feat(BA-2107): Add database migration code and functions for RBAC system (#5734)

Co-authored-by: octodog <mu001@lablup.com>

Author: fregataa

changes/5340.feature.md

@@ -0,0 +1 @@
+Add data migration script from VFolder to RBAC tables

changes/5417.feature.md

@@ -0,0 +1 @@
+Migrate existing user/project records to RBAC data

changes/5465.feature.md

@@ -0,0 +1 @@
+Expand RBAC tables by adding `permission_groups` table to group permissions with the same target

changes/5699.feature.md

@@ -0,0 +1 @@
+Add RBAC repositoy functions to manage scopes and entity DB records

docs/manager/rest-reference/openapi.json

@@ -402,15 +402,15 @@
         "title": "HarborWebhookRequestModel",
         "type": "object"
       },
-      "VFolderPermission": {
+      "VFolderMountPermission": {
         "description": "Permissions for a virtual folder given to a specific access key.\nRW_DELETE includes READ_WRITE and READ_WRITE includes READ_ONLY.",
         "enum": [
           "ro",
           "rw",
           "wd",
           "wd"
         ],
-        "title": "VFolderPermission",
+        "title": "VFolderMountPermission",
         "type": "string"
       },
       "VFolderUsageMode": {
@@ -447,7 +447,7 @@
             "default": "general"
           },
           "permission": {
-            "$ref": "#/components/schemas/VFolderPermission",
+            "$ref": "#/components/schemas/VFolderMountPermission",
             "default": "rw"
           },
           "unmanagedPath": {
@@ -613,7 +613,7 @@
           "permission": {
             "anyOf": [
               {
-                "$ref": "#/components/schemas/VFolderPermission"
+                "$ref": "#/components/schemas/VFolderMountPermission"
               },
               {
                 "type": "null"

src/ai/backend/manager/data/domain/__init__.py

@@ -0,0 +1,134 @@
+import uuid
+from collections.abc import Iterable, Mapping
+from dataclasses import dataclass, field
+from datetime import datetime
+from typing import Any, Optional, override
+
+from ai.backend.common.types import ResourceSlot, VFolderHostPermissionMap
+from ai.backend.manager.data.permission.id import ScopeId
+from ai.backend.manager.data.permission.types import (
+    EntityType,
+    OperationType,
+    ScopeType,
+)
+from ai.backend.manager.data.user.types import UserRole
+from ai.backend.manager.types import Creator, OptionalState, PartialModifier, TriState
+
+
+@dataclass
+class UserInfo:
+    id: uuid.UUID
+    role: UserRole
+    domain_name: str
+
+
+@dataclass
+class DomainData:
+    name: str
+    description: Optional[str]
+    is_active: bool
+    created_at: datetime = field(compare=False)
+    modified_at: datetime = field(compare=False)
+    total_resource_slots: ResourceSlot
+    allowed_vfolder_hosts: VFolderHostPermissionMap
+    allowed_docker_registries: list[str]
+    dotfiles: bytes
+    integration_id: Optional[str]
+
+    def scope_id(self) -> ScopeId:
+        return ScopeId(
+            scope_type=ScopeType.DOMAIN,
+            scope_id=self.name,
+        )
+
+    def role_name(self) -> str:
+        return f"domain-{self.name}-admin"
+
+    def entity_operations(self) -> Mapping[EntityType, Iterable[OperationType]]:
+        return {
+            entity: OperationType.admin_operations()
+            for entity in EntityType.admin_accessible_entity_types_in_domain()
+        }
+
+
+@dataclass
+class DomainCreator(Creator):
+    name: str
+    description: Optional[str] = None
+    is_active: Optional[bool] = None
+    total_resource_slots: Optional[ResourceSlot] = None
+    allowed_vfolder_hosts: Optional[dict[str, list[str]]] = None
+    allowed_docker_registries: Optional[list[str]] = None
+    integration_id: Optional[str] = None
+    dotfiles: Optional[bytes] = None
+
+    @override
+    def fields_to_store(self) -> dict[str, Any]:
+        to_store: dict[str, Any] = {"name": self.name}
+        if self.description is not None:
+            to_store["description"] = self.description
+        if self.is_active is not None:
+            to_store["is_active"] = self.is_active
+        if self.total_resource_slots is not None:
+            to_store["total_resource_slots"] = self.total_resource_slots
+        if self.allowed_vfolder_hosts is not None:
+            to_store["allowed_vfolder_hosts"] = self.allowed_vfolder_hosts
+        if self.allowed_docker_registries is not None:
+            to_store["allowed_docker_registries"] = self.allowed_docker_registries
+        if self.integration_id is not None:
+            to_store["integration_id"] = self.integration_id
+        if self.dotfiles is not None:
+            to_store["dotfiles"] = self.dotfiles
+        return to_store
+
+
+@dataclass
+class DomainModifier(PartialModifier):
+    name: OptionalState[str] = field(default_factory=OptionalState.nop)
+    description: TriState[str] = field(default_factory=TriState.nop)
+    is_active: OptionalState[bool] = field(default_factory=OptionalState.nop)
+    total_resource_slots: TriState[ResourceSlot] = field(default_factory=TriState.nop)
+    allowed_vfolder_hosts: OptionalState[dict[str, list[str]]] = field(
+        default_factory=OptionalState.nop
+    )
+    allowed_docker_registries: OptionalState[list[str]] = field(default_factory=OptionalState.nop)
+    integration_id: TriState[str] = field(default_factory=TriState.nop)
+
+    @override
+    def fields_to_update(self) -> dict[str, Any]:
+        to_update: dict[str, Any] = {}
+        self.name.update_dict(to_update, "name")
+        self.description.update_dict(to_update, "description")
+        self.is_active.update_dict(to_update, "is_active")
+        self.total_resource_slots.update_dict(to_update, "total_resource_slots")
+        self.allowed_vfolder_hosts.update_dict(to_update, "allowed_vfolder_hosts")
+        self.allowed_docker_registries.update_dict(to_update, "allowed_docker_registries")
+        self.integration_id.update_dict(to_update, "integration_id")
+        return to_update
+
+
+@dataclass
+class DomainNodeModifier(PartialModifier):
+    description: TriState[str] = field(default_factory=TriState[str].nop)
+    is_active: OptionalState[bool] = field(default_factory=OptionalState[bool].nop)
+    total_resource_slots: TriState[ResourceSlot] = field(default_factory=TriState[ResourceSlot].nop)
+    allowed_vfolder_hosts: OptionalState[dict[str, list[str]]] = field(
+        default_factory=OptionalState[dict[str, list[str]]].nop
+    )
+    allowed_docker_registries: OptionalState[list[str]] = field(
+        default_factory=OptionalState[list[str]].nop
+    )
+    integration_id: TriState[str] = field(default_factory=TriState[str].nop)
+    dotfiles: OptionalState[bytes] = field(default_factory=OptionalState[bytes].nop)
+
+    @override
+    def fields_to_update(self) -> dict[str, Any]:
+        to_update: dict[str, Any] = {}
+        self.description.update_dict(to_update, "description")
+        self.is_active.update_dict(to_update, "is_active")
+        self.total_resource_slots.update_dict(to_update, "total_resource_slots")
+        self.allowed_vfolder_hosts.update_dict(to_update, "allowed_vfolder_hosts")
+        self.allowed_docker_registries.update_dict(to_update, "allowed_docker_registries")
+        self.integration_id.update_dict(to_update, "integration_id")
+        self.dotfiles.update_dict(to_update, "dotfiles")
+        return to_update

src/ai/backend/manager/data/domain/types.py

@@ -0,0 +1,132 @@
+from __future__ import annotations
+
+import enum
+import uuid
+from collections.abc import Iterable, Mapping
+from dataclasses import dataclass, field
+from datetime import datetime
+from typing import Any, Optional, override
+
+from ai.backend.common.types import ResourceSlot, VFolderHostPermissionMap
+from ai.backend.manager.data.permission.id import ScopeId
+from ai.backend.manager.data.permission.types import (
+    EntityType,
+    OperationType,
+    ScopeType,
+)
+from ai.backend.manager.types import Creator, OptionalState, PartialModifier, TriState
+
+
+class ProjectType(enum.StrEnum):
+    GENERAL = "general"
+    MODEL_STORE = "model-store"
+
+    @classmethod
+    def _missing_(cls, value: Any) -> Optional[ProjectType]:
+        assert isinstance(value, str)
+        match value.upper():
+            case "GENERAL":
+                return cls.GENERAL
+            case "MODEL_STORE" | "MODEL-STORE":
+                return cls.MODEL_STORE
+        return None
+
+
+@dataclass
+class GroupCreator(Creator):
+    name: str
+    domain_name: str
+    type: Optional[ProjectType] = None
+    description: Optional[str] = None
+    is_active: Optional[bool] = None
+    total_resource_slots: Optional[ResourceSlot] = None
+    allowed_vfolder_hosts: Optional[dict[str, str]] = None
+    integration_id: Optional[str] = None
+    resource_policy: Optional[str] = None
+    container_registry: Optional[dict[str, str]] = None
+    dotfiles: Optional[bytes] = None
+
+    def fields_to_store(self) -> dict[str, Any]:
+        return {
+            "name": self.name,
+            "domain_name": self.domain_name,
+            "type": self.type,
+            "description": self.description,
+            "is_active": self.is_active,
+            "total_resource_slots": self.total_resource_slots,
+            "allowed_vfolder_hosts": self.allowed_vfolder_hosts,
+            "integration_id": self.integration_id,
+            "resource_policy": self.resource_policy,
+            "container_registry": self.container_registry,
+            "dotfiles": self.dotfiles,
+        }
+
+
+@dataclass
+class GroupData:
+    id: uuid.UUID = field(compare=False)
+    name: str
+    description: Optional[str]
+    is_active: bool
+    created_at: datetime = field(compare=False)
+    modified_at: datetime = field(compare=False)
+    integration_id: Optional[str]
+    domain_name: str
+    total_resource_slots: ResourceSlot
+    allowed_vfolder_hosts: VFolderHostPermissionMap
+    dotfiles: bytes
+    resource_policy: str
+    type: ProjectType
+    container_registry: Optional[dict[str, str]]
+
+    def scope_id(self) -> ScopeId:
+        return ScopeId(
+            scope_type=ScopeType.PROJECT,
+            scope_id=str(self.id),
+        )
+
+    def role_name(self) -> str:
+        return f"project-{str(self.id)[:8]}-admin"
+
+    def entity_operations(self) -> Mapping[EntityType, Iterable[OperationType]]:
+        return {
+            entity: OperationType.admin_operations()
+            for entity in EntityType.admin_accessible_entity_types_in_project()
+        }
+
+
+@dataclass
+class GroupModifier(PartialModifier):
+    name: OptionalState[str] = field(default_factory=OptionalState[str].nop)
+    description: TriState[str] = field(
+        default_factory=TriState[str].nop,
+    )
+    is_active: OptionalState[bool] = field(default_factory=OptionalState[bool].nop)
+    domain_name: OptionalState[str] = field(
+        default_factory=OptionalState[str].nop,
+    )
+    total_resource_slots: OptionalState[ResourceSlot] = field(
+        default_factory=OptionalState[ResourceSlot].nop
+    )
+    allowed_vfolder_hosts: OptionalState[dict[str, str]] = field(
+        default_factory=OptionalState[dict[str, str]].nop
+    )
+    integration_id: OptionalState[str] = field(default_factory=OptionalState[str].nop)
+    resource_policy: OptionalState[str] = field(default_factory=OptionalState[str].nop)
+    container_registry: TriState[dict[str, str]] = field(
+        default_factory=TriState[dict[str, str]].nop
+    )
+
+    @override
+    def fields_to_update(self) -> dict[str, Any]:
+        to_update: dict[str, Any] = {}
+        self.name.update_dict(to_update, "name")
+        self.description.update_dict(to_update, "description")
+        self.is_active.update_dict(to_update, "is_active")
+        self.domain_name.update_dict(to_update, "domain_name")
+        self.total_resource_slots.update_dict(to_update, "total_resource_slots")
+        self.allowed_vfolder_hosts.update_dict(to_update, "allowed_vfolder_hosts")
+        self.integration_id.update_dict(to_update, "integration_id")
+        self.resource_policy.update_dict(to_update, "resource_policy")
+        self.container_registry.update_dict(to_update, "container_registry")
+        return to_update

src/ai/backend/manager/data/group/__init__.py

@@ -1,9 +1,27 @@
 import uuid
 from dataclasses import dataclass
+from typing import Any, override
+
+from ai.backend.manager.types import Creator
 
 from .id import ObjectId, ScopeId
 
 
+@dataclass
+class AssociationScopesEntitiesCreateInput(Creator):
+    scope_id: ScopeId
+    object_id: ObjectId
+
+    @override
+    def fields_to_store(self) -> dict[str, Any]:
+        return {
+            "scope_type": self.scope_id.scope_type,
+            "scope_id": self.scope_id.scope_id,
+            "entity_type": self.object_id.entity_type,
+            "entity_id": self.object_id.entity_id,
+        }
+
+
 @dataclass
 class AssociationScopesEntitiesData:
     id: uuid.UUID