feat(BA-5777): add batch RBAC filtering infrastructure#11191
Open
feat(BA-5777): add batch RBAC filtering infrastructure#11191
Conversation
github-actions
bot
added
size:L
fregataa
added a commit
that referenced
this pull request
Apr 20, 2026
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR introduces infrastructure for per-entity RBAC validation on batch actions (including validator tracing and in-place batch narrowing), and removes an unused/orphaned batch session status-transition path plus several unused intermediate *BatchAction base classes.
Changes:
- Refactors batch action plumbing:
BaseBatchActionbecomes a generic dataclass with mutableentity_ids: list[str]plustyped_entity_ids(), andBatchActionValidatornow returns a structuredBatchValidationResultand provides a stablename(). - Extends
BatchActionProcessorto wrap validator execution in an async scope, record per-validator decisions, and filtercurrent_action.entity_idsbased on validator outcomes. - Deletes the unused
check_and_transit_status_multibatch path and removes now-unused service-level*BatchActionbase classes (and associated tests/imports).
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/unit/manager/services/session/test_session_lifecycle_service.py | Removes orphaned tests for the deleted check_and_transit_status_multi path. |
| src/ai/backend/manager/services/session/service.py | Deletes the unused check_and_transit_status_multi() service method and its imports. |
| src/ai/backend/manager/services/session/actions/check_and_transit_status.py | Removes now-unused batch action/result types for check/transit status. |
| src/ai/backend/manager/services/session/base.py | Removes SessionBatchAction base class (batch infra moves to central action layer). |
| src/ai/backend/manager/services/user_resource_policy/actions/base.py | Removes unused UserResourcePolicyBatchAction. |
| src/ai/backend/manager/services/resource_preset/actions/base.py | Removes unused ResourcePresetBatchAction. |
| src/ai/backend/manager/services/project_resource_policy/actions/base.py | Removes unused ProjectResourcePolicyBatchAction. |
| src/ai/backend/manager/services/keypair_resource_policy/actions/base.py | Removes unused KeypairResourcePolicyBatchAction. |
| src/ai/backend/manager/services/image/actions/base.py | Removes unused ImageBatchAction. |
| src/ai/backend/manager/services/container_registry/actions/base.py | Removes unused ContainerRegistryBatchAction. |
| src/ai/backend/manager/services/artifact_revision/actions/base.py | Removes unused ArtifactRevisionBatchAction. |
| src/ai/backend/manager/services/artifact_registry/actions/base.py | Removes unused ArtifactBatchRegistryAction. |
| src/ai/backend/manager/services/artifact/actions/base.py | Removes unused ArtifactBatchAction. |
| src/ai/backend/manager/actions/validator/batch.py | Adds DeniedEntity + BatchValidationResult, and updates validator interface to return structured per-entity outcomes. |
| src/ai/backend/manager/actions/validators/rbac/batch.py | Implements the new batch validator interface and adds a stable validator name (rbac). |
| src/ai/backend/manager/actions/processor/batch.py | Adds validator scoping + decision tracing and filters batch IDs based on validator results; returns BatchProcessResult. |
| src/ai/backend/manager/actions/action/batch.py | Refactors BaseBatchAction into a generic dataclass with mutable entity_ids and typed_entity_ids(). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- BaseBatchAction is a generic @DataClass carrying only entity_ids: list[str] plus an abstract typed_entity_ids() returning list[T]; user context and per-operation data are deliberately excluded so the processor can rebuild a narrowed action via type(action)(entity_ids=...) without a factory hook - BatchActionValidator exposes name() + validate() returning BatchValidationResult(allowed_entity_ids, denied_entities: list[DeniedEntity(entity_id, deny_reason)]) - BatchActionProcessor runs each validator inside an _validator_scope async context manager (one place for timing/audit), appends a BatchValidatorDecision(validator_name, results) trace, and returns BatchProcessResult(result, validator_decisions) for partial-success responses - Remove orphan check_and_transit_status_multi path, CheckAndTransitStatus batch action/result and its tests, and 10 unused intermediate batch base classes (Session/Image/ContainerRegistry/*ResourcePolicy/ResourcePreset/ Artifact/ArtifactRevision/ArtifactRegistry) - Add unit tests for BatchActionProcessor covering no-validator pass-through, partial/full deny, multi-validator ordering, and original-action immutability - News fragment 11191.feature.md Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
fregataa
force-pushed
the
feature/BA-5777-batch-rbac-filtering-infra
branch
from
654bb5f to
32a0fa8
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
BaseBatchActionbecomes a generic@dataclasswith a mutableentity_ids: list[str]field and atyped_entity_ids() -> list[T]abstract method so services still see native ID types (e.g.SessionId) while the processor can narrow the batch in place.BatchActionValidatorgains aname()classmethod and returnsBatchValidationResult(allowed IDs +DeniedEntity(entity_id, deny_reason)list).BatchActionProcessorwraps every validator call in a_validator_scopeasync context manager, aggregates results intoBatchProcessResult.validator_decisions, and filterscurrent_action.entity_idsdirectly — laying the wiring for the follow-up that will callcheck_batch_permission_with_scope_chain()(BA-5776).check_and_transit_status_multiservice path (itsCheckAndTransitStatusBatchAction/tests had no production wiring) and the 10 unused intermediate*BatchActionbase classes.Test plan
pants fmt :: / fix :: / lint --changed-since=origin/mainpants check --changed-since=HEAD --changed-dependents=transitive(1849 files)pants test tests/unit/manager/actions/:: tests/unit/manager/services/session/:: tests/unit/manager/services/artifact_revision/::Resolves BA-5777
🤖 Generated with Claude Code