From c1c79fb79ae920e5a8576a7ff0d4b40e549d4eec Mon Sep 17 00:00:00 2001 From: Sanghun Lee Date: Fri, 28 Jun 2024 19:08:53 +0900 Subject: [PATCH] rename all --- src/ai/backend/manager/models/rbac/BUILD | 1 + .../backend/manager/models/rbac/__init__.py | 92 +++++---- .../backend/manager/models/rbac/exceptions.py | 1 - src/ai/backend/manager/models/vfolder.py | 176 +++++++++--------- 4 files changed, 133 insertions(+), 137 deletions(-) create mode 100644 src/ai/backend/manager/models/rbac/BUILD diff --git a/src/ai/backend/manager/models/rbac/BUILD b/src/ai/backend/manager/models/rbac/BUILD new file mode 100644 index 00000000000..db46e8d6c97 --- /dev/null +++ b/src/ai/backend/manager/models/rbac/BUILD @@ -0,0 +1 @@ +python_sources() diff --git a/src/ai/backend/manager/models/rbac/__init__.py b/src/ai/backend/manager/models/rbac/__init__.py index 8666ce05978..44561f140e0 100644 --- a/src/ai/backend/manager/models/rbac/__init__.py +++ b/src/ai/backend/manager/models/rbac/__init__.py @@ -19,7 +19,7 @@ __all__: Sequence[str] = ( - "BaseACLPermission", + "BasePermission", "ClientContext", "DomainScope", "ProjectScope", @@ -27,16 +27,16 @@ "StorageHost", "ImageRegistry", "ScalingGroup", - "AbstractACLPermissionContext", - "AbstractACLPermissionContextBuilder", + "AbstractPermissionContext", + "AbstractPermissionContextBuilder", ) -class BaseACLPermission(enum.StrEnum): +class BasePermission(enum.StrEnum): pass -ACLPermissionType = TypeVar("ACLPermissionType", bound=BaseACLPermission) +PermissionType = TypeVar("PermissionType", bound=BasePermission) class Bypass(enum.Enum): @@ -127,67 +127,67 @@ async def _get_or_init_project_ctx(self, db_session: AsyncSession) -> ProjectCon return self._project_ctx -class BaseACLScope(metaclass=ABCMeta): +class BaseScope(metaclass=ABCMeta): @abstractmethod def __str__(self) -> str: pass @dataclass(frozen=True) -class DomainScope(BaseACLScope): +class DomainScope(BaseScope): domain_name: str - + def __str__(self) -> str: return f"Domain(name: {self.domain_name})" @dataclass(frozen=True) -class ProjectScope(BaseACLScope): +class ProjectScope(BaseScope): project_id: uuid.UUID - + def __str__(self) -> str: return f"Project(id: {self.project_id})" @dataclass(frozen=True) -class UserScope(BaseACLScope): +class UserScope(BaseScope): user_id: uuid.UUID def __str__(self) -> str: return f"User(id: {self.user_id})" -# Extra ACL scope is to address some scopes that contain specific object types +# Extra scope is to address some scopes that contain specific object types # such as registries for images, scaling groups for agents, storage hosts for vfolders etc. -class ExtraACLScope: +class ExtraScope: pass @dataclass(frozen=True) -class StorageHost(ExtraACLScope): +class StorageHost(ExtraScope): name: str @dataclass(frozen=True) -class ImageRegistry(ExtraACLScope): +class ImageRegistry(ExtraScope): name: str @dataclass(frozen=True) -class ScalingGroup(ExtraACLScope): +class ScalingGroup(ExtraScope): name: str -ACLObjectType = TypeVar("ACLObjectType") -ACLObjectIDType = TypeVar("ACLObjectIDType") +ObjectType = TypeVar("ObjectType") +ObjectIDType = TypeVar("ObjectIDType") @dataclass -class AbstractACLPermissionContext( - Generic[ACLPermissionType, ACLObjectType, ACLObjectIDType], metaclass=ABCMeta +class AbstractPermissionContext( + Generic[PermissionType, ObjectType, ObjectIDType], metaclass=ABCMeta ): """ - Define ACL permissions under given User, Project or Domain scopes. + Define permissions under given User, Project or Domain scopes. Each field of this class represents a mapping of ["accessible scope id", "permissions under the scope"]. For example, `project` field has a mapping of ["accessible project id", "permissions under the project"]. { @@ -195,29 +195,29 @@ class AbstractACLPermissionContext( "PROJECT_B_ID": {"READ"} } - `additional` and `overriding` fields have a mapping of ["ACL object id", "permissions applied to the object"]. - `additional` field is used to add permissions to specific ACL objects. It can be used for admins. + `additional` and `overriding` fields have a mapping of ["object id", "permissions applied to the object"]. + `additional` field is used to add permissions to specific objects. It can be used for admins. `overriding` field is used to address exceptional cases such as permission overriding or cover other scopes(scaling groups or storage hosts etc). """ - user_id_to_permission_map: Mapping[uuid.UUID, frozenset[ACLPermissionType]] = field( + user_id_to_permission_map: Mapping[uuid.UUID, frozenset[PermissionType]] = field( default_factory=dict ) - project_id_to_permission_map: Mapping[uuid.UUID, frozenset[ACLPermissionType]] = field( + project_id_to_permission_map: Mapping[uuid.UUID, frozenset[PermissionType]] = field( default_factory=dict ) - domain_name_to_permission_map: Mapping[str, frozenset[ACLPermissionType]] = field( + domain_name_to_permission_map: Mapping[str, frozenset[PermissionType]] = field( default_factory=dict ) - object_id_to_additional_permission_map: Mapping[ - ACLObjectIDType, frozenset[ACLPermissionType] - ] = field(default_factory=dict) - object_id_to_overriding_permission_map: Mapping[ - ACLObjectIDType, frozenset[ACLPermissionType] - ] = field(default_factory=dict) + object_id_to_additional_permission_map: Mapping[ObjectIDType, frozenset[PermissionType]] = ( + field(default_factory=dict) + ) + object_id_to_overriding_permission_map: Mapping[ObjectIDType, frozenset[PermissionType]] = ( + field(default_factory=dict) + ) - def filter_by_permission(self, permission_to_include: ACLPermissionType) -> None: + def filter_by_permission(self, permission_to_include: PermissionType) -> None: self.user_id_to_permission_map = { uid: permissions for uid, permissions in self.user_id_to_permission_map.items() @@ -249,30 +249,28 @@ async def build_query(self) -> sa.sql.Select | None: pass @abstractmethod - async def calculate_final_permission( - self, acl_obj: ACLObjectType - ) -> frozenset[ACLPermissionType]: + async def calculate_final_permission(self, acl_obj: ObjectType) -> frozenset[PermissionType]: """ - Calculate the final permissions applied to the given ACL object based on the fields in this class. + Calculate the final permissions applied to the given object based on the fields in this class. """ pass -ACLPermissionContextType = TypeVar("ACLPermissionContextType", bound=AbstractACLPermissionContext) +PermissionContextType = TypeVar("PermissionContextType", bound=AbstractPermissionContext) -class AbstractACLPermissionContextBuilder( - Generic[ACLPermissionType, ACLPermissionContextType], metaclass=ABCMeta +class AbstractPermissionContextBuilder( + Generic[PermissionType, PermissionContextType], metaclass=ABCMeta ): @classmethod async def build( cls, db_session: AsyncSession, ctx: ClientContext, - target_scope: BaseACLScope, + target_scope: BaseScope, *, - permission: ACLPermissionType | None = None, - ) -> ACLPermissionContextType: + permission: PermissionType | None = None, + ) -> PermissionContextType: match target_scope: case UserScope(user_id=user_id): result = await cls._build_in_user_scope(db_session, ctx, user_id) @@ -281,7 +279,7 @@ async def build( case DomainScope(domain_name=domain_name): result = await cls._build_in_domain_scope(db_session, ctx, domain_name) case _: - raise RuntimeError(f"invalid ACL scope `{target_scope}`") + raise RuntimeError(f"invalid scope `{target_scope}`") if permission is not None: result.filter_by_permission(permission) return result @@ -293,7 +291,7 @@ async def _build_in_user_scope( db_session: AsyncSession, ctx: ClientContext, user_id: uuid.UUID, - ) -> ACLPermissionContextType: + ) -> PermissionContextType: pass @classmethod @@ -303,7 +301,7 @@ async def _build_in_project_scope( db_session: AsyncSession, ctx: ClientContext, project_id: uuid.UUID, - ) -> ACLPermissionContextType: + ) -> PermissionContextType: pass @classmethod @@ -313,5 +311,5 @@ async def _build_in_domain_scope( db_session: AsyncSession, ctx: ClientContext, domain_name: str, - ) -> ACLPermissionContextType: + ) -> PermissionContextType: pass diff --git a/src/ai/backend/manager/models/rbac/exceptions.py b/src/ai/backend/manager/models/rbac/exceptions.py index a69a76c1da7..d83195ad193 100644 --- a/src/ai/backend/manager/models/rbac/exceptions.py +++ b/src/ai/backend/manager/models/rbac/exceptions.py @@ -1,4 +1,3 @@ - class RBACException(Exception): pass diff --git a/src/ai/backend/manager/models/vfolder.py b/src/ai/backend/manager/models/vfolder.py index 4f84f576fe3..6c037cd40d8 100644 --- a/src/ai/backend/manager/models/vfolder.py +++ b/src/ai/backend/manager/models/vfolder.py @@ -87,10 +87,10 @@ from .minilang.ordering import OrderSpecItem, QueryOrderParser from .minilang.queryfilter import FieldSpecItem, QueryFilterParser, enum_field_getter from .rbac import ( - AbstractACLPermissionContext, - AbstractACLPermissionContextBuilder, - BaseACLPermission, - BaseACLScope, + AbstractPermissionContext, + AbstractPermissionContextBuilder, + BasePermission, + BaseScope, ClientContext, StorageHost, ) @@ -109,7 +109,7 @@ "vfolder_invitations", "vfolder_permissions", "VirtualFolder", - "VFolderACLPermission", + "VFolderRBACPermission", "VFolderOwnershipType", "VFolderInvitationState", "VFolderPermission", @@ -139,10 +139,10 @@ "HARD_DELETED_VFOLDER_STATUSES", "VFolderPermissionSetAlias", "get_vfolders", - "VFolderACLObject", + "VFolderWithPermissionSet", "OWNER_PERMISSIONS", - "ACLPermissionContext", - "ACLPermissionContextBuilder", + "PermissionContext", + "PermissionContextBuilder", ) @@ -682,7 +682,7 @@ async def _append_entries(_query, _is_owner=True): return entries -class VFolderACLPermission(BaseACLPermission): +class VFolderRBACPermission(BasePermission): # Only owners can do CLONE = enum.auto() OVERRIDE_PERMISSION_TO_OTHERS = enum.auto() # Invite, share @@ -706,69 +706,67 @@ class VFolderACLPermission(BaseACLPermission): ) # TypeAlias is deprecated since 3.12 -OWNER_PERMISSIONS: frozenset[VFolderACLPermission] = frozenset([ - perm for perm in VFolderACLPermission +OWNER_PERMISSIONS: frozenset[VFolderRBACPermission] = frozenset([ + perm for perm in VFolderRBACPermission ]) -ADMIN_PERMISSIONS: frozenset[VFolderACLPermission] = frozenset([ - VFolderACLPermission.READ_ATTRIBUTE, - VFolderACLPermission.UPDATE_ATTRIBUTE, - VFolderACLPermission.DELETE_VFOLDER, +ADMIN_PERMISSIONS: frozenset[VFolderRBACPermission] = frozenset([ + VFolderRBACPermission.READ_ATTRIBUTE, + VFolderRBACPermission.UPDATE_ATTRIBUTE, + VFolderRBACPermission.DELETE_VFOLDER, ]) -ADMIN_PERMISSIONS_ON_OTHER_USER_INVITED_FOLDERS: frozenset[VFolderACLPermission] = frozenset([ - VFolderACLPermission.READ_ATTRIBUTE, +ADMIN_PERMISSIONS_ON_OTHER_USER_INVITED_FOLDERS: frozenset[VFolderRBACPermission] = frozenset([ + VFolderRBACPermission.READ_ATTRIBUTE, ]) # Admins allow to READ folders that other users are invited to -USER_PERMISSIONS_ON_PROJECT_FOLDERS: frozenset[VFolderACLPermission] = frozenset([ - VFolderACLPermission.READ_ATTRIBUTE, - VFolderACLPermission.READ_CONTENT, - VFolderACLPermission.WRITE_CONTENT, - VFolderACLPermission.DELETE_CONTENT, - VFolderACLPermission.MOUNT_RO, - VFolderACLPermission.MOUNT_RW, - VFolderACLPermission.MOUNT_WD, +USER_PERMISSIONS_ON_PROJECT_FOLDERS: frozenset[VFolderRBACPermission] = frozenset([ + VFolderRBACPermission.READ_ATTRIBUTE, + VFolderRBACPermission.READ_CONTENT, + VFolderRBACPermission.WRITE_CONTENT, + VFolderRBACPermission.DELETE_CONTENT, + VFolderRBACPermission.MOUNT_RO, + VFolderRBACPermission.MOUNT_RW, + VFolderRBACPermission.MOUNT_WD, ]) # The element of admin permission set on project folders is the same with owner's permission set # but it doesn't mean that admins are the owner of the project folders. -ADMIN_PERMISSIONS_ON_PROJECT_FOLDERS: frozenset[VFolderACLPermission] = ( +ADMIN_PERMISSIONS_ON_PROJECT_FOLDERS: frozenset[VFolderRBACPermission] = ( ADMIN_PERMISSIONS | USER_PERMISSIONS_ON_PROJECT_FOLDERS - | {VFolderACLPermission.CLONE, VFolderACLPermission.OVERRIDE_PERMISSION_TO_OTHERS} + | {VFolderRBACPermission.CLONE, VFolderRBACPermission.OVERRIDE_PERMISSION_TO_OTHERS} ) -# TODO: Change type of `vfolder_permissions.permission` to VFolderACLPermission -PERMISSION_TO_ACL_PERMISSION_MAP: Mapping[VFolderPermission, frozenset[VFolderACLPermission]] = { +# TODO: Change type of `vfolder_permissions.permission` to VFolderRBACPermission +PERMISSION_TO_RBAC_PERMISSION_MAP: Mapping[VFolderPermission, frozenset[VFolderRBACPermission]] = { VFolderPermission.READ_ONLY: frozenset([ - VFolderACLPermission.READ_ATTRIBUTE, - VFolderACLPermission.READ_CONTENT, + VFolderRBACPermission.READ_ATTRIBUTE, + VFolderRBACPermission.READ_CONTENT, ]), VFolderPermission.READ_WRITE: frozenset([ - VFolderACLPermission.READ_ATTRIBUTE, - VFolderACLPermission.UPDATE_ATTRIBUTE, - VFolderACLPermission.DELETE_VFOLDER, - VFolderACLPermission.READ_CONTENT, - VFolderACLPermission.WRITE_CONTENT, - VFolderACLPermission.DELETE_CONTENT, - VFolderACLPermission.MOUNT_RO, - VFolderACLPermission.MOUNT_RW, + VFolderRBACPermission.READ_ATTRIBUTE, + VFolderRBACPermission.UPDATE_ATTRIBUTE, + VFolderRBACPermission.DELETE_VFOLDER, + VFolderRBACPermission.READ_CONTENT, + VFolderRBACPermission.WRITE_CONTENT, + VFolderRBACPermission.DELETE_CONTENT, + VFolderRBACPermission.MOUNT_RO, + VFolderRBACPermission.MOUNT_RW, ]), VFolderPermission.RW_DELETE: frozenset([ - VFolderACLPermission.READ_ATTRIBUTE, - VFolderACLPermission.UPDATE_ATTRIBUTE, - VFolderACLPermission.DELETE_VFOLDER, - VFolderACLPermission.READ_CONTENT, - VFolderACLPermission.WRITE_CONTENT, - VFolderACLPermission.DELETE_CONTENT, - VFolderACLPermission.MOUNT_RO, - VFolderACLPermission.MOUNT_RW, - VFolderACLPermission.MOUNT_WD, + VFolderRBACPermission.READ_ATTRIBUTE, + VFolderRBACPermission.UPDATE_ATTRIBUTE, + VFolderRBACPermission.DELETE_VFOLDER, + VFolderRBACPermission.READ_CONTENT, + VFolderRBACPermission.WRITE_CONTENT, + VFolderRBACPermission.DELETE_CONTENT, + VFolderRBACPermission.MOUNT_RO, + VFolderRBACPermission.MOUNT_RW, + VFolderRBACPermission.MOUNT_WD, ]), VFolderPermission.OWNER_PERM: OWNER_PERMISSIONS, } @dataclass -class ACLPermissionContext( - AbstractACLPermissionContext[VFolderACLPermission, VFolderRow, uuid.UUID] -): +class PermissionContext(AbstractPermissionContext[VFolderRBACPermission, VFolderRow, uuid.UUID]): @property def query_condition(self) -> WhereClauseType | None: cond: WhereClauseType | None = None @@ -814,14 +812,14 @@ async def build_query(self) -> sa.sql.Select | None: async def calculate_final_permission( self, acl_obj: VFolderRow - ) -> frozenset[VFolderACLPermission]: + ) -> frozenset[VFolderRBACPermission]: vfolder_row = acl_obj vfolder_id = cast(uuid.UUID, acl_obj.id) if ( overriding_perm := self.object_id_to_overriding_permission_map.get(vfolder_id) ) is not None: return overriding_perm - permissions: set[VFolderACLPermission] = set() + permissions: set[VFolderRBACPermission] = set() permissions |= self.object_id_to_additional_permission_map.get(vfolder_id, set()) permissions |= self.user_id_to_permission_map.get(vfolder_row.user, set()) permissions |= self.project_id_to_permission_map.get(vfolder_row.group, set()) @@ -829,8 +827,8 @@ async def calculate_final_permission( return frozenset(permissions) -class ACLPermissionContextBuilder( - AbstractACLPermissionContextBuilder[VFolderACLPermission, ACLPermissionContext] +class PermissionContextBuilder( + AbstractPermissionContextBuilder[VFolderRBACPermission, PermissionContext] ): @classmethod async def _build_in_user_scope( @@ -838,13 +836,13 @@ async def _build_in_user_scope( db_session: SASession, ctx: ClientContext, user_id: uuid.UUID, - ) -> ACLPermissionContext: - user_id_to_permission_map: Mapping[uuid.UUID, frozenset[VFolderACLPermission]] = {} + ) -> PermissionContext: + user_id_to_permission_map: Mapping[uuid.UUID, frozenset[VFolderRBACPermission]] = {} object_id_to_additional_permission_map: Mapping[ - uuid.UUID, frozenset[VFolderACLPermission] + uuid.UUID, frozenset[VFolderRBACPermission] ] = {} object_id_to_overriding_permission_map: Mapping[ - uuid.UUID, frozenset[VFolderACLPermission] + uuid.UUID, frozenset[VFolderRBACPermission] ] = {} match ctx.user_role: case UserRole.SUPERADMIN | UserRole.MONITOR: @@ -860,7 +858,7 @@ async def _build_in_user_scope( ) ) object_id_to_additional_permission_map = { - row.vfolder: PERMISSION_TO_ACL_PERMISSION_MAP[row.permission] + row.vfolder: PERMISSION_TO_RBAC_PERMISSION_MAP[row.permission] for row in await db_session.scalars(additional_stmt) } user_id_to_permission_map = {user_id: OWNER_PERMISSIONS} @@ -893,7 +891,7 @@ async def _build_in_user_scope( ) ) object_id_to_additional_permission_map = { - row.vfolder: PERMISSION_TO_ACL_PERMISSION_MAP[row.permission] + row.vfolder: PERMISSION_TO_RBAC_PERMISSION_MAP[row.permission] for row in await db_session.scalars(additional_stmt) } @@ -936,14 +934,14 @@ async def _build_in_user_scope( ) ) object_id_to_overriding_permission_map = { - row.vfolder: PERMISSION_TO_ACL_PERMISSION_MAP[row.permission] + row.vfolder: PERMISSION_TO_RBAC_PERMISSION_MAP[row.permission] for row in await db_session.scalars(overriding_stmt) } user_id_to_permission_map = {ctx.user_id: OWNER_PERMISSIONS} case _: raise RuntimeError("should not reach here") - return ACLPermissionContext( + return PermissionContext( user_id_to_permission_map, object_id_to_additional_permission_map=object_id_to_additional_permission_map, object_id_to_overriding_permission_map=object_id_to_overriding_permission_map, @@ -955,10 +953,10 @@ async def _build_in_project_scope( db_session: SASession, ctx: ClientContext, project_id: uuid.UUID, - ) -> ACLPermissionContext: - project_id_to_permission_map: Mapping[uuid.UUID, frozenset[VFolderACLPermission]] = {} + ) -> PermissionContext: + project_id_to_permission_map: Mapping[uuid.UUID, frozenset[VFolderRBACPermission]] = {} object_id_to_overriding_permission_map: Mapping[ - uuid.UUID, frozenset[VFolderACLPermission] + uuid.UUID, frozenset[VFolderRBACPermission] ] = {} role_in_project = await ctx.get_user_role_in_project(db_session, project_id) @@ -976,12 +974,12 @@ async def _build_in_project_scope( ) ) object_id_to_overriding_permission_map = { - row.vfolder: PERMISSION_TO_ACL_PERMISSION_MAP[row.permission] + row.vfolder: PERMISSION_TO_RBAC_PERMISSION_MAP[row.permission] for row in await db_session.scalars(overriding_stmt) } case _: pass - return ACLPermissionContext( + return PermissionContext( project_id_to_permission_map=project_id_to_permission_map, object_id_to_overriding_permission_map=object_id_to_overriding_permission_map, ) @@ -992,15 +990,15 @@ async def _build_in_domain_scope( db_session: SASession, ctx: ClientContext, domain_name: str, - ) -> ACLPermissionContext: - user_id_to_permission_map: Mapping[uuid.UUID, frozenset[VFolderACLPermission]] = {} - project_id_to_permission_map: Mapping[uuid.UUID, frozenset[VFolderACLPermission]] = {} - domain_name_to_permission_map: Mapping[str, frozenset[VFolderACLPermission]] = {} + ) -> PermissionContext: + user_id_to_permission_map: Mapping[uuid.UUID, frozenset[VFolderRBACPermission]] = {} + project_id_to_permission_map: Mapping[uuid.UUID, frozenset[VFolderRBACPermission]] = {} + domain_name_to_permission_map: Mapping[str, frozenset[VFolderRBACPermission]] = {} object_id_to_additional_permission_map: Mapping[ - uuid.UUID, frozenset[VFolderACLPermission] + uuid.UUID, frozenset[VFolderRBACPermission] ] = {} object_id_to_overriding_permission_map: Mapping[ - uuid.UUID, frozenset[VFolderACLPermission] + uuid.UUID, frozenset[VFolderRBACPermission] ] = {} match ctx.user_role: case UserRole.SUPERADMIN | UserRole.MONITOR: @@ -1021,7 +1019,7 @@ async def _build_in_domain_scope( ) ) object_id_to_additional_permission_map = { - row.vfolder: PERMISSION_TO_ACL_PERMISSION_MAP[row.permission] + row.vfolder: PERMISSION_TO_RBAC_PERMISSION_MAP[row.permission] for row in await db_session.scalars(additional_stmt) } @@ -1046,7 +1044,7 @@ async def _build_in_domain_scope( ) ) object_id_to_additional_permission_map = { - row.vfolder: PERMISSION_TO_ACL_PERMISSION_MAP[row.permission] + row.vfolder: PERMISSION_TO_RBAC_PERMISSION_MAP[row.permission] for row in await db_session.scalars(additional_stmt) } @@ -1075,7 +1073,7 @@ async def _build_in_domain_scope( ) ) object_id_to_overriding_permission_map = { - row.vfolder: PERMISSION_TO_ACL_PERMISSION_MAP[row.permission] + row.vfolder: PERMISSION_TO_RBAC_PERMISSION_MAP[row.permission] for row in await db_session.scalars(overriding_stmt) } @@ -1086,7 +1084,7 @@ async def _build_in_domain_scope( case _: raise RuntimeError("should not reach here") - return ACLPermissionContext( + return PermissionContext( user_id_to_permission_map, project_id_to_permission_map, domain_name_to_permission_map, @@ -1095,26 +1093,26 @@ async def _build_in_domain_scope( ) -class VFolderACLObject(NamedTuple): +class VFolderWithPermissionSet(NamedTuple): vfolder_row: VFolderRow - permissions: frozenset[VFolderACLPermission] + permissions: frozenset[VFolderRBACPermission] async def get_vfolders( db_conn: SAConnection, ctx: ClientContext, - target_scope: BaseACLScope, + target_scope: BaseScope, extra_scope: StorageHost | None = None, - requested_permission: VFolderACLPermission | None = None, + requested_permission: VFolderRBACPermission | None = None, *, vfolder_id: uuid.UUID | None = None, vfolder_name: str | None = None, usage_mode: VFolderUsageMode | None = None, allowed_status: Container[VFolderOperationStatus] | None = None, blocked_status: Container[VFolderOperationStatus] | None = None, -) -> list[VFolderACLObject]: +) -> list[VFolderWithPermissionSet]: async with ctx.db.begin_readonly_session(db_conn) as db_session: - permission_ctx = await ACLPermissionContextBuilder.build( + permission_ctx = await PermissionContextBuilder.build( db_session, ctx, target_scope, permission=requested_permission ) query_stmt = await permission_ctx.build_query() @@ -1131,25 +1129,25 @@ async def get_vfolders( if blocked_status is not None: query_stmt = query_stmt.where(VFolderRow.status.not_in(blocked_status)) - result: list[VFolderACLObject] = [] + result: list[VFolderWithPermissionSet] = [] for row in await db_session.scalars(query_stmt): row = cast(VFolderRow, row) permissions = await permission_ctx.calculate_final_permission(row) - result.append(VFolderACLObject(row, permissions)) + result.append(VFolderWithPermissionSet(row, permissions)) return result async def validate_permission( db_conn: SAConnection, ctx: ClientContext, - target_scope: BaseACLScope, + target_scope: BaseScope, extra_scope: StorageHost | None = None, *, - permission: VFolderACLPermission, + permission: VFolderRBACPermission, vfolder_id: uuid.UUID, ) -> None: async with ctx.db.begin_readonly_session(db_conn) as db_session: - permission_ctx = await ACLPermissionContextBuilder.build( + permission_ctx = await PermissionContextBuilder.build( db_session, ctx, target_scope, permission=permission ) query_stmt = await permission_ctx.build_query()