RBAC Implementation Plan
Overview
This document outlines the implementation plan for migrating from the current User Access Management (UAM) system to the new Role-Based Access Control (RBAC) system as specified in doc_security_role_based_access.md.
Implementation Phases
Phase 1: Database Schema and Data Models
1.1 Create RBAC Data Models
File: gateway/modules/datamodels/datamodelRbac.py
New Models:
- AccessRuleContext(Enum): DATA, UI, RESOURCE
- AccessRule(BaseModel): Complete RBAC rule model with context, item, view, read, create, update, delete
- AccessLevel(Enum): Already exists in datamodelUam.py - verify and ensure consistency
Dependencies:
- Import from datamodelUam.py: AccessLevel, User
- Use ModelMixin pattern from existing models
- Register model labels using registerModelLabels()
Status: ✅ AccessLevel already exists in datamodelUam.py
Action: Create datamodelRbac.py with AccessRule and AccessRuleContext
1.2 Update User Model
File: gateway/modules/datamodels/datamodelUam.py
Changes:
- Replace privilege: UserPrivilege with roleLabels: List[str]
- Update frontend_options to use "user.role" string reference
- Keep UserPrivilege enum for backward compatibility during migration
Migration Strategy:
- Add roleLabels field alongside privilege during transition
- Migration script will populate roleLabels from privilege
- After migration, privilege can be deprecated
Status: ⚠️ Partial - AccessLevel exists, roleLabels needs to be added
1.3 Database Schema Migration
File: Database migration script (to be created)
Schema Changes:
- Create AccessRule table:
  - id (UUID, primary key)
  - roleLabel (string, indexed)
  - context (enum: DATA, UI, RESOURCE, indexed)
  - item (string, nullable, indexed)
  - view (boolean)
  - read (AccessLevel enum, nullable)
  - create (AccessLevel enum, nullable)
  - update (AccessLevel enum, nullable)
  - delete (AccessLevel enum, nullable)
  - Standard fields: _createdAt, _createdBy, _updatedAt, _updatedBy
- Update User table:
  - Add roleLabels column (array of strings)
  - Keep privilege column for backward compatibility
- Create indexes:
  - AccessRule(roleLabel, context, item) - composite index for rule lookups
  - AccessRule(context, item) - for context/item queries
Status: 📝 To be implemented
Phase 2: RBAC Interface and Core Logic
2.1 Create RBAC Interface
File: gateway/modules/interfaces/interfaceRbac.py
Purpose: Centralized RBAC logic and permission resolution
Key Functions:
- getUserPermissions(user: User, context: AccessRuleContext, item: str) -> UserPermissions
- findMostSpecificRule(rules: List[AccessRule], item: str) -> Optional[AccessRule]
- validateAccessRule(rule: AccessRule) -> bool
- _isMorePermissive(level1: AccessLevel, level2: AccessLevel) -> bool
Dependencies:
- datamodelRbac.py: AccessRule, AccessRuleContext
- datamodelUam.py: User, UserPermissions, AccessLevel
- connectorDbPostgre.py: Database connector for rule queries
References Check: ✅
- Can import from datamodelUam.py and datamodelRbac.py
- Can use database connector from interfaceDbAppObjects.py pattern
- Follows same pattern as interfaceDbAppAccess.py
Status: 📝 To be implemented
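A sketch of how the resolution functions listed above could fit together, added here as an illustration and not taken from the project's code. It assumes the level ordering n < m < g < a, that the most specific rule per role is the exact or longest dot-prefix item match, that view=false means the role grants nothing, and that rights from several roles combine to the most permissive level; `Rule` is a hypothetical stand-in for AccessRule, and `getUserPermissions` takes the role list and rule list directly instead of a User.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed ordering of the AccessLevel values, least to most permissive:
# n = none, m = own records, g = mandate scope, a = all records.
LEVEL_RANK = {"n": 0, "m": 1, "g": 2, "a": 3}
ACTIONS = ("read", "create", "update", "delete")


@dataclass(frozen=True)
class Rule:
    """Stand-in for the planned AccessRule model (same field names)."""
    roleLabel: str
    context: str
    item: Optional[str]
    view: bool
    read: Optional[str] = None
    create: Optional[str] = None
    update: Optional[str] = None
    delete: Optional[str] = None


def _isMorePermissive(level1: str, level2: str) -> bool:
    return LEVEL_RANK[level1] > LEVEL_RANK[level2]


def findMostSpecificRule(rules: List[Rule], item: str) -> Optional[Rule]:
    """Longest matching item wins; item=None is the generic fallback."""
    best, bestScore = None, -1
    for rule in rules:
        if rule.item is None:
            score = 0
        elif item == rule.item or item.startswith(rule.item + "."):
            score = len(rule.item) + 1
        else:
            continue
        if score > bestScore:
            best, bestScore = rule, score
    return best


def getUserPermissions(roleLabels: List[str], context: str, item: str,
                       allRules: List[Rule]) -> Dict[str, object]:
    """Per role, only the most specific rule counts; across roles, rights add up."""
    result: Dict[str, object] = {"view": False, **{a: "n" for a in ACTIONS}}
    for role in roleLabels:
        candidates = [r for r in allRules
                      if r.roleLabel == role and r.context == context]
        rule = findMostSpecificRule(candidates, item)
        if rule is None or not rule.view:
            continue  # no rule, or view=false: this role grants nothing
        result["view"] = True
        for action in ACTIONS:
            level = getattr(rule, action) or "n"  # NULL column treated as none
            if _isMorePermissive(level, result[action]):
                result[action] = level
    return result


# Values copied from the generic and Mandate rules in section 3.1 of this plan.
RULES = [
    Rule("sysadmin", "DATA", None, True, "a", "a", "a", "a"),
    Rule("admin", "DATA", None, True, "g", "g", "g", "n"),
    Rule("viewer", "DATA", None, True, "g", "n", "n", "n"),
    Rule("sysadmin", "DATA", "Mandate", True, "a", "a", "a", "a"),
    Rule("admin", "DATA", "Mandate", False),
    Rule("viewer", "DATA", "Mandate", False),
]
```

The result starts from deny, so a role with no matching rule, or a context with no rules at all, yields no access. The Mandate rule for admin shows why specificity has to be resolved per role before roles are combined: otherwise the generic admin rule would reopen a table the specific rule closes.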
2.2 Integrate RBAC CRUD into AppObjects Interface
File: gateway/modules/interfaces/interfaceDbAppObjects.py
New Methods (camelCase):
- createAccessRule(accessRule: AccessRule) -> AccessRule
- getAccessRule(ruleId: str) -> Optional[AccessRule]
- updateAccessRule(ruleId: str, accessRule: AccessRule) -> AccessRule
- deleteAccessRule(ruleId: str) -> bool
- getAccessRules(roleLabel: Optional[str] = None, context: Optional[AccessRuleContext] = None, item: Optional[str] = None) -> List[AccessRule]
- getAccessRulesForRoles(roleLabels: List[str], context: AccessRuleContext, item: str) -> List[AccessRule]
Integration Points:
- Use existing self.db.recordCreate(), self.db.recordUpdate(), self.db.recordDelete(), self.db.getRecordset() methods
- Follow same pattern as existing CRUD methods (e.g., createUser(), updateUser())
- Add RBAC permission checks using interfaceRbac.getUserPermissions()
References Check: ✅
- Can use self.db database connector (already initialized)
- Can import AccessRule from datamodelRbac.py
- Follows existing interface pattern
Status: 📝 To be implemented
Phase 3: Database Bootstrap and Initialization
3.1 Create Centralized Bootstrap Interface
File: gateway/modules/interfaces/interfaceBootstrap.py
Purpose: Centralized bootstrap module containing all initialization logic, specific data (roles, user names, mandate profiles), and RBAC rules converted from existing UAM logic.
Key Functions:
- initBootstrap(db: DatabaseConnector) -> None - Main bootstrap entry point
- initRootMandate(db: DatabaseConnector) -> str - Creates root mandate, returns mandateId
- initAdminUser(db: DatabaseConnector, mandateId: str) -> str - Creates admin user, returns userId
- initEventUser(db: DatabaseConnector, mandateId: str) -> str - Creates event user, returns userId
- initRbacRules(db: DatabaseConnector) -> None - Creates all RBAC rules from UAM logic
- createDefaultRoleRules(db: DatabaseConnector) -> None - Creates default role rules
- createTableSpecificRules(db: DatabaseConnector) -> None - Creates table-specific rules from UAM logic
- assignInitialUserRoles(db: DatabaseConnector, adminUserId: str, eventUserId: str) -> None - Assigns roles to initial users
Bootstrap Data Configuration:
- Root Mandate: name="Root", language="en", enabled=True
- Admin User: username="admin", email="admin@example.com", fullName="Administrator", roleLabels=["sysadmin"]
- Event User: username="event", email="event@example.com", fullName="Event", roleLabels=["sysadmin"]
- Roles: sysadmin, admin, user, viewer
RBAC Rules to Create (converted from interfaceDbAppAccess.py logic):
- Generic Role Rules (context: DATA, item: null):
  - sysadmin: view=true, read="a", create="a", update="a", delete="a"
  - admin: view=true, read="g", create="g", update="g", delete="n"
  - user: view=true, read="m", create="m", update="m", delete="m"
  - viewer: view=true, read="g", create="n", update="n", delete="n"
- Table-Specific Rules (context: DATA, item: <table>):
  - Mandate:
    - sysadmin: view=true, read="a", create="a", update="a", delete="a"
    - admin/user/viewer: view=false (no access)
  - UserInDB:
    - sysadmin: view=true, read="a", create="a", update="a", delete="a"
    - admin: view=true, read="g", create="g", update="g", delete="g" (mandate scope)
    - user/viewer: view=true, read="m", create="n", update="m", delete="n" (own records only)
  - UserConnection:
    - sysadmin: view=true, read="a", create="a", update="a", delete="a"
    - admin: view=true, read="g", create="g", update="g", delete="g" (users in mandate)
    - user/viewer: view=true, read="m", create="m", update="m", delete="m" (own connections)
  - DataNeutraliserConfig:
    - sysadmin: view=true, read="a", create="a", update="a", delete="a"
    - admin: view=true, read="g", create="g", update="g", delete="g" (mandate scope)
    - user/viewer: view=true, read="m", create="m", update="m", delete="m" (own configs)
  - DataNeutralizerAttributes:
    - sysadmin: view=true, read="a", create="a", update="a", delete="a"
    - admin: view=true, read="g", create="g", update="g", delete="g" (mandate scope)
    - user/viewer: view=true, read="m", create="m", update="m", delete="m" (own attributes)
  - AuthEvent:
    - sysadmin/admin: view=true, read="a", create="n", update="n", delete="a"
    - user/viewer: view=true, read="m", create="n", update="n", delete="n" (own events only)
  - Default Tables (all other tables):
    - sysadmin: view=true, read="a", create="a", update="a", delete="a"
    - admin: view=true, read="g", create="g", update="g", delete="g" (mandate scope)
    - user/viewer: view=true, read="m", create="m", update="m", delete="m" (own records)
- UI Context Rules (context: UI):
  - Generic UI access for all roles (to be defined based on requirements)
  - Component-specific rules as needed
- RESOURCE Context Rules (context: RESOURCE):
  - AI model access rules (to be defined based on requirements)
  - Action access rules (to be defined based on requirements)
Integration with AppObjects Interface:
File: gateway/modules/interfaces/interfaceDbAppObjects.py
Replace _initRecords() method:
```python
def _initRecords(self):
    """Initialize standard records if they don't exist."""
    from modules.interfaces.interfaceBootstrap import initBootstrap
    initBootstrap(self.db)
```
Remove Methods (moved to interfaceBootstrap.py):
- _initRootMandate() → interfaceBootstrap.initRootMandate()
- _initAdminUser() → interfaceBootstrap.initAdminUser()
- _initEventUser() → interfaceBootstrap.initEventUser()
Status: 📝 To be implemented
3.2 UAM Logic to RBAC Rules Conversion
Source Files to Analyze:
- gateway/modules/interfaces/interfaceDbAppAccess.py
- gateway/modules/interfaces/interfaceDbChatAccess.py
- gateway/modules/interfaces/interfaceDbComponentAccess.py
Conversion Mapping:
| UAM Logic (interfaceDbAppAccess.py) | RBAC Rule (context: DATA) |
|---|---|
| table_name == "Mandate" + privilege == SYSADMIN | roleLabel="sysadmin", item="Mandate", view=true, read="a", create="a", update="a", delete="a" |
| table_name == "UserInDB" + privilege == SYSADMIN | roleLabel="sysadmin", item="UserInDB", view=true, read="a", create="a", update="a", delete="a" |
| table_name == "UserInDB" + privilege == ADMIN | roleLabel="admin", item="UserInDB", view=true, read="g", create="g", update="g", delete="g" |
| table_name == "UserInDB" + privilege == USER | roleLabel="user", item="UserInDB", view=true, read="m", create="n", update="m", delete="n" |
| table_name == "UserConnection" + privilege == SYSADMIN | roleLabel="sysadmin", item="UserConnection", view=true, read="a", create="a", update="a", delete="a" |
| table_name == "UserConnection" + privilege == ADMIN | roleLabel="admin", item="UserConnection", view=true, read="g", create="g", update="g", delete="g" |
| table_name == "UserConnection" + privilege == USER | roleLabel="user", item="UserConnection", view=true, read="m", create="m", update="m", delete="m" |
| table_name == "DataNeutraliserConfig" + privilege == SYSADMIN | roleLabel="sysadmin", item="DataNeutraliserConfig", view=true, read="a", create="a", update="a", delete="a" |
| table_name == "DataNeutraliserConfig" + privilege == ADMIN | roleLabel="admin", item="DataNeutraliserConfig", view=true, read="g", create="g", update="g", delete="g" |
| table_name == "DataNeutraliserConfig" + privilege == USER | roleLabel="user", item="DataNeutraliserConfig", view=true, read="m", create="m", update="m", delete="m" |
| table_name == "DataNeutralizerAttributes" + privilege == SYSADMIN | roleLabel="sysadmin", item="DataNeutralizerAttributes", view=true, read="a", create="a", update="a", delete="a" |
| table_name == "DataNeutralizerAttributes" + privilege == ADMIN | roleLabel="admin", item="DataNeutralizerAttributes", view=true, read="g", create="g", update="g", delete="g" |
| table_name == "DataNeutralizerAttributes" + privilege == USER | roleLabel="user", item="DataNeutralizerAttributes", view=true, read="m", create="m", update="m", delete="m" |
| table_name == "AuthEvent" + privilege in [SYSADMIN, ADMIN] | roleLabel="sysadmin"/"admin", item="AuthEvent", view=true, read="a", create="n", update="n", delete="a" |
| table_name == "AuthEvent" + privilege == USER | roleLabel="user", item="AuthEvent", view=true, read="m", create="n", update="n", delete="n" |
| Default tables + privilege == SYSADMIN | roleLabel="sysadmin", item=null, view=true, read="a", create="a", update="a", delete="a" |
| Default tables + privilege == ADMIN | roleLabel="admin", item=null, view=true, read="g", create="g", update="g", delete="g" |
| Default tables + privilege == USER | roleLabel="user", item=null, view=true, read="m", create="m", update="m", delete="m" |
Implementation Steps:
- Read interfaceDbAppAccess.py and extract all uam() logic
- Read interfaceDbChatAccess.py and extract all uam() logic
- Read interfaceDbComponentAccess.py and extract all uam() logic
- Map each permission check to RBAC rule format
- Create AccessRule entries in interfaceBootstrap.createTableSpecificRules()
- Test that RBAC rules produce same results as UAM logic
Status: 📝 To be implemented
Phase 4: Database Connector RBAC Support
4.1 Extend Database Connector
File: gateway/modules/connectors/connectorDbPostgre.py
New Methods:
- getRecordsetWithRBAC(modelClass: Type[BaseModel], currentUser: User, recordFilter: Dict = None, orderBy: str = None, limit: int = None) -> List[Dict]
- buildRbacWhereClause(accessRules: List[AccessRule], currentUser: User) -> str
- executeQueryWithRbac(...) -> List[Dict]
SQL Query Enhancement:
- Modify SQL generation to include RBAC WHERE clauses
- Support multiple roles with UNION logic
- Optimize queries with proper indexes
Status: 📝 To be implemented
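One way the RBAC WHERE clause could be generated, added here as an example and not the project's connector code. It departs from the planned signature by taking already-resolved read levels and returning the bind parameters alongside the SQL; the `mandateId` column, the `%s` placeholder style of the PostgreSQL driver, and the reading of "UNION logic" as OR-ing the clauses of several roles are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_LEVELS = {"a", "g", "m", "n"}


def buildRbacWhereClause(readLevels: List[str], userId: str,
                         mandateId: str) -> Tuple[str, list]:
    """Return (sqlFragment, params) for the read levels the user's roles grant.

    Levels from several roles are OR-ed. Values travel as bind parameters
    and are never formatted into the SQL text.
    """
    unknown = set(readLevels) - _LEVELS
    if unknown:
        raise ValueError(f"unknown access level(s): {sorted(unknown)}")
    if "a" in readLevels:
        return "TRUE", []
    clauses, params = [], []
    if "g" in readLevels:
        clauses.append('"mandateId" = %s')   # assumed mandate column
        params.append(mandateId)
    if "m" in readLevels:
        clauses.append('"_createdBy" = %s')  # standard field from the schema
        params.append(userId)
    if not clauses:
        return "FALSE", []  # only "n", or no level at all: return no rows
    return "(" + " OR ".join(clauses) + ")", params


def buildRbacSelect(table: str, readLevels: List[str], userId: str,
                    mandateId: str,
                    recordFilter: Optional[Dict[str, object]] = None
                    ) -> Tuple[str, list]:
    """AND the caller's filter onto the RBAC clause so it can only narrow it."""
    if not _IDENT.fullmatch(table):
        raise ValueError("invalid table name")
    rbacSql, params = buildRbacWhereClause(readLevels, userId, mandateId)
    conditions = [rbacSql]
    for column, value in (recordFilter or {}).items():
        # Identifiers cannot be bound as parameters, so validate them.
        if not _IDENT.fullmatch(column):
            raise ValueError("invalid column name")
        conditions.append(f'"{column}" = %s')
        params.append(value)
    sql = f'SELECT * FROM "{table}" WHERE ' + " AND ".join(conditions)
    return sql, params
```

The RBAC fragment is parenthesised and placed first, and an empty or all-"n" level list produces `FALSE`, so a missing rule fails closed at the query level as well as in the permission check.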
Phase 5: Migration from UAM to RBAC
5.1 Create Migration Script
File: gateway/modules/migration/migrateUamToRbac.py
Migration Steps:
- Schema Migration:
  - Create AccessRule table
  - Add roleLabels column to User table
  - Create indexes
- Data Migration:
  - Convert User.privilege → User.roleLabels:
    - UserPrivilege.SYSADMIN → ["sysadmin"]
    - UserPrivilege.ADMIN → ["admin"]
    - UserPrivilege.USER → ["user"]
  - Create default access rules based on current UAM logic
  - Map existing table-specific permissions to RBAC rules
- Validation:
  - Verify all users have roleLabels assigned
  - Verify access rules match current UAM behavior
  - Test permission resolution
Status: 📝 To be implemented
5.2 Update Interface Methods
Files to Update:
- gateway/modules/interfaces/interfaceDbAppObjects.py
- gateway/modules/interfaces/interfaceDbChatObjects.py
- gateway/modules/interfaces/interfaceDbComponentObjects.py
Changes:
- Replace _uam() calls with getRecordsetWithRBAC()
- Replace _canModify() checks with RBAC permission checks
- Update all getRecordset() calls to use RBAC filtering
Status: 📝 To be implemented
Phase 6: UI and Resource Access Control
6.1 UI Access Control Integration
Files: Frontend integration (out of scope for backend)
Backend Support:
- Ensure getUserPermissions() works for UI context
- Create API endpoint: GET /api/rbac/permissions?context=UI&item=playground.voice.settings
- Return UserPermissions model with view attribute
Status: 📝 To be implemented
6.2 Resource Access Control Integration
Files: Feature modules that use resources
Integration Points:
- AI model selection: Check getUserPermissions(context=RESOURCE, item="ai.model.anthropic")
- Action execution: Check permissions before allowing action execution
- Create helper functions in feature modules
Status: 📝 To be implemented
Phase 7: Testing and Validation
7.1 Unit Tests
Files: gateway/tests/unit/rbac/
Test Cases:
- Permission resolution (single role, multiple roles)
- Rule specificity (generic vs specific)
- Opening rights principle
- System field protection
- Bootstrap initialization
Status: 📝 To be implemented
7.2 Integration Tests
Files: gateway/tests/integration/rbac/
Test Cases:
- Database queries with RBAC filtering
- User CRUD operations with RBAC
- Multi-role permission combination
- Migration from UAM to RBAC
Status: 📝 To be implemented
7.3 Performance Tests
Test Cases:
- Query performance with RBAC (compare to current UAM)
- Memory usage reduction
- Database load reduction
Status: 📝 To be implemented
Module Adaptation Summary
Modules to Create
- gateway/modules/datamodels/datamodelRbac.py
  - AccessRule model
  - AccessRuleContext enum
  - Model label registration
- gateway/modules/interfaces/interfaceRbac.py
  - RBAC core logic
  - Permission resolution functions
  - Rule validation functions
- gateway/modules/interfaces/interfaceBootstrap.py ⭐ NEW
  - Centralized bootstrap interface
  - All initialization logic (mandate, users, RBAC rules)
  - Bootstrap data configuration (roles, user names, mandate profiles)
  - RBAC rules converted from UAM logic (interfaceDbAppAccess.py, interfaceDbChatAccess.py, interfaceDbComponentAccess.py)
- gateway/modules/migration/migrateUamToRbac.py
  - Migration script
  - Data transformation logic
  - Validation functions
Modules to Adapt
- gateway/modules/datamodels/datamodelUam.py ⚠️ KEEP - Still Needed
  - ✅ Add AccessLevel enum (already done)
  - ✅ Add UserPermissions model (already done)
  - 📝 Add roleLabels: List[str] to User model
  - 📝 Update frontend_options to use string references
  - ⚠️ Keep: User, Mandate, UserConnection models (core data structures)
  - ⚠️ Deprecate: UserPrivilege enum (replaced by roleLabels with RBAC)
- gateway/modules/interfaces/interfaceDbAppObjects.py
  - 📝 Add RBAC CRUD methods
  - 📝 Replace _initRecords() to call interfaceBootstrap.initBootstrap()
  - 📝 Remove _initRootMandate(), _initAdminUser(), _initEventUser() (moved to interfaceBootstrap.py)
  - 📝 Replace _uam() with RBAC-based filtering (Phase 5)
  - 📝 Remove self.access initialization (no longer needed after RBAC migration)
- gateway/modules/connectors/connectorDbPostgre.py
  - 📝 Add getRecordsetWithRBAC() method
  - 📝 Add buildRbacWhereClause() method
  - 📝 Add executeQueryWithRbac() method
  - 📝 Enhance SQL generation for RBAC
- gateway/modules/interfaces/interfaceDbChatObjects.py
  - 📝 Replace _uam() calls with RBAC filtering
  - 📝 Update permission checks to use RBAC
- gateway/modules/interfaces/interfaceDbComponentObjects.py
  - 📝 Replace _uam() calls with RBAC filtering
  - 📝 Update permission checks to use RBAC
- gateway/modules/features/options/mainOptions.py (if created)
  - 📝 Ensure getOptions() function exists for dynamic options
Modules to Remove (After Refactoring)
- gateway/modules/interfaces/interfaceDbAppAccess.py ❌ REMOVE after Phase 5
  - ⚠️ Convert all UAM logic to RBAC rules in interfaceBootstrap.py
  - Current UAM logic (uam(), canModify()) converted to AccessRule entries
  - Action: Extract all permission logic from uam() and canModify() methods
  - Action: Convert to RBAC rules in interfaceBootstrap.createTableSpecificRules()
  - Remove after all interfaces migrated to RBAC and rules validated
- gateway/modules/interfaces/interfaceDbChatAccess.py ❌ REMOVE after Phase 5
  - ⚠️ Convert all UAM logic to RBAC rules in interfaceBootstrap.py
  - Similar to interfaceDbAppAccess.py
  - Extract permission logic and convert to RBAC rules
  - Remove after migration complete
- gateway/modules/interfaces/interfaceDbComponentAccess.py ❌ REMOVE after Phase 5
  - ⚠️ Convert all UAM logic to RBAC rules in interfaceBootstrap.py
  - Similar to interfaceDbAppAccess.py
  - Extract permission logic and convert to RBAC rules
  - Remove after migration complete
Migration Strategy for Access Modules:
- Phase 3: Analyze all interface*Access.py modules
- Phase 3: Extract permission logic from uam() and canModify() methods
- Phase 3: Convert to RBAC rules in interfaceBootstrap.createTableSpecificRules()
- Phase 5: Replace all _uam() calls with RBAC filtering
- Phase 5: Remove self.access initialization from interfaces
- Phase 9-10: Delete interface*Access.py modules after validation
Note: Keep these modules during migration for backward compatibility. Remove only after:
- All UAM logic converted to RBAC rules in bootstrap
- All interfaces use RBAC
- All tests pass
- Migration validation complete
- No references to old UAM methods remain
Database Schema Changes
- New Table: AccessRule
- Modified Table: User (add roleLabels column)
- New Indexes: Performance optimization for RBAC queries
Implementation Timeline
Week 1-2: Foundation
- ✅ Create datamodelRbac.py with AccessRule model
- ✅ Create interfaceRbac.py with core RBAC logic
- ✅ Create interfaceBootstrap.py with centralized bootstrap logic
- ✅ Extract bootstrap logic from interfaceDbAppObjects.py to interfaceBootstrap.py
- ✅ Analyze interface*Access.py modules and extract UAM logic
- ✅ Convert UAM logic to RBAC rules in interfaceBootstrap.py
- ✅ Update datamodelUam.py with roleLabels field
- ✅ Integrate interfaceBootstrap.initBootstrap() into interfaceDbAppObjects.py
Week 3-4: Database Integration
- 📝 Extend database connector with RBAC support
- 📝 Create migration script
- 📝 Test database schema changes
- 📝 Validate bootstrap initialization
Week 5-6: Interface Migration
- 📝 Add RBAC CRUD methods to interfaceDbAppObjects.py
- 📝 Update interfaceDbChatObjects.py to use RBAC
- 📝 Update interfaceDbComponentObjects.py to use RBAC
- 📝 Replace _uam() calls with RBAC filtering
Week 7-8: Testing & Optimization
- 📝 Write unit tests
- 📝 Write integration tests
- 📝 Performance testing
- 📝 Query optimization
- 📝 Documentation updates
Week 9-10: Cleanup & Deprecation
- 📝 Remove interfaceDbAppAccess.py (UAM logic converted to RBAC rules)
- 📝 Remove interfaceDbChatAccess.py (UAM logic converted to RBAC rules)
- 📝 Remove interfaceDbComponentAccess.py (UAM logic converted to RBAC rules)
- 📝 Deprecate UserPrivilege enum in datamodelUam.py (keep for backward compatibility, mark as deprecated)
- 📝 Final validation
- 📝 Production deployment
Risk Mitigation
Backward Compatibility
- Keep UserPrivilege enum during migration
- Maintain _uam() method alongside RBAC during transition
- Gradual migration allows rollback if needed
Data Integrity
- Migration script with validation
- Backup before migration
- Test migration on staging environment first
Performance
- Index optimization for RBAC queries
- Query performance testing before production
- Monitor database load after deployment
Success Criteria
- ✅ All users have roleLabels assigned
- ✅ All access rules created and validated
- ✅ RBAC filtering works for all data operations
- ✅ Performance meets or exceeds current UAM system
- ✅ All tests pass
- ✅ No deprecated UAM code remains
- ✅ Documentation updated
Notes
- Follow camelCase naming convention for all functions and variables
- Internal functions use _ prefix
- Use Pydantic models for type safety
- Maintain existing error handling patterns
- Follow existing logging patterns
Important Clarifications
datamodelUam.py Status
- ✅ KEEP: Core data models (User, Mandate, UserConnection) are still needed
- ✅ KEEP: AccessLevel enum (used by RBAC)
- ✅ KEEP: UserPermissions model (used by RBAC)
- ⚠️ DEPRECATE: UserPrivilege enum (replaced by roleLabels with RBAC rules)
- 📝 ADD: roleLabels: List[str] field to User model
interface*Access.py Modules Status
- ❌ REMOVE: All interface*Access.py modules after migration
- ⚠️ CONVERT: All UAM logic from these modules to RBAC rules in interfaceBootstrap.py
- 📝 ACTION: Extract permission logic from uam() and canModify() methods
- 📝 ACTION: Create corresponding AccessRule entries in bootstrap
Bootstrap Strategy
- ⭐ CENTRALIZE: All bootstrap logic in interfaceBootstrap.py
- 📝 INCLUDE: Mandate creation, user creation, RBAC rule initialization
- 📝 INCLUDE: All bootstrap data (roles, user names, mandate profiles)
- 📝 INCLUDE: RBAC rules converted from UAM logic