Add VALID_SCOPE_ENTITY_COMBINATIONS dict and is_valid_scope_entity_combination() helper based on BEP-1048/entity-edge-catalog.md. This provides a single source of truth for valid scope-entity pairs (auto and ref edges) used by frontend UI filtering and server-side validation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
Defines a centralized catalog of valid RBAC (scope, entity) combinations (optionally filtered by relation type) and adds unit tests to validate expected combinations.
Changes:
- Added `VALID_SCOPE_ENTITY_COMBINATIONS` and `VALID_SCOPE_ENTITY_COMBINATIONS_BY_RELATION` constants.
- Added `is_valid_scope_entity_combination()` helper supporting optional relation-type filtering.
- Added pytest coverage and a Pants `python_tests()` target for the new test module.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| `src/ai/backend/common/data/permission/scope_entity_combinations.py` | Introduces the scope/entity combination constants and the validation helper. |
| `tests/common/data/permission/test_scope_entity_combinations.py` | Adds unit tests for valid/invalid combinations and relation-type filtering. |
| `tests/common/data/permission/BUILD` | Adds a Pants test target for the permission test directory. |
| `changes/9544.feature.md` | Documents the new RBAC scope/entity combination single source of truth. |
…l scopes
- Flatten to single VALID_SCOPE_ENTITY_COMBINATIONS dict (remove
BY_RELATION variant and helper function)
- Add AGENT and KERNEL to RBACElementType enum
- Add entity-level scope keys: ResourceGroup->{Agent},
Agent->{Kernel}, ContainerRegistry->{Image}, StorageHost->{VFolder}
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… Domain/Project
- Add ROUTING to RBACElementType enum
- Add scope keys: Session->{Kernel}, ModelDeployment->{Routing, Session}
- Add StorageHost entity to Domain and Project scopes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…tity combinations Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
New RBACElementType values caused mypy "Missing return statement" errors in permission.py and entity.py match statements. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
| (RBACElementType.SESSION, RBACElementType.SESSION), | ||
| ], | ||
| ) | ||
| def test_invalid_combinations(self, scope: RBACElementType, entity: RBACElementType) -> None: |
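Review bot: the explicit tuples in this parametrize list, ending with (RBACElementType.SESSION, RBACElementType.SESSION), only cover hand-picked denials, and nothing in the visible lines says why these pairs were chosen. Since this PR also adds members to RBACElementType (AGENT, KERNEL, ROUTING), a short comment above the list naming the rule each pair exercises (for example, a type used as both scope and entity) would make it clear which denials are meant to be pinned, and which new pairs should be added when the enum grows.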
I'm not sure whether parametrize is necessary for this test, since there can be virtually unlimited invalid combinations anyway. Unless there is a specific reason to test all combinations separately.
Summary
- `VALID_SCOPE_ENTITY_COMBINATIONS` as a flat `Mapping[RBACElementType, frozenset[RBACElementType]]` mapping each scope type to its valid entity types based on BEP-1048 entity-edge-catalog
- `RBACElementType` enum

Test plan
- `pants fmt`, `fix`, `lint` pass

Resolves BA-4808
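A deny-by-default server-side check over a flat scope-to-entity mapping of the shape described in the summary, added here as an example; it is not code from this PR or the project. `ElementType`, its string values, `is_allowed` and `denied_pairs` are assumptions, and the mapping holds only the pairs named in the commit messages above.

```python
from enum import Enum
from itertools import product
from types import MappingProxyType
from typing import Mapping


class ElementType(str, Enum):  # stand-in for RBACElementType; string values are assumed
    DOMAIN = "domain"
    PROJECT = "project"
    RESOURCE_GROUP = "resource_group"
    AGENT = "agent"
    KERNEL = "kernel"
    SESSION = "session"
    MODEL_DEPLOYMENT = "model_deployment"
    ROUTING = "routing"
    STORAGE_HOST = "storage_host"
    VFOLDER = "vfolder"


E = ElementType
# Constructed subset: only pairs named in the commit messages; read-only at runtime.
VALID: Mapping[E, frozenset[E]] = MappingProxyType({
    E.DOMAIN: frozenset({E.STORAGE_HOST}),
    E.PROJECT: frozenset({E.STORAGE_HOST}),
    E.RESOURCE_GROUP: frozenset({E.AGENT}),
    E.AGENT: frozenset({E.KERNEL}),
    E.STORAGE_HOST: frozenset({E.VFOLDER}),
    E.SESSION: frozenset({E.KERNEL}),
    E.MODEL_DEPLOYMENT: frozenset({E.ROUTING, E.SESSION}),
})


def is_allowed(scope_raw: str, entity_raw: str) -> bool:
    """Fail closed: unknown type names and scopes without an entry are denied."""
    try:
        scope, entity = E(scope_raw), E(entity_raw)
    except ValueError:
        return False  # a name the enum does not know is never a valid pair
    return entity in VALID.get(scope, frozenset())


def denied_pairs() -> set[tuple[E, E]]:
    """Complement of the catalog over the enum: every pair that must be rejected."""
    return {(s, e) for s, e in product(E, E) if e not in VALID.get(s, frozenset())}
```

Because the denied set is finite for a fixed enum, it can be enumerated once and diffed in review whenever a member is added.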