
Commit 073a283

committed
Add tenant option to Permissions.data and Permissions.tenants
1 parent 436b750 commit 073a283

2 files changed

Lines changed: 116 additions & 30 deletions


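--- a/integration/test_rbac.py
+++ b/integration/test_rbac.py
@@ -64,7 +64,7 @@
 users_permissions=[],
 collections_permissions=[
 CollectionsPermissionOutput(
-collection="Test", tenant="*", actions={Actions.Collections.CREATE}
+collection="Test", actions={Actions.Collections.CREATE}
 )
 ],
 roles_permissions=[],
@@ -83,7 +83,36 @@
 collections_permissions=[],
 roles_permissions=[],
 data_permissions=[
-DataPermissionOutput(collection="*", actions={Actions.Data.CREATE})
+DataPermissionOutput(collection="*", tenant="*", actions={Actions.Data.CREATE})
+],
+backups_permissions=[],
+nodes_permissions=[],
+tenants_permissions=[],
+),
+),
+(
+Permissions.data(
+collection=["ColA", "ColB"], tenant=["tenant1", "tenant2"], create=True
+),
+Role(
+name="CreateDataInColsAndTenants",
+cluster_permissions=[],
+users_permissions=[],
+collections_permissions=[],
+roles_permissions=[],
+data_permissions=[
+DataPermissionOutput(
+collection="ColA", tenant="tenant1", actions={Actions.Data.CREATE}
+),
+DataPermissionOutput(
+collection="ColA", tenant="tenant2", actions={Actions.Data.CREATE}
+),
+DataPermissionOutput(
+collection="ColB", tenant="tenant1", actions={Actions.Data.CREATE}
+),
+DataPermissionOutput(
+collection="ColB", tenant="tenant2", actions={Actions.Data.CREATE}
+),
 ],
 backups_permissions=[],
 nodes_permissions=[],
@@ -157,11 +186,50 @@
 nodes_permissions=[],
 tenants_permissions=[
 TenantsPermissionOutput(
-collection="*", actions={Actions.Tenants.READ, Actions.Tenants.UPDATE}
+collection="*",
+tenant="*",
+actions={Actions.Tenants.READ, Actions.Tenants.UPDATE},
 )
 ],
 ),
 ),
+(
+Permissions.tenants(
+collection=["ColA", "ColB"], tenant=["tenant1", "tenant2"], read=True, update=True
+),
+Role(
+name="ReadSpecificTenantsInCols",
+cluster_permissions=[],
+users_permissions=[],
+collections_permissions=[],
+roles_permissions=[],
+data_permissions=[],
+backups_permissions=[],
+nodes_permissions=[],
+tenants_permissions=[
+TenantsPermissionOutput(
+collection="ColA",
+tenant="tenant1",
+actions={Actions.Tenants.READ, Actions.Tenants.UPDATE},
+),
+TenantsPermissionOutput(
+collection="ColA",
+tenant="tenant2",
+actions={Actions.Tenants.READ, Actions.Tenants.UPDATE},
+),
+TenantsPermissionOutput(
+collection="ColB",
+tenant="tenant1",
+actions={Actions.Tenants.READ, Actions.Tenants.UPDATE},
+),
+TenantsPermissionOutput(
+collection="ColB",
+tenant="tenant2",
+actions={Actions.Tenants.READ, Actions.Tenants.UPDATE},
+),
+],
+),
+),
 (
 Permissions.users(user="*", assign_and_revoke=True, read=True),
 Role(
@@ -197,7 +265,6 @@ def test_create_role(
 role = client.roles.get(expected.name)
 assert role is not None
 assert role == expected
-assert len(role.permissions) == 1
 finally:
 client.roles.delete(expected.name)
 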
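Review bot: None of the new parametrized cases passes `tenant` as a single string; both added cases (`Permissions.data` and `Permissions.tenants` over `["ColA", "ColB"]` and `["tenant1", "tenant2"]`) use lists, so the `isinstance(tenant, str)` normalization added to the two builders is never exercised here. A case such as `Permissions.data(collection="ColA", tenant="tenant1", create=True)` expecting exactly one `DataPermissionOutput(collection="ColA", tenant="tenant1", actions={Actions.Data.CREATE})` would pin that a scalar tenant is not iterated character by character. Dropping `assert len(role.permissions) == 1` is consistent with the new multi-permission cases, on the assumption that `Role.__eq__` (outside this section) compares the full permission lists, including order.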
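--- a/weaviate/rbac/models.py
+++ b/weaviate/rbac/models.py
@@ -23,6 +23,7 @@ class RoleScope(str, BaseEnum):
 
 class PermissionData(TypedDict):
 collection: str
+tenant: str
 
 
 class PermissionCollections(TypedDict):
@@ -192,14 +193,15 @@ def _to_weaviate(self) -> List[WeaviatePermission]:
 
 class _TenantsPermission(_Permission[TenantsAction]):
 collection: str
+tenant: str
 
 def _to_weaviate(self) -> List[WeaviatePermission]:
 return [
 {
 "action": action,
 "tenants": {
 "collection": _capitalize_first_letter(self.collection),
-"tenant": "*",
+"tenant": self.tenant,
 },
 }
 for action in self.actions
@@ -275,13 +277,15 @@ def _to_weaviate(self) -> List[WeaviatePermission]:
 
 class _DataPermission(_Permission[DataAction]):
 collection: str
+tenant: str
 
 def _to_weaviate(self) -> List[WeaviatePermission]:
 return [
 {
 "action": action,
 "data": {
 "collection": _capitalize_first_letter(self.collection),
+"tenant": self.tenant,
 },
 }
 for action in self.actions
@@ -396,6 +400,7 @@ def _from_weaviate_role(cls, role: WeaviateRole) -> "Role":
 tenants_permissions.append(
 TenantsPermissionOutput(
 collection=tenants["collection"],
+tenant=tenants.get("tenant", "*"),
 actions={TenantsAction(permission["action"])},
 )
 )
@@ -416,6 +421,7 @@ def _from_weaviate_role(cls, role: WeaviateRole) -> "Role":
 data_permissions.append(
 DataPermissionOutput(
 collection=data["collection"],
+tenant=data.get("tenant", "*"),
 actions={DataAction(permission["action"])},
 )
 )
@@ -550,6 +556,7 @@ class Permissions:
 def data(
 *,
 collection: Union[str, Sequence[str]],
+tenant: Union[str, Sequence[str], None] = None,
 create: bool = False,
 read: bool = False,
 update: bool = False,
@@ -558,20 +565,25 @@ def data(
 permissions: List[_Permission] = []
 if isinstance(collection, str):
 collection = [collection]
+if tenant is None:
+tenant = ["*"]
+if isinstance(tenant, str):
+tenant = [tenant]
 for c in collection:
-permission = _DataPermission(collection=c, actions=set())
-
-if create:
-permission.actions.add(DataAction.CREATE)
-if read:
-permission.actions.add(DataAction.READ)
-if update:
-permission.actions.add(DataAction.UPDATE)
-if delete:
-permission.actions.add(DataAction.DELETE)
-
-if len(permission.actions) > 0:
-permissions.append(permission)
+for t in tenant:
+permission = _DataPermission(collection=c, tenant=t, actions=set())
+
+if create:
+permission.actions.add(DataAction.CREATE)
+if read:
+permission.actions.add(DataAction.READ)
+if update:
+permission.actions.add(DataAction.UPDATE)
+if delete:
+permission.actions.add(DataAction.DELETE)
+
+if len(permission.actions) > 0:
+permissions.append(permission)
 return permissions
 
 @staticmethod
@@ -605,6 +617,7 @@ def collections(
 def tenants(
 *,
 collection: Union[str, Sequence[str]],
+tenant: Union[str, Sequence[str], None] = None,
 create: bool = False,
 read: bool = False,
 update: bool = False,
@@ -613,19 +626,25 @@ def tenants(
 permissions: List[_Permission] = []
 if isinstance(collection, str):
 collection = [collection]
+if tenant is None:
+tenant = ["*"]
+if isinstance(tenant, str):
+tenant = [tenant]
 for c in collection:
-permission = _TenantsPermission(collection=c, actions=set())
-if create:
-permission.actions.add(TenantsAction.CREATE)
-if read:
-permission.actions.add(TenantsAction.READ)
-if update:
-permission.actions.add(TenantsAction.UPDATE)
-if delete:
-permission.actions.add(TenantsAction.DELETE)
-
-if len(permission.actions) > 0:
-permissions.append(permission)
+for t in tenant:
+permission = _TenantsPermission(collection=c, tenant=t, actions=set())
+
+if create:
+permission.actions.add(TenantsAction.CREATE)
+if read:
+permission.actions.add(TenantsAction.READ)
+if update:
+permission.actions.add(TenantsAction.UPDATE)
+if delete:
+permission.actions.add(TenantsAction.DELETE)
+
+if len(permission.actions) > 0:
+permissions.append(permission)
 
 return permissions
 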
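Review bot: The new `tenant` parameter on `Permissions.data` and `Permissions.tenants` silently widens to the wildcard when it is omitted (`if tenant is None: tenant = ["*"]`), so a caller unaware of multi-tenancy grants the action across every tenant of the collection; that default is a scoping decision and should be spelled out in each method's parameter documentation, e.g. `tenant: tenant(s) the permission is limited to; ``None`` grants it for all tenants (``"*"``).` The same widening happens on the read side in `_from_weaviate_role`, where a response lacking the key is rendered as all-tenants (`tenants.get("tenant", "*")`, `data.get("tenant", "*")`), even though `PermissionData` now declares `tenant: str` as a required key; either mark the key optional in the TypedDict (`NotRequired`) or add a comment stating why a missing tenant is interpreted as `"*"`. The stretch of each signature between `update` and the body (where a docstring would live) is outside these hunks.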