Skip to content

feat(BA-3692): Apply RBAC validator for Model Deployment actions #10033

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
fregataa merged 11 commits into from
Mar 16, 2026
Merged

feat(BA-3692): Apply RBAC validator for Model Deployment actions #10033

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
5ee0690
feat(BA-3692): Add RBAC base classes for model serving actions
fregataa Mar 13, 2026
de1c21a
feat(BA-3692): Refactor model serving actions to use RBAC base classes
fregataa Mar 13, 2026
3138336
feat(BA-3692): Wire RBAC validators to model serving processors
fregataa Mar 13, 2026
31bc4bb
fix(BA-3692): Fix action result signatures and entity type references
fregataa Mar 13, 2026
4624c1f
changelog: add news fragment for PR #10033
fregataa Mar 13, 2026
635a3e9
fix(BA-3692): Fix action signatures and scope types for list/search o…
fregataa Mar 13, 2026
73f9b6a
refactor: exclude search actions from RBAC validator application
fregataa Mar 13, 2026
b61bc61
fix(test): use real ActionValidators instance in model serving proces…
fregataa Mar 13, 2026
4c51fae
revert(BA-3692): Restore ListModelServiceAction to main version
fregataa Mar 13, 2026
bb80cda
fix(BA-3692): Exclude list action from RBAC validator and fix test co…
fregataa Mar 13, 2026
e069fc7
fix(BA-3692): Fix unit tests for updated RBAC action signatures
fregataa Mar 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changes/10033.feature.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Apply RBAC permission validators to model deployment service actions
8 changes: 4 additions & 4 deletions src/ai/backend/manager/api/rest/service/handler.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -469,9 +469,9 @@ async def update_route(
traffic_ratio=params.traffic_ratio,
)

result = await self._model_serving.update_route.wait_for_complete(action)
await self._model_serving.update_route.wait_for_complete(action)

resp = SuccessResponseModel(success=result.success)
resp = SuccessResponseModel(success=True)
return APIResponse.build(HTTPStatus.OK, resp)

# ------------------------------------------------------------------
Expand All @@ -494,9 +494,9 @@ async def delete_route(
route_id=path_params.route_id,
)

result = await self._model_serving.delete_route.wait_for_complete(action)
await self._model_serving.delete_route.wait_for_complete(action)

resp = SuccessResponseModel(success=result.success)
resp = SuccessResponseModel(success=True)
return APIResponse.build(HTTPStatus.OK, resp)

# ------------------------------------------------------------------
Expand Down
34 changes: 33 additions & 1 deletion src/ai/backend/manager/services/model_serving/actions/base.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,42 @@

from ai.backend.common.data.permission.types import EntityType
from ai.backend.manager.actions.action import BaseAction
from ai.backend.manager.actions.action.scope import BaseScopeAction, BaseScopeActionResult
from ai.backend.manager.actions.action.single_entity import (
BaseSingleEntityAction,
BaseSingleEntityActionResult,
)
from ai.backend.manager.actions.action.types import FieldData


class ModelServiceAction(BaseAction):
@override
@classmethod
def entity_type(cls) -> EntityType:
return EntityType.MODEL_SERVICE
return EntityType.MODEL_DEPLOYMENT


class ModelServiceScopeAction(BaseScopeAction):
@override
@classmethod
def entity_type(cls) -> EntityType:
return EntityType.MODEL_DEPLOYMENT


class ModelServiceScopeActionResult(BaseScopeActionResult):
pass


class ModelServiceSingleEntityAction(BaseSingleEntityAction):
@override
@classmethod
def entity_type(cls) -> EntityType:
return EntityType.MODEL_DEPLOYMENT

@override
def field_data(self) -> FieldData | None:
return None


class ModelServiceSingleEntityActionResult(BaseSingleEntityActionResult):
pass
38 changes: 28 additions & 10 deletions src/ai/backend/manager/services/model_serving/actions/create_model_service.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,32 +4,50 @@
from dataclasses import dataclass
from typing import override

from ai.backend.manager.actions.action import BaseActionResult
from ai.backend.common.data.permission.types import RBACElementType, ScopeType
from ai.backend.manager.actions.types import ActionOperationType
from ai.backend.manager.data.model_serving.creator import ModelServiceCreator
from ai.backend.manager.data.model_serving.types import ServiceInfo
from ai.backend.manager.services.model_serving.actions.base import ModelServiceAction
from ai.backend.manager.data.permission.types import RBACElementRef
from ai.backend.manager.services.model_serving.actions.base import (
ModelServiceScopeAction,
ModelServiceScopeActionResult,
)


@dataclass
class CreateModelServiceAction(ModelServiceAction):
class CreateModelServiceAction(ModelServiceScopeAction):
request_user_id: uuid.UUID
creator: ModelServiceCreator

@override
def entity_id(self) -> str | None:
return None
_project_id: uuid.UUID

@override
@classmethod
def operation_type(cls) -> ActionOperationType:
return ActionOperationType.CREATE

@override
def scope_type(self) -> ScopeType:
return ScopeType.PROJECT

@override
def scope_id(self) -> str:
return str(self._project_id)

@override
def target_element(self) -> RBACElementRef:
return RBACElementRef(RBACElementType.PROJECT, str(self._project_id))


@dataclass
class CreateModelServiceActionResult(BaseActionResult):
class CreateModelServiceActionResult(ModelServiceScopeActionResult):
data: ServiceInfo
_project_id: uuid.UUID

@override
def scope_type(self) -> ScopeType:
return ScopeType.PROJECT

@override
def entity_id(self) -> str | None:
return str(self.data.endpoint_id)
def scope_id(self) -> str:
return str(self._project_id)
30 changes: 19 additions & 11 deletions src/ai/backend/manager/services/model_serving/actions/delete_model_service.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,29 +2,37 @@
from dataclasses import dataclass
from typing import override

from ai.backend.manager.actions.action import BaseActionResult
from ai.backend.common.data.permission.types import RBACElementType
from ai.backend.manager.actions.types import ActionOperationType
from ai.backend.manager.services.model_serving.actions.base import ModelServiceAction
from ai.backend.manager.data.permission.types import RBACElementRef
from ai.backend.manager.services.model_serving.actions.base import (
ModelServiceSingleEntityAction,
ModelServiceSingleEntityActionResult,
)


@dataclass
class DeleteModelServiceAction(ModelServiceAction):
class DeleteModelServiceAction(ModelServiceSingleEntityAction):
service_id: uuid.UUID

@override
def entity_id(self) -> str | None:
return None

@override
@classmethod
def operation_type(cls) -> ActionOperationType:
return ActionOperationType.DELETE

@override
def target_entity_id(self) -> str:
return str(self.service_id)

@override
def target_element(self) -> RBACElementRef:
return RBACElementRef(RBACElementType.MODEL_DEPLOYMENT, str(self.service_id))


@dataclass
class DeleteModelServiceActionResult(BaseActionResult):
success: bool
class DeleteModelServiceActionResult(ModelServiceSingleEntityActionResult):
service_id: uuid.UUID

@override
def entity_id(self) -> str | None:
return None
def target_entity_id(self) -> str:
return str(self.service_id)
33 changes: 20 additions & 13 deletions src/ai/backend/manager/services/model_serving/actions/delete_route.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,36 +2,43 @@
from dataclasses import dataclass
from typing import override

from ai.backend.common.data.permission.types import EntityType
from ai.backend.manager.actions.action import BaseActionResult
from ai.backend.common.data.permission.types import EntityType, RBACElementType
from ai.backend.manager.actions.types import ActionOperationType
from ai.backend.manager.services.model_serving.actions.base import ModelServiceAction
from ai.backend.manager.data.permission.types import RBACElementRef
from ai.backend.manager.services.model_serving.actions.base import (
ModelServiceSingleEntityAction,
ModelServiceSingleEntityActionResult,
)


@dataclass
class DeleteRouteAction(ModelServiceAction):
class DeleteRouteAction(ModelServiceSingleEntityAction):
service_id: uuid.UUID
route_id: uuid.UUID

@override
@classmethod
def entity_type(cls) -> EntityType:
return EntityType.DEPLOYMENT_ROUTE

@override
def entity_id(self) -> str | None:
return None
return EntityType.MODEL_DEPLOYMENT
Comment thread
fregataa marked this conversation as resolved.

@override
@classmethod
def operation_type(cls) -> ActionOperationType:
return ActionOperationType.DELETE

@override
def target_entity_id(self) -> str:
return str(self.route_id)
Comment thread
fregataa marked this conversation as resolved.

@override
def target_element(self) -> RBACElementRef:
return RBACElementRef(RBACElementType.MODEL_DEPLOYMENT, str(self.service_id))


@dataclass
class DeleteRouteActionResult(BaseActionResult):
success: bool
class DeleteRouteActionResult(ModelServiceSingleEntityActionResult):
route_id: uuid.UUID

@override
def entity_id(self) -> str | None:
return None
def target_entity_id(self) -> str:
return str(self.route_id)
26 changes: 17 additions & 9 deletions src/ai/backend/manager/services/model_serving/actions/get_model_service_info.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,30 +2,38 @@
from dataclasses import dataclass
from typing import override

from ai.backend.manager.actions.action import BaseActionResult
from ai.backend.common.data.permission.types import RBACElementType
from ai.backend.manager.actions.types import ActionOperationType
from ai.backend.manager.data.model_serving.types import ServiceInfo
from ai.backend.manager.services.model_serving.actions.base import ModelServiceAction
from ai.backend.manager.data.permission.types import RBACElementRef
from ai.backend.manager.services.model_serving.actions.base import (
ModelServiceSingleEntityAction,
ModelServiceSingleEntityActionResult,
)


@dataclass
class GetModelServiceInfoAction(ModelServiceAction):
class GetModelServiceInfoAction(ModelServiceSingleEntityAction):
service_id: uuid.UUID

@override
def entity_id(self) -> str | None:
return None

@override
@classmethod
def operation_type(cls) -> ActionOperationType:
return ActionOperationType.GET

@override
def target_entity_id(self) -> str:
return str(self.service_id)
Comment thread
fregataa marked this conversation as resolved.

@override
def target_element(self) -> RBACElementRef:
return RBACElementRef(RBACElementType.MODEL_DEPLOYMENT, str(self.service_id))


@dataclass
class GetModelServiceInfoActionResult(BaseActionResult):
class GetModelServiceInfoActionResult(ModelServiceSingleEntityActionResult):
data: ServiceInfo

@override
def entity_id(self) -> str | None:
def target_entity_id(self) -> str:
return str(self.data.endpoint_id)
Comment thread
fregataa marked this conversation as resolved.
29 changes: 19 additions & 10 deletions src/ai/backend/manager/services/model_serving/actions/modify_endpoint.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,34 +2,43 @@
from dataclasses import dataclass
from typing import override

from ai.backend.manager.actions.action import BaseActionResult
from ai.backend.common.data.permission.types import RBACElementType
from ai.backend.manager.actions.types import ActionOperationType
from ai.backend.manager.data.model_serving.types import EndpointData
from ai.backend.manager.data.permission.types import RBACElementRef
from ai.backend.manager.models.endpoint import EndpointRow
from ai.backend.manager.repositories.base.updater import Updater
from ai.backend.manager.services.model_serving.actions.base import ModelServiceAction
from ai.backend.manager.services.model_serving.actions.base import (
ModelServiceSingleEntityAction,
ModelServiceSingleEntityActionResult,
)


@dataclass
class ModifyEndpointAction(ModelServiceAction):
class ModifyEndpointAction(ModelServiceSingleEntityAction):
endpoint_id: uuid.UUID
updater: Updater[EndpointRow]

@override
def entity_id(self) -> str | None:
return None

@override
@classmethod
def operation_type(cls) -> ActionOperationType:
return ActionOperationType.UPDATE

@override
def target_entity_id(self) -> str:
return str(self.endpoint_id)

@override
def target_element(self) -> RBACElementRef:
return RBACElementRef(RBACElementType.MODEL_DEPLOYMENT, str(self.endpoint_id))


@dataclass
class ModifyEndpointActionResult(BaseActionResult):
class ModifyEndpointActionResult(ModelServiceSingleEntityActionResult):
endpoint_id: uuid.UUID
success: bool
data: EndpointData | None

@override
def entity_id(self) -> str | None:
return str(self.data.id) if self.data is not None else None
def target_entity_id(self) -> str:
return str(self.endpoint_id)
33 changes: 20 additions & 13 deletions src/ai/backend/manager/services/model_serving/actions/update_route.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,37 +2,44 @@
from dataclasses import dataclass
from typing import override

from ai.backend.common.data.permission.types import EntityType
from ai.backend.manager.actions.action import BaseActionResult
from ai.backend.common.data.permission.types import EntityType, RBACElementType
from ai.backend.manager.actions.types import ActionOperationType
from ai.backend.manager.services.model_serving.actions.base import ModelServiceAction
from ai.backend.manager.data.permission.types import RBACElementRef
from ai.backend.manager.services.model_serving.actions.base import (
ModelServiceSingleEntityAction,
ModelServiceSingleEntityActionResult,
)


@dataclass
class UpdateRouteAction(ModelServiceAction):
class UpdateRouteAction(ModelServiceSingleEntityAction):
service_id: uuid.UUID
route_id: uuid.UUID
traffic_ratio: float

@override
@classmethod
def entity_type(cls) -> EntityType:
return EntityType.DEPLOYMENT_ROUTE

@override
def entity_id(self) -> str | None:
return None
return EntityType.MODEL_DEPLOYMENT
Comment thread
fregataa marked this conversation as resolved.

@override
@classmethod
def operation_type(cls) -> ActionOperationType:
return ActionOperationType.UPDATE

@override
def target_entity_id(self) -> str:
return str(self.route_id)
Comment thread
fregataa marked this conversation as resolved.

@override
def target_element(self) -> RBACElementRef:
return RBACElementRef(RBACElementType.MODEL_DEPLOYMENT, str(self.service_id))


@dataclass
class UpdateRouteActionResult(BaseActionResult):
success: bool
class UpdateRouteActionResult(ModelServiceSingleEntityActionResult):
route_id: uuid.UUID

@override
def entity_id(self) -> str | None:
return None
def target_entity_id(self) -> str:
return str(self.route_id)
Loading
Loading