feat(BA-5777): add bulk RBAC filtering infrastructure#11191
Merged
fregataa added a commit that referenced this pull request (Apr 20, 2026)
Pull request overview
This PR introduces infrastructure for per-entity RBAC validation on batch actions (including validator tracing and in-place batch narrowing), and removes an unused/orphaned batch session status-transition path plus several unused intermediate *BatchAction base classes.
Changes:
- Refactors batch action plumbing: `BaseBatchAction` becomes a generic dataclass with mutable `entity_ids: list[str]` plus `typed_entity_ids()`, and `BatchActionValidator` now returns a structured `BatchValidationResult` and provides a stable `name()`.
- Extends `BatchActionProcessor` to wrap validator execution in an async scope, record per-validator decisions, and filter `current_action.entity_ids` based on validator outcomes.
- Deletes the unused `check_and_transit_status_multi` batch path and removes now-unused service-level `*BatchAction` base classes (and associated tests/imports).
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/unit/manager/services/session/test_session_lifecycle_service.py | Removes orphaned tests for the deleted check_and_transit_status_multi path. |
| src/ai/backend/manager/services/session/service.py | Deletes the unused check_and_transit_status_multi() service method and its imports. |
| src/ai/backend/manager/services/session/actions/check_and_transit_status.py | Removes now-unused batch action/result types for check/transit status. |
| src/ai/backend/manager/services/session/base.py | Removes SessionBatchAction base class (batch infra moves to central action layer). |
| src/ai/backend/manager/services/user_resource_policy/actions/base.py | Removes unused UserResourcePolicyBatchAction. |
| src/ai/backend/manager/services/resource_preset/actions/base.py | Removes unused ResourcePresetBatchAction. |
| src/ai/backend/manager/services/project_resource_policy/actions/base.py | Removes unused ProjectResourcePolicyBatchAction. |
| src/ai/backend/manager/services/keypair_resource_policy/actions/base.py | Removes unused KeypairResourcePolicyBatchAction. |
| src/ai/backend/manager/services/image/actions/base.py | Removes unused ImageBatchAction. |
| src/ai/backend/manager/services/container_registry/actions/base.py | Removes unused ContainerRegistryBatchAction. |
| src/ai/backend/manager/services/artifact_revision/actions/base.py | Removes unused ArtifactRevisionBatchAction. |
| src/ai/backend/manager/services/artifact_registry/actions/base.py | Removes unused ArtifactBatchRegistryAction. |
| src/ai/backend/manager/services/artifact/actions/base.py | Removes unused ArtifactBatchAction. |
| src/ai/backend/manager/actions/validator/batch.py | Adds DeniedEntity + BatchValidationResult, and updates validator interface to return structured per-entity outcomes. |
| src/ai/backend/manager/actions/validators/rbac/batch.py | Implements the new batch validator interface and adds a stable validator name (rbac). |
| src/ai/backend/manager/actions/processor/batch.py | Adds validator scoping + decision tracing and filters batch IDs based on validator results; returns BatchProcessResult. |
| src/ai/backend/manager/actions/action/batch.py | Refactors BaseBatchAction into a generic dataclass with mutable entity_ids and typed_entity_ids(). |
654bb5f to 32a0fa8
jopemachine reviewed (Apr 21, 2026)
4d262a7 to 20ac375
20ac375 to ccacdeb
seedspirit reviewed (Apr 22, 2026)
- `BaseBatchAction` is a generic `@dataclass` carrying only `entity_ids: list[str]` plus an abstract `typed_entity_ids()` returning `list[T]`; user context and per-operation data are deliberately excluded so the processor can rebuild a narrowed action via `type(action)(entity_ids=...)` without a factory hook
- `BatchActionValidator` exposes `name()` + `validate()` returning `BatchValidationResult(allowed_entity_ids, denied_entities: list[DeniedEntity(entity_id, deny_reason)])`
- `BatchActionProcessor` runs each validator inside a `_validator_scope` async context manager (one place for timing/audit), appends a `BatchValidatorDecision(validator_name, results)` trace, and returns `BatchProcessResult(result, validator_decisions)` for partial-success responses
- Remove orphan `check_and_transit_status_multi` path, `CheckAndTransitStatus` batch action/result and its tests, and 10 unused intermediate batch base classes (Session/Image/ContainerRegistry/*ResourcePolicy/ResourcePreset/Artifact/ArtifactRevision/ArtifactRegistry)
- Add unit tests for `BatchActionProcessor` covering no-validator pass-through, partial/full deny, multi-validator ordering, and original-action immutability
- News fragment 11191.feature.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ology BA-5777 description was revised to use "Bulk" throughout. Rename the identifiers introduced in this branch to match:
- Files: action/batch.py → action/bulk.py and the mirrors under processor/, validator/, validators/rbac/, plus the test file
- Classes & type vars: BaseBatchAction → BaseBulkAction, BaseBatchActionResult → BaseBulkActionResult, BatchActionValidator → BulkActionValidator, BatchActionRBACValidator → BulkActionRBACValidator, BatchActionProcessor → BulkActionProcessor, BatchValidationResult → BulkValidationResult, BatchValidatorDecision → BulkValidatorDecision, BatchProcessResult → BulkProcessResult, TBatchAction/TBatchActionResult → TBulkAction/TBulkActionResult
- `__init__` exports and changelog fragment updated accordingly

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Rename `BulkValidatorDecision` to `ValidatorDecision`; the dataclass records one validator's verdict, so the Bulk prefix implied a set and conflicted with the surrounding `Bulk*` processor/result types
- Replace the `_validator_scope` asynccontextmanager with a plain async helper `_run_validator`; the CM yielded once with no pre/post split, so the bookend ceremony bought nothing over a regular call
- Drop the unused `name` parameter and `_name` attribute from the test's `_AllowSetValidator` (`name()` classmethod hardcodes the identifier)
- Note in `_run` that the service function runs once on the post-filter action so only entities that passed every validator reach it

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… and improving names

Inline `_run_validator()` into the loop, rename `_process_action` to `_filter_by_validation`, and rename `current_action` to `filtered_action`.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
ccacdeb to c05370d
seedspirit approved these changes (Apr 22, 2026)
jopemachine pushed a commit that referenced this pull request (Apr 24, 2026)
Summary
- manager/actions/: `BaseBulkAction[T]` (generic dataclass with `entity_ids: list[str]` + abstract `typed_entity_ids()`), `BulkActionValidator` returning `BulkValidationResult(allowed_entity_ids, denied_entities)`, and `BulkActionProcessor` that narrows the action between validators and returns `BulkProcessResult(result, validator_decisions)` for partial-success responses.
- Only `entity_ids` on the action, so the processor can reconstruct a narrowed action via `type(action)(entity_ids=...)` — no factory hook.
- Removed: `check_and_transit_status_multi` path and 10 unused intermediate `*BulkAction` base classes across services.
- `BulkActionRBACValidator.validate()` to `PermissionControllerRepository.check_bulk_permission_with_scope_chain()` (BA-5776).

Commits:
- `Batch*` → `Bulk*` to match updated BA-5777 wording.
- `BulkValidatorDecision` → `ValidatorDecision`, replace `_validator_scope` CM with a plain async helper, drop dead `name` param in test validator.

Test plan
- pants fmt / lint / check
- pants test tests/unit/manager/actions/test_bulk_processor.py

Resolves BA-5777
🤖 Generated with Claude Code
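The processor flow that the commit messages and the summary describe (a validator chain, a per-validator `ValidatorDecision` trace, narrowing via `type(action)(entity_ids=...)`, and a single service call on the filtered action), written out as an added illustration that is not the project's code. `OwnerValidator`, `echo_service`, `run_bulk` and the owner map are hypothetical stand-ins; the generic `typed_entity_ids()` hook is omitted.

```python
import asyncio
from dataclasses import dataclass

@dataclass
class DeniedEntity:
    entity_id: str
    deny_reason: str
@dataclass
class BulkValidationResult:
    allowed_entity_ids: list[str]
    denied_entities: list[DeniedEntity]
@dataclass
class ValidatorDecision:  # one validator's verdict, hence no Bulk prefix
    validator_name: str
    results: BulkValidationResult
@dataclass
class BulkProcessResult:
    result: object
    validator_decisions: list[ValidatorDecision]
@dataclass
class BaseBulkAction:
    entity_ids: list[str]  # the only field, so a narrowed copy is type(action)(entity_ids=...)

class OwnerValidator:  # hypothetical RBAC stand-in: the caller may act only on what they own
    def __init__(self, user_id: str, owners: dict[str, str]) -> None:
        self.user_id, self.owners = user_id, owners  # owners: entity_id -> owner id (constructed)
    @classmethod
    def name(cls) -> str:
        return "rbac"
    async def validate(self, action: BaseBulkAction) -> BulkValidationResult:
        allowed = [e for e in action.entity_ids if self.owners.get(e) == self.user_id]
        denied = [DeniedEntity(e, "not owner") for e in action.entity_ids if e not in allowed]
        return BulkValidationResult(allowed, denied)
class BulkActionProcessor:
    def __init__(self, validators: list, func) -> None:
        self.validators, self.func = validators, func
    async def run(self, action: BaseBulkAction) -> BulkProcessResult:
        filtered, decisions = action, []
        for validator in self.validators:
            res = await validator.validate(filtered)
            decisions.append(ValidatorDecision(validator.name(), res))
            # Rebuild a narrowed action; the caller's original instance is untouched.
            filtered = type(filtered)(entity_ids=list(res.allowed_entity_ids))
        # The service function runs once, on the post-filter action only.
        return BulkProcessResult(await self.func(filtered), decisions)
async def echo_service(action: BaseBulkAction) -> list[str]:
    return list(action.entity_ids)  # sample service: reports what it would act on
def run_bulk(validators: list, func, action: BaseBulkAction) -> BulkProcessResult:
    return asyncio.run(BulkActionProcessor(validators, func).run(action))
```

The `validator_decisions` trace is what a partial-success response can expose: each denied entity carries the validator name and deny reason, while the service only ever sees entities that passed every validator.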