Skip to content

feat(frontier): add SetGroupMemberRole RPC#485

Merged
whoAbhishekSah merged 1 commit into
mainfrom
feat/frontier-set-group-member-role
May 12, 2026
Merged

feat(frontier): add SetGroupMemberRole RPC#485
whoAbhishekSah merged 1 commit into
mainfrom
feat/frontier-set-group-member-role

Conversation

@whoAbhishekSah
Copy link
Copy Markdown
Member

@whoAbhishekSah whoAbhishekSah commented May 12, 2026

Summary

  • Adds SetGroupMemberRole RPC + request/response messages to FrontierService, mirroring SetOrganizationMemberRole.
  • Lets callers change an existing group member's role with an explicit role_id and principal_type (currently app/user; field is generic so future principal types can be supported without a proto change).
  • AddGroupUsers is left untouched for backward compatibility — it will be migrated and eventually removed in a follow-up.

Why

Today the group membership APIs hardcode role assignments (AddGroupUsers → member, group creation → owner) and update policies and direct SpiceDB relations separately. A dedicated SetGroupMemberRole is needed so the frontier implementation can change a member's role atomically and keep policy + direct relation in sync — fixing the leaky-relation bug at the group layer (see raystack/frontier#1478).

Test plan

  • buf lint
  • buf build
  • buf breaking --against main (wire-compatible)

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 12, 2026
edited
Loading

Review Change Stack
No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 675a1b82-c765-42f3-a4bc-0370ee940d32

📥 Commits

Reviewing files that changed from the base of the PR and between 2ff8b62 and 7587672.

📒 Files selected for processing (1)
  • raystack/frontier/v1beta1/frontier.proto
🚧 Files skipped from review as they are similar to previous changes (1)
  • raystack/frontier/v1beta1/frontier.proto
📝 Walkthrough

Walkthrough

This PR extends the FrontierService gRPC API by adding a new SetGroupMemberRole RPC method for updating group member roles. The change introduces the RPC method signature and two accompanying message types: SetGroupMemberRoleRequest containing group identifier, organization identifier, principal identifier, principal type, and role identifier fields with validation constraints, and SetGroupMemberRoleResponse as an empty response type.

Suggested reviewers

  • rohilsurana
  • AmanGIT07
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the primary change: adding a new SetGroupMemberRole RPC to the FrontierService, which is the main focus of the changeset.
Description check ✅ Passed The description is directly related to the changeset, providing context on why the RPC was added, what it does, and how it addresses the leaky-relation bug while maintaining backward compatibility.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

  • Generate code and open pull requests
  • Plan features and break down work
  • Investigate incidents and troubleshoot customer tickets together
  • Automate recurring tasks and respond to alerts with triggers
  • Summarize progress and report instantly

Built for teams:

  • Shared memory across your entire org—no repeating context
  • Per-thread sandboxes to safely plan and execute work
  • Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 12, 2026
edited
Loading

The latest Buf updates on your PR. Results from workflow Validate / validate (pull_request).

BuildFormatLintBreakingUpdated (UTC)
✅ passed⏩ skipped✅ passed✅ passedMay 12, 2026, 7:12 AM

@whoAbhishekSah whoAbhishekSah mentioned this pull request May 12, 2026
Open
5 tasks
@whoAbhishekSah @claude
feat(frontier): add SetGroupMemberRole RPC
7587672 
Introduces a new RPC to change an existing group member's role, mirroring
SetOrganizationMemberRole. Supports user (and future principal types) with
an explicit role, replacing the implicit role assignment in AddGroupUsers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@whoAbhishekSah whoAbhishekSah force-pushed the feat/frontier-set-group-member-role branch from 2ff8b62 to 7587672 Compare May 12, 2026 07:11
whoAbhishekSah added a commit to raystack/frontier that referenced this pull request May 12, 2026
@whoAbhishekSah @claude
feat(membership): add group membership management
77f2253 
Introduces the SetGroupMemberRole RPC and three service methods on the
membership package: AddGroupMember, SetGroupMemberRole, and OnGroupCreated.
These manage policy + SpiceDB relation atomically and keep them in sync,
fixing the leaky-relation pattern at the group layer.

- AddGroupMember validates org membership of the principal and rejects
  duplicates with ErrAlreadyMember (service-only, no proto).
- SetGroupMemberRole rejects non-members with ErrNotMember and enforces
  a min-owner constraint (ErrLastGroupOwnerRole) on demotion.
- OnGroupCreated bundles the group<->org hierarchy relations with the
  initial owner add, so group.Create can wire SpiceDB with one call.
- Principal validation is restricted to app/user; the switch is kept
  extensible for future principal types.

Audit events are added for both the added and role-changed cases.

No call sites are migrated yet — group.Create, AddGroupUsers, and the
deletion of legacy group service methods will follow in subsequent PRs.

PROTON_COMMIT is temporarily pinned to the feature-branch SHA on
raystack/proton#485; it will be re-pinned to the merge commit once that
PR lands.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@whoAbhishekSah whoAbhishekSah merged commit 0c49425 into main May 12, 2026
3 checks passed
@whoAbhishekSah whoAbhishekSah deleted the feat/frontier-set-group-member-role branch May 12, 2026 07:44
whoAbhishekSah added a commit to raystack/frontier that referenced this pull request May 12, 2026
@whoAbhishekSah @claude
chore: pin PROTON_COMMIT to merged main
4eb055c 
raystack/proton#485 has merged. Re-pin from the feature-branch SHA
to the merge commit on proton main.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rohilsurana rohilsurana rohilsurana approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@whoAbhishekSah @rohilsurana