feat(BA-5681): auto-sync user-scope entries on role assign/unassign (#10990)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: fregataa

changes/10990.feature.md

@@ -0,0 +1 @@
+Auto-sync user-scope membership entries in `association_scopes_entities` when roles are assigned or revoked

src/ai/backend/manager/repositories/group/db_source/db_source.py

@@ -858,6 +858,9 @@ async def bind_user_to_project(self, user_id: UUID, project_id: UUID) -> None:
         """Add a user to a project (business association + RBAC scope binding).
 
         Skips if the user is already a member of the project.
+
+        TODO: Remove once association_groups_users is fully migrated to
+        association_scopes_entities.
         """
         async with self._db.begin_session() as session:
             already_bound = await session.scalar(
@@ -878,7 +881,11 @@ async def bind_user_to_project(self, user_id: UUID, project_id: UUID) -> None:
             await execute_rbac_scope_binder(session, RBACScopeBinder(pairs=[pair]))
 
     async def unbind_user_from_project(self, user_id: UUID, project_id: UUID) -> None:
-        """Remove a user from a project (business association + RBAC scope binding)."""
+        """Remove a user from a project (business association + RBAC scope binding).
+
+        TODO: Remove once association_groups_users is fully migrated to
+        association_scopes_entities.
+        """
         async with self._db.begin_session() as session:
             await session.execute(
                 sa.delete(AssocGroupUserRow).where(

src/ai/backend/manager/repositories/group/repository.py

@@ -144,12 +144,19 @@ async def bind_user_to_project(self, user_id: UUID, project_id: UUID) -> None:
         """Add a user to a project (business association + RBAC scope binding).
 
         Skips if the user is already a member of the project.
+
+        TODO: Remove once association_groups_users is fully migrated to
+        association_scopes_entities.
         """
         await self._db_source.bind_user_to_project(user_id, project_id)
 
     @group_repository_resilience.apply()
     async def unbind_user_from_project(self, user_id: UUID, project_id: UUID) -> None:
-        """Remove a user from a project (business association + RBAC scope binding)."""
+        """Remove a user from a project (business association + RBAC scope binding).
+
+        TODO: Remove once association_groups_users is fully migrated to
+        association_scopes_entities.
+        """
         await self._db_source.unbind_user_from_project(user_id, project_id)
 
     @group_repository_resilience.apply()

src/ai/backend/manager/repositories/permission_controller/db_source/db_source.py

@@ -1,10 +1,11 @@
 import logging
 import uuid
-from collections.abc import Iterable, Sequence
+from collections.abc import Collection, Iterable, Sequence
 from dataclasses import dataclass, field
 from typing import Any, cast
 
 import sqlalchemy as sa
+from sqlalchemy.dialects.postgresql import insert as pg_insert
 from sqlalchemy.ext.asyncio import AsyncSession as SASession
 from sqlalchemy.orm import contains_eager, selectinload
 
@@ -106,6 +107,83 @@ class PermissionDBSource:
     def __init__(self, db: ExtendedAsyncSAEngine) -> None:
         self._db = db
 
+    @staticmethod
+    async def _sync_user_scopes_on_assign(
+        db_session: SASession,
+        user_ids: Collection[uuid.UUID],
+    ) -> None:
+        """Ensure user-scope membership entries exist for all assigned roles.
+
+        For each user, finds every scope bound to any of their assigned roles
+        and inserts the corresponding user-scope entries.  Executed as a single
+        ``INSERT … SELECT`` so the role lookup and insert share the same snapshot.
+        """
+        if not user_ids:
+            return
+        ase = AssociationScopesEntitiesRow
+        source = (
+            sa.select(
+                ase.scope_type,
+                ase.scope_id,
+                sa.literal(EntityType.USER.value).label("entity_type"),
+                sa.cast(UserRoleRow.user_id, sa.String).label("entity_id"),
+                sa.literal(RelationType.AUTO.value).label("relation_type"),
+            )
+            .join(
+                UserRoleRow,
+                sa.cast(UserRoleRow.role_id, sa.String) == ase.entity_id,
+            )
+            .where(
+                ase.entity_type == EntityType.ROLE,
+                UserRoleRow.user_id.in_(user_ids),
+            )
+        )
+        await db_session.execute(
+            pg_insert(ase)
+            .from_select(
+                ["scope_type", "scope_id", "entity_type", "entity_id", "relation_type"],
+                source,
+            )
+            .on_conflict_do_nothing()
+        )
+
+    @staticmethod
+    async def _sync_user_scopes_on_revoke(
+        db_session: SASession,
+        user_ids: Collection[uuid.UUID],
+    ) -> None:
+        """Remove user-scope entries no longer covered by any assigned role.
+
+        Deletes user-scope rows for *user_ids* when no assigned role binds
+        the user to that scope.  Executed as a single ``DELETE`` statement
+        so the coverage check and deletion share the same snapshot.
+        """
+        if not user_ids:
+            return
+        ase = AssociationScopesEntitiesRow
+        str_user_ids = [str(uid) for uid in user_ids]
+        ase_remaining = sa.orm.aliased(ase, flat=True)
+        await db_session.execute(
+            sa.delete(ase).where(
+                ase.entity_type == EntityType.USER,
+                ase.entity_id.in_(str_user_ids),
+                ~sa.exists(
+                    sa.select(sa.literal(1))
+                    .select_from(ase_remaining)
+                    .join(
+                        UserRoleRow,
+                        sa.cast(UserRoleRow.role_id, sa.String) == ase_remaining.entity_id,
+                    )
+                    .where(
+                        ase_remaining.entity_type == EntityType.ROLE,
+                        ase_remaining.scope_type == ase.scope_type,
+                        ase_remaining.scope_id == ase.scope_id,
+                        sa.cast(UserRoleRow.user_id, sa.String) == ase.entity_id,
+                    )
+                ),
+            )
+        )
+
     # ------------------------------------------------------------------ role CRUD
 
     async def create_role(self, input_data: CreateRoleInput) -> RoleRow:
@@ -276,6 +354,7 @@ async def assign_role(self, data: UserRoleAssignmentInput) -> UserRoleRow:
                 )
             )
             result = await execute_creator(db_session, creator)
+            await self._sync_user_scopes_on_assign(db_session, [data.user_id])
             return result.row
 
     async def revoke_role(self, data: UserRoleRevocationInput) -> RoleRevocationResult:
@@ -299,8 +378,13 @@ async def revoke_role(self, data: UserRoleRevocationInput) -> RoleRevocationResu
             await db_session.delete(user_role_row)
             await db_session.flush()
 
-            # Single query: find projects this role belongs to and count
-            # remaining user-role mappings per project
+            await self._sync_user_scopes_on_revoke(db_session, [data.user_id])
+
+            # Used by PermissionControllerService.revoke_role() to decide whether
+            # to call GroupDBSource.unbind_user_from_project().
+            # TODO: remove this query when unbind_user_from_project() is retired
+            # (i.e. association_groups_users is fully migrated to
+            # association_scopes_entities).
             ase = AssociationScopesEntitiesRow
             project_subq = (
                 sa.select(ase.scope_id).where(
@@ -1041,7 +1125,10 @@ async def bulk_assign_role(
         self, bulk_creator: BulkCreator[UserRoleRow]
     ) -> BulkCreatorResultWithFailures[UserRoleRow]:
         async with self._db.begin_session() as db_session:
-            return await execute_bulk_creator_partial(db_session, bulk_creator)
+            result = await execute_bulk_creator_partial(db_session, bulk_creator)
+            all_user_ids = [row.user_id for row in result.successes]
+            await self._sync_user_scopes_on_assign(db_session, all_user_ids)
+            return result
 
     async def bulk_revoke_role(
         self, data: BulkUserRoleRevocationInput
@@ -1081,5 +1168,7 @@ async def bulk_revoke_role(
                         str(e),
                     )
                     failures.append(BulkRoleRevocationFailure(user_id=user_id, message=str(e)))
+            revoked_user_ids = [s.user_id for s in successes]
+            await self._sync_user_scopes_on_revoke(db_session, revoked_user_ids)
 
         return BulkRoleRevocationResultData(successes=successes, failures=failures)