Launchpad MP (500665) - r00ta/openfga-permission-layer#425
Open
r00tabot wants to merge 1 commit into SpaghettiHub:master from
Pull request overview
This PR replaces the existing built-in/RBAC-style permission checks with an OpenFGA-backed permission layer across MAAS, adding OpenFGA clients (sync/async), request-scoped caching, and updating APIs/websockets/services/tests to use the new permission model.
Changes:
- Introduces OpenFGA clients + caching layers and integrates them into request handling (middleware/websocket execution paths) to reduce repeated permission calls.
- Migrates many API/websocket authorization checks from is_superuser/admin_method to OpenFGA permission checks (check_permission(...), maasserver.authorization helpers).
- Adds/updates service-layer logic and tests to create/delete OpenFGA tuples for users and resource pools (plus perf/e2e scaffolding).
Reviewed changes
Copilot reviewed 145 out of 147 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| src/tests/maasservicelayer/services/test_users.py | Updates user deletion tests to assert OpenFGA tuples are cleaned up. |
| src/tests/maasservicelayer/services/test_resource_pools.py | Adds integration/unit tests for pool tuple creation/deletion. |
| src/tests/maasservicelayer/services/test_openfga_tuples.py | New service tests for tuple operations and service cache behavior. |
| src/tests/maasservicelayer/db/repositories/test_openfga_tuples.py | Adds clause-factory tests for OpenFGA tuple repository filtering. |
| src/tests/maasservicelayer/builders/test_openfga_tuple.py | Updates builder coverage for new permission relations. |
| src/tests/maasserver/websockets/handlers/test_machine.py | Ensures websocket machine handler tests run with OpenFGA mocked. |
| src/tests/maasserver/test_sessiontimeout.py | Marks session timeout tests to use mocked OpenFGA. |
| src/tests/maasserver/test_openfga.py | New tests for thread-local OpenFGA call caching. |
| src/tests/maasserver/conftest.py | Exposes mock_openfga fixture for maasserver tests. |
| src/tests/maascommon/openfga/test_sync_client.py | New tests for the sync OpenFGA client payloads/behavior. |
| src/tests/maascommon/openfga/test_async_client.py | New tests for the async OpenFGA client payloads/behavior. |
| src/tests/maascommon/openfga/client/test_client.py | Removes old client tests (replaced by async/sync client tests). |
| src/tests/maascommon/openfga/base.py | Shared test constants for permission/list method matrices. |
| src/tests/maascommon/conftest.py | Adds a stub OpenFGA unix-socket server fixture for client tests. |
| src/tests/fixtures/init.py | Adds mock_openfga fixture (patches server OpenFGA client getter). |
| src/tests/e2e/conftest.py | Adds e2e OpenFGA server subprocess + env/socket fixtures. |
| src/perftests/maasserver/websockets/test_machines.py | Updates perftests to run against OpenFGA server + env fixtures. |
| src/perftests/maasserver/conftest.py | Adds perftest OpenFGA fixtures and clears cached client between tests. |
| src/perftests/maasserver/api_v3/test_machines.py | Minor cleanup (removes stray print) and copyright year bump. |
| src/perftests/maasserver/api/test_machines.py | Updates perftests to authenticate via DB superuser and run with OpenFGA server. |
| src/maastesting/djangotestcase.py | Adjusts query counting to ignore tagged queries and include sqlalchemy counter. |
| src/maasservicelayer/services/users.py | Ensures user deletion triggers OpenFGA tuple cleanup. |
| src/maasservicelayer/services/resource_pools.py | Ensures pool create/delete hooks create/delete OpenFGA tuples. |
| src/maasservicelayer/services/openfga_tuples.py | Adds service cache + helper methods (delete_pool/delete_user) and cached client getter. |
| src/maasservicelayer/services/init.py | Wires OpenFGATupleService into ServiceCollectionV3 and injects into services. |
| src/maasservicelayer/db/repositories/openfga_tuples.py | Adds OpenFGATuplesClauseFactory for repository filtering. |
| src/maasserver/websockets/tests/test_protocol.py | Adjusts test to use real DB user instead of MagicMock for protocol user. |
| src/maasserver/websockets/handlers/vmcluster.py | Replaces RBAC cache clearing with unified clear_caches(). |
| src/maasserver/websockets/handlers/tests/test_machine.py | Copyright year bump. |
| src/maasserver/websockets/handlers/tests/test_device.py | Fixes device factory usage to set owner for permission-dependent behavior. |
| src/maasserver/websockets/handlers/staticroute.py | Switches superuser check to can_edit_global_entities. |
| src/maasserver/websockets/handlers/reservedip.py | Switches superuser check to can_edit_global_entities. |
| src/maasserver/websockets/handlers/pod.py | Switches superuser/config checks to OpenFGA helpers and unified cache clearing. |
| src/maasserver/websockets/handlers/packagerepository.py | Switches superuser check to can_edit_global_entities. |
| src/maasserver/websockets/handlers/machine.py | Copyright year bump. |
| src/maasserver/websockets/handlers/general.py | Replaces superuser-only logic with controller/machine edit permission helpers. |
| src/maasserver/websockets/handlers/dhcpsnippet.py | Switches superuser check to can_edit_global_entities. |
| src/maasserver/websockets/handlers/controller.py | Switches superuser check to can_edit_global_entities. |
| src/maasserver/websockets/handlers/config.py | Switches superuser checks to configuration permission helpers. |
| src/maasserver/websockets/base.py | Uses unified clear_caches() instead of RBAC-only clear calls. |
| src/maasserver/urls_api.py | Reorders admin-restricted resources (boot* and license keys now not in “Admin handlers” block). |
| src/maasserver/tests/test_middleware.py | Renames RBAC middleware test to AuthorizationCacheMiddleware. |
| src/maasserver/testing/testcase.py | Adds automatic OpenFGA mocking in region test base. |
| src/maasserver/testing/sampledata/sampledata.py | Adds resource pool generation and uses it when creating machines. |
| src/maasserver/testing/sampledata/resourcepool.py | New helper to create sample resource pools. |
| src/maasserver/testing/sampledata/main.py | Adds --resourcepools option to sampledata tool. |
| src/maasserver/testing/sampledata/machine.py | Assigns sample machines to random resource pools. |
| src/maasserver/testing/openfga.py | Adds OpenFGA client mock implementation used by tests. |
| src/maasserver/testing/fixtures.py | Adds fixture to patch OpenFGA client getter + clear caches. |
| src/maasserver/testing/api.py | Adds internal-user test scenario and auto OpenFGA mocking for API tests. |
| src/maasserver/openfga.py | Adds lru-cached OpenFGA client getter and a thread-local call-result cache wrapper. |
| src/maasserver/node_action.py | Replaces superuser check with can_edit_machines. |
| src/maasserver/models/tests/test_vlan.py | Removes stray print. |
| src/maasserver/models/tests/test_node.py | Adds integration scenarios validating OpenFGA-backed node access logic. |
| src/maasserver/models/signals/users.py | Adds user create/delete hooks to write OpenFGA tuples and updates event username update query. |
| src/maasserver/models/signals/tests/test_users.py | Adds tests for OpenFGA tuple creation/deletion on user save/delete. |
| src/maasserver/models/signals/tests/test_resourcepool.py | New tests for OpenFGA tuple creation/deletion on resource pool save/delete. |
| src/maasserver/models/signals/resourcepool.py | New resource pool signal handlers to maintain pool tuples. |
| src/maasserver/models/signals/init.py | Registers new resourcepool and users signals modules. |
| src/maasserver/models/notification.py | Uses can_view_notifications instead of superuser checks for admin notifications. |
| src/maasserver/models/node.py | Switches non-RBAC visibility filtering to OpenFGA list/check calls. |
| src/maasserver/middleware.py | Introduces AuthorizationCacheMiddleware to clear RBAC/OpenFGA caches per request. |
| src/maasserver/forms/tests/test_helpers.py | Removes tests tied to removed edit-form selection helpers. |
| src/maasserver/forms/init.py | Removes get_machine_edit_form/get_node_edit_form; updates create-form gating to OpenFGA helper. |
| src/maasserver/djangosettings/settings.py | Replaces RBACMiddleware with AuthorizationCacheMiddleware. |
| src/maasserver/authorization.py | New centralized permission helper functions + unified cache clearing. |
| src/maasserver/auth/local.py | Switches many permission checks to OpenFGA helpers for non-RBAC mode. |
| src/maasserver/api/zones.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/vmcluster.py | Removes @admin_method from update/delete (relies on other permission paths). |
| src/maasserver/api/users.py | Replaces @admin_method with @check_permission("can_edit_identities"). |
| src/maasserver/api/tags.py | Adds permission decorators for tag modification operations and removes manual superuser checks. |
| src/maasserver/api/support.py | Adds check_permission and internal_method, updates AdminRestrictedResource behavior/messages. |
| src/maasserver/api/subnets.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/staticroutes.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/ssh_keys.py | Allows specifying user only if can_edit_global_entities. |
| src/maasserver/api/spaces.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/scripts.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/scriptresults.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/reservedip.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/regioncontrollers.py | Uses check_permission("can_edit_controllers") and simplifies object lookup. |
| src/maasserver/api/rackcontrollers.py | Uses controller view/edit permission decorators and simplifies object lookup. |
| src/maasserver/api/pods.py | Removes @admin_method annotations (relies on underlying permission checks). |
| src/maasserver/api/partitions.py | Uses can_edit_machine_in_pool instead of superuser-only check for Ready state ops. |
| src/maasserver/api/packagerepositories.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/notification.py | Uses notification-specific permission checks and allows view-all via OpenFGA. |
| src/maasserver/api/nodes.py | Replaces power-parameters @admin_method with @check_permission("can_edit_machines"). |
| src/maasserver/api/nodedevices.py | Replaces @admin_method with @check_permission("can_edit_machines"). |
| src/maasserver/api/networks.py | Replaces @admin_method uses with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/machines.py | Updates create/update/deploy logic to use OpenFGA helpers and permission decorators. |
| src/maasserver/api/maas.py | Uses @check_permission("can_edit_configurations") for set_config. |
| src/maasserver/api/license_keys.py | Adds view/edit permission decorators for license key APIs. |
| src/maasserver/api/ipranges.py | Uses can_edit_global_entities in ownership/admin gating. |
| src/maasserver/api/ip_addresses.py | Uses OpenFGA-based admin-equivalent permissions for listing/force operations. |
| src/maasserver/api/image_sync.py | Switches from admin-only to internal-user-only gating with @internal_method. |
| src/maasserver/api/fabrics.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/domains.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/dnsresources.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/dnsresourcerecords.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/dhcpsnippets.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/boot_sources.py | Adds view/edit boot-entities permission decorators. |
| src/maasserver/api/boot_source_selections.py | Adds view/edit boot-entities permission decorators. |
| src/maasserver/api/boot_resources.py | Replaces @admin_method with boot-entities permission decorators. |
| src/maasserver/api/blockdevices.py | Uses can_edit_machine_in_pool for Ready-state operations and drops admin_method on create. |
| src/maasserver/api/agent.py | Switches from admin-only to internal-user-only gating with @internal_method. |
| src/maasopenfga/internal/migrations/00001_add_model.go | Updates OpenFGA model DSL for new relations/feature parity. |
| src/maasopenfga/go.mod | Adds direct ulid dependency and adjusts indirect list. |
| src/maascommon/openfga/sync_client.py | Adds sync OpenFGA client implementation (httpx over unix socket). |
| src/maascommon/openfga/client/client.py | Removes older async client implementation (replaced elsewhere). |
| src/maascommon/openfga/base.py | Adds base class with socket path resolution and list-object parsing. |
| Makefile | Ensures sampledata target builds before running. |
This is autogenerated by maas.r00ta.com. Enjoy!
Commit message: feat: replace built-in permission layer with openfga.
Details:
check_permission decorator so to simplify the permission checks on openfga