Skip to content

feat(BA-4147): Implement querier pattern for RBAC permission/scope fetchers #8432

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
fregataa wants to merge 7 commits into
base: main
Choose a base branch
from
Open

feat(BA-4147): Implement querier pattern for RBAC permission/scope fetchers #8432

fregataa wants to merge 7 commits into from

Conversation

@fregataa
Copy link
Member

@fregataa fregataa commented Jan 29, 2026
edited
Loading

resolves #8429 (BA-4147)

Summary

  • Add BatchQuerier-based search methods for permission groups, scoped permissions, and object permissions across all layers (options, data types, DB source, repository, service actions).
  • This DOES NOT include any API spec or schema

Checklist: (if applicable)

  • Milestone metadata specifying the target backport version
  • Mention to the original issue
  • Installer updates including:
    • Fixtures for db schema changes
    • New mandatory config options
  • Update of end-to-end CLI integration tests in ai.backend.test
  • API server-client counterparts (e.g., manager API -> client SDK)
  • Test case(s) to:
    • Demonstrate the difference of before/after
    • Demonstrate the flow of abstract/conceptual models with a concrete implementation
  • Documentation
    • Contents in the docs directory
    • docstrings in public interfaces and type annotations

@fregataa fregataa added this to the 26.2 milestone Jan 29, 2026
@fregataa fregataa self-assigned this Jan 29, 2026
Copilot AI review requested due to automatic review settings January 29, 2026 10:57
@github-actions github-actions bot added size:XL 500~ LoC comp:manager Related to Manager component labels Jan 29, 2026
Copilot AI reviewed Jan 29, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR implements a BatchQuerier-based search pattern for RBAC permission and scope fetchers, providing SQL-level querying capabilities to replace in-memory filtering. The changes introduce new search infrastructure across data types, repository options, database sources, repositories, service actions, and services.

Changes:

  • Added three new list result data types (PermissionGroupListResult, ScopedPermissionListResult, ObjectPermissionListResult) to support paginated search results
  • Implemented conditions and orders classes for querying permission groups, scoped permissions, and object permissions with cursor-based pagination support
  • Created search methods in the database source, repository, and service layers for all three entity types with proper pagination and filtering capabilities

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.

Show a summary per file
File Description
src/ai/backend/manager/data/permission/permission_group.py Added PermissionGroupListResult data type for paginated search results
src/ai/backend/manager/data/permission/permission.py Added ScopedPermissionListResult data type for paginated search results
src/ai/backend/manager/data/permission/object_permission.py Added ObjectPermissionListResult data type for paginated search results
src/ai/backend/manager/repositories/permission_controller/options.py Implemented query conditions and orders for permission groups, scoped permissions, and object permissions with cursor-based pagination support
src/ai/backend/manager/repositories/permission_controller/db_source/db_source.py Added database-level search methods for permission groups, scoped permissions, and object permissions using execute_batch_querier
src/ai/backend/manager/repositories/permission_controller/repository.py Added repository-level wrapper methods with resilience decorators for all three search operations
src/ai/backend/manager/services/permission_contoller/actions/search_permission_groups.py Created SearchPermissionGroupsAction and SearchPermissionGroupsActionResult classes
src/ai/backend/manager/services/permission_contoller/actions/search_scoped_permissions.py Created SearchScopedPermissionsAction and SearchScopedPermissionsActionResult classes
src/ai/backend/manager/services/permission_contoller/actions/search_object_permissions.py Created SearchObjectPermissionsAction and SearchObjectPermissionsActionResult classes
src/ai/backend/manager/services/permission_contoller/actions/init.py Exported the new search action classes for external use
src/ai/backend/manager/services/permission_contoller/service.py Implemented service-level methods that orchestrate the search operations by calling repository methods and transforming results

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@fregataa fregataa force-pushed the feat/BA-4147-rbac-querier-pattern branch 2 times, most recently from f1d2ab1 to 2e5ca4e Compare January 30, 2026 05:28
jopemachine
jopemachine reviewed Jan 30, 2026
View reviewed changes
src/ai/backend/manager/services/permission_contoller/actions/search_object_permissions.py
@classmethod
def operation_type(cls) -> str:
return "search"

Copy link
Member

@jopemachine jopemachine Jan 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Like SearchScopedPermissionsAction, this is also a RoleAction, so shouldn’t we specify the operation_type more concretely as search_object_permission?

Copy link
Member Author

@fregataa fregataa Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We decided to declare operation type as enum

@fregataa fregataa marked this pull request as draft February 2, 2026 01:41
@fregataa fregataa removed the request for review from HyeockJinKim February 2, 2026 01:42
@fregataa
feat(BA-4147): Implement querier pattern for RBAC permission/scope fe…
79a977d 
…tchers

Add BatchQuerier-based search methods for permission groups, scoped
permissions, and object permissions across all layers (options, data
types, DB source, repository, service actions).
@fregataa
refactor(BA-4147): Remove unnecessary type: ignore[attr-defined] from…
ad81a63 
… new Conditions/Orders classes
@fregataa
add news fragment
0b29a55
@fregataa
test(BA-4147): Add repository unit tests for RBAC search operations
de55541 
Add tests for search_roles, search_permission_groups,
search_scoped_permissions, and search_object_permissions
covering filtering and ordering capabilities.
@fregataa
fix wrong import
1c87dd1
@fregataa
fix(BA-4147): Use read-committed isolation for permission search queries
2239ce0
@fregataa
minor updates
7d38e5a
@fregataa fregataa force-pushed the feat/BA-4147-rbac-querier-pattern branch from 2e5ca4e to 7d38e5a Compare February 3, 2026 09:20
@fregataa fregataa marked this pull request as ready for review February 3, 2026 09:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@HyeockJinKim HyeockJinKim Awaiting requested review from HyeockJinKim

@jopemachine jopemachine Awaiting requested review from jopemachine

Assignees

@fregataa fregataa

Labels

comp:manager Related to Manager component size:XL 500~ LoC

Projects

None yet

Milestone

26.2

Development

Successfully merging this pull request may close these issues.

Implement querier pattern for RBAC permission/scope fetchers

3 participants

@fregataa @jopemachine