PowerOn/wiki
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactored uam to rbac

Browse source
This commit is contained in:
ValueOn AG 2025-12-07 13:48:52 +01:00
parent e4225a88ea
commit a953c51c10
3 changed files with 1150 additions and 194 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
appdoc/doc_gateway_import_map.drawio
View file

@ -1 +1 @@
<mxfile host="Electron" modified="2025-12-03T06:30:20.116Z" agent="5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/20.3.0 Chrome/104.0.5112.114 Electron/20.1.3 Safari/537.36" etag="tHyK4B66sFMeADf-beI2" version="20.3.0" type="device"><diagram name="Module Dependencies" id="module-dependencies">5Vldk5owFP01Pm4nEBT3cVf3ozPdJ6fT9jGGi7BG4sSg0l/fsCaaALYda8FRXuCem5DknOTey9DDo8X2RZBl8sYjYD0fRdseHvd83wuDgbqVSLFD/BDf75CZSCPd6gBM0p+gQaTRPI1g5TSUnDOZLl2Q8iwDKh2MCME3brOYM3fUJZlBDZhQwurotzSSiUYDhA6OV0hniRkaGc+CmNYaWCUk4hsLwk89PBKcy93TYjsCVtJniNn1ez7i3c9MQCb/pgNJKRew67UmLAcXftazlIVZu+B5FkHZ2+vhx02SSpgsCS29GyW3whK5YNodp4yNOOPioy+O4xgDUvhKCj4HywODviJp7zGs+uU7eCYnenzP2Lst4QXKrq9Yk7AGIWFrQZqBF+ALkKJQTYzXG2o59I7EWNsbS14jWWIpO9AY0Ttqtn/3gXP1oGlvlmAFYp1StZ+rIhwc55UhGiIU4iYZHvoIBafJUNqu1Oo6jzz3yFXHb1OdNJMgYtKkj+26bYWC0FUoHLSo0PwtGMsB+fw6HxZfKY2meZzf9Wt6QKRiuDYznqnboysRFzLhM54R9oXzpQbfQcpCs0hyyV3ZFGOi+K4MZIwfpfGpb8zx1naOC225skYQk5zJj1bRQ5mfFDhlnM4bdVaNnlNmprBbZ7m4oxlAQyueC7oPLTQXqSx08iRiBrIejep6C2BEpmt3rH8LfvZEnOBnHOfOQTAFaDpa09CjHu0qB/X77hHyUItHKAYic9EQ4g6O2w5wQ89V5y5oUZ0NF/OYlVVrVR7Lc159AMV+7DXpo9SJTtTnf1RqrR4TxahsOCQGPnOgohAAbZJgOEQQxF1JEODKUfDblKBMdIOaAn8g/oTM3ph2q7nZzcTv+WJpuCeC/o5tNxXb5b+diu1vs0qCbyEzlyMOb4TpapHfDdued1V0V0m9rK3tXdvePlbQX8beNuxeCd1uwXzs+6kzsoMbIbtSGXfEdv+q2K5wellR2w9vhetLiCOm0r8Stu3PN5tqN750RPV11X7HqL6MYgRfVzFyjGy3JuyIanwjVLcarZV5+EX84bN+teOnXw==</diagram></mxfile>
<mxfile host="Electron" modified="2025-12-07T12:20:24.090Z" agent="5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) draw.io/20.3.0 Chrome/104.0.5112.114 Electron/20.1.3 Safari/537.36" etag="cr0QP01cfDrbV7QtecK0" version="20.3.0" type="device"><diagram name="Module Dependencies" id="module-dependencies">7Zpbc9o6EMc/DXOe2pHxBfKYQC+Z0860k/Zc+tIR0hq7CIvKcoB++koggS+iTVrHcOA4D0G7siz/f9JqZbvnj+arVwIvkrecAuv1EV31/HGv3/e8KFD/tGVtLeHV1jIVKTW2veEu/QbGiIy1SCnklYqScybTRdVIeJYBkRUbFoIvq9VizqpXXeApNAx3BLOm9e+UysRYA4T2jteQThN7aWQ9c2xrG0OeYMqXJZP/ouePBOdy+2u+GgHT8llhtue9PODd9UxAJh9ywugr//yJfi7e/3kl3/8lrpMP3tdn/W0r95gV5o6Nklzkuqltz+Xa6iF4kVHQLXo9/2aZpBLuFpho71INAWVL5JwZd5wyNuKMi825Png0hIGy51LwGZQ8V9HAx9HOY5Xu6zZ4Ju/M9T1b3g4TL1Bl038QElYHhfF2cquRCnwOUqxVFXPCDqYZpEFgyssScUsxKcGOjA2bQTbdNb3HoH4YEo+g4jWofLz9I28VBsUwjIkLRkSGMIlPBUa/QxY4JVxAQ3trbnc2xDFMAFwAJgOPeOQ3ADTUdjA5CGAfwdY1Il0gyEHcpwTyBoS9o+Wg5JOhukEHhht0FZY8j8Ggy6WW0OZoB8+wPj/8DumkmQQRYxefsqtdQhFGKI5dhPwBQqNRG4TizdEOofCY82f2NhjLCN++ng3XHwmhkyIunoUNHkBVlmOKGc90GKoi4kImfMozzN5wvjDGLyDl2qiIC8mr2JRiYv2PKiBb+FcXnoe2OF6VneO1KVWxUohxweSmFr3WGZwyThgnMydnVellymwXDtLLeSHILpKQQqRyKyuSWExBuoKP1uiHvAUwLNP7aqb4e8Gv3LNK8LOOy1iDomMGuRiwLIQjxO0dlx3gGhlC1CGdJRezmOl9XR1PyXPZKUKDT6fTRyktHZPHmttFg1CIwDl1EPLGNyc3deq5QZczR69nUYPLT3D8Qh7gXKTrK3l13f5SzBeWCBbk4St5eb0ur+TlnVz367i+4vBClK5vCY6jttd8YvJflrsu6mkNbe/cxvah/cBpjG2r7pnIXU2vT2n7tRE7uBCxa3n0kdQOz0rtmqanFbX7g0vR+hTiiN1xnYna5U1dWepqfDmS1OeV+x2S+jSSEf+8kpFDYldzwiNJ7V+I1MeN1s4X8E3pKZZ4rr9vaf0ZVhzqP9czrGhztPEMa3v0nuQNfeh4RT/o9HOJZs6eJ+p26P+k6k8bj03qAfm+aiVd5KC1TPBCGwnjBf05rCcQLHAM7cihV/BUejVz9ut3tz+QrAOJhrXZ31QodCjkP14hVdx/HLfxlT4y9F98Bw==</diagram></mxfile>

768
appdoc/doc_security_role_based_access.md
View file

File diff suppressed because it is too large Load diff

574
appdoc/doc_security_role_based_access_implementation_plan.md Normal file
View file

@ -0,0 +1,574 @@
# RBAC Implementation Plan
## Overview
This document outlines the implementation plan for migrating from the current User Access Management (UAM) system to the new Role-Based Access Control (RBAC) system as specified in `doc_security_role_based_access.md`.
## Implementation Phases
### Phase 1: Database Schema and Data Models
#### 1.1 Create RBAC Data Models
**File**: `gateway/modules/datamodels/datamodelRbac.py`
**New Models**:
- `AccessRuleContext` (Enum): DATA, UI, RESOURCE
- `AccessRule` (BaseModel): Complete RBAC rule model with context, item, view, read, create, update, delete
- `AccessLevel` (Enum): Already exists in `datamodelUam.py` - verify and ensure consistency
**Dependencies**:
- Import from `datamodelUam.py`: `AccessLevel`, `User`
- Use `ModelMixin` pattern from existing models
- Register model labels using `registerModelLabels()`
**Status**: ✅ `AccessLevel` already exists in `datamodelUam.py`
**Action**: Create `datamodelRbac.py` with `AccessRule` and `AccessRuleContext`
#### 1.2 Update User Model
**File**: `gateway/modules/datamodels/datamodelUam.py`
**Changes**:
- Replace `privilege: UserPrivilege` with `roleLabels: List[str]`
- Update `frontend_options` to use `"user.role"` string reference
- Keep `UserPrivilege` enum for backward compatibility during migration
**Migration Strategy**:
- Add `roleLabels` field alongside `privilege` during transition
- Migration script will populate `roleLabels` from `privilege`
- After migration, `privilege` can be deprecated
**Status**: ⚠️ Partial - `AccessLevel` exists, `roleLabels` needs to be added
#### 1.3 Database Schema Migration
**File**: Database migration script (to be created)
**Schema Changes**:
1. Create `AccessRule` table:
- `id` (UUID, primary key)
- `roleLabel` (string, indexed)
- `context` (enum: DATA, UI, RESOURCE, indexed)
- `item` (string, nullable, indexed)
- `view` (boolean)
- `read` (AccessLevel enum, nullable)
- `create` (AccessLevel enum, nullable)
- `update` (AccessLevel enum, nullable)
- `delete` (AccessLevel enum, nullable)
- Standard fields: `_createdAt`, `_createdBy`, `_updatedAt`, `_updatedBy`
2. Update `User` table:
- Add `roleLabels` column (array of strings)
- Keep `privilege` column for backward compatibility
3. Create indexes:
- `AccessRule(roleLabel, context, item)` - composite index for rule lookups
- `AccessRule(context, item)` - for context/item queries
**Status**: 📝 To be implemented
---
### Phase 2: RBAC Interface and Core Logic
#### 2.1 Create RBAC Interface
**File**: `gateway/modules/interfaces/interfaceRbac.py`
**Purpose**: Centralized RBAC logic and permission resolution
**Key Functions**:
- `getUserPermissions(user: User, context: AccessRuleContext, item: str) -> UserPermissions`
- `findMostSpecificRule(rules: List[AccessRule], item: str) -> Optional[AccessRule]`
- `validateAccessRule(rule: AccessRule) -> bool`
- `_isMorePermissive(level1: AccessLevel, level2: AccessLevel) -> bool`
**Dependencies**:
- `datamodelRbac.py`: `AccessRule`, `AccessRuleContext`
- `datamodelUam.py`: `User`, `UserPermissions`, `AccessLevel`
- `connectorDbPostgre.py`: Database connector for rule queries
**References Check**: ✅
- Can import from `datamodelUam.py` and `datamodelRbac.py`
- Can use database connector from `interfaceDbAppObjects.py` pattern
- Follows same pattern as `interfaceDbAppAccess.py`
**Status**: 📝 To be implemented
#### 2.2 Integrate RBAC CRUD into AppObjects Interface
**File**: `gateway/modules/interfaces/interfaceDbAppObjects.py`
**New Methods** (camelCase):
- `createAccessRule(accessRule: AccessRule) -> AccessRule`
- `getAccessRule(ruleId: str) -> Optional[AccessRule]`
- `updateAccessRule(ruleId: str, accessRule: AccessRule) -> AccessRule`
- `deleteAccessRule(ruleId: str) -> bool`
- `getAccessRules(roleLabel: Optional[str] = None, context: Optional[AccessRuleContext] = None, item: Optional[str] = None) -> List[AccessRule]`
- `getAccessRulesForRoles(roleLabels: List[str], context: AccessRuleContext, item: str) -> List[AccessRule]`
**Integration Points**:
- Use existing `self.db.recordCreate()`, `self.db.recordUpdate()`, `self.db.recordDelete()`, `self.db.getRecordset()` methods
- Follow same pattern as existing CRUD methods (e.g., `createUser()`, `updateUser()`)
- Add RBAC permission checks using `interfaceRbac.getUserPermissions()`
**References Check**: ✅
- Can use `self.db` database connector (already initialized)
- Can import `AccessRule` from `datamodelRbac.py`
- Follows existing interface pattern
**Status**: 📝 To be implemented
---
### Phase 3: Database Bootstrap and Initialization
#### 3.1 Create Centralized Bootstrap Interface
**File**: `gateway/modules/interfaces/interfaceBootstrap.py`
**Purpose**: Centralized bootstrap module containing all initialization logic, specific data (roles, user names, mandate profiles), and RBAC rules converted from existing UAM logic.
**Key Functions**:
- `initBootstrap(db: DatabaseConnector) -> None` - Main bootstrap entry point
- `initRootMandate(db: DatabaseConnector) -> str` - Creates root mandate, returns mandateId
- `initAdminUser(db: DatabaseConnector, mandateId: str) -> str` - Creates admin user, returns userId
- `initEventUser(db: DatabaseConnector, mandateId: str) -> str` - Creates event user, returns userId
- `initRbacRules(db: DatabaseConnector) -> None` - Creates all RBAC rules from UAM logic
- `createDefaultRoleRules(db: DatabaseConnector) -> None` - Creates default role rules
- `createTableSpecificRules(db: DatabaseConnector) -> None` - Creates table-specific rules from UAM logic
- `assignInitialUserRoles(db: DatabaseConnector, adminUserId: str, eventUserId: str) -> None` - Assigns roles to initial users
**Bootstrap Data Configuration**:
- **Root Mandate**: name="Root", language="en", enabled=True
- **Admin User**: username="admin", email="admin@example.com", fullName="Administrator", roleLabels=["sysadmin"]
- **Event User**: username="event", email="event@example.com", fullName="Event", roleLabels=["sysadmin"]
- **Roles**: sysadmin, admin, user, viewer
**RBAC Rules to Create** (converted from `interfaceDbAppAccess.py` logic):
1. **Generic Role Rules** (context: DATA, item: null):
- **sysadmin**: view=true, read="a", create="a", update="a", delete="a"
- **admin**: view=true, read="g", create="g", update="g", delete="n"
- **user**: view=true, read="m", create="m", update="m", delete="m"
- **viewer**: view=true, read="g", create="n", update="n", delete="n"
2. **Table-Specific Rules** (context: DATA, item: `<table>`):
- **Mandate**:
- sysadmin: view=true, read="a", create="a", update="a", delete="a"
- admin/user/viewer: view=false (no access)
- **UserInDB**:
- sysadmin: view=true, read="a", create="a", update="a", delete="a"
- admin: view=true, read="g", create="g", update="g", delete="g" (mandate scope)
- user/viewer: view=true, read="m", create="n", update="m", delete="n" (own records only)
- **UserConnection**:
- sysadmin: view=true, read="a", create="a", update="a", delete="a"
- admin: view=true, read="g", create="g", update="g", delete="g" (users in mandate)
- user/viewer: view=true, read="m", create="m", update="m", delete="m" (own connections)
- **DataNeutraliserConfig**:
- sysadmin: view=true, read="a", create="a", update="a", delete="a"
- admin: view=true, read="g", create="g", update="g", delete="g" (mandate scope)
- user/viewer: view=true, read="m", create="m", update="m", delete="m" (own configs)
- **DataNeutralizerAttributes**:
- sysadmin: view=true, read="a", create="a", update="a", delete="a"
- admin: view=true, read="g", create="g", update="g", delete="g" (mandate scope)
- user/viewer: view=true, read="m", create="m", update="m", delete="m" (own attributes)
- **AuthEvent**:
- sysadmin/admin: view=true, read="a", create="n", update="n", delete="a"
- user/viewer: view=true, read="m", create="n", update="n", delete="n" (own events only)
- **Default Tables** (all other tables):
- sysadmin: view=true, read="a", create="a", update="a", delete="a"
- admin: view=true, read="g", create="g", update="g", delete="g" (mandate scope)
- user/viewer: view=true, read="m", create="m", update="m", delete="m" (own records)
3. **UI Context Rules** (context: UI):
- Generic UI access for all roles (to be defined based on requirements)
- Component-specific rules as needed
4. **RESOURCE Context Rules** (context: RESOURCE):
- AI model access rules (to be defined based on requirements)
- Action access rules (to be defined based on requirements)
**Integration with AppObjects Interface**:
**File**: `gateway/modules/interfaces/interfaceDbAppObjects.py`
**Replace `_initRecords()` method**:
```python
def _initRecords(self):
"""Initialize standard records if they don't exist."""
from modules.interfaces.interfaceBootstrap import initBootstrap
initBootstrap(self.db)
```
**Remove Methods** (moved to `interfaceBootstrap.py`):
- `_initRootMandate()``interfaceBootstrap.initRootMandate()`
- `_initAdminUser()``interfaceBootstrap.initAdminUser()`
- `_initEventUser()``interfaceBootstrap.initEventUser()`
**Status**: 📝 To be implemented
#### 3.2 UAM Logic to RBAC Rules Conversion
**Source Files to Analyze**:
- `gateway/modules/interfaces/interfaceDbAppAccess.py`
- `gateway/modules/interfaces/interfaceDbChatAccess.py`
- `gateway/modules/interfaces/interfaceDbComponentAccess.py`
**Conversion Mapping**:
| UAM Logic (interfaceDbAppAccess.py) | RBAC Rule (context: DATA) |
|-------------------------------------|---------------------------|
| `table_name == "Mandate"` + `privilege == SYSADMIN` | `roleLabel="sysadmin"`, `item="Mandate"`, `view=true`, `read="a"`, `create="a"`, `update="a"`, `delete="a"` |
| `table_name == "UserInDB"` + `privilege == SYSADMIN` | `roleLabel="sysadmin"`, `item="UserInDB"`, `view=true`, `read="a"`, `create="a"`, `update="a"`, `delete="a"` |
| `table_name == "UserInDB"` + `privilege == ADMIN` | `roleLabel="admin"`, `item="UserInDB"`, `view=true`, `read="g"`, `create="g"`, `update="g"`, `delete="g"` |
| `table_name == "UserInDB"` + `privilege == USER` | `roleLabel="user"`, `item="UserInDB"`, `view=true`, `read="m"`, `create="n"`, `update="m"`, `delete="n"` |
| `table_name == "UserConnection"` + `privilege == SYSADMIN` | `roleLabel="sysadmin"`, `item="UserConnection"`, `view=true`, `read="a"`, `create="a"`, `update="a"`, `delete="a"` |
| `table_name == "UserConnection"` + `privilege == ADMIN` | `roleLabel="admin"`, `item="UserConnection"`, `view=true`, `read="g"`, `create="g"`, `update="g"`, `delete="g"` |
| `table_name == "UserConnection"` + `privilege == USER` | `roleLabel="user"`, `item="UserConnection"`, `view=true`, `read="m"`, `create="m"`, `update="m"`, `delete="m"` |
| `table_name == "DataNeutraliserConfig"` + `privilege == SYSADMIN` | `roleLabel="sysadmin"`, `item="DataNeutraliserConfig"`, `view=true`, `read="a"`, `create="a"`, `update="a"`, `delete="a"` |
| `table_name == "DataNeutraliserConfig"` + `privilege == ADMIN` | `roleLabel="admin"`, `item="DataNeutraliserConfig"`, `view=true`, `read="g"`, `create="g"`, `update="g"`, `delete="g"` |
| `table_name == "DataNeutraliserConfig"` + `privilege == USER` | `roleLabel="user"`, `item="DataNeutraliserConfig"`, `view=true`, `read="m"`, `create="m"`, `update="m"`, `delete="m"` |
| `table_name == "DataNeutralizerAttributes"` + `privilege == SYSADMIN` | `roleLabel="sysadmin"`, `item="DataNeutralizerAttributes"`, `view=true`, `read="a"`, `create="a"`, `update="a"`, `delete="a"` |
| `table_name == "DataNeutralizerAttributes"` + `privilege == ADMIN` | `roleLabel="admin"`, `item="DataNeutralizerAttributes"`, `view=true`, `read="g"`, `create="g"`, `update="g"`, `delete="g"` |
| `table_name == "DataNeutralizerAttributes"` + `privilege == USER` | `roleLabel="user"`, `item="DataNeutralizerAttributes"`, `view=true`, `read="m"`, `create="m"`, `update="m"`, `delete="m"` |
| `table_name == "AuthEvent"` + `privilege in [SYSADMIN, ADMIN]` | `roleLabel="sysadmin"`/`"admin"`, `item="AuthEvent"`, `view=true`, `read="a"`, `create="n"`, `update="n"`, `delete="a"` |
| `table_name == "AuthEvent"` + `privilege == USER` | `roleLabel="user"`, `item="AuthEvent"`, `view=true`, `read="m"`, `create="n"`, `update="n"`, `delete="n"` |
| Default tables + `privilege == SYSADMIN` | `roleLabel="sysadmin"`, `item=null`, `view=true`, `read="a"`, `create="a"`, `update="a"`, `delete="a"` |
| Default tables + `privilege == ADMIN` | `roleLabel="admin"`, `item=null`, `view=true`, `read="g"`, `create="g"`, `update="g"`, `delete="g"` |
| Default tables + `privilege == USER` | `roleLabel="user"`, `item=null`, `view=true`, `read="m"`, `create="m"`, `update="m"`, `delete="m"` |
**Implementation Steps**:
1. Read `interfaceDbAppAccess.py` and extract all `uam()` logic
2. Read `interfaceDbChatAccess.py` and extract all `uam()` logic
3. Read `interfaceDbComponentAccess.py` and extract all `uam()` logic
4. Map each permission check to RBAC rule format
5. Create `AccessRule` entries in `interfaceBootstrap.createTableSpecificRules()`
6. Test that RBAC rules produce same results as UAM logic
**Status**: 📝 To be implemented
---
### Phase 4: Database Connector RBAC Support
#### 4.1 Extend Database Connector
**File**: `gateway/modules/connectors/connectorDbPostgre.py`
**New Methods**:
- `getRecordsetWithRBAC(modelClass: Type[BaseModel], currentUser: User, recordFilter: Dict = None, orderBy: str = None, limit: int = None) -> List[Dict]`
- `buildRbacWhereClause(accessRules: List[AccessRule], currentUser: User) -> str`
- `executeQueryWithRbac(...) -> List[Dict]`
**SQL Query Enhancement**:
- Modify SQL generation to include RBAC WHERE clauses
- Support multiple roles with UNION logic
- Optimize queries with proper indexes
**Status**: 📝 To be implemented
---
### Phase 5: Migration from UAM to RBAC
#### 5.1 Create Migration Script
**File**: `gateway/modules/migration/migrateUamToRbac.py`
**Migration Steps**:
1. **Schema Migration**:
- Create `AccessRule` table
- Add `roleLabels` column to `User` table
- Create indexes
2. **Data Migration**:
- Convert `User.privilege``User.roleLabels`:
- `UserPrivilege.SYSADMIN``["sysadmin"]`
- `UserPrivilege.ADMIN``["admin"]`
- `UserPrivilege.USER``["user"]`
- Create default access rules based on current UAM logic
- Map existing table-specific permissions to RBAC rules
3. **Validation**:
- Verify all users have roleLabels assigned
- Verify access rules match current UAM behavior
- Test permission resolution
**Status**: 📝 To be implemented
#### 5.2 Update Interface Methods
**Files to Update**:
- `gateway/modules/interfaces/interfaceDbAppObjects.py`
- `gateway/modules/interfaces/interfaceDbChatObjects.py`
- `gateway/modules/interfaces/interfaceDbComponentObjects.py`
**Changes**:
- Replace `_uam()` calls with `getRecordsetWithRBAC()`
- Replace `_canModify()` checks with RBAC permission checks
- Update all `getRecordset()` calls to use RBAC filtering
**Status**: 📝 To be implemented
---
### Phase 6: UI and Resource Access Control
#### 6.1 UI Access Control Integration
**Files**: Frontend integration (out of scope for backend)
**Backend Support**:
- Ensure `getUserPermissions()` works for UI context
- Create API endpoint: `GET /api/rbac/permissions?context=UI&item=playground.voice.settings`
- Return `UserPermissions` model with `view` attribute
**Status**: 📝 To be implemented
#### 6.2 Resource Access Control Integration
**Files**: Feature modules that use resources
**Integration Points**:
- AI model selection: Check `getUserPermissions(context=RESOURCE, item="ai.model.anthropic")`
- Action execution: Check permissions before allowing action execution
- Create helper functions in feature modules
**Status**: 📝 To be implemented
---
### Phase 7: Testing and Validation
#### 7.1 Unit Tests
**Files**: `gateway/tests/unit/rbac/`
**Test Cases**:
- Permission resolution (single role, multiple roles)
- Rule specificity (generic vs specific)
- Opening rights principle
- System field protection
- Bootstrap initialization
**Status**: 📝 To be implemented
#### 7.2 Integration Tests
**Files**: `gateway/tests/integration/rbac/`
**Test Cases**:
- Database queries with RBAC filtering
- User CRUD operations with RBAC
- Multi-role permission combination
- Migration from UAM to RBAC
**Status**: 📝 To be implemented
#### 7.3 Performance Tests
**Test Cases**:
- Query performance with RBAC (compare to current UAM)
- Memory usage reduction
- Database load reduction
**Status**: 📝 To be implemented
---
## Module Adaptation Summary
### Modules to Create
1. **`gateway/modules/datamodels/datamodelRbac.py`**
- `AccessRule` model
- `AccessRuleContext` enum
- Model label registration
2. **`gateway/modules/interfaces/interfaceRbac.py`**
- RBAC core logic
- Permission resolution functions
- Rule validation functions
3. **`gateway/modules/interfaces/interfaceBootstrap.py`** ⭐ **NEW**
- Centralized bootstrap interface
- All initialization logic (mandate, users, RBAC rules)
- Bootstrap data configuration (roles, user names, mandate profiles)
- RBAC rules converted from UAM logic (`interfaceDbAppAccess.py`, `interfaceDbChatAccess.py`, `interfaceDbComponentAccess.py`)
4. **`gateway/modules/migration/migrateUamToRbac.py`**
- Migration script
- Data transformation logic
- Validation functions
### Modules to Adapt
1. **`gateway/modules/datamodels/datamodelUam.py`** ⚠️ **KEEP - Still Needed**
- ✅ Add `AccessLevel` enum (already done)
- ✅ Add `UserPermissions` model (already done)
- 📝 Add `roleLabels: List[str]` to `User` model
- 📝 Update `frontend_options` to use string references
- ⚠️ **Keep**: `User`, `Mandate`, `UserConnection` models (core data structures)
- ⚠️ **Deprecate**: `UserPrivilege` enum (replaced by `roleLabels` with RBAC)
2. **`gateway/modules/interfaces/interfaceDbAppObjects.py`**
- 📝 Add RBAC CRUD methods
- 📝 Replace `_initRecords()` to call `interfaceBootstrap.initBootstrap()`
- 📝 Remove `_initRootMandate()`, `_initAdminUser()`, `_initEventUser()` (moved to `interfaceBootstrap.py`)
- 📝 Replace `_uam()` with RBAC-based filtering (Phase 5)
- 📝 Remove `self.access` initialization (no longer needed after RBAC migration)
3. **`gateway/modules/connectors/connectorDbPostgre.py`**
- 📝 Add `getRecordsetWithRBAC()` method
- 📝 Add `buildRbacWhereClause()` method
- 📝 Add `executeQueryWithRbac()` method
- 📝 Enhance SQL generation for RBAC
4. **`gateway/modules/interfaces/interfaceDbChatObjects.py`**
- 📝 Replace `_uam()` calls with RBAC filtering
- 📝 Update permission checks to use RBAC
5. **`gateway/modules/interfaces/interfaceDbComponentObjects.py`**
- 📝 Replace `_uam()` calls with RBAC filtering
- 📝 Update permission checks to use RBAC
6. **`gateway/modules/features/options/mainOptions.py`** (if created)
- 📝 Ensure `getOptions()` function exists for dynamic options
### Modules to Remove (After Refactoring)
1. **`gateway/modules/interfaces/interfaceDbAppAccess.py`** ❌ **REMOVE after Phase 5**
- ⚠️ **Convert all UAM logic to RBAC rules in `interfaceBootstrap.py`**
- Current UAM logic (`uam()`, `canModify()`) converted to AccessRule entries
- **Action**: Extract all permission logic from `uam()` and `canModify()` methods
- **Action**: Convert to RBAC rules in `interfaceBootstrap.createTableSpecificRules()`
- Remove after all interfaces migrated to RBAC and rules validated
2. **`gateway/modules/interfaces/interfaceDbChatAccess.py`** ❌ **REMOVE after Phase 5**
- ⚠️ **Convert all UAM logic to RBAC rules in `interfaceBootstrap.py`**
- Similar to `interfaceDbAppAccess.py`
- Extract permission logic and convert to RBAC rules
- Remove after migration complete
3. **`gateway/modules/interfaces/interfaceDbComponentAccess.py`** ❌ **REMOVE after Phase 5**
- ⚠️ **Convert all UAM logic to RBAC rules in `interfaceBootstrap.py`**
- Similar to `interfaceDbAppAccess.py`
- Extract permission logic and convert to RBAC rules
- Remove after migration complete
**Migration Strategy for Access Modules**:
1. **Phase 3**: Analyze all `interface*Access.py` modules
2. **Phase 3**: Extract permission logic from `uam()` and `canModify()` methods
3. **Phase 3**: Convert to RBAC rules in `interfaceBootstrap.createTableSpecificRules()`
4. **Phase 5**: Replace all `_uam()` calls with RBAC filtering
5. **Phase 5**: Remove `self.access` initialization from interfaces
6. **Phase 9-10**: Delete `interface*Access.py` modules after validation
**Note**: Keep these modules during migration for backward compatibility. Remove only after:
- All UAM logic converted to RBAC rules in bootstrap
- All interfaces use RBAC
- All tests pass
- Migration validation complete
- No references to old UAM methods remain
### Database Schema Changes
1. **New Table**: `AccessRule`
2. **Modified Table**: `User` (add `roleLabels` column)
3. **New Indexes**: Performance optimization for RBAC queries
---
## Implementation Timeline
### Week 1-2: Foundation
- ✅ Create `datamodelRbac.py` with `AccessRule` model
- ✅ Create `interfaceRbac.py` with core RBAC logic
- ✅ Create `interfaceBootstrap.py` with centralized bootstrap logic
- ✅ Extract bootstrap logic from `interfaceDbAppObjects.py` to `interfaceBootstrap.py`
- ✅ Analyze `interface*Access.py` modules and extract UAM logic
- ✅ Convert UAM logic to RBAC rules in `interfaceBootstrap.py`
- ✅ Update `datamodelUam.py` with `roleLabels` field
- ✅ Integrate `interfaceBootstrap.initBootstrap()` into `interfaceDbAppObjects.py`
### Week 3-4: Database Integration
- 📝 Extend database connector with RBAC support
- 📝 Create migration script
- 📝 Test database schema changes
- 📝 Validate bootstrap initialization
### Week 5-6: Interface Migration
- 📝 Add RBAC CRUD methods to `interfaceDbAppObjects.py`
- 📝 Update `interfaceDbChatObjects.py` to use RBAC
- 📝 Update `interfaceDbComponentObjects.py` to use RBAC
- 📝 Replace `_uam()` calls with RBAC filtering
### Week 7-8: Testing & Optimization
- 📝 Write unit tests
- 📝 Write integration tests
- 📝 Performance testing
- 📝 Query optimization
- 📝 Documentation updates
### Week 9-10: Cleanup & Deprecation
- 📝 Remove `interfaceDbAppAccess.py` (UAM logic converted to RBAC rules)
- 📝 Remove `interfaceDbChatAccess.py` (UAM logic converted to RBAC rules)
- 📝 Remove `interfaceDbComponentAccess.py` (UAM logic converted to RBAC rules)
- 📝 Deprecate `UserPrivilege` enum in `datamodelUam.py` (keep for backward compatibility, mark as deprecated)
- 📝 Final validation
- 📝 Production deployment
---
## Risk Mitigation
### Backward Compatibility
- Keep `UserPrivilege` enum during migration
- Maintain `_uam()` method alongside RBAC during transition
- Gradual migration allows rollback if needed
### Data Integrity
- Migration script with validation
- Backup before migration
- Test migration on staging environment first
### Performance
- Index optimization for RBAC queries
- Query performance testing before production
- Monitor database load after deployment
---
## Success Criteria
1. ✅ All users have `roleLabels` assigned
2. ✅ All access rules created and validated
3. ✅ RBAC filtering works for all data operations
4. ✅ Performance meets or exceeds current UAM system
5. ✅ All tests pass
6. ✅ No deprecated UAM code remains
7. ✅ Documentation updated
---
## Notes
- Follow camelCase naming convention for all functions and variables
- Internal functions use `_` prefix
- Use Pydantic models for type safety
- Maintain existing error handling patterns
- Follow existing logging patterns
## Important Clarifications
### `datamodelUam.py` Status
- ✅ **KEEP**: Core data models (`User`, `Mandate`, `UserConnection`) are still needed
- ✅ **KEEP**: `AccessLevel` enum (used by RBAC)
- ✅ **KEEP**: `UserPermissions` model (used by RBAC)
- ⚠️ **DEPRECATE**: `UserPrivilege` enum (replaced by `roleLabels` with RBAC rules)
- 📝 **ADD**: `roleLabels: List[str]` field to `User` model
### `interface*Access.py` Modules Status
- ❌ **REMOVE**: All `interface*Access.py` modules after migration
- ⚠️ **CONVERT**: All UAM logic from these modules to RBAC rules in `interfaceBootstrap.py`
- 📝 **ACTION**: Extract permission logic from `uam()` and `canModify()` methods
- 📝 **ACTION**: Create corresponding `AccessRule` entries in bootstrap
### Bootstrap Strategy
- ⭐ **CENTRALIZE**: All bootstrap logic in `interfaceBootstrap.py`
- 📝 **INCLUDE**: Mandate creation, user creation, RBAC rule initialization
- 📝 **INCLUDE**: All bootstrap data (roles, user names, mandate profiles)
- 📝 **INCLUDE**: RBAC rules converted from UAM logic