Launchpad MP (500665) - r00ta/openfga-permission-layer#425

Open
r00tabot wants to merge 1 commit into SpaghettiHub:master from r00tabot:360734c4-2f3f-4d2d-9fa6-3ec97023af37
@r00tabot
Collaborator

This is autogenerated by maas.r00ta.com. Enjoy!

Commit message: feat: replace built-in permission layer with openfga.
Details:

  • introduce a sync/async client to interact with openfga
  • introduce a context cache in maasserver: when a new websocket/http request is processed, all the calls to openfga are cached so as to avoid hammering the server.
  • migrate existing users to the pre-defined groups users/administrators.
  • grant a set of default permissions to users/administrators groups so as to guarantee backwards compatibility.
  • Introduce a new check_permission decorator so as to simplify the permission checks on openfga
  • minor changes to the openfga model, so as to have feature parity with RBAC.

Copilot AI left a comment

Pull request overview

This PR replaces the existing built-in/RBAC-style permission checks with an OpenFGA-backed permission layer across MAAS, adding OpenFGA clients (sync/async), request-scoped caching, and updating APIs/websockets/services/tests to use the new permission model.

Changes:

  • Introduces OpenFGA clients + caching layers and integrates them into request handling (middleware/websocket execution paths) to reduce repeated permission calls.
  • Migrates many API/websocket authorization checks from is_superuser / admin_method to OpenFGA permission checks (check_permission(...), maasserver.authorization helpers).
  • Adds/updates service-layer logic and tests to create/delete OpenFGA tuples for users and resource pools (plus perf/e2e scaffolding).

Reviewed changes

Copilot reviewed 145 out of 147 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| src/tests/maasservicelayer/services/test_users.py | Updates user deletion tests to assert OpenFGA tuples are cleaned up. |
| src/tests/maasservicelayer/services/test_resource_pools.py | Adds integration/unit tests for pool tuple creation/deletion. |
| src/tests/maasservicelayer/services/test_openfga_tuples.py | New service tests for tuple operations and service cache behavior. |
| src/tests/maasservicelayer/db/repositories/test_openfga_tuples.py | Adds clause-factory tests for OpenFGA tuple repository filtering. |
| src/tests/maasservicelayer/builders/test_openfga_tuple.py | Updates builder coverage for new permission relations. |
| src/tests/maasserver/websockets/handlers/test_machine.py | Ensures websocket machine handler tests run with OpenFGA mocked. |
| src/tests/maasserver/test_sessiontimeout.py | Marks session timeout tests to use mocked OpenFGA. |
| src/tests/maasserver/test_openfga.py | New tests for thread-local OpenFGA call caching. |
| src/tests/maasserver/conftest.py | Exposes mock_openfga fixture for maasserver tests. |
| src/tests/maascommon/openfga/test_sync_client.py | New tests for the sync OpenFGA client payloads/behavior. |
| src/tests/maascommon/openfga/test_async_client.py | New tests for the async OpenFGA client payloads/behavior. |
| src/tests/maascommon/openfga/client/test_client.py | Removes old client tests (replaced by async/sync client tests). |
| src/tests/maascommon/openfga/base.py | Shared test constants for permission/list method matrices. |
| src/tests/maascommon/conftest.py | Adds a stub OpenFGA unix-socket server fixture for client tests. |
| src/tests/fixtures/init.py | Adds mock_openfga fixture (patches server OpenFGA client getter). |
| src/tests/e2e/conftest.py | Adds e2e OpenFGA server subprocess + env/socket fixtures. |
| src/perftests/maasserver/websockets/test_machines.py | Updates perftests to run against OpenFGA server + env fixtures. |
| src/perftests/maasserver/conftest.py | Adds perftest OpenFGA fixtures and clears cached client between tests. |
| src/perftests/maasserver/api_v3/test_machines.py | Minor cleanup (removes stray print) and copyright year bump. |
| src/perftests/maasserver/api/test_machines.py | Updates perftests to authenticate via DB superuser and run with OpenFGA server. |
| src/maastesting/djangotestcase.py | Adjusts query counting to ignore tagged queries and include sqlalchemy counter. |
| src/maasservicelayer/services/users.py | Ensures user deletion triggers OpenFGA tuple cleanup. |
| src/maasservicelayer/services/resource_pools.py | Ensures pool create/delete hooks create/delete OpenFGA tuples. |
| src/maasservicelayer/services/openfga_tuples.py | Adds service cache + helper methods (delete_pool/delete_user) and cached client getter. |
| src/maasservicelayer/services/init.py | Wires OpenFGATupleService into ServiceCollectionV3 and injects into services. |
| src/maasservicelayer/db/repositories/openfga_tuples.py | Adds OpenFGATuplesClauseFactory for repository filtering. |
| src/maasserver/websockets/tests/test_protocol.py | Adjusts test to use real DB user instead of MagicMock for protocol user. |
| src/maasserver/websockets/handlers/vmcluster.py | Replaces RBAC cache clearing with unified clear_caches(). |
| src/maasserver/websockets/handlers/tests/test_machine.py | Copyright year bump. |
| src/maasserver/websockets/handlers/tests/test_device.py | Fixes device factory usage to set owner for permission-dependent behavior. |
| src/maasserver/websockets/handlers/staticroute.py | Switches superuser check to can_edit_global_entities. |
| src/maasserver/websockets/handlers/reservedip.py | Switches superuser check to can_edit_global_entities. |
| src/maasserver/websockets/handlers/pod.py | Switches superuser/config checks to OpenFGA helpers and unified cache clearing. |
| src/maasserver/websockets/handlers/packagerepository.py | Switches superuser check to can_edit_global_entities. |
| src/maasserver/websockets/handlers/machine.py | Copyright year bump. |
| src/maasserver/websockets/handlers/general.py | Replaces superuser-only logic with controller/machine edit permission helpers. |
| src/maasserver/websockets/handlers/dhcpsnippet.py | Switches superuser check to can_edit_global_entities. |
| src/maasserver/websockets/handlers/controller.py | Switches superuser check to can_edit_global_entities. |
| src/maasserver/websockets/handlers/config.py | Switches superuser checks to configuration permission helpers. |
| src/maasserver/websockets/base.py | Uses unified clear_caches() instead of RBAC-only clear calls. |
| src/maasserver/urls_api.py | Reorders admin-restricted resources (boot* and license keys now not in “Admin handlers” block). |
| src/maasserver/tests/test_middleware.py | Renames RBAC middleware test to AuthorizationCacheMiddleware. |
| src/maasserver/testing/testcase.py | Adds automatic OpenFGA mocking in region test base. |
| src/maasserver/testing/sampledata/sampledata.py | Adds resource pool generation and uses it when creating machines. |
| src/maasserver/testing/sampledata/resourcepool.py | New helper to create sample resource pools. |
| src/maasserver/testing/sampledata/main.py | Adds --resourcepools option to sampledata tool. |
| src/maasserver/testing/sampledata/machine.py | Assigns sample machines to random resource pools. |
| src/maasserver/testing/openfga.py | Adds OpenFGA client mock implementation used by tests. |
| src/maasserver/testing/fixtures.py | Adds fixture to patch OpenFGA client getter + clear caches. |
| src/maasserver/testing/api.py | Adds internal-user test scenario and auto OpenFGA mocking for API tests. |
| src/maasserver/openfga.py | Adds lru-cached OpenFGA client getter and a thread-local call-result cache wrapper. |
| src/maasserver/node_action.py | Replaces superuser check with can_edit_machines. |
| src/maasserver/models/tests/test_vlan.py | Removes stray print. |
| src/maasserver/models/tests/test_node.py | Adds integration scenarios validating OpenFGA-backed node access logic. |
| src/maasserver/models/signals/users.py | Adds user create/delete hooks to write OpenFGA tuples and updates event username update query. |
| src/maasserver/models/signals/tests/test_users.py | Adds tests for OpenFGA tuple creation/deletion on user save/delete. |
| src/maasserver/models/signals/tests/test_resourcepool.py | New tests for OpenFGA tuple creation/deletion on resource pool save/delete. |
| src/maasserver/models/signals/resourcepool.py | New resource pool signal handlers to maintain pool tuples. |
| src/maasserver/models/signals/init.py | Registers new resourcepool and users signals modules. |
| src/maasserver/models/notification.py | Uses can_view_notifications instead of superuser checks for admin notifications. |
| src/maasserver/models/node.py | Switches non-RBAC visibility filtering to OpenFGA list/check calls. |
| src/maasserver/middleware.py | Introduces AuthorizationCacheMiddleware to clear RBAC/OpenFGA caches per request. |
| src/maasserver/forms/tests/test_helpers.py | Removes tests tied to removed edit-form selection helpers. |
| src/maasserver/forms/init.py | Removes get_machine_edit_form/get_node_edit_form; updates create-form gating to OpenFGA helper. |
| src/maasserver/djangosettings/settings.py | Replaces RBACMiddleware with AuthorizationCacheMiddleware. |
| src/maasserver/authorization.py | New centralized permission helper functions + unified cache clearing. |
| src/maasserver/auth/local.py | Switches many permission checks to OpenFGA helpers for non-RBAC mode. |
| src/maasserver/api/zones.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/vmcluster.py | Removes @admin_method from update/delete (relies on other permission paths). |
| src/maasserver/api/users.py | Replaces @admin_method with @check_permission("can_edit_identities"). |
| src/maasserver/api/tags.py | Adds permission decorators for tag modification operations and removes manual superuser checks. |
| src/maasserver/api/support.py | Adds check_permission and internal_method, updates AdminRestrictedResource behavior/messages. |
| src/maasserver/api/subnets.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/staticroutes.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/ssh_keys.py | Allows specifying user only if can_edit_global_entities. |
| src/maasserver/api/spaces.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/scripts.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/scriptresults.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/reservedip.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/regioncontrollers.py | Uses check_permission("can_edit_controllers") and simplifies object lookup. |
| src/maasserver/api/rackcontrollers.py | Uses controller view/edit permission decorators and simplifies object lookup. |
| src/maasserver/api/pods.py | Removes @admin_method annotations (relies on underlying permission checks). |
| src/maasserver/api/partitions.py | Uses can_edit_machine_in_pool instead of superuser-only check for Ready state ops. |
| src/maasserver/api/packagerepositories.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/notification.py | Uses notification-specific permission checks and allows view-all via OpenFGA. |
| src/maasserver/api/nodes.py | Replaces power-parameters @admin_method with @check_permission("can_edit_machines"). |
| src/maasserver/api/nodedevices.py | Replaces @admin_method with @check_permission("can_edit_machines"). |
| src/maasserver/api/networks.py | Replaces @admin_method uses with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/machines.py | Updates create/update/deploy logic to use OpenFGA helpers and permission decorators. |
| src/maasserver/api/maas.py | Uses @check_permission("can_edit_configurations") for set_config. |
| src/maasserver/api/license_keys.py | Adds view/edit permission decorators for license key APIs. |
| src/maasserver/api/ipranges.py | Uses can_edit_global_entities in ownership/admin gating. |
| src/maasserver/api/ip_addresses.py | Uses OpenFGA-based admin-equivalent permissions for listing/force operations. |
| src/maasserver/api/image_sync.py | Switches from admin-only to internal-user-only gating with @internal_method. |
| src/maasserver/api/fabrics.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/domains.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/dnsresources.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/dnsresourcerecords.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/dhcpsnippets.py | Replaces @admin_method with @check_permission("can_edit_global_entities"). |
| src/maasserver/api/boot_sources.py | Adds view/edit boot-entities permission decorators. |
| src/maasserver/api/boot_source_selections.py | Adds view/edit boot-entities permission decorators. |
| src/maasserver/api/boot_resources.py | Replaces @admin_method with boot-entities permission decorators. |
| src/maasserver/api/blockdevices.py | Uses can_edit_machine_in_pool for Ready-state operations and drops admin_method on create. |
| src/maasserver/api/agent.py | Switches from admin-only to internal-user-only gating with @internal_method. |
| src/maasopenfga/internal/migrations/00001_add_model.go | Updates OpenFGA model DSL for new relations/feature parity. |
| src/maasopenfga/go.mod | Adds direct ulid dependency and adjusts indirect list. |
| src/maascommon/openfga/sync_client.py | Adds sync OpenFGA client implementation (httpx over unix socket). |
| src/maascommon/openfga/client/client.py | Removes older async client implementation (replaced elsewhere). |
| src/maascommon/openfga/base.py | Adds base class with socket path resolution and list-object parsing. |
| Makefile | Ensures sampledata target builds before running. |
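
An added sketch, not code from this PR or from MAAS, of the thread-local call-result cache and check_permission decorator pattern that the description and file summary refer to. StubOpenFGAClient, cached_check, the handler signature and the maas:0 object are assumptions made for illustration; the point shown is that a decision cached before a revocation stays granted until the cache is cleared at the next request boundary.

```python
import functools
import threading
# Added illustration: StubOpenFGAClient, cached_check and "maas:0" are hypothetical.

class StubOpenFGAClient:
    """Constructed stand-in for an OpenFGA client; counts backend calls."""
    def __init__(self, tuples):
        self.tuples = set(tuples)  # (user, relation, object) triples
        self.calls = 0
    def check(self, user, relation, obj):
        self.calls += 1
        return (user, relation, obj) in self.tuples

_local = threading.local()  # worker threads are reused, so this outlives a request

def clear_caches():
    _local.cache = {}  # must run at every request boundary

def cached_check(client, user, relation, obj="maas:0"):
    cache = _local.__dict__.setdefault("cache", {})
    key = (user, relation, obj)
    if key not in cache:
        cache[key] = client.check(user, relation, obj)
    return cache[key]

def check_permission(relation):
    def decorator(handler):  # deny by default: handler runs only on an allow
        @functools.wraps(handler)
        def wrapper(client, user, *args, **kwargs):
            if not cached_check(client, user, relation):
                raise PermissionError(f"{user} lacks {relation}")
            return handler(client, user, *args, **kwargs)
        return wrapper
    return decorator

@check_permission("can_edit_global_entities")
def update_zone(client, user, name):
    return f"zone {name} updated by {user}"

def demo():
    grant = ("user:alice", "can_edit_global_entities", "maas:0")
    client = StubOpenFGAClient({grant})
    clear_caches()                       # request 1 starts
    for name in ("a", "b"):
        update_zone(client, "user:alice", name)
    calls_in_request = client.calls      # second check was served from cache
    client.tuples.clear()                # permission revoked mid-request
    stale = cached_check(client, *grant[:2])
    clear_caches()                       # request 2 starts
    fresh = cached_check(client, *grant[:2])
    return calls_in_request, stale, fresh
```

The window in which a revoked permission is still honoured is bounded by how long one request (or one websocket call) keeps its cache, which is why the clear has to be tied to the request lifecycle rather than to a timer.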
