feat(BA-2938): Migrate Session data to RBAC database#9636
Merged
Conversation
github-actions
Bot
added
size:L
fregataa
added a commit
that referenced
this pull request
Mar 4, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Migrates Session entities into the RBAC system by adding entity-type permissions and creating AUTO scope→entity associations via an Alembic migration.
Changes:
- Added an Alembic migration to backfill SESSION permissions for existing role+scope combinations.
- Added AUTO association edges from user/project scopes to Session records using batched pagination.
- Added a changelog entry describing the migration.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| src/ai/backend/manager/models/alembic/versions/30c8308738ee_migrate_session_data_to_rbac.py | Implements the RBAC data migration for Session permissions and scope associations. |
| changes/9636.feature.md | Documents the feature/migration at a high level. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
fregataa
commented
Mar 4, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
fregataa
added a commit
that referenced
this pull request
Mar 11, 2026
fregataa
force-pushed
the
feature/BA-2938-migrate-session-rbac
branch
from
f47c98a to
591fc12
Compare
jopemachine
reviewed
Mar 12, 2026
Member
|
Is it appropriate to classify a data migration PR as a feat? |
fregataa
added a commit
that referenced
this pull request
Mar 13, 2026
fregataa
force-pushed
the
feature/BA-2938-migrate-session-rbac
branch
from
591fc12 to
79b7a88
Compare
Member
Author
yes it is because it effects to RBAC features |
Add alembic migration to migrate Session entities to the new RBAC system: - Add SESSION entity-type permissions to all role+scope combinations - Skip domain member roles (scope too broad) - Member roles get READ operation only - Owner/admin roles get all operations - Create AUTO edges from User scope → Session (via user_uuid) - Create AUTO edges from Project scope → Session (via group_id) - Use keyset pagination for scalability with large session tables - Support both upgrade and downgrade operations This migration follows the new RBAC pattern where permissions table includes role_id, scope_type, scope_id directly (no permission_groups). The association_scopes_entities table uses relation_type='auto' to mark automatically managed scope-entity relationships. Unlike VFolder, Session has no invitation/sharing mechanism, making the migration simpler with only entity-type permissions and AUTO edges. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
…tent ordering Replace text-based UUID comparison with UUID type comparison to avoid potential ordering discrepancies between lexicographic (text) and binary (UUID) sort orders. Changes: - Import UUID from uuid module - Initialize last_id as UUID object instead of string - Remove ::text casting in WHERE and SELECT clauses - Use native UUID comparison (id > :last_id) instead of text comparison This ensures that filtering and ordering use the same sort order, preventing potential data skips or duplicates during batch processing. Addresses Copilot review comment about UUID/text ordering mismatch.
…LECT Replace application-side OFFSET pagination with a single set-based INSERT ... SELECT query for better performance and consistency. Changes: - Remove while loop with OFFSET pagination - Use CTE (WITH clause) to derive role+scope combinations - Use UNION ALL to combine member and owner operations - Use unnest() to expand operation arrays inline - Single database round-trip instead of multiple batches Benefits: - O(1) time complexity vs O(N) with OFFSET - No risk of row skips/duplicates from concurrent changes - Simpler code without manual batching logic - Better query plan from database optimizer Addresses Copilot review comment about OFFSET inefficiency.
…d queries Replace string interpolation in INSERT and DELETE statements with parameterized queries to improve security and maintainability. Changes for INSERT: - Build values_list with dicts instead of string formatting - Use parameterized query with :named parameters - Execute individual inserts in loop (safe for ON CONFLICT) Changes for DELETE: - Replace 'SELECT + string join' pattern with subquery - Use DELETE ... WHERE id IN (SELECT ... LIMIT N) - Check rowcount instead of empty result set - Keep all parameters bound safely Benefits: - Eliminates SQL injection risks from malformed UUIDs - Prevents quoting/escaping issues - Avoids oversized query strings with large batches - More maintainable and readable code Addresses Copilot review comments about SQL injection and DELETE pattern.
Rename constant to use more accurate terminology. 'SUFFIX' better describes the pattern matching with str.endswith() than 'POSTFIX'. Addresses Copilot review comment about naming convention.
fregataa
force-pushed
the
feature/BA-2938-migrate-session-rbac
branch
from
79b7a88 to
b6c1341
Compare
…vel constants Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
jopemachine
approved these changes
Mar 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This migration brings Session entities into the RBAC system, enabling fine-grained access control. Unlike VFolder, Session has no invitation/sharing mechanism, making the migration simpler with only entity-type permissions and AUTO edges.
Test plan
alembic upgrade head)alembic downgrade -1)Resolves BA-2938