Skip to content

Feat: move resource pools check to authz#1248

Merged
SalimKayal merged 14 commits intoFeat/Move-Resource-Pool-Authorization-To-Authzedfrom
feat/move-resource-pools-check-to-authz
Apr 20, 2026
Merged

Feat: move resource pools check to authz#1248
SalimKayal merged 14 commits intoFeat/Move-Resource-Pool-Authorization-To-Authzedfrom
feat/move-resource-pools-check-to-authz

Conversation

@SalimKayal
Copy link
Copy Markdown
Collaborator

@SalimKayal SalimKayal commented Mar 30, 2026
edited
Loading

Summary

This PR implements ResourcePool authorization in SpiceDB/Authzed, enabling centralized access control while maintaining feature parity with the DB-based implementation.

What Changed

Authzed Schema (v9):

  • Added resource_pool resource type with relations: member, prohibited, public_viewer, resource_pool_platform
  • Permissions: use = (member + public_viewer + admin) - prohibited, write = admin-only
    Supporting Code:
  • Extended ResourceType enum with resource_pool
  • Updated _AuthzConverter.resource_pool() and related methods to handle int IDs
  • Enhanced permission checking signatures throughout authz module
    Migration:
  • Alembic migration cd424c01676e deploys Authzed schema v9
  • Schema-only migration (data migration deferred for safety)

Tests

  • Authorization tests: member/prohibited/public patterns, admin bypass, isolation
  • Schema Validation: SpiceDB zed validate confirms v9 schema correctness

Deferred Items

  1. Core Logic Updates: Update CRC core and db modules to use Authzed for membership checks
  2. API Refactoring: Update blueprints to leverage updated core logic
  3. Cleanup Migration: Remove old DB tables after Phase 1 verification
  4. Authz Relationship: Add groups and projects for authorization.

PR stack

/deploy renku=salimkayal-add-AUTHZ-config-to-k8s-watcher

@SalimKayal SalimKayal requested review from leafty and sgaist March 30, 2026 14:07
@SalimKayal SalimKayal force-pushed the feat/move-resource-pools-check-to-authz branch from c19e6d0 to d4c7f78 Compare March 30, 2026 15:12
@coveralls
Copy link
Copy Markdown

coveralls commented Mar 30, 2026
edited
Loading

Coverage Report for CI Build 24656849513

Warning

No base build found for commit bd0bf2e on Feat/Move-Resource-Pool-Authorization-To-Authzed.
Coverage changes can't be calculated without a base build.
If a base build is processing, this comment will update automatically when it completes.

Coverage: 86.387%

Details

  • Patch coverage: 29 uncovered changes across 3 files (294 of 323 lines covered, 91.02%).

Uncovered Changes

File Changed Covered %
components/renku_data_services/crc/db.py 129 115 89.15%
components/renku_data_services/authz/authz.py 99 91 91.92%
components/renku_data_services/migrations/versions/cd424c01676e_add_resource_pool_authorization_schema.py 70 63 90.0%

Coverage Regressions

Requires a base build to compare against. How to fix this →

Coverage Stats

Coverage Status
Relevant Lines: 29832
Covered Lines: 25771
Line Coverage: 86.39%
Coverage Strength: 1.5 hits per line
💛 - Coveralls

sgaist
sgaist requested changes Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@sgaist sgaist left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am no specialist of Authz but the code in itself looks good.

Just some minor things.

Comment thread ...nku_data_services/migrations/versions/cd424c01676e_add_resource_pool_authorization_schema.py Outdated
Comment thread test/components/renku_data_services/authz/test_authorization.py Outdated
leafty
leafty reviewed Apr 7, 2026
View reviewed changes
Comment thread components/renku_data_services/authz/schemas.py Outdated
SalimKayal
SalimKayal commented Apr 10, 2026
View reviewed changes
Comment thread components/renku_data_services/authz/schemas.py Outdated
@SalimKayal SalimKayal force-pushed the feat/move-resource-pools-check-to-authz branch from 7dab40e to 378a7a0 Compare April 14, 2026 11:03
olevski
olevski requested changes Apr 15, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@olevski olevski left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overarching comment the target is main can this go to a feature branch? Mainly because I think we should test the migration on a ci deployment we artificially put a lot of users into. And then see if the migration is quick enough. So for now we can merge into a feature branch and you can continue with your work and then when we merge the feature branch to main we do the test.

Comment thread components/renku_data_services/authz/schemas.py Outdated
Comment thread ...nku_data_services/migrations/versions/cd424c01676e_add_resource_pool_authorization_schema.py
@olevski
Copy link
Copy Markdown
Member

olevski commented Apr 15, 2026

For example on renkulab.io we have a total of 598 resource pool member entries spread across 34 resource pools. We can use this info to test.

@SalimKayal SalimKayal force-pushed the feat/move-resource-pools-check-to-authz branch from 84d72b3 to f9f5b0b Compare April 15, 2026 14:25
SalimKayal
SalimKayal commented Apr 16, 2026
View reviewed changes
Comment thread test/bases/renku_data_services/data_api/test_migrations.py
@SalimKayal SalimKayal mentioned this pull request Apr 17, 2026
Merged
@SalimKayal SalimKayal marked this pull request as ready for review April 17, 2026 11:15
@SalimKayal SalimKayal requested a review from a team as a code owner April 17, 2026 11:15
leafty
leafty requested changes Apr 17, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@leafty leafty left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we merge this into a feature branch? This code is not "usable" as is in main.

@SalimKayal SalimKayal force-pushed the feat/move-resource-pools-check-to-authz branch from 63522bf to aa3ad41 Compare April 17, 2026 13:35
@SalimKayal SalimKayal changed the base branch from main to Feat/Move-Resource-Pool-Authorization-To-Authzed April 17, 2026 13:36
@SalimKayal SalimKayal requested a review from sgaist April 17, 2026 22:16
@SalimKayal
Feat: authz resource pools feature parity (#1256)
e02133a 
* feat: add ResourcePool and membership types

* feat: add ResourcePool as a supported authorization resource

* feat: add member and prohibited relationships

* refactor: authz_change decorator for multiple APIUser args

* fix: session commit responsibility to session creator

* refactor: move authorization logic to authz schema

* feat: wire Authz into dependency graphs

* feat: update blueprint func for single rp

* fix: use proper non admin user in visibility tests

* feat: visibility toggle test for rp

* feat: update test utils setup for rp_repo with authz

* refactor: update functions for authz usage

* feat: new authorization tests

* fix: use NonCachingAuthz in nb_config for tests

* squashme: remove debug print

* squashme: fix comments

* fix: edge case for noop visibility change

* refactor: authz consistency

* fix: call spicedb only on authz updates

* chore: fix error message

* refactor: DRY some stuff

* squashme: remove commented out code

* fix: await resource pool creation with authz
@RenkuBot
Copy link
Copy Markdown
Contributor

RenkuBot commented Apr 20, 2026

You can access the deployment of this PR at https://renku-ci-ds-1248.dev.renku.ch

@SalimKayal SalimKayal merged commit 15bfb56 into Feat/Move-Resource-Pool-Authorization-To-Authzed Apr 20, 2026
47 of 57 checks passed
@SalimKayal SalimKayal deleted the feat/move-resource-pools-check-to-authz branch April 20, 2026 13:25
@RenkuBot
Copy link
Copy Markdown
Contributor

RenkuBot commented Apr 20, 2026

Tearing down the temporary RenkuLab deployment for this PR.

@SalimKayal SalimKayal mentioned this pull request Apr 20, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@leafty leafty leafty approved these changes

@olevski olevski olevski approved these changes

@sgaist sgaist Awaiting requested review from sgaist sgaist is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@SalimKayal @coveralls @olevski @RenkuBot @sgaist @leafty