Refactor RBAC to use new CRUD roles actions, update CI

tsmith023 · tsmith023 · commit 3f440ad95e1d · 2025-02-13T16:53:29.000Z
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -12,7 +12,7 @@ env:
   WEAVIATE_126: 1.26.14
   WEAVIATE_127: 1.27.11
   WEAVIATE_128: 1.28.4
-  WEAVIATE_129: 1.29.0-rc.0-a8c0bce
+  WEAVIATE_129: 1.29.0-rc.1
 
 jobs:
   checks:
diff --git a/src/openapi/schema.ts b/src/openapi/schema.ts
@@ -340,8 +340,10 @@ export interface definitions {
       | 'update_data'
       | 'delete_data'
       | 'read_nodes'
-      | 'manage_roles'
+      | 'create_roles'
       | 'read_roles'
+      | 'update_roles'
+      | 'delete_roles'
       | 'create_collections'
       | 'read_collections'
       | 'update_collections'
@@ -1933,7 +1935,9 @@ export interface operations {
         schema: definitions['ErrorResponse'];
       };
       /** role or user is not found. */
-      404: unknown;
+      404: {
+        schema: definitions['ErrorResponse'];
+      };
       /** An error has occurred while trying to fulfill the request. Most likely the ErrorResponse will contain more information about the error. */
       500: {
         schema: definitions['ErrorResponse'];
@@ -1967,7 +1971,9 @@ export interface operations {
         schema: definitions['ErrorResponse'];
       };
       /** role or user is not found. */
-      404: unknown;
+      404: {
+        schema: definitions['ErrorResponse'];
+      };
       /** An error has occurred while trying to fulfill the request. Most likely the ErrorResponse will contain more information about the error. */
       500: {
         schema: definitions['ErrorResponse'];
diff --git a/src/roles/index.ts b/src/roles/index.ts
@@ -182,12 +182,20 @@ export const permissions = {
       return out;
     });
   },
-  roles: (args: { role: string | string[]; read?: boolean; manage?: boolean }): RolesPermission[] => {
+  roles: (args: {
+    role: string | string[];
+    create?: boolean;
+    read?: boolean;
+    update?: boolean;
+    delete?: boolean;
+  }): RolesPermission[] => {
     const roles = Array.isArray(args.role) ? args.role : [args.role];
     return roles.flatMap((role) => {
       const out: RolesPermission = { role, actions: [] };
+      if (args.create) out.actions.push('create_roles');
       if (args.read) out.actions.push('read_roles');
-      if (args.manage) out.actions.push('manage_roles');
+      if (args.update) out.actions.push('update_roles');
+      if (args.delete) out.actions.push('delete_roles');
       return out;
     });
   },
diff --git a/src/roles/integration.test.ts b/src/roles/integration.test.ts
@@ -157,15 +157,23 @@ only('Integration testing of the roles namespace', () => {
       },
       {
         roleName: 'roles',
-        permissions: weaviate.permissions.roles({ role: 'some-role', manage: true }),
+        permissions: weaviate.permissions.roles({
+          role: 'some-role',
+          create: true,
+          read: true,
+          update: true,
+          delete: true,
+        }),
         expected: {
           name: 'roles',
           backupsPermissions: [],
           clusterPermissions: [],
           collectionsPermissions: [],
           dataPermissions: [],
           nodesPermissions: [],
-          rolesPermissions: [{ role: 'some-role', actions: ['manage_roles'] }],
+          rolesPermissions: [
+            { role: 'some-role', actions: ['create_roles', 'read_roles', 'update_roles', 'delete_roles'] },
+          ],
         },
       },
     ];
diff --git a/src/roles/types.ts b/src/roles/types.ts
@@ -15,7 +15,7 @@ export type DataAction = Extract<
   'create_data' | 'delete_data' | 'read_data' | 'update_data' | 'manage_data'
 >;
 export type NodesAction = Extract<Action, 'read_nodes'>;
-export type RolesAction = Extract<Action, 'manage_roles' | 'read_roles'>;
+export type RolesAction = Extract<Action, 'create_roles' | 'read_roles' | 'update_roles' | 'delete_roles'>;
 
 export type BackupsPermission = {
   collection: string;
diff --git a/src/roles/util.ts b/src/roles/util.ts
@@ -45,7 +45,7 @@ export class PermissionGuards {
   static isNodes = (permission: Permission): permission is NodesPermission =>
     PermissionGuards.includes(permission, 'read_nodes');
   static isRoles = (permission: Permission): permission is RolesPermission =>
-    PermissionGuards.includes(permission, 'manage_roles');
+    PermissionGuards.includes(permission, 'create_role', 'read_roles', 'update_roles', 'delete_roles');
   static isPermission = (permissions: PermissionsInput): permissions is Permission =>
     !Array.isArray(permissions);
   static isPermissionArray = (permissions: PermissionsInput): permissions is Permission[] =>
@@ -90,7 +90,7 @@ export class Map {
     } else if (PermissionGuards.isRoles(permission)) {
       return Array.from(permission.actions).map((action) => ({ roles: { role: permission.role }, action }));
     } else {
-      throw new Error(`Unknown permission type: ${permission}`);
+      throw new Error(`Unknown permission type: ${JSON.stringify(permission, null, 2)}`);
     }
   };
 
