feat(BA-6868): RBAC-gate AppConfig fragment single writes at the processors#12827
Closed
jopemachine wants to merge 4 commits into
Closed
feat(BA-6868): RBAC-gate AppConfig fragment single writes at the processors#12827jopemachine wants to merge 4 commits into
jopemachine wants to merge 4 commits into
Conversation
Entity-agnostic RBAC write primitives extracted so any entity can reuse them: - RBACWriteOps.create_scoped / purge_scoped: single scoped create/purge that also writes/clears the entity's scope association in the same transaction. - entity_creator: a None primary scope_ref marks a global-scoped entity (no association). - scope_unbinder: scope_ref is Optional to support global-scoped entities. - BulkScopeActionRBACValidator: per-scope RBAC validation for bulk scope actions. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
…(repository layer) A user/domain fragment is associated to its RBAC scope on create and unbound on purge; public fragments are global-scoped and carry no association, so fragment writes can be authorized by RBAC (BEP-1052). Registers APP_CONFIG_FRAGMENT as a ScopeType so the fragment is a full entity-as-scope, and backfills its permissions onto existing roles. Stacks on BA-6867 (RBAC scoped-ops primitives). Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
a7b0d89 to
8663ee7
Compare
…(repository layer) A user/domain fragment is associated to its RBAC scope on create and unbound on purge; public fragments are global-scoped and carry no association, so fragment writes can be authorized by RBAC (BEP-1052). Registers APP_CONFIG_FRAGMENT as a ScopeType so the fragment is a full entity-as-scope, and backfills its permissions onto existing roles. Stacks on BA-6867 (RBAC scoped-ops primitives). Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
…essors Attach the RBAC validators to the fragment write processors so create / update / purge are authorized at the fragment scope, and register the service/processors in the DI containers. A user may write their own user-scope fragment; a cross-user write is denied; public fragments are superadmin-only. Enforced only when RBAC enforcement is enabled. Bulk-write authorization ships with the API PR. Stacks on BA-6859. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
bb4b764 to
4103d55
Compare
c27f8f4 to
9897e3d
Compare
Member
Author
|
Superseded — the write-authorization design changed (public is determined by the app-config service, not RBAC; RBAC scoped-ops stay concrete). Folding the authz into #12826. Closing. |
9897e3d to
fe6c0df
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Attach the RBAC validators to the fragment write processors so
create/update/purgeare authorized at the fragment scope, and register the service/processors in the DI containers. A user may write their ownuser-scope fragment; a cross-user write is denied;publicfragments are superadmin-only. Enforced only when RBAC enforcement is enabled.Bulk-write authorization (bulk scope targets + bulk-scope validator wiring) ships with the API PR (#12759).
📚 Stacked PRs
Part of the AppConfigFragment / AppConfig stack under BEP-1052 (epic BA-5781). Merge in order (#12801 was split into #12825 / #12826 / #12827):
feat(BA-6552): app_config_fragments DB model and Alembic migrationfeat(BA-6553): repository layerrefactor(BA-6619): consolidate AppConfigScopeType into common.datarefactor(BA-6620): ExistsQuerier + AppConfigAllowList.existsfeat(BA-6554): AppConfigFragment service layerfeat(BA-6702): move fragment rank to the allow list with scope defaultsfeat(BA-6701): expose allow-list rank on the v2 API surfacefeat(BA-6704): cascade app config subtree deletion from the definitionfeat(BA-6626): app_config_fragment bulk repository layerfeat(BA-6618): app_config_fragment bulk CRUD service layerfeat(BA-6810): AppConfigFragment visible-fragments query (repository layer)feat(BA-6867): add generic RBAC scoped-ops primitives #12825—feat(BA-6867): RBAC scoped-ops primitives (closed — folded into feat(BA-6859): bind AppConfig fragments to their RBAC scope on write (repository layer) #12826)feat(BA-6859): bind fragments to their RBAC scope on write (repository layer)feat(BA-6868): RBAC-gate fragment single writes at the processors ← you are herefeat(BA-6555): AppConfig merge engine + resolve service (service layer)feat(BA-6556): AppConfig REST v2 APIfeat(BA-6860): fragment write API routes + bulk write authzJira: https://lablup.atlassian.net/browse/BA-6868
🤖 Generated with Claude Code