feat: Add RBAC Global scope

Author: fregataa

changes/6004.feature.md

@@ -0,0 +1 @@
+Add RBAC Global scope

src/ai/backend/manager/data/permission/id.py

@@ -9,6 +9,9 @@ class ScopeId:
     scope_type: ScopeType
     scope_id: str
 
+    def __hash__(self) -> int:
+        return hash((self.scope_type, self.scope_id))
+
     @classmethod
     def from_str(cls, val: str) -> Self:
         scope_type, _, scope_id = val.partition(":")
@@ -23,6 +26,9 @@ class ObjectId:
     entity_type: EntityType
     entity_id: str
 
+    def __hash__(self) -> int:
+        return hash((self.entity_type, self.entity_id))
+
     @classmethod
     def from_str(cls, val: str) -> Self:
         entity_type, _, entity_id = val.partition(":")

src/ai/backend/manager/data/permission/permission_group.py

@@ -2,6 +2,7 @@
 from dataclasses import dataclass
 
 from .id import ScopeId
+from .permission import PermissionData
 
 
 @dataclass
@@ -26,3 +27,5 @@ class PermissionGroupData:
     id: uuid.UUID
     role_id: uuid.UUID
     scope_id: ScopeId
+
+    permissions: list[PermissionData]

src/ai/backend/manager/data/permission/role.py

@@ -1,3 +1,5 @@
+from __future__ import annotations
+
 import uuid
 from dataclasses import dataclass, field
 from datetime import datetime
@@ -10,7 +12,7 @@
     ObjectPermissionCreateInputBeforeRoleCreation,
     ObjectPermissionData,
 )
-from .permission_group import PermissionGroupCreatorBeforeRoleCreation
+from .permission_group import PermissionGroupCreatorBeforeRoleCreation, PermissionGroupData
 from .status import RoleStatus
 from .types import EntityType, OperationType, RoleSource
 
@@ -71,6 +73,7 @@ class RoleDataWithPermissions:
     source: RoleSource
     status: RoleStatus
 
+    permission_groups: list[PermissionGroupData]
     object_permissions: list[ObjectPermissionData]
 
     created_at: datetime
@@ -94,6 +97,28 @@ class SingleEntityPermissionCheckInput:
     operation: OperationType
 
 
+@dataclass
+class BatchEntityPermissionCheckInput:
+    user_id: uuid.UUID
+    target_object_ids: list[ObjectId]
+    operation: OperationType
+
+
+@dataclass
+class ScopePermissionSet:
+    scope_id: ScopeId
+    scope_permissions: set[OperationType]
+    global_permissions: Optional[set[OperationType]]
+
+
+@dataclass
+class ObjectPermissionSet:
+    object_id: ObjectId
+    object_permissions: set[OperationType]
+    mapped_scopes: dict[ScopeId, set[OperationType]]
+    global_permissions: Optional[set[OperationType]]
+
+
 @dataclass
 class UserRoleAssignmentInput:
     """

src/ai/backend/manager/data/permission/types.py

@@ -118,3 +118,8 @@ class ScopeType(enum.StrEnum):
     DOMAIN = "domain"
     PROJECT = "project"
     USER = "user"
+
+    GLOBAL = "global"  # Global scope
+
+
+GLOBAL_SCOPE_ID = "global"

src/ai/backend/manager/models/rbac_models/association_scopes_entities.py

@@ -51,9 +51,6 @@ class AssociationScopesEntitiesRow(Base):
     )
 
     def object_id(self) -> ObjectId:
-        """
-        Convert the association to a tuple of ScopeId and ObjectId.
-        """
         return ObjectId(entity_type=self.entity_type, entity_id=self.entity_id)
 
     def parsed_scope_id(self) -> ScopeId:

src/ai/backend/manager/models/rbac_models/migration/enums.py

@@ -1,3 +1,5 @@
+from __future__ import annotations
+
 import enum
 
 from ai.backend.manager.data.permission.status import (
@@ -54,23 +56,23 @@ def to_original(self) -> OriginalOperationType:
         return OriginalOperationType(self.value)
 
     @classmethod
-    def owner_operations(cls) -> set["OperationType"]:
+    def owner_operations(cls) -> set[OperationType]:
         """
         Returns a set of operations that are considered owner operations.
         Owner operations are those that allow full control over an entity.
         """
         return {op for op in cls}
 
     @classmethod
-    def admin_operations(cls) -> set["OperationType"]:
+    def admin_operations(cls) -> set[OperationType]:
         """
         Returns a set of operations that are considered admin operations.
         Admin operations are those that allow management of entities, including creation and deletion.
         """
         return {op for op in cls}
 
     @classmethod
-    def member_operations(cls) -> set["OperationType"]:
+    def member_operations(cls) -> set[OperationType]:
         """
         Returns a set of operations that are considered member operations.
         Member operations are those that allow read access.
@@ -85,6 +87,8 @@ class ScopeType(enum.StrEnum):
     PROJECT = "project"
     USER = "user"
 
+    GLOBAL = "global"
+
     def to_original(self) -> OriginalScopeType:
         return OriginalScopeType(self.value)
 

src/ai/backend/manager/models/rbac_models/migration/types.py

@@ -3,13 +3,17 @@
 from typing import Any
 
 from ai.backend.manager.data.permission.id import ObjectId, ScopeId
+from ai.backend.manager.data.permission.types import GLOBAL_SCOPE_ID
 
 from .enums import RoleSource, RoleStatus, ScopeType
 
 ROLE_NAME_PREFIX = "role_"
 ADMIN_ROLE_NAME_SUFFIX = "_admin"
 
 
+GLOBAL_SCOPE_ID = GLOBAL_SCOPE_ID
+
+
 @dataclass
 class UserRoleCreateInput:
     user_id: uuid.UUID

src/ai/backend/manager/models/rbac_models/permission/permission_group.py

@@ -23,6 +23,7 @@
 )
 
 if TYPE_CHECKING:
+    from ..association_scopes_entities import AssociationScopesEntitiesRow
     from ..role import RoleRow
     from .permission import PermissionRow
 
@@ -45,6 +46,11 @@ class PermissionGroupRow(Base):
         back_populates="permission_group_rows",
         primaryjoin="RoleRow.id == foreign(PermissionGroupRow.role_id)",
     )
+    mapped_entities: list[AssociationScopesEntitiesRow] = relationship(
+        "AssociationScopesEntitiesRow",
+        primaryjoin="PermissionGroupRow.scope_id == foreign(AssociationScopesEntitiesRow.scope_id)",
+        viewonly=True,
+    )
     permission_rows: list[PermissionRow] = relationship(
         "PermissionRow",
         back_populates="permission_group_row",
@@ -67,4 +73,5 @@ def to_data(self) -> PermissionGroupData:
             id=self.id,
             role_id=self.role_id,
             scope_id=ScopeId(scope_type=self.scope_type, scope_id=self.scope_id),
+            permissions=[permission.to_data() for permission in self.permission_rows],
         )

src/ai/backend/manager/models/rbac_models/role.py

@@ -16,6 +16,7 @@
 from ai.backend.manager.data.permission.role import (
     RoleCreateInput,
     RoleData,
+    RoleDataWithPermissions,
 )
 from ai.backend.manager.data.permission.status import (
     RoleStatus,
@@ -93,6 +94,20 @@ def to_data(self) -> RoleData:
             description=self.description,
         )
 
+    def to_data_with_permissions(self) -> RoleDataWithPermissions:
+        return RoleDataWithPermissions(
+            id=self.id,
+            name=self.name,
+            source=self.source,
+            status=self.status,
+            created_at=self.created_at,
+            updated_at=self.updated_at,
+            deleted_at=self.deleted_at,
+            description=self.description,
+            permission_groups=[pg_row.to_data() for pg_row in self.permission_group_rows],
+            object_permissions=[op_row.to_data() for op_row in self.object_permission_rows],
+        )
+
     @classmethod
     def from_input(cls, data: RoleCreateInput) -> Self:
         return cls(