feat(BA-5040): Apply RBAC validator for Image actions#10059
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Adds RBAC-aware action base classes for the Image service and wires RBAC validators into selected Image action processors to enforce authorization at the processor layer.
Changes:
- Introduced Image RBAC base action/result classes (
ImageScopeAction*,ImageSingleEntityAction*). - Refactored scope and single-entity Image actions/results to implement RBAC-required methods and carry scope metadata.
- Updated Image processors to use
ScopeActionProcessor/SingleEntityActionProcessorwith RBAC validators for relevant actions.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| src/ai/backend/manager/services/image/service.py | Propagates scope metadata into action results for scope-based RBAC actions. |
| src/ai/backend/manager/services/image/processors.py | Switches certain processors to RBAC-aware processors and attaches RBAC validators. |
| src/ai/backend/manager/services/image/actions/search_images.py | Converts search action/result to RBAC scope action with scope metadata and target element. |
| src/ai/backend/manager/services/image/actions/purge_images.py | Converts purge-by-id action/result to single-entity RBAC action with target element. |
| src/ai/backend/manager/services/image/actions/get_all_images.py | Converts get-all action/result to RBAC scope action with scope metadata and target element. |
| src/ai/backend/manager/services/image/actions/forget_image.py | Converts forget-by-id action/result to single-entity RBAC action with target element. |
| src/ai/backend/manager/services/image/actions/base.py | Adds Image-specific RBAC base action/result classes for scope and single-entity patterns. |
| changes/10059.feature.md | Adds a changelog entry for applying RBAC validators to Image actions. |
Comments suppressed due to low confidence (1)
src/ai/backend/manager/services/image/processors.py:1
- The PR summary/title indicates applying RBAC validators to Image actions, but
get_image_by_idremains on a plainActionProcessorunder the 'without RBAC validation' section. Ifget_image_by_idis meant to be protected by RBAC (typical for single-entity read), it should likely be moved to aSingleEntityActionProcessorwithvalidators.rbac.single_entity; if it is intentionally exempt, please clarify why in the PR description or via an inline comment to avoid future confusion.
from typing import override
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR introduces RBAC-aware base action types for the Image service and starts wiring RBAC validators into the Image action processing pipeline, updating tests and changelog accordingly.
Changes:
- Added
ImageSingleEntityAction/ImageSingleEntityActionResultbase classes for RBAC-style single-entity actions. - Refactored
ForgetImageByIdActionandPurgeImageByIdAction(+ results) to implement RBAC single-entity requirements (target_entity_id(),target_element()), and wired them throughSingleEntityActionProcessorwithvalidators.rbac.single_entity. - Updated unit/component tests to stub RBAC validator calls and added a changelog entry.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
src/ai/backend/manager/services/image/actions/base.py |
Adds Image single-entity RBAC base action/result types. |
src/ai/backend/manager/services/image/actions/forget_image.py |
Converts forget-by-id action/result to RBAC single-entity style with target element info. |
src/ai/backend/manager/services/image/actions/purge_images.py |
Converts purge-by-id action/result to RBAC single-entity style with target element info. |
src/ai/backend/manager/services/image/processors.py |
Switches forget/purge-by-id processors to SingleEntityActionProcessor and attaches RBAC validator. |
tests/unit/manager/services/image/test_image_service.py |
Adjusts processor fixture to provide async RBAC validator mocks. |
tests/component/image/conftest.py |
Adjusts component fixture to provide async RBAC validator mocks. |
changes/10059.feature.md |
Adds changelog note for applying RBAC validators to Image actions. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
jopemachine
reviewed
Mar 17, 2026
Add ImageScopeAction and ImageSingleEntityAction base classes: - ImageScopeAction: extends BaseScopeAction, returns EntityType.IMAGE - ImageSingleEntityAction: extends BaseSingleEntityAction, returns EntityType.IMAGE, field_data() returns None - Added corresponding result classes: ImageScopeActionResult, ImageSingleEntityActionResult These base classes will be used to apply RBAC validators to image service actions. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Classify and refactor Image service actions to extend RBAC-aware base classes: Scope-based actions (extend ImageScopeAction): - SearchImagesAction: implement scope_type(), scope_id(), target_element() - GetAllImagesAction: add _scope_type/_scope_id fields, implement required methods Single-entity actions (extend ImageSingleEntityAction): - ForgetImageByIdAction: implement target_entity_id(), target_element() - PurgeImageByIdAction: implement target_entity_id(), target_element() Keep as ImageAction (special entity types or deprecated): - Actions with IMAGE_PRELOAD, IMAGE_SCAN, IMAGE_AGENT, IMAGE_TAG entity types - ImageAliasAction subclasses (IMAGE_ALIAS entity type) - ImageResourceLimitAction subclasses (IMAGE_RESOURCE_LIMIT entity type) - Deprecated actions (ForgetImageAction, PurgeImageAction, etc.) This prepares the actions for RBAC validator integration in processors. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Use ScopeActionProcessor for scope-based actions (get_all_images, search_images) - Use SingleEntityActionProcessor for single-entity actions (forget_image_by_id, purge_image_by_id) - Pass RBAC validators from ActionValidators to processors - Keep internal/system actions on plain ActionProcessor without RBAC validators Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Add _scope_type and _scope_id fields to SearchImagesAction - Update service methods to pass scope info to action results - Fix target_element implementation with proper RBACElementType mapping Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Fix mypy [call-arg] errors by making user_uuid and domain_name optional with default values in SearchImagesAction and GetAllImagesAction. Changes: - Add default empty strings to user_uuid and domain_name fields - Update call sites to pass context where available (REST, GQL legacy) - Internal utilities (data loaders) use defaults for system operations - Service layer updated to use user_uuid instead of _scope_type/_scope_id This allows RBAC validators to work for user-facing APIs while allowing internal batch operations to proceed without user context. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Replace MagicMock(spec=ActionValidators) with plain MagicMock and AsyncMock validators to support nested attribute access and async validate() calls required by ScopeActionProcessor and SingleEntityActionProcessor. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…uid in scope actions Remove dead domain_name field from SearchImagesAction and GetAllImagesAction. Make user_uuid required (no default) and update all callers to provide it explicitly. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Revert SearchImagesAction to plain ImageAction without scope metadata. Remove user_uuid/domain_name fields, scope methods, and switch processor back to ActionProcessor. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Revert GetAllImagesAction to plain ImageAction without scope metadata. Remove ImageScopeAction/ImageScopeActionResult base classes and ScopeActionProcessor usage from Image processors. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Use spec'd mocks (ActionValidators/RBACValidators dataclass instances with MagicMock(spec=...)) instead of bare MagicMock() in test fixtures - Add comment explaining superadmin-only mutations skip RBAC validation since access is enforced by check_admin_only at the API layer Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Member
|
Overall, it’s unclear whether the actions without permission checks were intentionally left unmodified because they are deprecated, or if they were simply overlooked. Would it make sense to add deprecation annotations to all actions that have not been updated? |
HyeockJinKim
approved these changes
Mar 18, 2026
Collaborator
|
It seems the admin service should be separated; please review this. Rather than distinguishing between them at the API level, please verify at the service layer whether the respective operations should be restricted to admins only. (For GET requests, check if the user has access permissions; for SEARCH, check based on the scope; for CREATE, UPDATE, DELETE, and PURGE, check based on permissions.) @fregataa |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
ImageSingleEntityAction) for Image service following established patternsForgetImageByIdActionandPurgeImageByIdActionto extendImageSingleEntityActionand implement required RBAC methods (target_entity_id(),target_element(),entity_type())SingleEntityActionValidatorto Image processors usingSingleEntityActionProcessorfor entity-level permission checksActionProcessor— access is enforced bycheck_admin_onlyat the API layerActionProcessorwithout RBAC validatorsTest plan
pants fmtpassespants fixpassespants lint --changed-since=origin/mainpassesResolves BA-5040