cognee_database/ops/acl.rs
1//! ACL trait-level helper operations.
2//!
3//! The direct-`DatabaseConnection` implementations that backed the
4//! `AclDb` blanket impl moved into the closed `cognee-access-control`
5//! crate: the auth entities
6//! they depended on (`acl`, `permission`, `principal`, `user_role`,
7//! `user_tenant`) no longer exist on the OSS schema.
8//!
9//! What remains here is the trait-only helper used by the OSS ingestion
10//! pipeline (which still wires an `&dyn AclDb`) and the canonical
11//! `PERMISSION_NAMES` list both halves of the split agree on.
12
13use tracing::instrument;
14use uuid::Uuid;
15
16use crate::types::DatabaseError;
17
18/// All permission names defined in the system.
19pub const PERMISSION_NAMES: &[&str] = &["read", "write", "delete", "share"];
20
21/// Grant all four permissions (read, write, delete, share) to a principal
22/// on a dataset via the [`AclDb`](crate::traits::AclDb) trait.
23///
24/// Used by the ingestion pipeline to bless the dataset owner on every
25/// `add` of a freshly-created dataset. Works with any `&dyn AclDb`
26/// implementation, so OSS callers can pair it with `MockAclDb` (tests)
27/// or with the closed `AccessControl` newtype (production cloud builds).
28#[instrument(
29 name = "cognee.db.relational.acl.grant_all_permissions_on_dataset_via_trait",
30 level = "info",
31 skip_all,
32 err
33)]
34pub async fn grant_all_permissions_on_dataset_via_trait(
35 acl_db: &dyn crate::traits::AclDb,
36 principal_id: Uuid,
37 dataset_id: Uuid,
38) -> Result<(), DatabaseError> {
39 acl_db.ensure_principal(principal_id, "user").await?;
40
41 for perm_name in PERMISSION_NAMES {
42 acl_db
43 .grant_permission(principal_id, dataset_id, perm_name)
44 .await?;
45 }
46
47 Ok(())
48}