fregataa added a commit that referenced this pull request Mar 13, 2026
Pull request overview
Introduces RBAC enforcement for model deployment (model serving) actions by splitting actions/processors into scope-based and single-entity RBAC-aware variants, and updating action result payloads to satisfy RBAC processor expectations.
Changes:
- Added model-serving RBAC base action/result classes for scope actions and single-entity actions.
- Refactored model serving action classes and processors to use `ScopeActionProcessor`/`SingleEntityActionProcessor` with RBAC validators.
- Updated several service methods’ action result signatures to include scope IDs (`_project_id`) or return entity IDs instead of success flags.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| src/ai/backend/manager/services/model_serving/services/model_serving.py | Updates action result payloads to match RBAC processor contracts (scope id + entity ids). |
| src/ai/backend/manager/services/model_serving/processors/model_serving.py | Switches processors to RBAC-aware processors and applies RBAC validators. |
| src/ai/backend/manager/services/model_serving/actions/base.py | Adds RBAC base classes for scope and single-entity model serving actions/results. |
| src/ai/backend/manager/services/model_serving/actions/create_model_service.py | Converts create action/result into project-scoped RBAC action/result. |
| src/ai/backend/manager/services/model_serving/actions/list_model_service.py | Converts list action/result into project-scoped RBAC action/result. |
| src/ai/backend/manager/services/model_serving/actions/search_services.py | Converts search action/result into project-scoped RBAC action/result. |
| src/ai/backend/manager/services/model_serving/actions/get_model_service_info.py | Converts get-info action/result into single-entity RBAC action/result. |
| src/ai/backend/manager/services/model_serving/actions/delete_model_service.py | Converts delete action/result into single-entity RBAC action/result. |
| src/ai/backend/manager/services/model_serving/actions/modify_endpoint.py | Converts modify action/result into single-entity RBAC action/result. |
| src/ai/backend/manager/services/model_serving/actions/update_route.py | Converts update-route action/result into single-entity RBAC action/result. |
| src/ai/backend/manager/services/model_serving/actions/delete_route.py | Converts delete-route action/result into single-entity RBAC action/result. |
| changes/10033.feature.md | Adds a changelog entry for applying RBAC validators to model deployment actions. |
fregataa added a commit that referenced this pull request Mar 13, 2026
- Add ModelServiceScopeAction for scope-based actions (create, list, search)
- Add ModelServiceSingleEntityAction for single-entity actions (get, update, delete)
- Add corresponding result classes
- Change entity_type from MODEL_SERVICE to MODEL_DEPLOYMENT per RBAC requirements
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Apply RBAC validator integration pattern to model serving actions:
Scope Actions (ProjectScope):
- CreateModelServiceAction - create operations within project scope
- ListModelServiceAction - list operations within project scope
- SearchServicesAction - search operations within project scope
Single Entity Actions:
- GetModelServiceInfoAction - read specific model service
- DeleteModelServiceAction - delete specific model service
- ModifyEndpointAction - update specific endpoint
- UpdateRouteAction - update specific route (DEPLOYMENT_ROUTE entity type)
- DeleteRouteAction - delete specific route (DEPLOYMENT_ROUTE entity type)
Each action now implements required RBAC methods:
- Scope actions: scope_type(), scope_id(), target_element()
- Single entity actions: target_entity_id(), target_element()
All actions follow the pattern from group service processors.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Update model_serving processors to use specialized processor types with RBAC validation:
Scope actions (with RBAC):
- create_model_service → ScopeActionProcessor with scope validator
- list_model_service → ScopeActionProcessor with scope validator
- search_services → ScopeActionProcessor with scope validator
Single entity actions (with RBAC):
- get_model_service_info → SingleEntityActionProcessor with single_entity validator
- delete_model_service → SingleEntityActionProcessor with single_entity validator
- modify_endpoint → SingleEntityActionProcessor with single_entity validator
- update_route → SingleEntityActionProcessor with single_entity validator
- delete_route → SingleEntityActionProcessor with single_entity validator
Internal/system actions (no RBAC):
- dry_run_model_service, list_errors, clear_error, force_sync, generate_token, validate_model_service → plain ActionProcessor
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

- Add _project_id parameter to scope action results (Create, List, Search)
- Fix single entity action results to use entity ID instead of success flag
- Update modify_endpoint to include endpoint_id in result
- Use EntityType.MODEL_DEPLOYMENT instead of non-existent DEPLOYMENT_ROUTE
- Use RBACElementType.MODEL_DEPLOYMENT with service_id for route operations
All mypy errors in model_serving/* are now resolved.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

…perations
- Changed ListModelServiceAction and SearchServicesAction to use USER scope instead of PROJECT scope
- Removed _project_id field and replaced with _user_id in action results
- Fixed handler to not access non-existent .success attribute on action results
- Removed unused result variables in update_route and delete_route handlers
These changes fix the mypy errors in PR #10033:
1. Missing positional argument "_project_id" - fixed by removing it and using USER scope
2. ActionResult has no attribute "success" - fixed by using SuccessResponseModel(success=True) directly
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Search actions are excluded from RBAC validator scope per BA-2946. Search results are already filtered by scope through the existing SearchScope mechanism.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…sor fixtures
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ListModelServiceAction does not need RBAC scope migration as it is a search action excluded from RBAC validator application.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…nftest
- Revert list_model_service from ScopeActionProcessor to ActionProcessor (no RBAC)
- Remove invalid _user_id kwarg from ListModelServiceActionResult
- Use real RBACValidators instance in conftest instead of MagicMock(spec=...)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Add _project_id to CreateModelServiceAction/Result test data
- Replace success field with route_id/service_id in ActionResult assertions
- Add shared conftest with mock_action_validators fixture
- Replace MagicMock(spec=ActionValidators) with real dataclass instances (MagicMock spec doesn't expose dataclass instance fields)
- Add python_test_utils to BUILD for conftest.py
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
seedspirit approved these changes Mar 16, 2026
Summary
- `ModelServingScopeAction`, `ModelServingSingleEntityAction`) to enforce permission checks for model deployment operations
- `target_entity_id()`, `scope_type()`, `scope_id()`, `permission_operation_type()`, `entity_type()`)
- `ScopeActionProcessor` and `SingleEntityActionProcessor` with RBAC validators instead of plain `ActionProcessor`
- `_project_id`, single-entity actions use entity ID instead of success flag)

Test plan
- `pants fmt ::` passes
- `pants fix ::` passes
- `pants lint --changed-since=origin/main` passes
- `pants check`) passes

Resolves BA-3692
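
The split described in this pull request, as an added Python illustration (not code from the pull request or from the project): a scope action is checked against the project it runs in, a single-entity action against the one deployment it targets, and the validator runs before the service method. `RBACProcessor`, `GRANTS`, `PermissionDenied` and all field names are assumptions made for this sketch.

```python
from dataclasses import dataclass
from typing import Callable

class PermissionDenied(Exception):
    """Raised by a validator before the wrapped service method runs."""

# Constructed grants: (user, operation, element type, element id).
GRANTS = {
    ("alice", "create", "project", "proj-1"),
    ("alice", "read", "model_deployment", "svc-1"),
}

@dataclass(frozen=True)
class ScopeAction:  # e.g. create a model service inside a project
    user: str
    operation: str
    project_id: str
    def target_element(self) -> tuple[str, str]:
        return ("project", self.project_id)

@dataclass(frozen=True)
class SingleEntityAction:  # e.g. get or delete one model service
    user: str
    operation: str
    service_id: str
    def target_element(self) -> tuple[str, str]:
        return ("model_deployment", self.service_id)

def rbac_validator(action) -> None:
    kind, ident = action.target_element()
    if (action.user, action.operation, kind, ident) not in GRANTS:
        raise PermissionDenied(f"{action.user}: {action.operation} on {kind}/{ident}")

class RBACProcessor:
    """Runs every validator first; the service function runs only if all pass."""
    def __init__(self, func: Callable, validators: list[Callable]):
        self._func, self._validators = func, validators
    def run(self, action):
        for validate in self._validators:
            validate(action)
        return self._func(action)

calls: list[str] = []  # records which service methods actually executed

def create_service(action: ScopeAction) -> dict:
    calls.append("create")
    # Scope result carries the scope id, like the _project_id field in the PR.
    return {"service_id": "svc-new", "_project_id": action.project_id}

def delete_service(action: SingleEntityAction) -> dict:
    calls.append("delete")
    return {"service_id": action.service_id}  # entity id, not a success flag

create_proc = RBACProcessor(create_service, [rbac_validator])
delete_proc = RBACProcessor(delete_service, [rbac_validator])
```

In the constructed grants, `alice` may read `svc-1` but not delete it, so `delete_proc.run(...)` raises before `delete_service` is reached and `calls` stays unchanged.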