feat(BA-5840): add effective-permissions DataLoader for batched RBAC resolution#11499
Draft
feat(BA-5840): add effective-permissions DataLoader for batched RBAC resolution#11499
Conversation
…resolution Adds a request-scoped DataLoader keyed by PermissionResolutionKey so GraphQL list queries can resolve per-row permission fields without N+1 round-trips. - Register resolve_effective_permissions ActionProcessor on the permission controller package (action and service method already existed). - Add RBACAdapter.batch_resolve_effective_permissions wrapping the processor. - Add DataLoaders.effective_permissions_loader; missing keys map to an empty frozenset so callers do not have to handle None. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
github-actions
Bot
added
size:M
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Wires up an existing effective-permissions resolution action through the permission controller, exposes it via the RBAC adapter, and adds a request-scoped GraphQL DataLoader to batch permission resolution for list views (avoiding N+1).
Changes:
- Register
resolve_effective_permissionsonPermissionControllerProcessors. - Add
RBACAdapter.batch_resolve_effective_permissions()wrapper around the processor action. - Introduce
effective_permissions_loaderGraphQL DataLoader keyed byPermissionResolutionKey.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/ai/backend/manager/services/permission_contoller/processors.py | Registers the effective-permissions action processor so it can be invoked via the controller. |
| src/ai/backend/manager/api/gql/data_loader/data_loaders.py | Adds a request-scoped DataLoader to batch and cache effective permission resolution. |
| src/ai/backend/manager/api/adapters/rbac/adapter.py | Exposes a batched adapter method that forwards to the permission controller action. |
| changes/11499.feature.md | Adds changelog entry for the new GraphQL DataLoader capability. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| action_result = await self._processors.permission_controller.resolve_effective_permissions.wait_for_complete( | ||
| ResolveEffectivePermissionsAction(keys=list(keys)) | ||
| ) | ||
| return action_result.permissions |
Comment on lines
+647
to
+652
| ) -> Mapping[PermissionResolutionKey, frozenset[InternalOperationType]]: | ||
| """Resolve granted operations for each input key; missing keys map to an empty frozenset.""" | ||
| action_result = await self._processors.permission_controller.resolve_effective_permissions.wait_for_complete( | ||
| ResolveEffectivePermissionsAction(keys=list(keys)) | ||
| ) | ||
| return action_result.permissions |
Comment on lines
+695
to
+699
| async def load_fn( | ||
| keys: list[PermissionResolutionKey], | ||
| ) -> list[frozenset[OperationType]]: | ||
| result = await adapter.batch_resolve_effective_permissions(keys) | ||
| return [result.get(key, frozenset()) for key in keys] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
resolve_effective_permissionsActionProcessor onPermissionControllerProcessors(the action and service method already existed but were not wired through a processor).RBACAdapter.batch_resolve_effective_permissionsas a thin wrapper over the processor.DataLoaders.effective_permissions_loaderkeyed byPermissionResolutionKey; keys with no grant map to an emptyfrozenset[OperationType]. Repository-level grouping by(user_id, element_type, subject_entity_type)already collapses to one SQL round-trip per group, so a single page of same-typed nodes resolves in one query.This enables BA-5841 (shared per-node
permissionsGraphQL field) to resolve per-row permissions in list views without N+1 round-trips.Test plan
pants check/pants teston impacted targets.vfolder_node).Resolves BA-5840