feat(BA-6254): add superadmin ensure-system-role repository/service/action #11891
Open
fregataa wants to merge 2 commits into
…ction

Add an idempotent operation that ensures each given user has a SYSTEM role and user-role mapping: it creates the role with its permissions and the mapping when missing, and reuses existing ones on repeat calls. Wires the repository, service, action, and processor layers (USER scope, batch input).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pull request overview
Adds a new idempotent “ensure SYSTEM role” operation to the permission controller stack (repository → service → action → processor) for superadmin use, plus repository-level DB-backed tests and a changelog entry.
Changes:
- Introduce `ensure_user_system_roles(specs)` in the permission controller repository/DB source and wire it through a new `EnsureSystemRoleAction` and processor/service entrypoint.
- Add `RoleMappingData` DTO to represent ensured user→role mappings.
- Add unit tests (real DB via `with_tables`) covering create-when-missing, idempotency, mixed batches, and empty input.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tests/unit/manager/repositories/permission_controller/test_ensure_user_system_roles.py | Adds repository-level tests for ensuring SYSTEM roles and mappings. |
| src/ai/backend/manager/services/permission_contoller/service.py | Adds service method to execute the new ensure action via repository. |
| src/ai/backend/manager/services/permission_contoller/processors.py | Registers the new action processor and declares it supported. |
| src/ai/backend/manager/services/permission_contoller/actions/ensure_system_role.py | Introduces EnsureSystemRoleAction and result type. |
| src/ai/backend/manager/services/permission_contoller/actions/__init__.py | Exposes the new action/result from the actions package. |
| src/ai/backend/manager/repositories/permission_controller/repository.py | Adds repository method delegating to DB source. |
| src/ai/backend/manager/repositories/permission_controller/db_source/db_source.py | Implements DB logic to ensure user SYSTEM roles + mappings. |
| src/ai/backend/manager/data/permission/user_role.py | Adds RoleMappingData DTO used by the new operation. |
| changes/11891.feature.md | Adds changelog entry for the new superadmin operation. |
Comment on lines +167 to +172
| """Ensure the SYSTEM role(s) for the given scope exist. | ||
|
|
||
| Idempotent: roles already present in the scope (matched by name) are | ||
| reused; missing ones are created together with their permissions. For | ||
| the USER scope, the user-to-role mapping is ensured as well. | ||
| """ |
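Review bot: The phrase "matched by name" in this docstring leaves open what happens to the permissions of a role that already exists under that name. The text says only that missing roles are "created together with their permissions", so state whether a reused role's permissions are checked against the expected set or left untouched, since callers will otherwise assume an ensured role always carries the full SYSTEM permissions. The wording "for the given scope" could also name the batch input the pull request description mentions, so the docstring matches the method it documents.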
Comment on lines +123 to +127
| """ | ||
| Ensure the SYSTEM role(s) for the given scope exist (idempotent). | ||
|
|
||
| Returns the ensured roles. | ||
| """ |
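Review bot: "Returns the ensured roles." on the last line of this docstring does not match the pull request description, which says the operation returns `RoleMappingData` per user. Describe the return value as the ensured user-to-role mappings, and mention that an empty input returns an empty result, which the test plan lists as a covered case.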
Summary
- `ensure_user_system_roles(specs)` across repository → service → action → processor: an idempotent superadmin operation that guarantees each given user has a SYSTEM role and its user-role mapping.
- `UserSystemRoleSpec` and returns `RoleMappingData` per user.
- `_get_user_role_id` error change are sibling issues BA-6255/6256/6257).

Test plan
- `pants fmt / fix / lint / check` pass on changed files
- `test_ensure_user_system_roles.py`, real DB via `with_tables`): create-when-missing grants role + permissions + mapping; idempotent reuse on repeated calls; batch with mixed existing/missing users; empty input is a no-op

Resolves BA-6254
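
An added sketch of the idempotent ensure operation described in the summary and test plan above; it is not the project's code or part of this pull request. The SQLite schema, the role naming rule and the permission set are assumptions made for the example, and only the function name is taken from the page.

```python
import sqlite3

# Hypothetical schema: table and column names are assumptions for this sketch.
SCHEMA = """
CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE,
                    source TEXT NOT NULL);
CREATE TABLE role_permissions (role_id INTEGER NOT NULL, operation TEXT NOT NULL,
                               UNIQUE (role_id, operation));
CREATE TABLE user_roles (user_id TEXT NOT NULL, role_id INTEGER NOT NULL,
                         UNIQUE (user_id, role_id));
"""
SYSTEM_OPERATIONS = ("read", "update")  # constructed permission set


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def ensure_user_system_roles(conn, user_ids):
    """Return {user_id: role_id}, creating role, permissions and mapping only if missing."""
    ensured = {}
    with conn:  # one transaction per batch: commit on success, roll back on error
        for user_id in user_ids:
            name = f"user-{user_id}-system"  # assumed naming rule; roles are matched by name
            row = conn.execute("SELECT id FROM roles WHERE name = ?", (name,)).fetchone()
            if row is None:
                cur = conn.execute(
                    "INSERT INTO roles (name, source) VALUES (?, 'SYSTEM')", (name,))
                role_id = cur.lastrowid
                conn.executemany(
                    "INSERT INTO role_permissions (role_id, operation) VALUES (?, ?)",
                    [(role_id, op) for op in SYSTEM_OPERATIONS])
            else:
                role_id = row[0]  # reuse: permissions of an existing role are not touched
            # The UNIQUE constraint plus OR IGNORE keeps the mapping single on repeat calls.
            conn.execute(
                "INSERT OR IGNORE INTO user_roles (user_id, role_id) VALUES (?, ?)",
                (user_id, role_id))
            ensured[user_id] = role_id
    return ensured


def row_counts(conn):
    """(roles, role_permissions, user_roles) row counts, to observe idempotency."""
    return tuple(conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
                 for t in ("roles", "role_permissions", "user_roles"))
```

Comparing `row_counts` before and after a repeated call shows the property the test plan checks: the second call returns the same mapping and adds no rows.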