refactor: make rbac package generic and reusable#3581
Merged
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
There was a problem hiding this comment.
Pull request overview
This PR refactors the RBAC implementation into an exported pkg/auth/rbac package and moves Hatchet’s server-specific wiring (embedded YAML + OpenAPI spec loading) into api/v1/server/authz, aiming to make the RBAC logic reusable outside the API server.
Changes:
- Refactor
pkg/auth/rbacto accept an injected permission map + OpenAPI spec instead of embedding/owning server-specific assets. - Add
api/v1/server/authz/rbac.go+rbac.yamlto host the Hatchet-specific embedded RBAC configuration and authorizer construction. - Update the authz middleware and tests to use the new authorizer constructor.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/auth/rbac/rbac.go | Makes the RBAC package more generic by removing embedded YAML/spec loading and exposing LoadPermissionMap + a new NewAuthorizer signature. |
| api/v1/server/authz/rbac.yaml | Adds the server’s RBAC permission definitions as an embedded asset under authz. |
| api/v1/server/authz/rbac.go | Introduces Hatchet-specific authorizer construction by embedding YAML and loading the generated OpenAPI spec. |
| api/v1/server/authz/rbac_test.go | Updates tests to the new authz package layout and the new authorizer construction path. |
| api/v1/server/authz/middleware.go | Switches middleware wiring to use the new Hatchet-specific authorizer constructor and the new RBAC import path. |
Comments suppressed due to low confidence (3)
pkg/auth/rbac/rbac.go:12
- The new reusable pkg/auth/rbac package still imports sqlcv1 and Authorizer.IsAuthorized is typed to sqlcv1.TenantMemberRole, which couples this “generic” RBAC package to the repository layer. Consider making the RBAC API accept a role name string (or rbac-defined type) and do sqlcv1 role conversion in api/v1/server/authz instead.
pkg/auth/rbac/rbac.go:35 - NewAuthorizer dereferences permMap and spec without nil checks (permMap.ValidateSpec(*spec) and later *permMap). As this is now a reusable package API, it should return a clear error when permMap or spec is nil to avoid panics in callers.
pkg/auth/rbac/rbac.go:146 - LoadPermissionMap can succeed when yamlBytes is empty/invalid but still unmarshals to a zero-value PermissionMap (e.g., Roles is nil), because Validate() currently returns nil in that case. That can lead to panics later when authorizing. Consider validating that yamlContents.Roles is non-nil/non-empty and returning an RBACError if not.
Contributor
Benchmark resultsCompared against |
mnafees
approved these changes
Apr 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Moves the RBAC package to its own exported
/pkg/auth/rbacdirectory so we can reuse it elsewhere. Decouples the OSS implementation from the permissions implementation.Drive-by fix for CI issues:
defer- no change in risk since the method panicking out ofdeferwould prevent startup regardless. There was some evidence locally of the security check blocking startup for a significant amount of timewg.Addfrom a retry loop when our cleanup method was inwg.WaitType of change