feat(BA-4876): add GQL types and resolver for permission update mutation

changes/9724.feature.md

@@ -0,0 +1 @@
+Add GraphQL types and resolver stub for permission update mutation

docs/manager/graphql-reference/supergraph.graphql

@@ -7507,6 +7507,9 @@ type Mutation
   """Added in 26.3.0. Create a scoped permission (admin only)."""
   adminCreatePermission(input: CreatePermissionInput!): Permission! @join__field(graph: STRAWBERRY)
 
+  """Added in 26.3.0. Update a scoped permission (admin only)."""
+  adminUpdatePermission(input: UpdatePermissionInput!): Permission! @join__field(graph: STRAWBERRY)
+
   """Added in 26.3.0. Delete a scoped permission (admin only)."""
   adminDeletePermission(input: DeletePermissionInput!): DeletePermissionPayload! @join__field(graph: STRAWBERRY)
 
@@ -11984,6 +11987,17 @@ type UpdateObjectStoragePayload
   objectStorage: ObjectStorage!
 }
 
+"""Added in 26.3.0. Input for updating a scoped permission"""
+input UpdatePermissionInput
+  @join__type(graph: STRAWBERRY)
+{
+  id: UUID!
+  scopeType: RBACElementType = null
+  scopeId: String = null
+  entityType: RBACElementType = null
+  operation: OperationType = null
+}
+
 """Added in 25.14.0"""
 input UpdateReservoirRegistryInput
   @join__type(graph: STRAWBERRY)

docs/manager/graphql-reference/v2-schema.graphql

@@ -3940,6 +3940,9 @@ type Mutation {
   """Added in 26.3.0. Create a scoped permission (admin only)."""
   adminCreatePermission(input: CreatePermissionInput!): Permission!
 
+  """Added in 26.3.0. Update a scoped permission (admin only)."""
+  adminUpdatePermission(input: UpdatePermissionInput!): Permission!
+
   """Added in 26.3.0. Delete a scoped permission (admin only)."""
   adminDeletePermission(input: DeletePermissionInput!): DeletePermissionPayload!
 
@@ -7048,6 +7051,15 @@ type UpdateObjectStoragePayload {
   objectStorage: ObjectStorage!
 }
 
+"""Added in 26.3.0. Input for updating a scoped permission"""
+input UpdatePermissionInput {
+  id: UUID!
+  scopeType: RBACElementType = null
+  scopeId: String = null
+  entityType: RBACElementType = null
+  operation: OperationType = null
+}
+
 """Added in 25.14.0"""
 input UpdateReservoirRegistryInput {
   id: ID!

src/ai/backend/manager/api/gql/rbac/__init__.py

@@ -13,6 +13,7 @@
     admin_role,
     admin_role_assignments,
     admin_roles,
+    admin_update_permission,
     admin_update_role,
     my_roles,
     rbac_scope_entity_combinations,
@@ -42,6 +43,7 @@
     RoleSourceGQL,
     RoleStatusGQL,
     ScopeEntityCombinationGQL,
+    UpdatePermissionInput,
     UpdateRoleInput,
 )
 
@@ -70,6 +72,7 @@
     "CreateRoleInput",
     "UpdateRoleInput",
     "CreatePermissionInput",
+    "UpdatePermissionInput",
     "AssignRoleInput",
     "RevokeRoleInput",
     # Connections
@@ -91,6 +94,7 @@
     "admin_delete_role",
     "admin_purge_role",
     "admin_create_permission",
+    "admin_update_permission",
     "admin_delete_permission",
     "admin_assign_role",
     "admin_revoke_role",

src/ai/backend/manager/api/gql/rbac/resolver/__init__.py

@@ -5,6 +5,7 @@
     admin_create_permission,
     admin_delete_permission,
     admin_permissions,
+    admin_update_permission,
     rbac_scope_entity_combinations,
 )
 from .role import (
@@ -28,6 +29,7 @@
     "admin_entities",
     # Permission mutations
     "admin_create_permission",
+    "admin_update_permission",
     "admin_delete_permission",
     # Role queries
     "admin_role",

src/ai/backend/manager/api/gql/rbac/resolver/permission.py

@@ -19,6 +19,7 @@
     PermissionOrderBy,
     RBACElementTypeGQL,
     ScopeEntityCombinationGQL,
+    UpdatePermissionInput,
 )
 from ai.backend.manager.api.gql.types import StrawberryGQLContext
 from ai.backend.manager.models.rbac_models.permission.permission import PermissionRow
@@ -27,6 +28,9 @@
     CreatePermissionAction,
     DeletePermissionAction,
 )
+from ai.backend.manager.services.permission_contoller.actions.update_permission import (
+    UpdatePermissionAction,
+)
 
 # ==================== Query Resolvers ====================
 
@@ -90,6 +94,19 @@ async def admin_create_permission(
     return PermissionGQL.from_dataclass(action_result.data)
 
 
+@strawberry.mutation(description="Added in 26.3.0. Update a scoped permission (admin only).")  # type: ignore[misc]
+async def admin_update_permission(
+    info: Info[StrawberryGQLContext],
+    input: UpdatePermissionInput,
+) -> PermissionGQL:
+    action_result = (
+        await info.context.processors.permission_controller.update_permission.wait_for_complete(
+            UpdatePermissionAction(updater=input.to_updater())
+        )
+    )
+    return PermissionGQL.from_dataclass(action_result.data)
+
+
 @strawberry.mutation(description="Added in 26.3.0. Delete a scoped permission (admin only).")  # type: ignore[misc]
 async def admin_delete_permission(
     info: Info[StrawberryGQLContext],

src/ai/backend/manager/api/gql/rbac/types/__init__.py

@@ -22,6 +22,7 @@
     PermissionOrderField,
     RBACElementTypeGQL,
     ScopeEntityCombinationGQL,
+    UpdatePermissionInput,
 )
 from .role import (
     AssignRoleInput,
@@ -79,6 +80,7 @@
     "EntityOrderBy",
     # Inputs
     "CreatePermissionInput",
+    "UpdatePermissionInput",
     "DeletePermissionInput",
     "CreateRoleInput",
     "UpdateRoleInput",

src/ai/backend/manager/api/gql/rbac/types/permission.py

@@ -23,11 +23,14 @@
 from ai.backend.manager.models.rbac_models.permission.permission import PermissionRow
 from ai.backend.manager.repositories.base import QueryCondition, QueryOrder
 from ai.backend.manager.repositories.base.creator import Creator
+from ai.backend.manager.repositories.base.updater import Updater
 from ai.backend.manager.repositories.permission_controller.creators import PermissionCreatorSpec
 from ai.backend.manager.repositories.permission_controller.options import (
     ScopedPermissionConditions,
     ScopedPermissionOrders,
 )
+from ai.backend.manager.repositories.permission_controller.updaters import PermissionUpdaterSpec
+from ai.backend.manager.types import OptionalState
 
 if TYPE_CHECKING:
     from ai.backend.manager.api.gql.rbac.types.role import RoleGQL
@@ -333,6 +336,40 @@ def to_creator(self) -> Creator[PermissionRow]:
         )
 
 
+@strawberry.input(description="Added in 26.3.0. Input for updating a scoped permission")
+class UpdatePermissionInput:
+    id: uuid.UUID
+    scope_type: RBACElementTypeGQL | None = None
+    scope_id: str | None = None
+    entity_type: RBACElementTypeGQL | None = None
+    operation: OperationTypeGQL | None = None
+
+    def to_updater(self) -> Updater[PermissionRow]:
+        spec = PermissionUpdaterSpec(
+            scope_type=(
+                OptionalState.update(self.scope_type.to_element().to_scope_type())
+                if self.scope_type is not None
+                else OptionalState.nop()
+            ),
+            scope_id=(
+                OptionalState.update(self.scope_id)
+                if self.scope_id is not None
+                else OptionalState.nop()
+            ),
+            entity_type=(
+                OptionalState.update(self.entity_type.to_element().to_entity_type())
+                if self.entity_type is not None
+                else OptionalState.nop()
+            ),
+            operation=(
+                OptionalState.update(self.operation.to_internal())
+                if self.operation is not None
+                else OptionalState.nop()
+            ),
+        )
+        return Updater(spec=spec, pk_value=self.id)
+
+
 @strawberry.input(description="Added in 26.3.0. Input for deleting a scoped permission")
 class DeletePermissionInput:
     id: uuid.UUID

src/ai/backend/manager/api/gql/schema.py

@@ -179,6 +179,7 @@
     admin_role,
     admin_role_assignments,
     admin_roles,
+    admin_update_permission,
     admin_update_role,
     my_roles,
     rbac_scope_entity_combinations,
@@ -479,6 +480,7 @@ class Mutation:
     admin_delete_role = admin_delete_role
     admin_purge_role = admin_purge_role
     admin_create_permission = admin_create_permission
+    admin_update_permission = admin_update_permission
     admin_delete_permission = admin_delete_permission
     admin_assign_role = admin_assign_role
     admin_revoke_role = admin_revoke_role