Skip to content

feat(BA-5514): register roles in association_scopes_entities with optional scope#10704

Open
fregataa wants to merge 9 commits intomainfrom
feature/BA-5514/register-role-scope
Open

feat(BA-5514): register roles in association_scopes_entities with optional scope#10704
fregataa wants to merge 9 commits intomainfrom
feature/BA-5514/register-role-scope

Conversation

@fregataa
Copy link
Copy Markdown
Member

@fregataa fregataa commented Apr 1, 2026
edited
Loading

Summary

  • Add optional scope registration when creating roles via ScopeInput (scope_type + scope_id)
  • When scope is provided, RBACEntityCreator atomically creates the role row and its scope association; when absent, only the role row is created
  • Move RBACElementTypeGQL to a new scope.py module to break the circular import chain and co-locate it with ScopeInputGQL

Test plan

  • pants lint --changed-since=origin/main passes
  • pants check passes (0 new errors)
  • tests/unit/manager/api/gql/rbac/test_rbac_element_type_sync.py passes
  • tests/unit/common/dto/manager/v2/rbac:: passes
  • CI green

Resolves BA-5514

📚 Documentation preview 📚: https://sorna--10704.org.readthedocs.build/en/10704/

📚 Documentation preview 📚: https://sorna-ko--10704.org.readthedocs.build/ko/10704/

Copilot AI review requested due to automatic review settings April 1, 2026 01:38
@github-actions github-actions bot added size:L 100~500 LoC comp:manager Related to Manager component comp:common Related to Common component labels Apr 1, 2026
fregataa added a commit that referenced this pull request Apr 1, 2026
@fregataa
changelog: add news fragment for PR #10704
d5e0022
@github-actions github-actions bot added the area:docs Documentations label Apr 1, 2026
Copilot AI reviewed Apr 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds optional scope registration when creating RBAC roles (so newly created roles can be atomically registered into association_scopes_entities when a scope is provided), and refactors GraphQL RBAC enum/type placement to avoid circular imports.

Changes:

  • Thread optional scope_ref from GraphQL input → adapter → action/service → repository and use RBACEntityCreator to insert the scope association alongside role creation.
  • Introduce ScopeInput (DTO + GQL) and move RBACElementTypeGQL into a new scope.py module to break circular imports.
  • Update affected imports/exports and adjust enum sync test to the new module path.

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
tests/unit/manager/api/gql/rbac/test_rbac_element_type_sync.py Updates enum import location after moving RBACElementTypeGQL.
src/ai/backend/manager/services/permission_contoller/service.py Passes new scope_ref through to repository create-role input.
src/ai/backend/manager/services/permission_contoller/actions/create_role.py Extends CreateRoleAction with optional scope_ref.
src/ai/backend/manager/repositories/permission_controller/role_manager.py Uses RBACEntityCreator to register system roles in association_scopes_entities.
src/ai/backend/manager/repositories/permission_controller/db_source/db_source.py Conditionally uses RBACEntityCreator to create+register roles when scope_ref is provided.
src/ai/backend/manager/api/gql/rbac/types/scope.py New module defining RBACElementTypeGQL and ScopeInputGQL.
src/ai/backend/manager/api/gql/rbac/types/role.py Adds optional scope to GraphQL CreateRoleInput.
src/ai/backend/manager/api/gql/rbac/types/permission.py Imports RBACElementTypeGQL from the new scope module.
src/ai/backend/manager/api/gql/rbac/types/entity.py Imports RBACElementTypeGQL from the new scope module.
src/ai/backend/manager/api/gql/rbac/types/init.py Re-exports RBACElementTypeGQL and new ScopeInputGQL.
src/ai/backend/manager/api/adapters/rbac.py Converts optional GraphQL scope into internal RBACElementRef and passes it to CreateRoleAction.
src/ai/backend/common/dto/manager/v2/rbac/types.py Adds ScopeInput request model.
src/ai/backend/common/dto/manager/v2/rbac/request.py Extends CreateRoleInput (DTO) with optional scope.
src/ai/backend/common/dto/manager/v2/rbac/init.py Exports ScopeInput.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@fregataa fregataa requested a review from a team April 1, 2026 03:26
@fregataa fregataa added this to the 26.4 milestone Apr 1, 2026
jopemachine
jopemachine reviewed Apr 1, 2026
View reviewed changes
@fregataa fregataa force-pushed the feature/BA-5514/register-role-scope branch from 80468fd to c04ee83 Compare April 1, 2026 06:48
@fregataa fregataa requested review from a team and jopemachine April 1, 2026 06:58
fregataa and others added 8 commits April 2, 2026 14:10
@fregataa @claude
feat(BA-5514): register roles in association_scopes_entities with opt…
e805f7c 
…ional scope

Add optional scope registration when creating roles. When scope is
provided, RBACEntityCreator atomically creates the role row and its
scope association. When absent, only the role row is created.

- Add ScopeInput DTO type (scope_type enum + scope_id)
- Add ScopeInputGQL and move RBACElementTypeGQL to scope.py to break
  circular import chain
- Thread scope_ref through adapter → action → service → db_source
- System role creation now uses RBACEntityCreator with scope

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@fregataa
changelog: add news fragment for PR #10704
dbd8f29
@fregataa @lablup-octodog
chore: update api schema dump
7f281e6 
Co-authored-by: octodog <mu001@lablup.com>
@fregataa @claude
fix(BA-5514): use NEXT_RELEASE_VERSION for ScopeInputGQL added_version
fbb0e98 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@fregataa @lablup-octodog
chore: update api schema dump
c5ce0db 
Co-authored-by: octodog <mu001@lablup.com>
@fregataa @claude
fix(BA-5514): update RBACElementTypeGQL import in test_permission_mut…
6dcfb55 
…ations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@fregataa @claude
feat(BA-5514): support multiple scopes when creating a role
ac3b89b 
Change scope from single optional to a list, leveraging
RBACEntityCreator's existing additional_scope_refs support.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@fregataa @lablup-octodog
chore: update api schema dump
783131e 
Co-authored-by: octodog <mu001@lablup.com>
@fregataa fregataa force-pushed the feature/BA-5514/register-role-scope branch from 99f7958 to 783131e Compare April 2, 2026 05:13
@github-actions github-actions bot added size:XL 500~ LoC and removed size:L 100~500 LoC labels Apr 2, 2026
@fregataa @lablup-octodog
chore: update api schema dump
d3c78e8 
Co-authored-by: octodog <mu001@lablup.com>
@github-actions github-actions bot added size:L 100~500 LoC and removed size:XL 500~ LoC labels Apr 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@jopemachine jopemachine Awaiting requested review from jopemachine

At least 1 approving review is required to merge this pull request.

Assignees

@fregataa fregataa

Labels

area:docs Documentations comp:common Related to Common component comp:manager Related to Manager component size:L 100~500 LoC

Projects

None yet

Milestone

26.4

Development

Successfully merging this pull request may close these issues.

3 participants

@fregataa @jopemachine