feat(BA-3519): Add utils for RBAC entity data migration

[fregataa]

resolves #7530 (BA-3519)

Summary

Add reusable utility classes and adapters for RBAC entity data migration.

Changes

Added Components:

1. MigrationAdapter (src/ai/backend/manager/models/rbac_models/migration/adapter.py)
   - Parses entity-typed permissions into PermissionCreateInput
   - Parses entity scope associations into AssociationScopesEntitiesCreateInput
2. Abstract Entity Interfaces (src/ai/backend/manager/models/rbac_models/migration/entity/abc.py)
   - AbstractEntity: Interface for accessing entity scopes and IDs
   - AbstractEntityType: Interface for defining entity type operations in system/custom roles
3. EntityMigrator (src/ai/backend/manager/models/rbac_models/migration/migrator.py)
   - Query permission groups with their role sources
   - Add entity-typed permissions to permission groups based on role source
   - Associate entities with scopes in association_scopes_entities table

---

Implementation Details

Entity Scope Mapping:

• Entities (VFolder, Session, etc.) can be mapped to their owning scopes
• Relationships stored in association_scopes_entities table
• Supports user and project scopes

Entity Type Permission Creation:

• Permissions dynamically created based on entity type and role source (system/custom)
• Each permission specifies: entity_type + operation (read/delete/update)
• Permissions bound to permission groups

Checklist: (if applicable)

• Milestone metadata specifying the target backport version
• Mention to the original issue
• Installer updates including:
  • Fixtures for db schema changes
  • New mandatory config options
• Update of end-to-end CLI integration tests in ai.backend.test
• API server-client counterparts (e.g., manager API -> client SDK)
• Test case(s) to:
  • Demonstrate the difference of before/after
  • Demonstrate the flow of abstract/conceptual models with a concrete implementation
• Documentation
  • Contents in the docs directory
  • docstrings in public interfaces and type annotations

[Copilot]

Pull request overview

This PR introduces reusable utility infrastructure for RBAC entity migration, enabling systematic migration of entity data and permissions from the original database to the RBAC database. The changes provide abstract interfaces and concrete adapters to transform migration data into the appropriate RBAC table formats.

Key Changes

• Introduces abstract interfaces (AbstractEntity and AbstractEntityType) to define entity migration contracts
• Adds MigrationAdapter to transform migration data into RBAC table input formats
• Implements EntityMigrationUtil with methods for querying permission groups and adding entity permissions/scope associations

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 10 comments.

File	Description
src/ai/backend/manager/models/rbac_models/migration/entity/__init__.py	Empty package marker for new entity subdirectory
src/ai/backend/manager/models/rbac_models/migration/entity/abc.py	Defines abstract interfaces for entities and entity types used during migration
src/ai/backend/manager/models/rbac_models/migration/adapter.py	Implements data transformation adapter that parses entity data into RBAC table input formats
src/ai/backend/manager/models/rbac_models/migration/utils.py	Adds EntityMigrationUtil class with database operations for entity migration, including new imports for adapter and entity abstractions

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Type mismatch in return value. The method signature declares it returns list[tuple[uuid.UUID, RoleSource]], but the roles_table.c.source column is defined as VARCHAR(16) in models.py, so querying it returns a string, not a RoleSource enum. The return value at line 180 will be list[tuple[uuid.UUID, str]]. Consider either converting the string to RoleSource enum (e.g., RoleSource(row.role_source)) or updating the return type annotation to match the actual type.

Suggested change

	return [(row.permission_group_id, row.role_source) for row in rows]
	return [
	(row.permission_group_id, RoleSource(row.role_source))
	for row in rows
	]

[Copilot]

Missing docstring. This public method should document its purpose, parameters, and behavior. Specifically, it should explain how permissions are determined based on role_source (SYSTEM roles get admin operations, CUSTOM roles get member operations from the entity type).

[Copilot]

Missing test coverage for the new MigrationAdapter class and its methods. The existing test files in tests/manager/rbac/ show comprehensive testing of migration utilities. Consider adding tests to verify that parse_entity_typed_permissions correctly creates PermissionCreateInput instances and that parse_association_scopes_entities properly handles entity scope mappings.

[Copilot]

The match statement lacks a default case. If role_source somehow has an unexpected value, the operations variable will be undefined, causing a NameError at line 195. Consider adding a case _ clause to handle unexpected values or raise an explicit error for invalid role sources.

Suggested change

	operations = entity_type.operations_in_custom_role()
	operations = entity_type.operations_in_custom_role()
	case _:
	raise ValueError(f"Unexpected role source: {role_source!r}")

[Copilot]

Missing docstring. This public method would benefit from documentation explaining its purpose, parameters (especially the pagination parameters offset and limit), and return value format. Consider documenting that it returns tuples of (permission_group_id, role_source) and how the pagination works.

[Copilot]

Missing docstring. This public method should document its purpose and behavior. It should explain that it creates associations between an entity and its owning scopes in the association_scopes_entities table, using insert_skip_on_conflict to handle duplicates.

[Copilot]

Missing class docstring. Consider adding a docstring that explains the purpose of this interface and what concrete implementations should represent (e.g., "Represents an entity instance during RBAC migration, providing access to the entity's ID and associated scopes").

[Copilot]

Missing class docstring. Consider adding a docstring that explains the purpose of this interface and what concrete implementations should represent (e.g., "Defines the entity type configuration for RBAC migration, specifying which operations are available in system vs. custom roles").

Suggested change

	class AbstractEntityType(ABC):
	class AbstractEntityType(ABC):
	"""
	Defines the entity type configuration for RBAC migration.
	Concrete implementations represent a specific entity type and declare
	which operations are permitted when that entity is used in system roles
	versus custom roles.
	"""

[Copilot]

Missing test coverage for the new EntityMigrationUtil class and its methods. The existing test files show comprehensive testing of migration utilities. Consider adding tests to verify: 1) get_permission_group_ids_with_role_source correctly queries and paginates results, 2) add_entity_typed_permission_to_permission_groups properly handles both SYSTEM and CUSTOM role sources, and 3) add_entity_to_scopes correctly creates scope-entity associations.

[Copilot]

Missing test coverage for the new abstract interfaces. The existing test files show comprehensive testing patterns. Consider adding tests with concrete implementations of AbstractEntity and AbstractEntityType to demonstrate the expected behavior and validate the interface design.