_dto(action_result.data.user))
@@ -182,7 +185,7 @@ async def update_user(
         updater = self._adapter.build_updater(body.parsed, email, password_info)
 
         action_result = await self._user.modify_user.wait_for_complete(
-            ModifyUserAction(email=email, updater=updater)
+            ModifyUserAction(user_uuid=path.parsed.user_id, email=email, updater=updater)
         )
 
         resp = UpdateUserResponse(user=self._adapter.convert_to_dto(action_result.data))
@@ -247,6 +250,7 @@ async def purge_user(
 
         await self._user.purge_user.wait_for_complete(
             PurgeUserAction(
+                user_uuid=body.parsed.user_id,
                 user_info_ctx=user_info_ctx,
                 email=get_result.user.email,
                 purge_shared_vfolders=purge_shared,

src/ai/backend/manager/repositories/user/db_source/db_source.py

@@ -107,8 +107,7 @@
     RoleUserSearchScope,
 )
 from ai.backend.manager.repositories.user.updaters import UserUpdaterSpec
-from ai.backend.manager.services.user.actions.create_user import UserCreateSpec
-from ai.backend.manager.services.user.actions.modify_user import UserUpdateSpec
+from ai.backend.manager.services.user.types import UserCreateSpec, UserUpdateSpec
 
 log = BraceStyleAdapter(logging.getLogger(__spec__.name))
 

src/ai/backend/manager/repositories/user/repository.py

@@ -40,8 +40,7 @@
     ProjectUserSearchScope,
     RoleUserSearchScope,
 )
-from ai.backend.manager.services.user.actions.create_user import UserCreateSpec
-from ai.backend.manager.services.user.actions.modify_user import UserUpdateSpec
+from ai.backend.manager.services.user.types import UserCreateSpec, UserUpdateSpec
 
 log = BraceStyleAdapter(logging.getLogger(__spec__.name))
 

src/ai/backend/manager/services/user/actions/__init__.py

@@ -7,9 +7,19 @@
     AdminMonthStatsAction,
     AdminMonthStatsActionResult,
 )
+from .base import (
+    UserAction,
+    UserScopeAction,
+    UserScopeActionResult,
+    UserSingleEntityAction,
+    UserSingleEntityActionResult,
+)
 from .create_user import (
+    BulkCreateUserAction,
+    BulkCreateUserActionResult,
     CreateUserAction,
     CreateUserActionResult,
+    UserCreateSpec,
 )
 from .delete_user import (
     DeleteUserAction,
@@ -20,8 +30,11 @@
     GetUserActionResult,
 )
 from .modify_user import (
+    BulkModifyUserAction,
+    BulkModifyUserActionResult,
     ModifyUserAction,
     ModifyUserActionResult,
+    UserUpdateSpec,
 )
 from .purge_user import (
     BulkPurgeUserAction,
@@ -41,6 +54,10 @@
     SearchUsersByProjectAction,
     SearchUsersByProjectActionResult,
 )
+from .search_users_by_role import (
+    SearchUsersByRoleAction,
+    SearchUsersByRoleActionResult,
+)
 from .user_month_stats import (
     UserMonthStatsAction,
     UserMonthStatsActionResult,
@@ -49,6 +66,12 @@
 __all__ = (
     "AdminMonthStatsAction",
     "AdminMonthStatsActionResult",
+    "BulkCreateUserAction",
+    "BulkCreateUserActionResult",
+    "BulkModifyUserAction",
+    "BulkModifyUserActionResult",
+    "BulkPurgeUserAction",
+    "BulkPurgeUserActionResult",
     "CreateUserAction",
     "CreateUserActionResult",
     "DeleteUserAction",
@@ -57,8 +80,6 @@
     "GetUserActionResult",
     "ModifyUserAction",
     "ModifyUserActionResult",
-    "BulkPurgeUserAction",
-    "BulkPurgeUserActionResult",
     "PurgeUserAction",
     "PurgeUserActionResult",
     "SearchUsersAction",
@@ -67,6 +88,15 @@
     "SearchUsersByDomainActionResult",
     "SearchUsersByProjectAction",
     "SearchUsersByProjectActionResult",
+    "SearchUsersByRoleAction",
+    "SearchUsersByRoleActionResult",
+    "UserAction",
+    "UserCreateSpec",
     "UserMonthStatsAction",
     "UserMonthStatsActionResult",
+    "UserScopeAction",
+    "UserScopeActionResult",
+    "UserSingleEntityAction",
+    "UserSingleEntityActionResult",
+    "UserUpdateSpec",
 )

src/ai/backend/manager/services/user/actions/base.py

@@ -2,10 +2,42 @@
 
 from ai.backend.common.data.permission.types import EntityType
 from ai.backend.manager.actions.action import BaseAction
+from ai.backend.manager.actions.action.scope import BaseScopeAction, BaseScopeActionResult
+from ai.backend.manager.actions.action.single_entity import (
+    BaseSingleEntityAction,
+    BaseSingleEntityActionResult,
+)
+from ai.backend.manager.actions.action.types import FieldData
 
 
 class UserAction(BaseAction):
     @override
     @classmethod
     def entity_type(cls) -> EntityType:
         return EntityType.USER
+
+
+class UserScopeAction(BaseScopeAction):
+    @override
+    @classmethod
+    def entity_type(cls) -> EntityType:
+        return EntityType.USER
+
+
+class UserScopeActionResult(BaseScopeActionResult):
+    pass
+
+
+class UserSingleEntityAction(BaseSingleEntityAction):
+    @override
+    @classmethod
+    def entity_type(cls) -> EntityType:
+        return EntityType.USER
+
+    @override
+    def field_data(self) -> FieldData | None:
+        return None
+
+
+class UserSingleEntityActionResult(BaseSingleEntityActionResult):
+    pass

src/ai/backend/manager/services/user/actions/create_user.py

@@ -1,44 +1,73 @@
+from __future__ import annotations
+
 from dataclasses import dataclass
-from typing import override
+from typing import cast, override
 
+from ai.backend.common.data.permission.types import RBACElementType, ScopeType
 from ai.backend.manager.actions.action import BaseActionResult
 from ai.backend.manager.actions.types import ActionOperationType
+from ai.backend.manager.data.permission.types import RBACElementRef
 from ai.backend.manager.data.user.types import BulkUserCreateResultData, UserCreateResultData
 from ai.backend.manager.models.user import UserRow
 from ai.backend.manager.repositories.base.creator import Creator
-from ai.backend.manager.services.user.actions.base import UserAction
+from ai.backend.manager.repositories.user.creators import UserCreatorSpec
+from ai.backend.manager.services.user.actions.base import (
+    UserAction,
+    UserScopeAction,
+    UserScopeActionResult,
+)
+from ai.backend.manager.services.user.types import UserCreateSpec
+
+__all__ = (
+    "CreateUserAction",
+    "CreateUserActionResult",
+    "UserCreateSpec",
+    "BulkCreateUserAction",
+    "BulkCreateUserActionResult",
+)
 
 
 @dataclass
-class CreateUserAction(UserAction):
-    creator: Creator[UserRow]
+class CreateUserAction(UserScopeAction):
+    creator: Creator[UserRow]  # spec: UserCreatorSpec
     group_ids: list[str] | None = None
 
-    @override
-    def entity_id(self) -> str | None:
-        return None
-
     @override
     @classmethod
     def operation_type(cls) -> ActionOperationType:
         return ActionOperationType.CREATE
 
+    @override
+    def scope_type(self) -> ScopeType:
+        return ScopeType.DOMAIN
+
+    @override
+    def scope_id(self) -> str:
+        spec = cast(UserCreatorSpec, self.creator.spec)
+        return spec.domain_name
+
+    @override
+    def target_element(self) -> RBACElementRef:
+        spec = cast(UserCreatorSpec, self.creator.spec)
+        return RBACElementRef(RBACElementType.DOMAIN, spec.domain_name)
+
 
 @dataclass
-class CreateUserActionResult(BaseActionResult):
+class CreateUserActionResult(UserScopeActionResult):
     data: UserCreateResultData
 
     @override
     def entity_id(self) -> str | None:
         return str(self.data.user.id)
 
+    @override
+    def scope_type(self) -> ScopeType:
+        return ScopeType.DOMAIN
 
-@dataclass
-class UserCreateSpec:
-    """Specification for creating a single user, including group assignments."""
-
-    creator: Creator[UserRow]
-    group_ids: list[str] | None = None
+    @override
+    def scope_id(self) -> str:
+        # UserCreateResultData always has domain_name set (from creator.spec.domain_name)
+        return self.data.user.domain_name or ""
 
 
 @dataclass

src/ai/backend/manager/services/user/actions/get_user.py

@@ -2,34 +2,46 @@
 from typing import override
 from uuid import UUID
 
-from ai.backend.manager.actions.action import BaseActionResult
+from ai.backend.common.data.permission.types import RBACElementType
 from ai.backend.manager.actions.types import ActionOperationType
+from ai.backend.manager.data.permission.types import RBACElementRef
 from ai.backend.manager.data.user.types import UserData
-from ai.backend.manager.services.user.actions.base import UserAction
+from ai.backend.manager.services.user.actions.base import (
+    UserSingleEntityAction,
+    UserSingleEntityActionResult,
+)
 
 
 @dataclass
-class GetUserAction(UserAction):
+class GetUserAction(UserSingleEntityAction):
     """Action to retrieve a single user by UUID."""
 
     user_uuid: UUID
 
-    @override
-    def entity_id(self) -> str | None:
-        return str(self.user_uuid)
-
     @override
     @classmethod
     def operation_type(cls) -> ActionOperationType:
         return ActionOperationType.GET
 
+    @override
+    def target_entity_id(self) -> str:
+        return str(self.user_uuid)
+
+    @override
+    def target_element(self) -> RBACElementRef:
+        return RBACElementRef(RBACElementType.USER, str(self.user_uuid))
+
 
 @dataclass
-class GetUserActionResult(BaseActionResult):
+class GetUserActionResult(UserSingleEntityActionResult):
     """Result of GetUserAction containing user data."""
 
     user: UserData
 
     @override
     def entity_id(self) -> str | None:
         return str(self.user.uuid)
+
+    @override
+    def target_entity_id(self) -> str:
+        return str(self.user.uuid)