Merge branch 'dev/1.30' of https://github.com/weaviate/weaviate-python-client into poc-separate-sync-and-async

tsmith023 · tsmith023 · commit 6c46ad473966 · 2025-04-03T15:51:05.000+01:00
diff --git a/integration/test_rbac.py b/integration/test_rbac.py
@@ -84,7 +84,36 @@
                 collections_permissions=[],
                 roles_permissions=[],
                 data_permissions=[
-                    DataPermissionOutput(collection="*", actions={Actions.Data.CREATE})
+                    DataPermissionOutput(collection="*", tenant="*", actions={Actions.Data.CREATE})
+                ],
+                backups_permissions=[],
+                nodes_permissions=[],
+                tenants_permissions=[],
+            ),
+        ),
+        (
+            Permissions.data(
+                collection=["ColA", "ColB"], tenant=["tenant1", "tenant2"], create=True
+            ),
+            Role(
+                name="CreateDataInColsAndTenants",
+                cluster_permissions=[],
+                users_permissions=[],
+                collections_permissions=[],
+                roles_permissions=[],
+                data_permissions=[
+                    DataPermissionOutput(
+                        collection="ColA", tenant="tenant1", actions={Actions.Data.CREATE}
+                    ),
+                    DataPermissionOutput(
+                        collection="ColA", tenant="tenant2", actions={Actions.Data.CREATE}
+                    ),
+                    DataPermissionOutput(
+                        collection="ColB", tenant="tenant1", actions={Actions.Data.CREATE}
+                    ),
+                    DataPermissionOutput(
+                        collection="ColB", tenant="tenant2", actions={Actions.Data.CREATE}
+                    ),
                 ],
                 backups_permissions=[],
                 nodes_permissions=[],
@@ -158,11 +187,50 @@
                 nodes_permissions=[],
                 tenants_permissions=[
                     TenantsPermissionOutput(
-                        collection="*", actions={Actions.Tenants.READ, Actions.Tenants.UPDATE}
+                        collection="*",
+                        tenant="*",
+                        actions={Actions.Tenants.READ, Actions.Tenants.UPDATE},
                     )
                 ],
             ),
         ),
+        (
+            Permissions.tenants(
+                collection=["ColA", "ColB"], tenant=["tenant1", "tenant2"], read=True, update=True
+            ),
+            Role(
+                name="ReadSpecificTenantsInCols",
+                cluster_permissions=[],
+                users_permissions=[],
+                collections_permissions=[],
+                roles_permissions=[],
+                data_permissions=[],
+                backups_permissions=[],
+                nodes_permissions=[],
+                tenants_permissions=[
+                    TenantsPermissionOutput(
+                        collection="ColA",
+                        tenant="tenant1",
+                        actions={Actions.Tenants.READ, Actions.Tenants.UPDATE},
+                    ),
+                    TenantsPermissionOutput(
+                        collection="ColA",
+                        tenant="tenant2",
+                        actions={Actions.Tenants.READ, Actions.Tenants.UPDATE},
+                    ),
+                    TenantsPermissionOutput(
+                        collection="ColB",
+                        tenant="tenant1",
+                        actions={Actions.Tenants.READ, Actions.Tenants.UPDATE},
+                    ),
+                    TenantsPermissionOutput(
+                        collection="ColB",
+                        tenant="tenant2",
+                        actions={Actions.Tenants.READ, Actions.Tenants.UPDATE},
+                    ),
+                ],
+            ),
+        ),
         (
             Permissions.users(user="*", assign_and_revoke=True, read=True),
             Role(
@@ -198,7 +266,6 @@ def test_create_role(
             role = client.roles.get(expected.name)
             assert role is not None
             assert role == expected
-            assert len(role.permissions) == 1
         finally:
             client.roles.delete(expected.name)
 
diff --git a/weaviate/collections/tenants/executor.py b/weaviate/collections/tenants/executor.py
@@ -340,14 +340,35 @@ def get_by_name(
             _validate_input(
                 _ValidateArgument(expected=[Union[str, Tenant]], name="tenant", value=tenant)
             )
+        tenant_name = tenant.name if isinstance(tenant, Tenant) else tenant
+        if self._connection._weaviate_version.is_lower_than(1, 28, 0):
+            # For Weaviate versions < 1.28.0, we need to use the gRPC API
+            # such versions don't have RBAC so the filtering issue doesn't exist therein
+            def resp_grpc(res: Dict[str, TenantOutputType]) -> Optional[TenantOutputType]:
+                return res.get(tenant_name)
+
+            return executor.execute(
+                response_callback=resp_grpc,
+                method=self.__get_with_grpc,
+                tenants=[tenant_name],
+            )
 
-        def resp(res: Dict[str, TenantOutputType]) -> Optional[TenantOutputType]:
-            return res.get(tenant.name if isinstance(tenant, Tenant) else tenant)
+        # For Weaviate versions >= 1.28.0, we need to use the REST API
+        # as the gRPC API filters out tenants that are not accessible to the user
+        # due to RBAC requirements
+        def resp_rest(res: Response) -> Optional[TenantOutputType]:
+            if res.status_code == 404:
+                return None
+            return Tenant(**res.json())
 
         return executor.execute(
-            response_callback=resp,
-            method=self.get_by_names,
-            tenants=[tenant],
+            response_callback=resp_rest,
+            method=self._connection.get,
+            path=f"/schema/{self._name}/tenants/{tenant_name}",
+            error_msg=f"Could not get tenant {tenant_name} for collection {self._name}",
+            status_codes=_ExpectedStatusCodes(
+                ok_in=[200, 404], error=f"Get tenant {tenant_name} for collection {self._name}"
+            ),
         )
 
     def __update(
diff --git a/weaviate/rbac/models.py b/weaviate/rbac/models.py
@@ -40,6 +40,7 @@ class RoleScope(str, BaseEnum):
 
 class PermissionData(TypedDict):
     collection: str
+    tenant: str
 
 
 class PermissionCollections(TypedDict):
@@ -220,14 +221,15 @@ def _to_weaviate(self) -> List[WeaviatePermission]:
 
 class _TenantsPermission(_Permission[TenantsAction]):
     collection: str
+    tenant: str
 
     def _to_weaviate(self) -> List[WeaviatePermission]:
         return [
             {
                 "action": action,
                 "tenants": {
                     "collection": _capitalize_first_letter(self.collection),
-                    "tenant": "*",
+                    "tenant": self.tenant,
                 },
             }
             for action in self.actions
@@ -303,13 +305,15 @@ def _to_weaviate(self) -> List[WeaviatePermission]:
 
 class _DataPermission(_Permission[DataAction]):
     collection: str
+    tenant: str
 
     def _to_weaviate(self) -> List[WeaviatePermission]:
         return [
             {
                 "action": action,
                 "data": {
                     "collection": _capitalize_first_letter(self.collection),
+                    "tenant": self.tenant,
                 },
             }
             for action in self.actions
@@ -428,6 +432,7 @@ def _from_weaviate_role(cls, role: WeaviateRole) -> "Role":
                     tenants_permissions.append(
                         TenantsPermissionOutput(
                             collection=tenants["collection"],
+                            tenant=tenants.get("tenant", "*"),
                             actions={TenantsAction(permission["action"])},
                         )
                     )
@@ -448,6 +453,7 @@ def _from_weaviate_role(cls, role: WeaviateRole) -> "Role":
                     data_permissions.append(
                         DataPermissionOutput(
                             collection=data["collection"],
+                            tenant=data.get("tenant", "*"),
                             actions={DataAction(permission["action"])},
                         )
                     )
@@ -576,6 +582,7 @@ class Permissions:
     def data(
         *,
         collection: Union[str, Sequence[str]],
+        tenant: Union[str, Sequence[str], None] = None,
         create: bool = False,
         read: bool = False,
         update: bool = False,
@@ -584,20 +591,25 @@ def data(
         permissions: List[_Permission] = []
         if isinstance(collection, str):
             collection = [collection]
+        if tenant is None:
+            tenant = ["*"]
+        if isinstance(tenant, str):
+            tenant = [tenant]
         for c in collection:
-            permission = _DataPermission(collection=c, actions=set())
-
-            if create:
-                permission.actions.add(DataAction.CREATE)
-            if read:
-                permission.actions.add(DataAction.READ)
-            if update:
-                permission.actions.add(DataAction.UPDATE)
-            if delete:
-                permission.actions.add(DataAction.DELETE)
-
-            if len(permission.actions) > 0:
-                permissions.append(permission)
+            for t in tenant:
+                permission = _DataPermission(collection=c, tenant=t, actions=set())
+
+                if create:
+                    permission.actions.add(DataAction.CREATE)
+                if read:
+                    permission.actions.add(DataAction.READ)
+                if update:
+                    permission.actions.add(DataAction.UPDATE)
+                if delete:
+                    permission.actions.add(DataAction.DELETE)
+
+                if len(permission.actions) > 0:
+                    permissions.append(permission)
         return permissions
 
     @staticmethod
@@ -631,6 +643,7 @@ def collections(
     def tenants(
         *,
         collection: Union[str, Sequence[str]],
+        tenant: Union[str, Sequence[str], None] = None,
         create: bool = False,
         read: bool = False,
         update: bool = False,
@@ -639,19 +652,25 @@ def tenants(
         permissions: List[_Permission] = []
         if isinstance(collection, str):
             collection = [collection]
+        if tenant is None:
+            tenant = ["*"]
+        if isinstance(tenant, str):
+            tenant = [tenant]
         for c in collection:
-            permission = _TenantsPermission(collection=c, actions=set())
-            if create:
-                permission.actions.add(TenantsAction.CREATE)
-            if read:
-                permission.actions.add(TenantsAction.READ)
-            if update:
-                permission.actions.add(TenantsAction.UPDATE)
-            if delete:
-                permission.actions.add(TenantsAction.DELETE)
-
-            if len(permission.actions) > 0:
-                permissions.append(permission)
+            for t in tenant:
+                permission = _TenantsPermission(collection=c, tenant=t, actions=set())
+
+                if create:
+                    permission.actions.add(TenantsAction.CREATE)
+                if read:
+                    permission.actions.add(TenantsAction.READ)
+                if update:
+                    permission.actions.add(TenantsAction.UPDATE)
+                if delete:
+                    permission.actions.add(TenantsAction.DELETE)
+
+                if len(permission.actions) > 0:
+                    permissions.append(permission)
 
         return permissions
 
