feat(BA-2946): connect RBAC validators to SessionProcessors

fregataa · claude · fregataa · commit e474aaa13d86 · 2026-03-13T03:45:59.000+09:00
- Add permission_repository parameter to SessionProcessors.__init__
- Instantiate ScopeActionRBACValidator and SingleEntityActionRBACValidator
- Apply scope validator to 6 scope actions (create_cluster, create_from_params, create_from_template, match_sessions, search_kernels, search_sessions)
- Apply single entity validator to 4 single entity actions (destroy_session, execute_session, get_session_info, modify_session)
- Reorganize processor initialization into three logical sections: no validation, scope validation, single entity validation

Co-Authored-By: Claude Sonnet 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/src/ai/backend/manager/services/session/processors.py b/src/ai/backend/manager/services/session/processors.py
@@ -1,8 +1,9 @@
-from typing import override
+from typing import cast, override
 
 from ai.backend.manager.actions.monitors.monitor import ActionMonitor
 from ai.backend.manager.actions.processor import ActionProcessor
 from ai.backend.manager.actions.types import AbstractProcessorPackage, ActionSpec
+from ai.backend.manager.actions.validator.base import ActionValidator
 from ai.backend.manager.actions.validators import ActionValidators
 from ai.backend.manager.services.session.actions.check_and_transit_status import (
     CheckAndTransitStatusAction,
@@ -172,42 +173,88 @@ def __init__(
         action_monitors: list[ActionMonitor],
         validators: ActionValidators,
     ) -> None:
+        scope_validator = validators.rbac.scope
+        single_entity_validator = validators.rbac.single_entity
+
+        # Actions without RBAC validation (internal/legacy)
         self.commit_session = ActionProcessor(service.commit_session, action_monitors)
         self.complete = ActionProcessor(service.complete, action_monitors)
         self.convert_session_to_image = ActionProcessor(
             service.convert_session_to_image, action_monitors
         )
-        self.create_cluster = ActionProcessor(service.create_cluster, action_monitors)
-        self.create_from_params = ActionProcessor(service.create_from_params, action_monitors)
-        self.create_from_template = ActionProcessor(service.create_from_template, action_monitors)
-        self.destroy_session = ActionProcessor(service.destroy_session, action_monitors)
         self.download_file = ActionProcessor(service.download_file, action_monitors)
         self.download_files = ActionProcessor(service.download_files, action_monitors)
-        self.execute_session = ActionProcessor(service.execute_session, action_monitors)
         self.get_abusing_report = ActionProcessor(service.get_abusing_report, action_monitors)
         self.get_commit_status = ActionProcessor(service.get_commit_status, action_monitors)
         self.get_container_logs = ActionProcessor(service.get_container_logs, action_monitors)
         self.get_dependency_graph = ActionProcessor(service.get_dependency_graph, action_monitors)
         self.get_direct_access_info = ActionProcessor(
             service.get_direct_access_info, action_monitors
         )
-        self.get_session_info = ActionProcessor(service.get_session_info, action_monitors)
         self.get_status_history = ActionProcessor(service.get_status_history, action_monitors)
         self.interrupt = ActionProcessor(service.interrupt, action_monitors)
         self.list_files = ActionProcessor(service.list_files, action_monitors)
-        self.match_sessions = ActionProcessor(service.match_sessions, action_monitors)
         self.rename_session = ActionProcessor(service.rename_session, action_monitors)
         self.restart_session = ActionProcessor(service.restart_session, action_monitors)
-        self.search_kernels = ActionProcessor(service.search_kernels, action_monitors)
-        self.search_sessions = ActionProcessor(service.search, action_monitors)
         self.shutdown_service = ActionProcessor(service.shutdown_service, action_monitors)
         self.start_service = ActionProcessor(service.start_service, action_monitors)
         self.upload_files = ActionProcessor(service.upload_files, action_monitors)
-        self.modify_session = ActionProcessor(service.modify_session, action_monitors)
         self.check_and_transit_status = ActionProcessor(
             service.check_and_transit_status, action_monitors
         )
 
+        # Scope actions with RBAC validation
+        self.create_cluster = ActionProcessor(
+            service.create_cluster,
+            action_monitors,
+            validators=[cast(ActionValidator, scope_validator)],
+        )
+        self.create_from_params = ActionProcessor(
+            service.create_from_params,
+            action_monitors,
+            validators=[cast(ActionValidator, scope_validator)],
+        )
+        self.create_from_template = ActionProcessor(
+            service.create_from_template,
+            action_monitors,
+            validators=[cast(ActionValidator, scope_validator)],
+        )
+        self.match_sessions = ActionProcessor(
+            service.match_sessions,
+            action_monitors,
+            validators=[cast(ActionValidator, scope_validator)],
+        )
+        self.search_kernels = ActionProcessor(
+            service.search_kernels,
+            action_monitors,
+            validators=[cast(ActionValidator, scope_validator)],
+        )
+        self.search_sessions = ActionProcessor(
+            service.search, action_monitors, validators=[cast(ActionValidator, scope_validator)]
+        )
+
+        # Single entity actions with RBAC validation
+        self.destroy_session = ActionProcessor(
+            service.destroy_session,
+            action_monitors,
+            validators=[cast(ActionValidator, single_entity_validator)],
+        )
+        self.execute_session = ActionProcessor(
+            service.execute_session,
+            action_monitors,
+            validators=[cast(ActionValidator, single_entity_validator)],
+        )
+        self.get_session_info = ActionProcessor(
+            service.get_session_info,
+            action_monitors,
+            validators=[cast(ActionValidator, single_entity_validator)],
+        )
+        self.modify_session = ActionProcessor(
+            service.modify_session,
+            action_monitors,
+            validators=[cast(ActionValidator, single_entity_validator)],
+        )
+
     @override
     def supported_actions(self) -> list[ActionSpec]:
         return [
