
feat(api-server): user-scoped queries for multi-tenant isolation#899

Draft
maskarb wants to merge 2 commits into main from feat/user-scoped-queries

Conversation

Contributor

@maskarb maskarb commented Mar 12, 2026

Summary

  • Upgrade rh-trex-ai from v0.0.19 to v0.0.23 (auth config consolidation, JWK key rotation fixes)
  • Register UserScopeConfig for Sessions, filtering List queries by created_by_user_id with admin role bypass
  • Pass actual JWT username via auth.GetUsernameFromContext instead of hardcoded "id" in all 8 List handlers (4 HTTP + 4 gRPC)
  • Update code generator template so new plugins get the correct pattern
  • Regenerate OpenAPI client with updated generator

User scoping is applied to Sessions only — Projects, ProjectSettings, and Users are not scoped. Project/org-level scoping (likely via org_id from JWT) is deferred to a follow-up.

Blocked on

Jira: RHOAIENG-52960

Test plan

  • go build ./... passes with replace directive
  • go vet ./... clean
  • All pre-commit hooks pass (gofmt, golangci-lint)
  • Integration tests: user A creates sessions, user B lists → sees nothing
  • Admin user lists → sees all sessions
  • JWT disabled (dev mode) → sees all sessions (backward compat)
  • Remove replace directive after upstream merge + tag

🤖 Generated with Claude Code

…0.0.23

Upgrade rh-trex-ai from v0.0.19 to v0.0.23 and wire up user-scoped
query filtering for multi-tenant isolation.

Framework upgrade (v0.0.23 breaking changes):
- Migrate JwkCertFile/JwkCertURL from ServerConfig to AuthConfig in
  development and production environments
- NewAuthzMiddleware signature change handled by upstream routebuilder

User-scoped queries:
- Register UserScopeConfig for Session kind, filtering List queries by
  created_by_user_id with admin/platform-admin role bypass
- Pass actual JWT username (via auth.GetUsernameFromContext) instead of
  hardcoded "id" in all HTTP and gRPC List handlers
- Update code generator template to use auth context for new plugins

Jira: RHOAIENG-52960

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
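The scoping rule the description and test plan lay out (List filtered by created_by_user_id, bypass for admin roles, no filtering when JWT auth is disabled in dev mode), worked through as an added Go example. This is illustration code written for this page, not the rh-trex-ai framework's UserScopeConfig or this repository's handlers: the Identity, UserScope and Filter types, WithIdentity and identityFromContext are hypothetical stand-ins for the framework's auth context and auth.GetUsernameFromContext, and the session store is constructed in-memory data. One choice goes beyond what the PR states: with auth enabled and no identity in the context the filter fails closed with an error instead of returning an unfiltered list.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Session is a stand-in for the Session kind; only the field the scope
// filters on is modelled (constructed for this example).
type Session struct {
	ID              string
	CreatedByUserID string
}

// Identity is what an auth middleware would extract from the JWT. Here it is
// constructed directly; the framework's own context key is not reproduced.
type Identity struct {
	Username string
	Roles    []string
}

type identityKey struct{}

// WithIdentity plays the role of the JWT middleware and attaches the caller
// identity to the request context.
func WithIdentity(ctx context.Context, id Identity) context.Context {
	return context.WithValue(ctx, identityKey{}, id)
}

// identityFromContext is a hypothetical analogue of auth.GetUsernameFromContext;
// ok is false when no identity was attached.
func identityFromContext(ctx context.Context) (Identity, bool) {
	id, ok := ctx.Value(identityKey{}).(Identity)
	return id, ok
}

// UserScope is a hypothetical analogue of the PR's UserScopeConfig for one kind.
type UserScope struct {
	AuthEnabled bool     // false in dev mode with JWT disabled: no filtering
	AdminRoles  []string // any of these roles bypasses the owner filter
}

// Filter is the predicate a List handler must apply to its query.
type Filter struct {
	Unrestricted bool   // true: return every row (admin role or dev mode)
	OwnerID      string // otherwise created_by_user_id must equal this value
}

// ErrNoIdentity is returned when auth is enabled but the context carries no
// identity. Failing closed is this example's design choice: falling back to
// an unfiltered list would silently reintroduce the cross-tenant leak.
var ErrNoIdentity = errors.New("auth enabled but no identity in context")

// ScopeFilter decides how a List call is restricted for the caller in ctx.
func (s UserScope) ScopeFilter(ctx context.Context) (Filter, error) {
	if !s.AuthEnabled {
		return Filter{Unrestricted: true}, nil
	}
	id, ok := identityFromContext(ctx)
	if !ok || id.Username == "" {
		return Filter{}, ErrNoIdentity
	}
	for _, have := range id.Roles {
		for _, admin := range s.AdminRoles {
			if have == admin {
				return Filter{Unrestricted: true}, nil
			}
		}
	}
	return Filter{OwnerID: id.Username}, nil
}

// ListSessions applies the filter to an in-memory store, standing in for the
// WHERE clause the real handler would add to its database query.
func ListSessions(ctx context.Context, scope UserScope, store []Session) ([]Session, error) {
	f, err := scope.ScopeFilter(ctx)
	if err != nil {
		return nil, err
	}
	out := []Session{}
	for _, sess := range store {
		if f.Unrestricted || sess.CreatedByUserID == f.OwnerID {
			out = append(out, sess)
		}
	}
	return out, nil
}

// SampleStore is constructed data: two sessions owned by alice, one by bob.
func SampleStore() []Session {
	return []Session{
		{ID: "s1", CreatedByUserID: "alice"},
		{ID: "s2", CreatedByUserID: "alice"},
		{ID: "s3", CreatedByUserID: "bob"},
	}
}

func main() {
	scope := UserScope{AuthEnabled: true, AdminRoles: []string{"admin", "platform-admin"}}
	bg := context.Background()
	for _, c := range []struct {
		name string
		ctx  context.Context
		sc   UserScope
	}{
		{"bob", WithIdentity(bg, Identity{Username: "bob"}), scope},
		{"carol", WithIdentity(bg, Identity{Username: "carol"}), scope},
		{"admin", WithIdentity(bg, Identity{Username: "root", Roles: []string{"admin"}}), scope},
		{"no identity", bg, scope},
		{"dev mode", bg, UserScope{AuthEnabled: false}},
	} {
		got, err := ListSessions(c.ctx, c.sc, SampleStore())
		fmt.Printf("%-12s sees %d session(s), err=%v\n", c.name, len(got), err)
	}
}
```

Two points worth keeping in mind when wiring the real handlers. First, the dev-mode bypass is driven by the scope configuration, not by the absence of an identity, so a production request that reaches a handler without a JWT claim cannot be mistaken for dev mode. Second, the filter only isolates tenants if the handler passes the caller's real username: with a constant such as the hardcoded "id" the PR removes, every caller would be scoped to sessions created by a user literally named "id", which is why the handler change is part of the same PR as the scope registration.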
@coderabbitai

coderabbitai bot commented Mar 12, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6943f894-1cad-4bbf-8ea4-056cebf6e3d0

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Regenerated OpenAPI Go client using openapi-generator v7.16.0. No
schema changes — cosmetic diffs only (doc formatting, API scaffolding).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>