Skip to content

Commit f69ad26

Browse files
dirkkuldirkkul
authored
Merge pull request #1593 from weaviate/1.30/rbac-tenant-filtering
Add `tenant` option to `Permissions.data` and `Permissions.tenants`
2 parents 09c71e8 + 073a283 commit f69ad26

2 files changed

Lines changed: 115 additions & 29 deletions

File tree

integration/test_rbac.py

Lines changed: 70 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -85,7 +85,36 @@
8585
collections_permissions=[],
8686
roles_permissions=[],
8787
data_permissions=[
88-
DataPermissionOutput(collection="*", actions={Actions.Data.CREATE})
88+
DataPermissionOutput(collection="*", tenant="*", actions={Actions.Data.CREATE})
89+
],
90+
backups_permissions=[],
91+
nodes_permissions=[],
92+
tenants_permissions=[],
93+
),
94+
),
95+
(
96+
Permissions.data(
97+
collection=["ColA", "ColB"], tenant=["tenant1", "tenant2"], create=True
98+
),
99+
Role(
100+
name="CreateDataInColsAndTenants",
101+
cluster_permissions=[],
102+
users_permissions=[],
103+
collections_permissions=[],
104+
roles_permissions=[],
105+
data_permissions=[
106+
DataPermissionOutput(
107+
collection="ColA", tenant="tenant1", actions={Actions.Data.CREATE}
108+
),
109+
DataPermissionOutput(
110+
collection="ColA", tenant="tenant2", actions={Actions.Data.CREATE}
111+
),
112+
DataPermissionOutput(
113+
collection="ColB", tenant="tenant1", actions={Actions.Data.CREATE}
114+
),
115+
DataPermissionOutput(
116+
collection="ColB", tenant="tenant2", actions={Actions.Data.CREATE}
117+
),
89118
],
90119
backups_permissions=[],
91120
nodes_permissions=[],
@@ -159,11 +188,50 @@
159188
nodes_permissions=[],
160189
tenants_permissions=[
161190
TenantsPermissionOutput(
162-
collection="*", actions={Actions.Tenants.READ, Actions.Tenants.UPDATE}
191+
collection="*",
192+
tenant="*",
193+
actions={Actions.Tenants.READ, Actions.Tenants.UPDATE},
163194
)
164195
],
165196
),
166197
),
198+
(
199+
Permissions.tenants(
200+
collection=["ColA", "ColB"], tenant=["tenant1", "tenant2"], read=True, update=True
201+
),
202+
Role(
203+
name="ReadSpecificTenantsInCols",
204+
cluster_permissions=[],
205+
users_permissions=[],
206+
collections_permissions=[],
207+
roles_permissions=[],
208+
data_permissions=[],
209+
backups_permissions=[],
210+
nodes_permissions=[],
211+
tenants_permissions=[
212+
TenantsPermissionOutput(
213+
collection="ColA",
214+
tenant="tenant1",
215+
actions={Actions.Tenants.READ, Actions.Tenants.UPDATE},
216+
),
217+
TenantsPermissionOutput(
218+
collection="ColA",
219+
tenant="tenant2",
220+
actions={Actions.Tenants.READ, Actions.Tenants.UPDATE},
221+
),
222+
TenantsPermissionOutput(
223+
collection="ColB",
224+
tenant="tenant1",
225+
actions={Actions.Tenants.READ, Actions.Tenants.UPDATE},
226+
),
227+
TenantsPermissionOutput(
228+
collection="ColB",
229+
tenant="tenant2",
230+
actions={Actions.Tenants.READ, Actions.Tenants.UPDATE},
231+
),
232+
],
233+
),
234+
),
167235
(
168236
Permissions.users(user="*", assign_and_revoke=True, read=True),
169237
Role(
@@ -199,7 +267,6 @@ def test_create_role(
199267
role = client.roles.get(expected.name)
200268
assert role is not None
201269
assert role == expected
202-
assert len(role.permissions) == 1
203270
finally:
204271
client.roles.delete(expected.name)
205272

weaviate/rbac/models.py

Lines changed: 45 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,7 @@ class RoleScope(str, BaseEnum):
4040

4141
class PermissionData(TypedDict):
4242
collection: str
43+
tenant: str
4344

4445

4546
class PermissionCollections(TypedDict):
@@ -220,14 +221,15 @@ def _to_weaviate(self) -> List[WeaviatePermission]:
220221

221222
class _TenantsPermission(_Permission[TenantsAction]):
222223
collection: str
224+
tenant: str
223225

224226
def _to_weaviate(self) -> List[WeaviatePermission]:
225227
return [
226228
{
227229
"action": action,
228230
"tenants": {
229231
"collection": _capitalize_first_letter(self.collection),
230-
"tenant": "*",
232+
"tenant": self.tenant,
231233
},
232234
}
233235
for action in self.actions
@@ -303,13 +305,15 @@ def _to_weaviate(self) -> List[WeaviatePermission]:
303305

304306
class _DataPermission(_Permission[DataAction]):
305307
collection: str
308+
tenant: str
306309

307310
def _to_weaviate(self) -> List[WeaviatePermission]:
308311
return [
309312
{
310313
"action": action,
311314
"data": {
312315
"collection": _capitalize_first_letter(self.collection),
316+
"tenant": self.tenant,
313317
},
314318
}
315319
for action in self.actions
@@ -428,6 +432,7 @@ def _from_weaviate_role(cls, role: WeaviateRole) -> "Role":
428432
tenants_permissions.append(
429433
TenantsPermissionOutput(
430434
collection=tenants["collection"],
435+
tenant=tenants.get("tenant", "*"),
431436
actions={TenantsAction(permission["action"])},
432437
)
433438
)
@@ -448,6 +453,7 @@ def _from_weaviate_role(cls, role: WeaviateRole) -> "Role":
448453
data_permissions.append(
449454
DataPermissionOutput(
450455
collection=data["collection"],
456+
tenant=data.get("tenant", "*"),
451457
actions={DataAction(permission["action"])},
452458
)
453459
)
@@ -576,6 +582,7 @@ class Permissions:
576582
def data(
577583
*,
578584
collection: Union[str, Sequence[str]],
585+
tenant: Union[str, Sequence[str], None] = None,
579586
create: bool = False,
580587
read: bool = False,
581588
update: bool = False,
@@ -584,20 +591,25 @@ def data(
584591
permissions: List[_Permission] = []
585592
if isinstance(collection, str):
586593
collection = [collection]
594+
if tenant is None:
595+
tenant = ["*"]
596+
if isinstance(tenant, str):
597+
tenant = [tenant]
587598
for c in collection:
588-
permission = _DataPermission(collection=c, actions=set())
589-
590-
if create:
591-
permission.actions.add(DataAction.CREATE)
592-
if read:
593-
permission.actions.add(DataAction.READ)
594-
if update:
595-
permission.actions.add(DataAction.UPDATE)
596-
if delete:
597-
permission.actions.add(DataAction.DELETE)
598-
599-
if len(permission.actions) > 0:
600-
permissions.append(permission)
599+
for t in tenant:
600+
permission = _DataPermission(collection=c, tenant=t, actions=set())
601+
602+
if create:
603+
permission.actions.add(DataAction.CREATE)
604+
if read:
605+
permission.actions.add(DataAction.READ)
606+
if update:
607+
permission.actions.add(DataAction.UPDATE)
608+
if delete:
609+
permission.actions.add(DataAction.DELETE)
610+
611+
if len(permission.actions) > 0:
612+
permissions.append(permission)
601613
return permissions
602614

603615
@staticmethod
@@ -631,6 +643,7 @@ def collections(
631643
def tenants(
632644
*,
633645
collection: Union[str, Sequence[str]],
646+
tenant: Union[str, Sequence[str], None] = None,
634647
create: bool = False,
635648
read: bool = False,
636649
update: bool = False,
@@ -639,19 +652,25 @@ def tenants(
639652
permissions: List[_Permission] = []
640653
if isinstance(collection, str):
641654
collection = [collection]
655+
if tenant is None:
656+
tenant = ["*"]
657+
if isinstance(tenant, str):
658+
tenant = [tenant]
642659
for c in collection:
643-
permission = _TenantsPermission(collection=c, actions=set())
644-
if create:
645-
permission.actions.add(TenantsAction.CREATE)
646-
if read:
647-
permission.actions.add(TenantsAction.READ)
648-
if update:
649-
permission.actions.add(TenantsAction.UPDATE)
650-
if delete:
651-
permission.actions.add(TenantsAction.DELETE)
652-
653-
if len(permission.actions) > 0:
654-
permissions.append(permission)
660+
for t in tenant:
661+
permission = _TenantsPermission(collection=c, tenant=t, actions=set())
662+
663+
if create:
664+
permission.actions.add(TenantsAction.CREATE)
665+
if read:
666+
permission.actions.add(TenantsAction.READ)
667+
if update:
668+
permission.actions.add(TenantsAction.UPDATE)
669+
if delete:
670+
permission.actions.add(TenantsAction.DELETE)
671+
672+
if len(permission.actions) > 0:
673+
permissions.append(permission)
655674

656675
return permissions
657676

0 commit comments

Comments
 (0)