Launchpad MP (500665) - r00ta/openfga-permission-layer#427
Open
r00tabot wants to merge 1 commit into SpaghettiHub:master from
Pull request overview
This PR replaces MAAS's built-in permission layer with OpenFGA (an authorization/permission system). It introduces synchronous and asynchronous OpenFGA clients, implements context-aware caching to prevent hammering the OpenFGA server, migrates existing users to predefined groups (users/administrators), grants default permissions for backwards compatibility, and introduces a check_permission decorator to simplify permission checks throughout the codebase.
Changes:
- Introduced OpenFGA sync/async clients with comprehensive permission checking methods
- Added authorization middleware and caching layer to prevent redundant OpenFGA calls
- Replaced admin_method decorator with check_permission decorator throughout API handlers
- Added signal handlers for automatic OpenFGA tuple management on user/resource pool creation/deletion
- Updated permission checks across websocket handlers, API handlers, and service layers
Reviewed changes
Copilot reviewed 152 out of 154 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/tests/maasservicelayer/services/test_users.py | Added test for OpenFGA tuple deletion on user deletion |
| src/tests/maasservicelayer/services/test_openfga_tuples.py | New test file for OpenFGA tuple service operations |
| src/tests/maasservicelayer/db/repositories/test_openfga_tuples.py | Tests for OpenFGA tuple repository clause factories |
| src/tests/maasservicelayer/builders/test_openfga_tuple.py | Updated tests for refactored OpenFGA tuple builder methods |
| src/tests/maasserver/* | Multiple test files updated with OpenFGA mocking and integration tests |
| src/tests/maascommon/openfga/* | New tests for sync/async OpenFGA clients |
| src/tests/fixtures/init.py | Added mock_openfga fixture |
| src/tests/e2e/conftest.py | Added OpenFGA server fixture for e2e tests |
| src/perftests/maasserver/* | Updated performance tests to include OpenFGA server |
| src/maastesting/djangotestcase.py | Added query filtering for OpenFGA-related queries |
| src/maasservicelayer/services/users.py | Added OpenFGA tuple deletion on user deletion |
| src/maasservicelayer/services/resource_pools.py | Added OpenFGA tuple management hooks |
| src/maasservicelayer/services/openfga_tuples.py | Implemented OpenFGA tuple service with caching |
| src/maasservicelayer/services/init.py | Integrated OpenFGA tuple service |
| src/maasservicelayer/db/repositories/openfga_tuples.py | Added clause factories for OpenFGA tuple queries |
| src/maasserver/websockets/* | Replaced RBAC cache clearing with unified authorization cache clearing |
| src/maasserver/testing/* | Added OpenFGA mocking infrastructure |
| src/maasserver/openfga.py | New module for thread-local OpenFGA caching |
| src/maasserver/models/* | Updated permission checks to use OpenFGA |
| src/maasserver/middleware.py | Renamed RBACMiddleware to AuthorizationCacheMiddleware |
| src/maasserver/forms/init.py | Removed user-based form selection, always use admin forms |
| src/maasserver/djangosettings/settings.py | Updated middleware name |
| src/maasserver/authorization.py | New module with unified permission check functions |
| src/maasserver/api/* | Replaced admin_method with check_permission decorator |
| src/maasopenfga/* | Updated OpenFGA model with expanded permissions |
| src/maascommon/openfga/* | New sync/async OpenFGA clients with base class |
| Makefile | Updated sampledata target to build before running |
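
The overview above names a thread-local cache for OpenFGA checks, a middleware that clears it, and a `check_permission` decorator. The following is an added example of that pattern, not code from this PR or from MAAS: only the name `check_permission` comes from the page, and the tuple store, relation name, object id and every other function name are hypothetical.

```python
import functools
import threading

class RequestCache(threading.local):
    """Per-thread cache of check results; valid for one request only."""
    def __init__(self):
        self.results = {}
        self.backend_calls = 0  # counts simulated round trips

authz_cache = RequestCache()

# Constructed stand-in for relationship tuples held by the OpenFGA store.
TUPLES = {("user:alice", "can_edit_machines", "maas:0")}

def backend_check(user, relation, obj):
    """Hypothetical stand-in for a network call to the OpenFGA server."""
    authz_cache.backend_calls += 1
    return (user, relation, obj) in TUPLES

def cached_check(user, relation, obj):
    # Key on the full (user, relation, object) triple so one user's
    # answer can never be served to another user or for another object.
    key = (user, relation, obj)
    if key not in authz_cache.results:
        authz_cache.results[key] = backend_check(user, relation, obj)
    return authz_cache.results[key]

def check_permission(relation, obj="maas:0"):
    """Deny by default: the handler runs only after a positive check."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(user, *args, **kwargs):
            if not cached_check(user, relation, obj):
                raise PermissionError(f"{user} lacks {relation} on {obj}")
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator

def authorization_cache_middleware(view):
    """Drop cached decisions at both request boundaries so a revoked
    permission is never honoured by a later request on the same thread."""
    @functools.wraps(view)
    def wrapper(*args, **kwargs):
        authz_cache.results.clear()
        try:
            return view(*args, **kwargs)
        finally:
            authz_cache.results.clear()
    return wrapper
```

If the cache outlived the request, a worker thread would keep serving an allow decision after the underlying tuple was deleted, which is why the clearing happens in the middleware and not in the handlers.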
This is autogenerated by maas.r00ta.com. Enjoy!
Commit message: feat: replace built-in permission layer with openfga.
Details:
check_permission decorator so to simplify the permission checks on openfga