Update docstring for AccessRoles special roles

Annotate config values in PermissionsConfig to describe application of permissions Add a `users` permission to define access to the users service independent of the rest of the backend (matches `node` and `llm` behavior)
NeonGeckoCom · Nov 19, 2024 · 131c5fa · 131c5fa
1 parent af9baf2
commit 131c5fa
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 10 deletions.
diff --git a/neon_data_models/enum.py b/neon_data_models/enum.py
@@ -36,8 +36,10 @@ class AccessRoles(IntEnum):
     admins, and owners.
 
     Special Roles:
-        NODE: Reserved for use by a Node service account
-        READ_USERS: Used by service accounts to read users from the database
+        NODE: Reserved for use by a Node device service account to access
+            various services
+        RW_USERS: Reserved for use by service accounts to access and modify the
+            users database
     """
     NONE = 0
     # 1-9 reserved for unauthenticated connections
@@ -53,7 +55,7 @@ class AccessRoles(IntEnum):
     # 50 Reserved for "unlimited access"
 
     NODE = -1
-    READ_USERS = -2, "Used by service accounts to read users from the database"
+    RW_USERS = -2
 
 
 class UserData(IntEnum):

diff --git a/neon_data_models/models/user/database.py b/neon_data_models/models/user/database.py
@@ -115,14 +115,28 @@ class BrainForgeConfig(BaseModel):
 
 class PermissionsConfig(BaseModel):
     """
-    Defines roles for supported projects/service families.
+    Defines roles for supported projects/services.
     """
-    klat: AccessRoles = AccessRoles.NONE
-    core: AccessRoles = AccessRoles.NONE
-    diana: AccessRoles = AccessRoles.NONE
-    node: AccessRoles = AccessRoles.NONE
-    hub: AccessRoles = AccessRoles.NONE
-    llm: AccessRoles = AccessRoles.NONE
+    klat: AccessRoles = Field(
+        AccessRoles.NONE, description="Defines access to Klat chat services.")
+    core: AccessRoles = Field(
+        AccessRoles.NONE, description="Defines access to Neon core services.")
+    diana: AccessRoles = Field(
+        AccessRoles.NONE,
+        description="Defines access to DIANA backend services. "
+                    "(i.e. API proxy, email proxy).")
+    users: AccessRoles = Field(
+        AccessRoles.NONE, description="Defines access to the users service.")
+    node: AccessRoles = Field(
+        AccessRoles.NONE,
+        description="Defines access to the node websocket in HANA.")
+    hub: AccessRoles = Field(
+        AccessRoles.NONE, description="Defines access to a hub device.")
+    llm: AccessRoles = Field(
+        AccessRoles.NONE,
+        description="Defines access to the BrainForge LLM backend. Note that "
+                    "per-model permissions may also apply and further restrict "
+                    "a user's access to some models for inference.")
 
     class Config:
         use_enum_values = True