Feat: ResourcePool Authorization via Authzed/SpiceDB (#1266)

* Feat: move resource pools check to authz (#1248)

* feat: update schema for authzed

* feat(authz): add ResourcePool as a supported authorization resource

* feat(authz): add member and prohibited relationship types

* feat(db): add ResourcePool authz schema migration, copy membership

* chore(authz): update schema tests for resource pools

* feat(authz): add the USE Scope

* chore(tests): update the authorization tests for resource pools

* squashme: copy-paste artifact

* squashme: format

* refactor: use vars instead of magic strings

* fix: move migration head

* feat: add test for migration

* refactor: harmonize nomenclature

* Feat: authz resource pools feature parity (#1256)

* feat: add ResourcePool and membership types

* feat: add ResourcePool as a supported authorization resource

* feat: add member and prohibited relationships

* refactor: authz_change decorator for multiple APIUser args

* fix: session commit responsibility to session creator

* refactor: move authorization logic to authz schema

* feat: wire Authz into dependency graphs

* feat: update blueprint func for single rp

* fix: use proper non admin user in visibility tests

* feat: visibility toggle test for rp

* feat: update test utils setup for rp_repo with authz

* refactor: update functions for authz usage

* feat: new authorization tests

* fix: use NonCachingAuthz in nb_config for tests

* squashme: remove debug print

* squashme: fix comments

* fix: edge case for noop visibility change

* refactor: authz consistency

* fix: call spicedb only on authz updates

* chore: fix error message

* refactor: DRY some stuff

* squashme: remove commented out code

* fix: await resource pool creation with authz

* feat: support PROHIBITED role with bidirectional Relation mapping

* refactor: allow Member to represent non-group resources

* refactor: unify resource pool membership under single ResourceType

* refactor: rename default resource pool create function

* refactor: use TypeVar for resource_id

Author: SalimKayal

bases/renku_data_services/data_api/config.py

@@ -51,6 +51,8 @@ def from_env(cls, db: DBConfig | None = None) -> Self:
         if db is None:
             db = DBConfig.from_env()
 
+        authz_config = AuthzConfig.from_env()
+
         if dummy_stores:
             keycloak = None
             gitlab_url = None
@@ -63,7 +65,7 @@ def from_env(cls, db: DBConfig | None = None) -> Self:
             else:
                 gitlab_url = None
 
-        nb_config = NotebooksConfig.from_env(db, enable_internal_gitlab=enable_internal_gitlab)
+        nb_config = NotebooksConfig.from_env(db, authz_config, enable_internal_gitlab=enable_internal_gitlab)
         return cls(
             enable_internal_gitlab=enable_internal_gitlab,
             version=os.environ.get("VERSION", "0.0.1"),
@@ -76,7 +78,7 @@ def from_env(cls, db: DBConfig | None = None) -> Self:
             secrets=PublicSecretsConfig.from_env(),
             sentry=SentryConfig.from_env(),
             posthog=PosthogConfig.from_env(),
-            authz_config=AuthzConfig.from_env(),
+            authz_config=authz_config,
             solr=SolrClientConfig.from_env(),
             trusted_proxies=TrustedProxiesConfig.from_env(),
             keycloak=keycloak,

bases/renku_data_services/data_api/dependencies.py

@@ -326,8 +326,11 @@ def from_env(cls) -> DependencyManager:
             session_maker=config.db.async_session_maker,
             quotas_repo=quota_repo,
             user_repo=kc_user_repo,
+            authz=authz,
+        )
+        rp_repo = ResourcePoolRepository(
+            session_maker=config.db.async_session_maker, quotas_repo=quota_repo, authz=authz
         )
-        rp_repo = ResourcePoolRepository(session_maker=config.db.async_session_maker, quotas_repo=quota_repo)
         storage_repo = StorageRepository(
             session_maker=config.db.async_session_maker,
             gitlab_client=gitlab_client,

bases/renku_data_services/k8s_cache/config.py

@@ -7,6 +7,7 @@
 from typing import Self
 
 from renku_data_services.app_config.config import SentryConfig
+from renku_data_services.authz.config import AuthzConfig
 from renku_data_services.db_config.config import DBConfig
 
 
@@ -74,6 +75,7 @@ class Config:
     metrics: _MetricsConfig
     image_builders: _ImageBuilderConfig
     v1_services: _V1ServicesConfig
+    authz: AuthzConfig
     sentry: SentryConfig
 
     @classmethod
@@ -84,12 +86,14 @@ def from_env(cls) -> Config:
         metrics = _MetricsConfig.from_env()
         image_builders = _ImageBuilderConfig.from_env()
         v1_services = _V1ServicesConfig.from_env()
+        authz = AuthzConfig.from_env()
         sentry = SentryConfig.from_env()
         return cls(
             db=db,
             k8s=k8s,
             metrics=metrics,
             image_builders=image_builders,
             v1_services=v1_services,
+            authz=authz,
             sentry=sentry,
         )

bases/renku_data_services/k8s_cache/dependencies.py

@@ -2,6 +2,7 @@
 
 from dataclasses import dataclass, field
 
+from renku_data_services.authz.authz import Authz
 from renku_data_services.crc.db import ClusterRepository, QuotaRepository, ResourcePoolRepository
 from renku_data_services.k8s.clients import DummyPriorityClassClient, DummyResourceQuotaClient
 from renku_data_services.k8s.db import K8sDbCache
@@ -20,6 +21,7 @@ class DependencyManager:
     _k8s_cache: K8sDbCache | None = field(default=None, repr=False, init=False)
     _metrics_repo: MetricsRepository | None = field(default=None, repr=False, init=False)
     _metrics: StagingMetricsService | None = field(default=None, repr=False, init=False)
+    _authz: Authz | None = field(default=None, repr=False, init=False)
     _rp_repo: ResourcePoolRepository | None = field(default=None, repr=False, init=False)
     _cluster_repo: ClusterRepository | None = field(default=None, repr=False, init=False)
 
@@ -35,11 +37,17 @@ def metrics(self) -> StagingMetricsService:
             self._metrics = StagingMetricsService(enabled=self.config.metrics.enabled, metrics_repo=self.metrics_repo())
         return self._metrics
 
+    def authz(self) -> Authz:
+        """The authorization service."""
+        if not self._authz:
+            self._authz = Authz(authz_config=self.config.authz)
+        return self._authz
+
     def rp_repo(self) -> ResourcePoolRepository:
         """The resource pool repository."""
         if not self._rp_repo:
             self._rp_repo = ResourcePoolRepository(
-                session_maker=self.config.db.async_session_maker, quotas_repo=self.quota_repo()
+                session_maker=self.config.db.async_session_maker, quotas_repo=self.quota_repo(), authz=self.authz()
             )
         return self._rp_repo