
Launchpad MP (500665) - r00ta/openfga-permission-layer#422

Open
r00tabot wants to merge 1 commit into SpaghettiHub:master from r00tabot:f812e6e1-79eb-4974-878a-b41cf6c0b22d

Conversation

@r00tabot
Collaborator

This is autogenerated by maas.r00ta.com. Enjoy!

Commit message: feat: replace built-in permission layer with openfga.
Details:

  • introduce a sync/async client to interact with openfga
  • introduce a context cache in maasserver: when a new websocket/http request is processed, all the calls to openfga are cached so as to avoid hammering the server.
  • migrate existing users to the pre-defined groups users/administrators.
  • grant a set of default permissions to users/administrators groups so as to guarantee backwards compatibility.
  • introduce a new check_permission decorator so as to simplify the permission checks on openfga
  • minor changes to the openfga model, so as to have feature parity with RBAC.

Copilot AI left a comment

Pull request overview

This PR replaces MAAS’s built-in permission checks with an OpenFGA-backed permission layer, including new OpenFGA sync/async clients, request-scoped caching, and broad updates to API/websocket authorization gates and test scaffolding to validate the new behavior.

Changes:

  • Add OpenFGA clients (sync + async) and thread-local/request caching to reduce repeated authorization calls.
  • Introduce OpenFGA tuple service + tuple lifecycle hooks (users/resource pools) to keep the OpenFGA tuple store in sync.
  • Migrate many admin-only checks to permission-based decorators/helpers (check_permission, can_* helpers) and update tests/perftests accordingly.

Reviewed changes

Copilot reviewed 145 out of 147 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| src/tests/maasservicelayer/services/test_users.py | Ensures user deletion cascades OpenFGA tuples. |
| src/tests/maasservicelayer/services/test_openfga_tuples.py | Adds integration/unit tests for tuple service + cache. |
| src/tests/maasservicelayer/db/repositories/test_openfga_tuples.py | Adds clause factory tests for tuple queries. |
| src/tests/maasservicelayer/builders/test_openfga_tuple.py | Updates builder coverage for new relations/scopes. |
| src/tests/maasserver/websockets/handlers/test_machine.py | Uses OpenFGA mocking in websocket handler tests. |
| src/tests/maasserver/test_sessiontimeout.py | Adds OpenFGA mocking for session timeout tests. |
| src/tests/maasserver/test_openfga.py | Adds tests for thread-local OpenFGA call caching. |
| src/tests/maasserver/conftest.py | Exposes mock_openfga fixture for maasserver tests. |
| src/tests/maascommon/openfga/test_sync_client.py | Adds sync-client request/response contract tests. |
| src/tests/maascommon/openfga/test_async_client.py | Adds async-client request/response contract tests. |
| src/tests/maascommon/openfga/client/test_client.py | Removes old OpenFGA client tests (replaced by new clients). |
| src/tests/maascommon/openfga/base.py | Centralizes OpenFGA test method matrices. |
| src/tests/maascommon/conftest.py | Adds stub OpenFGA unix-socket server fixture. |
| src/tests/fixtures/init.py | Adds mock_openfga fixture using OpenFGAClientMock. |
| src/tests/e2e/conftest.py | Starts OpenFGA server subprocess + env wiring for e2e. |
| src/perftests/maasserver/websockets/test_machines.py | Updates perf tests to run with OpenFGA server. |
| src/perftests/maasserver/conftest.py | Clears cached OpenFGA client between perf tests. |
| src/perftests/maasserver/api_v3/test_machines.py | Removes stray debug print in perf test. |
| src/perftests/maasserver/api/test_machines.py | Updates perf tests to create admin + call APIs under OpenFGA. |
| src/maastesting/djangotestcase.py | Adjusts query counting to ignore marked queries + include SA count. |
| src/maasservicelayer/services/users.py | Deletes OpenFGA tuples on user deletion hook. |
| src/maasservicelayer/services/resource_pools.py | Creates/deletes OpenFGA pool tuples on pool lifecycle hooks. |
| src/maasservicelayer/services/openfga_tuples.py | Adds tuple service cache + helpers to delete pool/user tuples. |
| src/maasservicelayer/services/init.py | Wires OpenFGA tuple service into service collection + cache. |
| src/maasservicelayer/db/repositories/openfga_tuples.py | Adds clause factory for OpenFGA tuple filtering. |
| src/maasserver/websockets/tests/test_protocol.py | Ensures websocket protocol has a real user object. |
| src/maasserver/websockets/handlers/vmcluster.py | Switches cache clearing to unified clear_caches(). |
| src/maasserver/websockets/handlers/tests/test_machine.py | Copyright year update only. |
| src/maasserver/websockets/handlers/tests/test_device.py | Ensures device owner is set to match new auth rules. |
| src/maasserver/websockets/handlers/staticroute.py | Replaces is_superuser checks with can_edit_global_entities. |
| src/maasserver/websockets/handlers/reservedip.py | Replaces is_superuser checks with can_edit_global_entities. |
| src/maasserver/websockets/handlers/pod.py | Uses OpenFGA-aware authorization helpers + unified cache clearing. |
| src/maasserver/websockets/handlers/packagerepository.py | Replaces is_superuser checks with can_edit_global_entities. |
| src/maasserver/websockets/handlers/machine.py | Copyright year update only. |
| src/maasserver/websockets/handlers/general.py | Uses OpenFGA-aware authorization for controller/admin actions. |
| src/maasserver/websockets/handlers/dhcpsnippet.py | Replaces is_superuser checks with can_edit_global_entities. |
| src/maasserver/websockets/handlers/controller.py | Uses can_edit_global_entities for restricted endpoint. |
| src/maasserver/websockets/handlers/config.py | Uses OpenFGA-aware authorization for config read/write. |
| src/maasserver/websockets/base.py | Clears RBAC/OpenFGA caches before executing handler code. |
| src/maasserver/urls_api.py | Reorders admin handlers and adjusts resource restrictions. |
| src/maasserver/tests/test_middleware.py | Renames middleware test to AuthorizationCacheMiddleware. |
| src/maasserver/testing/testcase.py | Auto-mocks OpenFGA by default in region test base. |
| src/maasserver/testing/sampledata/sampledata.py | Adds resource pool generation to sampledata. |
| src/maasserver/testing/sampledata/resourcepool.py | New helper to create resource pools in sampledata. |
| src/maasserver/testing/sampledata/main.py | Adds --resourcepools CLI flag. |
| src/maasserver/testing/sampledata/machine.py | Assigns machines to random resource pools in sampledata. |
| src/maasserver/testing/openfga.py | Adds DB-backed OpenFGA mock implementing permission methods. |
| src/maasserver/testing/fixtures.py | Adds fixture to patch OpenFGA client + clear cache. |
| src/maasserver/testing/api.py | Auto-mocks OpenFGA in API tests + adds internal-user scenario. |
| src/maasserver/openfga.py | Adds thread-local cache wrapper + cached OpenFGA client getter. |
| src/maasserver/node_action.py | Replaces superuser-only check with can_edit_machines. |
| src/maasserver/models/tests/test_vlan.py | Removes stray debug print. |
| src/maasserver/models/tests/test_node.py | Adds OpenFGA integration scenarios for node access. |
| src/maasserver/models/signals/users.py | Adds signals to create/delete user group membership tuples. |
| src/maasserver/models/signals/tests/test_users.py | Tests OpenFGA tuple creation/deletion on user signals. |
| src/maasserver/models/signals/tests/test_resourcepool.py | Tests OpenFGA tuple creation/deletion on resource pool signals. |
| src/maasserver/models/signals/resourcepool.py | Adds signals to create/delete pool tuples. |
| src/maasserver/models/signals/init.py | Registers new signals modules (resourcepool/users). |
| src/maasserver/models/notification.py | Uses OpenFGA permission for “view all notifications”. |
| src/maasserver/models/node.py | Adds OpenFGA-based node visibility filtering when RBAC disabled. |
| src/maasserver/middleware.py | Replaces RBAC middleware with unified RBAC/OpenFGA cache middleware. |
| src/maasserver/forms/tests/test_helpers.py | Removes tests tied to removed edit-form selection functions. |
| src/maasserver/forms/init.py | Uses OpenFGA-aware checks for create form; removes edit form selectors. |
| src/maasserver/djangosettings/settings.py | Switches middleware to AuthorizationCacheMiddleware. |
| src/maasserver/authorization.py | New OpenFGA-aware permission helper functions + cache clearing. |
| src/maasserver/auth/local.py | Updates backend permission checks to consult OpenFGA when RBAC off. |
| src/maasserver/api/zones.py | Replaces admin_method with check_permission. |
| src/maasserver/api/vmcluster.py | Removes admin_method decoration from VMCluster operations. |
| src/maasserver/api/users.py | Replaces admin_method with check_permission. |
| src/maasserver/api/tests/test_zones.py | Adds OpenFGA integration test for zones create. |
| src/maasserver/api/tests/test_zone.py | Adds OpenFGA integration tests for zone update/delete. |
| src/maasserver/api/tests/test_users.py | Adds OpenFGA integration tests for users create/delete. |
| src/maasserver/api/tests/test_support.py | Updates decorator tests to use check_permission + OpenFGA mock. |
| src/maasserver/api/tests/test_subnets.py | Adds OpenFGA integration test for subnets create. |
| src/maasserver/api/tests/test_staticroutes.py | Adds OpenFGA integration test for staticroutes create. |
| src/maasserver/api/tests/test_spaces.py | Adds OpenFGA integration test for spaces create. |
| src/maasserver/api/tests/test_scripts.py | Refactors scripts URI helper + adds OpenFGA integration tests. |
| src/maasserver/api/tests/test_reservedip.py | Adds OpenFGA integration tests for reserved IP operations. |
| src/maasserver/api/tests/test_regioncontroller.py | Adds OpenFGA integration tests for controller update/delete. |
| src/maasserver/api/tests/test_rackcontroller.py | Adds OpenFGA integration tests for rack controller ops. |
| src/maasserver/api/tests/test_notification.py | Adds OpenFGA integration tests for notifications. |
| src/maasserver/api/tests/test_node.py | Adds OpenFGA integration test for power parameters op. |
| src/maasserver/api/tests/test_machine.py | Adds OpenFGA integration tests for commissioning. |
| src/maasserver/api/tests/test_maas.py | Adds OpenFGA integration test for set_config op. |
| src/maasserver/api/tests/test_image_sync.py | Changes image sync tests to internal-user scenario. |
| src/maasserver/api/tests/test_fabrics.py | Adds OpenFGA integration test for fabrics create. |
| src/maasserver/api/tests/test_domains.py | Adds OpenFGA integration tests for domain ops. |
| src/maasserver/api/tests/test_dnsresources.py | Adds OpenFGA integration test for DNS resource create. |
| src/maasserver/api/tests/test_dnsresourcerecords.py | Adds OpenFGA integration test for DNS record create. |
| src/maasserver/api/tests/test_devices.py | Adds OpenFGA integration tests for device listing behavior. |
| src/maasserver/api/tests/test_boot_sources.py | Adds OpenFGA integration tests for boot source access. |
| src/maasserver/api/tests/test_boot_source_selections.py | Adds OpenFGA integration tests for boot source selections. |
| src/maasserver/api/tests/test_boot_resources.py | Adds OpenFGA integration tests for boot resources ops. |
| src/maasserver/api/tests/test_blockdevice.py | Adds OpenFGA integration tests for blockdevice operations. |
| src/maasserver/api/tags.py | Replaces superuser gating with check_permission on mutating ops. |
| src/maasserver/api/support.py | Adds internal_method + check_permission decorator infrastructure. |
| src/maasserver/api/subnets.py | Replaces admin_method with check_permission. |
| src/maasserver/api/staticroutes.py | Replaces admin_method with check_permission. |
| src/maasserver/api/ssh_keys.py | Uses OpenFGA-aware global edit check when specifying user. |
| src/maasserver/api/spaces.py | Replaces admin_method with check_permission. |
| src/maasserver/api/scripts.py | Replaces admin_method with check_permission on script ops. |
| src/maasserver/api/scriptresults.py | Replaces admin_method with check_permission. |
| src/maasserver/api/reservedip.py | Replaces admin_method with check_permission. |
| src/maasserver/api/regioncontrollers.py | Uses check_permission + simpler object lookup. |
| src/maasserver/api/rackcontrollers.py | Uses check_permission + simpler object lookup. |
| src/maasserver/api/pods.py | Removes admin_method decoration from pod operations. |
| src/maasserver/api/partitions.py | Uses OpenFGA pool edit check for READY-node operations. |
| src/maasserver/api/packagerepositories.py | Replaces admin_method with check_permission. |
| src/maasserver/api/notification.py | Uses check_permission for edit + OpenFGA “view all” logic. |
| src/maasserver/api/nodes.py | Uses check_permission("can_edit_machines") for power ops. |
| src/maasserver/api/nodedevices.py | Uses check_permission("can_edit_machines") for deletion. |
| src/maasserver/api/networks.py | Replaces admin_method with check_permission. |
| src/maasserver/api/machines.py | Uses OpenFGA-aware checks for commission/add_chassis gating. |
| src/maasserver/api/maas.py | Uses check_permission("can_edit_configurations") for set_config. |
| src/maasserver/api/license_keys.py | Adds permission gates for license key CRUD. |
| src/maasserver/api/ipranges.py | Uses OpenFGA-aware global edit check for IP range ownership ops. |
| src/maasserver/api/ip_addresses.py | Uses OpenFGA-aware global edit/view checks for IP listing/release. |
| src/maasserver/api/image_sync.py | Switches admin-only endpoints to internal-user-only endpoints. |
| src/maasserver/api/fabrics.py | Replaces admin_method with check_permission. |
| src/maasserver/api/domains.py | Replaces admin_method with check_permission. |
| src/maasserver/api/dnsresources.py | Replaces admin_method with check_permission. |
| src/maasserver/api/dnsresourcerecords.py | Replaces admin_method with check_permission. |
| src/maasserver/api/dhcpsnippets.py | Replaces admin_method with check_permission. |
| src/maasserver/api/boot_sources.py | Adds permission gates for boot source CRUD. |
| src/maasserver/api/boot_source_selections.py | Adds permission gates for boot source selection CRUD. |
| src/maasserver/api/boot_resources.py | Adds permission gates for boot resource upload/import/delete. |
| src/maasserver/api/blockdevices.py | Uses OpenFGA pool edit check for READY-node operations. |
| src/maasserver/api/agent.py | Switches admin-only endpoint to internal-user-only endpoint. |
| src/maasopenfga/internal/migrations/00001_add_model.go | Updates OpenFGA model DSL to expanded permission set. |
| src/maasopenfga/go.mod | Promotes ULID dependency to direct requirement. |
| src/maascommon/openfga/sync_client.py | Adds new synchronous OpenFGA client implementation. |
| src/maascommon/openfga/client/client.py | Removes old OpenFGA client implementation. |
| src/maascommon/openfga/base.py | Adds shared base utilities for OpenFGA clients. |
| src/maascommon/openfga/async_client.py | Adds new async OpenFGA client implementation. |
| Makefile | Ensures sampledata build step runs before sampledata generation. |

Comments suppressed due to low confidence (1)

src/maasserver/authorization.py:88

  • can_view_ipaddresses delegates to can_view_notifications, which will grant/deny IP address visibility based on the wrong OpenFGA relation. This will break /api/2.0/ipaddresses/ authorization logic.

Update this to call get_openfga_client().can_view_ipaddresses(user).
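
A regression guard for the kind of mis-wired delegation flagged above, as an added example that is not part of the PR or of the review: it runs every `can_*` helper against a recording client and reports any helper that consults a relation other than the one it is named after. `RecordingClient`, `find_miswired` and the helper bodies are constructed stand-ins; the page says the real helpers reach the client through `get_openfga_client()`, whereas here the client is passed in as a parameter (an assumption made to keep the example self-contained).

```python
class RecordingClient:
    """Constructed stand-in for the OpenFGA client: records each relation checked."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        # Only can_* permission methods are simulated; anything else is an error.
        if not name.startswith("can_"):
            raise AttributeError(name)

        def check(user):
            self.calls.append(name)
            return False  # deny by default; only the relation name matters here

        return check


# Constructed helpers mirroring the shape described in the review comment.
def can_view_notifications(client, user):
    return client.can_view_notifications(user)


def buggy_can_view_ipaddresses(client, user):
    # Defect as described in the review: the wrong relation is consulted.
    return client.can_view_notifications(user)


def fixed_can_view_ipaddresses(client, user):
    return client.can_view_ipaddresses(user)


def find_miswired(helpers):
    """Map helper name -> relations consulted, for helpers whose single
    client call does not match their own name."""
    miswired = {}
    for name, helper in sorted(helpers.items()):
        client = RecordingClient()
        helper(client, "constructed-user")
        if client.calls != [name]:
            miswired[name] = list(client.calls)
    return miswired


BUGGY = {"can_view_notifications": can_view_notifications,
         "can_view_ipaddresses": buggy_can_view_ipaddresses}
FIXED = {"can_view_notifications": can_view_notifications,
         "can_view_ipaddresses": fixed_can_view_ipaddresses}

if __name__ == "__main__":
    print("before fix:", find_miswired(BUGGY))
    print("after fix: ", find_miswired(FIXED))
```

A check of this shape also flags a helper that makes no client call at all, since its recorded call list is empty rather than equal to its own name.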

