Skip to content

Launchpad MP (501314) - r00ta/openfga-users-to-groups-endpoints#439

Open
r00tabot wants to merge 1 commit intoSpaghettiHub:masterfrom
r00tabot:6fa11695-5cf1-406f-9595-919682665fb5
Open

Launchpad MP (501314) - r00ta/openfga-users-to-groups-endpoints#439
r00tabot wants to merge 1 commit intoSpaghettiHub:masterfrom
r00tabot:6fa11695-5cf1-406f-9595-919682665fb5

Conversation

@r00tabot
Copy link
Collaborator

@r00tabot r00tabot commented Mar 4, 2026

This is autogenerated by maas.r00ta.com. Enjoy!

Commit message: feat: add v2 and v3 API usergroup membership endpoints

Details:

  • openfga built-in migrations are executed before the alembic migrations, because we added an alembic migration that creates a view on the openfga.tuple table.
  • A new view maasserver_usergroup_members_view has been added. It reads data from the openfga.tuple table and joins it with the auth_user table, so to return the list of users and their groups.
  • V2 endpoints to list, add and remove users to groups
  • V3 endpoints to list, add and remove users to groups
  • Avoid adding system users to groups.

@r00ta r00ta requested a review from Copilot March 4, 2026 00:18
Copilot AI reviewed Mar 4, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds user↔group membership support across MAAS’ service layer and both API surfaces (legacy v2 + FastAPI v3) by introducing a SQL view over OpenFGA tuples joined to auth_user, plus the corresponding repositories/services/handlers and tests. It also adjusts migration ordering so OpenFGA built-in migrations run before Alembic, and prevents internal/system users from being auto-assigned to groups.

Changes:

  • Introduce maasserver_usergroup_members_view (OpenFGA tuples → user/group membership) and a read-only repository/model for querying it.
  • Add service-layer methods and v2/v3 API endpoints to list/add/remove group members, including “already in group” conflict handling.
  • Run OpenFGA built-in migrations before Alembic and skip auto-adding system users to default groups.

Reviewed changes

Copilot reviewed 26 out of 27 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
src/maasservicelayer/db/alembic/versions/0020_create_maasserver_user_group_membership.py Adds Alembic migration to create the user↔group membership view.
src/maasservicelayer/db/repositories/usergroups_members.py New read-only repository + clause factory for querying membership view.
src/maasservicelayer/db/tables.py Adds SQLAlchemy table definition for maasserver_usergroup_members_view.
src/maasservicelayer/exceptions/constants.py Adds a new exception “type” constant for conflict responses.
src/maasservicelayer/models/usergroup_members.py New service-layer model representing a group member row.
src/maasservicelayer/services/init.py Wires UserGroupMembersRepository into the service collection.
src/maasservicelayer/services/openfga_tuples.py Adds tuple deletion helper for removing a user from a group.
src/maasservicelayer/services/usergroups.py Adds membership methods (list/add/remove) + “already member” detection.
src/maasapiserver/v3/api/public/handlers/usergroups.py Adds v3 endpoints: GET/POST/DELETE /groups/{id}/members[...] with conflict handling.
src/maasapiserver/v3/api/public/models/requests/usergroup_members.py New request model for adding a member by user_id.
src/maasapiserver/v3/api/public/models/responses/usergroup_members.py New v3 response models for member list payloads.
src/maasopenfga/internal/migrations/00002_migrate_environments.go Skips internal users when bulk-assigning users to groups during OpenFGA migration.
src/maasserver/api/usergroups.py Adds v2 ops: list_members, add_member, remove_member.
src/maasserver/api/tests/test_usergroups.py Adds v2 API tests covering membership operations and permissions.
src/maasserver/exceptions.py Adds a v2 API exception for “already a member” conflict (409).
src/maasserver/management/commands/dbupgrade.py Runs OpenFGA migrations before Alembic migrations.
src/maasserver/models/signals/tests/test_users.py Adds signal tests ensuring system users are not auto-assigned to groups.
src/maasserver/models/signals/users.py Prevents system users from being auto-added to default groups on create.
src/maasserver/testing/factory.py Adds make_Usergroup() test factory using the service layer.
src/maasserver/testing/initial.maas_test.sql Updates test DB snapshot with the new view + bumps alembic version.
src/tests/fixtures/factories/user.py Makes test users use randomized usernames/emails by default.
src/tests/maasapiserver/v3/api/public/handlers/test_usergroups.py Adds v3 handler tests for membership endpoints and conflict/notfound cases.
src/tests/maasservicelayer/db/repositories/test_usergroups_members.py New repository tests for membership view filtering/listing.
src/tests/maasservicelayer/db/test_views.py Adds the new view to the “all views usable” test.
src/tests/maasservicelayer/services/test_openfga_tuples.py Adds test for removing a user-from-group tuple deletion.
src/tests/maasservicelayer/services/test_usergroups.py Extends service tests for membership add/list/remove and “already member” behavior.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@r00tabot