Skip to content

feat(BA-2946): Apply RBAC validator infrastructure to Session actions#9624

Draft
fregataa wants to merge 7 commits intomainfrom
feature/BA-2946-apply-rbac-validator-to-session
Draft

feat(BA-2946): Apply RBAC validator infrastructure to Session actions#9624
fregataa wants to merge 7 commits intomainfrom
feature/BA-2946-apply-rbac-validator-to-session

Conversation

@fregataa
Copy link
Member

@fregataa fregataa commented Mar 4, 2026

Summary

  • Refactored Session actions to use BaseScopeAction and BaseSingleEntityAction base classes for RBAC validation
  • Added SessionScopeAction and SessionSingleEntityAction with target_element() methods for BEP-1048 compliance
  • Updated 6 scope-level actions (Create, Search, Match) and 4 single-entity actions (Get, Destroy, Execute, Modify) to implement RBAC validation infrastructure
  • Followed VFolder patterns from BA-4620 for consistent RBAC validation across all guarded entities

Test plan

  • Lint and type checks pass
  • Unit tests pass (CI will verify)
  • Integration tests with RBAC validators (follow-up work needed)
  • API layer updates to set scope/session_id fields (tracked in BA-2946)

Next Steps

This PR provides the infrastructure foundation for Session RBAC validation. Follow-up work required:

  1. Update API/processor layer to populate _scope_type, _scope_id, and session_id fields
  2. Connect RBAC validators to action processors
  3. Apply same pattern to remaining 20+ single-entity Session actions
  4. Add integration tests for RBAC permission checks

Resolves BA-2946

@fregataa @claude
feat(BA-2946): Apply RBAC validator infrastructure to Session actions
4b8580d 
Refactor Session actions to use BaseScopeAction and BaseSingleEntityAction
for RBAC validation support, following VFolder patterns from BEP-1048.

Changes:
- Add SessionScopeAction and SessionSingleEntityAction base classes
- Refactor 6 scope-level actions (Create, Search, Match)
  - Add _scope_type and _scope_id fields for RBAC validation
  - Implement scope_type(), scope_id(), target_element() methods
- Refactor 4 single-entity actions (Get, Destroy, Execute, Modify)
  - Add session_id field for RBAC validation
  - Implement target_entity_id() and target_element() methods
- Add field_data() method to SessionSingleEntityAction

TODO:
- Set _scope_type/_scope_id from context in API/processor layer
- Resolve session_id from session_name before RBAC validation
- Apply same pattern to remaining 20+ single-entity actions
- Connect RBAC validators to action processors

Related: BA-4617, BA-4620, BEP-1048

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 4, 2026 09:06
@github-actions github-actions bot added size:L 100~500 LoC comp:manager Related to Manager component labels Mar 4, 2026
Copilot AI reviewed Mar 4, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Refactors Session service actions to use the RBAC validator base action infrastructure (scope-level and single-entity) to align with BEP-1048 patterns.

Changes:

  • Added Session-specific BaseScopeAction / BaseSingleEntityAction wrappers in services/session/base.py.
  • Updated several Session actions (search/match/create/modify/get/execute/destroy) to provide RBAC scope/target element metadata.
  • Added a changelog entry documenting the RBAC infra addition.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 12 comments.

Show a summary per file
File Description
src/ai/backend/manager/services/session/base.py Introduces SessionScope/SingleEntity base action wrappers for RBAC validation.
src/ai/backend/manager/services/session/actions/search_kernel.py Migrates kernel search action to scope-based RBAC action and supplies scope target element.
src/ai/backend/manager/services/session/actions/search.py Migrates session search action to scope-based RBAC action and supplies scope target element.
src/ai/backend/manager/services/session/actions/modify_session.py Migrates session modify action to single-entity RBAC action and supplies session target element.
src/ai/backend/manager/services/session/actions/match_sessions.py Migrates session match action to scope-based RBAC action and supplies scope target element.
src/ai/backend/manager/services/session/actions/get_session_info.py Migrates get-session-info action to single-entity RBAC action and supplies session target element.
src/ai/backend/manager/services/session/actions/execute_session.py Migrates execute-session action to single-entity RBAC action and supplies session target element.
src/ai/backend/manager/services/session/actions/destroy_session.py Migrates destroy-session action to single-entity RBAC action and supplies session target element.
src/ai/backend/manager/services/session/actions/create_from_template.py Migrates create-from-template action to scope-based RBAC action and supplies scope target element.
src/ai/backend/manager/services/session/actions/create_from_params.py Migrates create-from-params action to scope-based RBAC action and supplies scope target element.
src/ai/backend/manager/services/session/actions/create_cluster.py Migrates create-cluster action to scope-based RBAC action and supplies scope target element.
changes/9624.feature.md Records the feature addition in the changelog.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

src/ai/backend/manager/services/session/actions/execute_session.py Outdated
api_version: tuple[Any, ...]
owner_access_key: AccessKey
params: ExecuteSessionActionParams
session_id: str = "" # TODO: Resolve from session_name before RBAC validation
Copy link

Copilot AI Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same issue as GetSessionInfoAction: target_entity_id() and target_element() can return an empty ID when session_id hasn’t been resolved. Prefer session_id: str | None and fail fast in target_entity_id()/target_element() if it’s not set (or require session_id as a mandatory field for this action).

Copilot uses AI. Check for mistakes.
@fregataa fregataa added this to the 26.3 milestone Mar 4, 2026
@fregataa fregataa marked this pull request as draft March 4, 2026 09:14
fregataa and others added 3 commits March 4, 2026 19:07
@fregataa @claude
refactor(BA-2946): move RBAC methods to base classes and fix validation
0d6611b 
Address PR review feedback by refactoring Session action classes:

- Move common RBAC methods (scope_type, scope_id, target_element,
  target_entity_id, field_data) from concrete classes to base classes
  (SessionScopeAction and SessionSingleEntityAction)
- Change field defaults from GLOBAL/empty string to None with explicit
  validation to prevent empty RBAC elements
- Add proper error messages when fields not set before RBAC validation
- Fix ModifySessionAction: rename session_id to session_uuid to avoid
  type conflict with base class (UUID vs str), convert in __post_init__
- Update API call in gql_legacy/session.py to use new parameter name

This eliminates ~200 lines of duplicated code across 10 action classes
and ensures scope is always explicitly set (never defaulting to GLOBAL
per user requirement).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@fregataa @claude
refactor(BA-2946): derive scope from business logic, remove _scope_ty…
ad248be 
…pe/_scope_id fields

Change SessionScopeAction pattern to compute scope from business context
instead of storing it in separate fields:

- Remove _scope_type and _scope_id fields from all SessionScopeAction
  concrete classes (SearchSessionsAction, CreateFromParamsAction, etc.)
- Each concrete class now computes scope directly from its business fields:
  * scope_type() always returns ScopeType.USER
  * scope_id() returns str(self.user_id)
  * target_element() uses USER scope with user_id
- Add user_id field to actions that lacked it:
  * SearchSessionsAction
  * SearchKernelsAction
  * MatchSessionsAction

Benefits:
- Eliminates redundant fields (_scope_type, _scope_id)
- Scope derivation logic co-located with action definition
- Enforces "always USER scope" requirement at type level
- API handlers now only need to provide user_id, not compute scope

This follows user requirement: "scope는 모두 user id로 설정.
global scope는 절대 쓰지 마라" (always use user id for scope,
never use GLOBAL scope).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@fregataa @claude
fix(BA-2946): add user_id to SessionScopeAction calls in API handlers
7a29856 
Update all API handlers to provide user_id when creating SessionScopeAction
instances (SearchSessionsAction, SearchKernelsAction, MatchSessionsAction).

Changes:
- GraphQL data loaders: get user_id from current_user() context
  * session/loader.py
  * kernel/loader.py
- GraphQL fetchers: get user_id from current_user() context
  * kernel/fetcher/kernel.py
  * session/fetcher/session.py
- GraphQL types: add user_id to SearchKernelsAction in kernels field
  * session/types.py
- REST API handlers: get user_id from current_user() context
  * rest/session/handler.py (MatchSessionsAction)
  * rest/compute_sessions/handler.py (SearchSessionsAction, SearchKernelsAction)

All actions now receive user_id which is used to compute USER scope
for RBAC validation as required by the design.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@fregataa fregataa mentioned this pull request Mar 4, 2026
Open
fregataa and others added 2 commits March 4, 2026 22:46
@fregataa @claude
refactor(BA-2946): remove single entity actions, keep scope actions only
deb85c0 
Remove 4 single entity actions and SessionSingleEntityAction base class
to keep this branch focused on scope actions only. Single entity actions
will be handled in separate branches (BA-4864).

Changes:
- Removed SessionSingleEntityAction and SessionSingleEntityActionResult from base.py
- Restored 4 single entity action files to main state:
  - destroy_session.py
  - execute_session.py
  - get_session_info.py
  - modify_session.py
- Kept SessionScopeAction and 6 scope actions:
  - create_cluster, create_from_params, create_from_template
  - match_sessions, search_kernel, search

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@fregataa @claude
feat(BA-2946): connect RBAC validators to SessionProcessors
492fa67 
- Add permission_repository parameter to SessionProcessors.__init__
- Instantiate ScopeActionRBACValidator and SingleEntityActionRBACValidator
- Apply scope validator to 6 scope actions (create_cluster, create_from_params, create_from_template, match_sessions, search_kernels, search_sessions)
- Apply single entity validator to 4 single entity actions (destroy_session, execute_session, get_session_info, modify_session)
- Reorganize processor initialization into three logical sections: no validation, scope validation, single entity validation

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@fregataa fregataa marked this pull request as ready for review March 4, 2026 14:24
@fregataa fregataa marked this pull request as draft March 4, 2026 16:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@fregataa fregataa

Labels

comp:manager Related to Manager component size:L 100~500 LoC

Projects

None yet

Milestone

26.3

Development

Successfully merging this pull request may close these issues.

2 participants

@fregataa