feat(BA-5613): implement blind role invitation data layer and service (#11181)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: octodog <mu001@lablup.com>

Author: 3 people

changes/11181.feature.md

@@ -0,0 +1 @@
+Add blind role invitation data layer: model, migration, RBAC actions, and service for inviting users to project roles by email

docs/manager/graphql-reference/supergraph.graphql

@@ -13818,6 +13818,7 @@ enum RBACElementType
   DEPLOYMENT_POLICY @join__enumValue(graph: STRAWBERRY)
   DEPLOYMENT_REVISION @join__enumValue(graph: STRAWBERRY)
   IMAGE_ALIAS @join__enumValue(graph: STRAWBERRY)
+  ROLE_ASSIGNMENT @join__enumValue(graph: STRAWBERRY)
   ARTIFACT_REVISION @join__enumValue(graph: STRAWBERRY)
 }
 

docs/manager/graphql-reference/v2-schema.graphql

@@ -8970,6 +8970,7 @@ enum RBACElementType {
   DEPLOYMENT_POLICY
   DEPLOYMENT_REVISION
   IMAGE_ALIAS
+  ROLE_ASSIGNMENT
   ARTIFACT_REVISION
 }
 

src/ai/backend/common/data/permission/types.py

@@ -412,6 +412,7 @@ class RBACElementType(enum.StrEnum):
     DEPLOYMENT_POLICY = "deployment:policy"
     DEPLOYMENT_REVISION = "deployment:revision"
     IMAGE_ALIAS = "image:alias"
+    ROLE_ASSIGNMENT = "role:assignment"
 
     # === Entity-level scopes (for entity-scope permissions) ===
     ARTIFACT_REVISION = "artifact_revision"

src/ai/backend/common/dto/manager/v2/rbac/types.py

@@ -116,6 +116,7 @@ class RBACElementTypeDTO(StrEnum):
     DEPLOYMENT_POLICY = "deployment:policy"
     DEPLOYMENT_REVISION = "deployment:revision"
     IMAGE_ALIAS = "image:alias"
+    ROLE_ASSIGNMENT = "role:assignment"
 
     # Entity-level scopes
     ARTIFACT_REVISION = "artifact_revision"

src/ai/backend/common/exception.py

@@ -184,6 +184,7 @@ class ErrorDomain(enum.StrEnum):
     PROMETHEUS_QUERY_PRESET = "prometheus-query-preset"
     PROMETHEUS_QUERY_PRESET_CATEGORY = "prometheus-query-preset-category"
     RUNTIME_VARIANT = "runtime-variant"
+    ROLE_INVITATION = "role-invitation"
 
     EXTERNAL_SYSTEM = "external-system"  # Errors from external systems
 

src/ai/backend/manager/actions/action/__init__.py

@@ -33,6 +33,13 @@
     ProjectSoftDeleteRBACAction,
     ProjectUpdateRBACAction,
 )
+from .rbac_role_invitation import (
+    AcceptRoleInvitationAction,
+    CancelRoleInvitationAction,
+    CreateRoleInvitationByEmailAction,
+    RejectRoleInvitationAction,
+    RoleInvitationReadRBACAction,
+)
 from .rbac_session import (
     SessionCreateRBACAction,
     SessionGetRBACAction,
@@ -104,6 +111,11 @@
     VFolderGrantUpdateRBACAction,
     VFolderGrantSoftDeleteRBACAction,
     VFolderGrantHardDeleteRBACAction,
+    CreateRoleInvitationByEmailAction,
+    RoleInvitationReadRBACAction,
+    AcceptRoleInvitationAction,
+    RejectRoleInvitationAction,
+    CancelRoleInvitationAction,
 )
 
 __all__ = (

src/ai/backend/manager/actions/action/rbac_role_invitation.py

@@ -0,0 +1,134 @@
+"""RBAC action declarations for role invitation operations.
+
+Each class is both an RBAC permission declaration (registered in
+RBAC_ACTION_REGISTRY) and a data-carrying action that the service layer
+receives.
+"""
+
+from dataclasses import dataclass, field
+from typing import override
+from uuid import UUID
+
+from ai.backend.common.data.permission.types import OperationType, RBACElementType
+from ai.backend.manager.actions.action.rbac import (
+    BaseRBACAction,
+    RBACActionName,
+    RBACRequiredPermission,
+)
+from ai.backend.manager.data.role_invitation.types import RoleInvitationData
+
+
+@dataclass
+class CreateRoleInvitationByEmailAction(BaseRBACAction):
+    """Project admin creates role invitations by invitee emails."""
+
+    invitee_emails: list[str]
+    inviter_user_id: UUID
+    role_id: UUID
+
+    @classmethod
+    @override
+    def action_name(cls) -> RBACActionName:
+        return RBACActionName.CREATE
+
+    @classmethod
+    @override
+    def required_permission(cls) -> RBACRequiredPermission:
+        return RBACRequiredPermission(RBACElementType.ROLE_ASSIGNMENT, OperationType.CREATE)
+
+    @classmethod
+    @override
+    def permission_scope(cls) -> RBACElementType:
+        return RBACElementType.PROJECT
+
+
+@dataclass
+class CreateRoleInvitationResult:
+    """Result of creating role invitations."""
+
+    created: list[RoleInvitationData] = field(default_factory=list)
+
+
+class RoleInvitationReadRBACAction(BaseRBACAction):
+    """Read / search role invitations."""
+
+    @classmethod
+    @override
+    def action_name(cls) -> RBACActionName:
+        return RBACActionName.SEARCH
+
+    @classmethod
+    @override
+    def required_permission(cls) -> RBACRequiredPermission:
+        return RBACRequiredPermission(RBACElementType.ROLE_ASSIGNMENT, OperationType.READ)
+
+    @classmethod
+    @override
+    def permission_scope(cls) -> RBACElementType:
+        return RBACElementType.PROJECT
+
+
+@dataclass
+class AcceptRoleInvitationAction(BaseRBACAction):
+    """Invitee accepts a role invitation."""
+
+    invitation_id: UUID
+
+    @classmethod
+    @override
+    def action_name(cls) -> RBACActionName:
+        return RBACActionName.UPDATE
+
+    @classmethod
+    @override
+    def required_permission(cls) -> RBACRequiredPermission:
+        return RBACRequiredPermission(RBACElementType.ROLE_ASSIGNMENT, OperationType.UPDATE)
+
+    @classmethod
+    @override
+    def permission_scope(cls) -> RBACElementType:
+        return RBACElementType.USER
+
+
+@dataclass
+class RejectRoleInvitationAction(BaseRBACAction):
+    """Invitee rejects a role invitation."""
+
+    invitation_id: UUID
+
+    @classmethod
+    @override
+    def action_name(cls) -> RBACActionName:
+        return RBACActionName.UPDATE
+
+    @classmethod
+    @override
+    def required_permission(cls) -> RBACRequiredPermission:
+        return RBACRequiredPermission(RBACElementType.ROLE_ASSIGNMENT, OperationType.UPDATE)
+
+    @classmethod
+    @override
+    def permission_scope(cls) -> RBACElementType:
+        return RBACElementType.USER
+
+
+@dataclass
+class CancelRoleInvitationAction(BaseRBACAction):
+    """Project admin cancels a role invitation."""
+
+    invitation_id: UUID
+
+    @classmethod
+    @override
+    def action_name(cls) -> RBACActionName:
+        return RBACActionName.SOFT_DELETE
+
+    @classmethod
+    @override
+    def required_permission(cls) -> RBACRequiredPermission:
+        return RBACRequiredPermission(RBACElementType.ROLE_ASSIGNMENT, OperationType.SOFT_DELETE)
+
+    @classmethod
+    @override
+    def permission_scope(cls) -> RBACElementType:
+        return RBACElementType.PROJECT

src/ai/backend/manager/api/gql/rbac/types/permission.py

@@ -188,6 +188,7 @@ async def scope(
                 | RBACElementType.MODEL_CARD
                 | RBACElementType.PROJECT_ADMIN_PAGE
                 | RBACElementType.DOMAIN_ADMIN_PAGE
+                | RBACElementType.ROLE_ASSIGNMENT
             ):
                 return None