Launchpad MP (500665) - r00ta/openfga-permission-layer#427

Open

r00tabot wants to merge 1 commit into SpaghettiHub:master from r00tabot:5601e9b2-1c68-4d6d-8ce7-273e37561a6f
Conversation

@r00tabot (Collaborator)

This is autogenerated by maas.r00ta.com. Enjoy!

Commit message: feat: replace built-in permission layer with openfga.
Details:

  • introduce a sync/async client to interact with openfga
  • introduce a context cache in maasserver: when a new websocket/http request is processed, all the calls to openfga are cached so as to avoid hammering the server.
  • migrate existing users to the pre-defined groups users/administrators.
  • grant a set of default permissions to the users/administrators groups so as to guarantee backwards compatibility.
  • introduce a new check_permission decorator so as to simplify the permission checks on openfga
  • minor changes to the openfga model, so as to have feature parity with RBAC.
  • adapting perftests to include resource pools
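The two mechanisms the description leans on, a per-request cache in front of the authorization server and a `check_permission` decorator that wraps handlers, are easy to get subtly wrong (a cache that outlives the request keeps serving stale "allowed" answers after a revocation; a decorator that fails open on an error grants access). The following is an added example written for this page, not MAAS code and not the code in this PR: it assumes an OpenFGA-style client with a `check(user, relation, object)` call, and substitutes a constructed in-memory `FakeOpenFGAClient` that counts the calls it receives so the cache's effect is visible. The request-scoped cache is a `ContextVar` so concurrent requests never share answers.

```python
"""Added example: request-scoped authorization cache plus a check_permission
decorator. Not the project's code; the client is a constructed stand-in."""
from contextvars import ContextVar
from dataclasses import dataclass
from functools import wraps
from typing import Optional


class PermissionDenied(Exception):
    """Raised when the caller lacks the required relation on the object."""


@dataclass
class FakeOpenFGAClient:
    """Constructed stand-in for an OpenFGA client (assumption: real client
    exposes a check(user, relation, object) -> bool call). Counts calls so a
    test can prove the cache actually absorbed repeated lookups."""
    tuples: set
    calls: int = 0

    def check(self, user: str, relation: str, obj: str) -> bool:
        self.calls += 1
        return (user, relation, obj) in self.tuples


# One cache per request. A ContextVar gives each async task / thread its own
# value, so two concurrent requests can never read each other's answers.
_request_cache: ContextVar[Optional[dict]] = ContextVar("authz_cache", default=None)


def begin_request() -> None:
    """Install an empty cache; called once at the start of every HTTP or
    websocket request (the place a middleware would do it)."""
    _request_cache.set({})


def end_request() -> None:
    """Drop the cache so the next request re-queries the authorization server.
    This is what makes revocations take effect on the following request."""
    _request_cache.set(None)


def cached_check(client, user: str, relation: str, obj: str) -> bool:
    """Answer from the per-request cache when possible, else ask the server.

    Outside a request (no cache installed) every call goes straight through:
    a forgotten begin_request() costs performance, never correctness."""
    cache = _request_cache.get()
    key = (user, relation, obj)
    if cache is not None and key in cache:
        return cache[key]
    allowed = bool(client.check(user, relation, obj))
    if cache is not None:
        cache[key] = allowed
    return allowed


def check_permission(relation: str, obj: str):
    """Decorator: run the wrapped handler only if `user` holds `relation` on
    `obj`. Anything other than an explicit True is a denial (fail closed)."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(client, user, *args, **kwargs):
            if cached_check(client, user, relation, obj) is not True:
                raise PermissionDenied(f"{user} lacks {relation} on {obj}")
            return fn(client, user, *args, **kwargs)
        return wrapper
    return decorator


# Hypothetical handlers; relation and object names are illustrative only.
@check_permission("can_view", "resource_pool:default")
def list_machines(client, user):
    return ["machine-1", "machine-2"]


@check_permission("can_edit", "resource_pool:default")
def edit_pool(client, user):
    return "edited"


def simulate_request() -> dict:
    """One simulated request: two identical checks reach the server once,
    a denied check is reported without the handler body running."""
    client = FakeOpenFGAClient(tuples={("user:alice", "can_view", "resource_pool:default")})
    begin_request()
    try:
        first = list_machines(client, "user:alice")
        second = list_machines(client, "user:alice")
        try:
            edit_pool(client, "user:alice")
            denied = False
        except PermissionDenied:
            denied = True
    finally:
        end_request()
    return {"first": first, "second": second, "denied": denied, "server_calls": client.calls}


if __name__ == "__main__":
    print(simulate_request())
```

Two design points worth keeping when porting this idea: the cache key includes the user, relation and object, never a partial key, and the cache is created and destroyed with the request rather than living in a module global, so a group membership change is visible on the very next request instead of whenever a process restarts.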


Copilot AI left a comment


Pull request overview

This PR replaces MAAS's built-in permission layer with OpenFGA (an authorization/permission system). It introduces synchronous and asynchronous OpenFGA clients, implements context-aware caching to prevent hammering the OpenFGA server, migrates existing users to predefined groups (users/administrators), grants default permissions for backwards compatibility, and introduces a check_permission decorator to simplify permission checks throughout the codebase.

Changes:

  • Introduced OpenFGA sync/async clients with comprehensive permission checking methods
  • Added authorization middleware and caching layer to prevent redundant OpenFGA calls
  • Replaced admin_method decorator with check_permission decorator throughout API handlers
  • Added signal handlers for automatic OpenFGA tuple management on user/resource pool creation/deletion
  • Updated permission checks across websocket handlers, API handlers, and service layers

Reviewed changes

Copilot reviewed 152 out of 154 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| src/tests/maasservicelayer/services/test_users.py | Added test for OpenFGA tuple deletion on user deletion |
| src/tests/maasservicelayer/services/test_openfga_tuples.py | New test file for OpenFGA tuple service operations |
| src/tests/maasservicelayer/db/repositories/test_openfga_tuples.py | Tests for OpenFGA tuple repository clause factories |
| src/tests/maasservicelayer/builders/test_openfga_tuple.py | Updated tests for refactored OpenFGA tuple builder methods |
| src/tests/maasserver/* | Multiple test files updated with OpenFGA mocking and integration tests |
| src/tests/maascommon/openfga/* | New tests for sync/async OpenFGA clients |
| src/tests/fixtures/init.py | Added mock_openfga fixture |
| src/tests/e2e/conftest.py | Added OpenFGA server fixture for e2e tests |
| src/perftests/maasserver/* | Updated performance tests to include OpenFGA server |
| src/maastesting/djangotestcase.py | Added query filtering for OpenFGA-related queries |
| src/maasservicelayer/services/users.py | Added OpenFGA tuple deletion on user deletion |
| src/maasservicelayer/services/resource_pools.py | Added OpenFGA tuple management hooks |
| src/maasservicelayer/services/openfga_tuples.py | Implemented OpenFGA tuple service with caching |
| src/maasservicelayer/services/init.py | Integrated OpenFGA tuple service |
| src/maasservicelayer/db/repositories/openfga_tuples.py | Added clause factories for OpenFGA tuple queries |
| src/maasserver/websockets/* | Replaced RBAC cache clearing with unified authorization cache clearing |
| src/maasserver/testing/* | Added OpenFGA mocking infrastructure |
| src/maasserver/openfga.py | New module for thread-local OpenFGA caching |
| src/maasserver/models/* | Updated permission checks to use OpenFGA |
| src/maasserver/middleware.py | Renamed RBACMiddleware to AuthorizationCacheMiddleware |
| src/maasserver/forms/init.py | Removed user-based form selection, always use admin forms |
| src/maasserver/djangosettings/settings.py | Updated middleware name |
| src/maasserver/authorization.py | New module with unified permission check functions |
| src/maasserver/api/* | Replaced admin_method with check_permission decorator |
| src/maasopenfga/* | Updated OpenFGA model with expanded permissions |
| src/maascommon/openfga/* | New sync/async OpenFGA clients with base class |
| Makefile | Updated sampledata target to build before running |




3 participants