feat(BA-2937): Migrate VFolder invitations to RBAC DB

[fregataa]

resolves #6609 (BA-2937)

Checklist: (if applicable)

• Milestone metadata specifying the target backport version
• Mention to the original issue
• Installer updates including:
  • Fixtures for db schema changes
  • New mandatory config options
• Update of end-to-end CLI integration tests in ai.backend.test
• API server-client counterparts (e.g., manager API -> client SDK)
• Test case(s) to:
  • Demonstrate the difference of before/after
  • Demonstrate the flow of abstract/conceptual models with a concrete implementation
• Documentation
  • Contents in the docs directory
  • docstrings in public interfaces and type annotations

[Copilot]

Pull request overview

This PR implements a database migration to migrate VFolder invitations from the legacy system to the new RBAC (Role-Based Access Control) permission groups system. The migration aims to preserve existing vfolder access permissions by creating corresponding permission groups in the RBAC database.

Key Changes:

• Adds Alembic migration script to query existing vfolder_permissions and create permission groups
• Implements temporary unique constraint management during migration to prevent duplicates
• Creates USER-scoped permission groups for users who have vfolder permissions

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The variable name input shadows the built-in Python function. Consider using a more descriptive name like permission_input or pg_input to avoid shadowing the built-in.

Suggested change

	input = cls._invitiee_user_to_permission_group_input(
	role_id=row.role_id,
	user_id=row.user_id,
	)
	permission_group_inputs.append(input)
	permission_group_input = cls._invitiee_user_to_permission_group_input(
	role_id=row.role_id,
	user_id=row.user_id,
	)
	permission_group_inputs.append(permission_group_input)

[Copilot]

The vfolder_permissions table includes a permission column that stores different permission levels (READ_ONLY, READ_WRITE, RW_DELETE), but this migration ignores these permission levels when creating permission groups. All users with vfolder permissions will receive the same permission group regardless of their original permission level. This loses important access control information. The migration should either preserve the permission levels or document why they are being discarded.

[Copilot]

The _invitiee_user_to_permission_group_input method name suggests it's converting invitee user data to permission group input, but there's no documentation explaining what this conversion does or why it's creating a USER-scoped permission group. Adding a docstring would help clarify the intended behavior and migration strategy.

[Copilot]

The query selects users from vfolder_permissions and joins with their system roles, but it doesn't include the vfolder column from vfolder_permissions. This means the migration creates permission groups at the USER scope level regardless of which vfolder the permission was for. This appears to be granting users a role-based permission to all vfolders, rather than preserving the specific vfolder invitations. If the intent is to migrate specific vfolder invitations to permission groups, the query should include the vfolder ID and create permission groups or object permissions that are scoped to specific vfolders.

[Copilot]

The unique constraint on permission_groups is added before inserting data and then dropped afterward. This pattern is unusual - typically, a unique constraint is either permanently present or not. If the constraint is needed to prevent duplicate insertions during migration, the insert_skip_on_conflict function already handles conflicts. If duplicate permission groups should be prevented permanently, the constraint should remain. The current approach of adding and then removing the constraint suggests unclear intent and could lead to duplicate permission groups being created after the migration completes.

Suggested change

PermissionCreator.drop_unique_constraint_from_permission_groups_role_id_scope_id()

[Copilot]

The query doesn't filter or exclude any rows, which means it will attempt to create permission groups for all users who have vfolder permissions. This includes potentially creating duplicate permission groups for the same user if they have permissions on multiple vfolders. While insert_skip_on_conflict handles conflicts, the migration may still create multiple permission groups with identical role_id, scope_type, and scope_id if a user has permissions on multiple vfolders. Consider adding a DISTINCT clause or grouping by (user_id, role_id) to prevent processing the same user-role combination multiple times.

[Copilot]

The downgrade() function is empty, which means this migration cannot be rolled back. If the migration needs to be reversed, all permission groups created by this migration would remain in the database. Consider implementing a downgrade that either removes the migrated permission groups or documents why rollback is not supported.

Suggested change

	pass
	"""
	Remove permission groups created by this migration.
	"""
	conn = op.get_bind()
	permission_groups_table = get_permission_groups_table()
	# Delete permission groups with scope_type=USER that were created for vfolder permissions
	delete_stmt = (
	permission_groups_table.delete()
	.where(permission_groups_table.c.scope_type == ScopeType.USER)
	)
	conn.execute(delete_stmt)

[jopemachine]

Is this change an irreversible migration?

[jopemachine]

If that’s the case, the PR prefix should be marked as ‘breaking’, or the PR should more explicitly indicate that it is non-reversible.

[fregataa]

it is not breaking because the RBAC DB is not used in any API yet. This is a preparation step for RBAC implementation

[jopemachine]

In my personal opinion, having these as separate methods actually hurts readability. The methods are very simple, but their names are too long.