Skip to content

feat(BA-4808): define RBAC scope-entity combination constants#9544

Open
fregataa wants to merge 8 commits intomainfrom
BA-4808
Open

feat(BA-4808): define RBAC scope-entity combination constants#9544
fregataa wants to merge 8 commits intomainfrom
BA-4808

Conversation

@fregataa
Copy link
Member

@fregataa fregataa commented Feb 28, 2026
edited
Loading

Summary

  • Add VALID_SCOPE_ENTITY_COMBINATIONS as a flat Mapping[RBACElementType, frozenset[RBACElementType]] mapping each scope type to its valid entity types based on BEP-1048 entity-edge-catalog
  • Include entity-level scopes (ResourceGroup, Agent, Session, ModelDeployment, ContainerRegistry, StorageHost) in addition to Domain, Project, User
  • Add AGENT, KERNEL, ROUTING values to RBACElementType enum
  • Add comprehensive unit tests covering all scope types, valid/invalid combinations

Test plan

  • Unit tests for all scope-entity combinations (Domain, Project, User, ResourceGroup, Agent, Session, ModelDeployment, ContainerRegistry, StorageHost)
  • Unit tests for invalid combinations (non-scope as scope, missing entities)
  • pants fmt, fix, lint pass

Resolves BA-4808

@fregataa @claude
feat(BA-4808): define RBAC scope-entity combination constants
d717f75 
Add VALID_SCOPE_ENTITY_COMBINATIONS dict and is_valid_scope_entity_combination()
helper based on BEP-1048/entity-edge-catalog.md. This provides a single source
of truth for valid scope-entity pairs (auto and ref edges) used by frontend UI
filtering and server-side validation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings February 28, 2026 15:03
@github-actions github-actions bot added size:L 100~500 LoC comp:common Related to Common component labels Feb 28, 2026
Copilot AI reviewed Feb 28, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Defines a centralized catalog of valid RBAC (scope, entity) combinations (optionally filtered by relation type) and adds unit tests to validate expected combinations.

Changes:

  • Added VALID_SCOPE_ENTITY_COMBINATIONS and VALID_SCOPE_ENTITY_COMBINATIONS_BY_RELATION constants.
  • Added is_valid_scope_entity_combination() helper supporting optional relation-type filtering.
  • Added pytest coverage and a Pants python_tests() target for the new test module.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

File Description
src/ai/backend/common/data/permission/scope_entity_combinations.py Introduces the scope/entity combination constants and the validation helper.
tests/common/data/permission/test_scope_entity_combinations.py Adds unit tests for valid/invalid combinations and relation-type filtering.
tests/common/data/permission/BUILD Adds a Pants test target for the permission test directory.
changes/9544.feature.md Documents the new RBAC scope/entity combination single source of truth.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@fregataa fregataa marked this pull request as draft February 28, 2026 15:11
fregataa and others added 4 commits March 1, 2026 00:35
@fregataa @claude
feat(BA-4808): simplify scope-entity combinations and add entity-leve…
6d0e174 
…l scopes

- Flatten to single VALID_SCOPE_ENTITY_COMBINATIONS dict (remove
  BY_RELATION variant and helper function)
- Add AGENT and KERNEL to RBACElementType enum
- Add entity-level scope keys: ResourceGroup->{Agent},
  Agent->{Kernel}, ContainerRegistry->{Image}, StorageHost->{VFolder}

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@fregataa
changelog: update news fragment for PR #9544
7f0adf9
@fregataa @claude
feat(BA-4808): add Session, ModelDeployment scopes and StorageHost to…
89448ab 
… Domain/Project

- Add ROUTING to RBACElementType enum
- Add scope keys: Session->{Kernel}, ModelDeployment->{Routing, Session}
- Add StorageHost entity to Domain and Project scopes

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@fregataa @claude
refactor(BA-4808): use Mapping[..., frozenset] for immutable scope-en…
6f8c894 
…tity combinations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@fregataa fregataa added this to the 26.3 milestone Feb 28, 2026
@fregataa fregataa requested a review from a team February 28, 2026 16:10
@fregataa fregataa marked this pull request as ready for review February 28, 2026 16:10
@fregataa fregataa requested a review from Copilot February 28, 2026 16:10
@fregataa @claude
fix(BA-4808): add AGENT, KERNEL, ROUTING to exhaustive match arms
bf05bd8 
New RBACElementType values caused mypy "Missing return statement"
errors in permission.py and entity.py match statements.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions github-actions bot added the comp:manager Related to Manager component label Feb 28, 2026
Copilot AI reviewed Feb 28, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@fregataa fregataa

Labels

comp:common Related to Common component comp:manager Related to Manager component size:L 100~500 LoC

Projects

None yet

Milestone

26.3

Development

Successfully merging this pull request may close these issues.

2 participants

@fregataa