feat(policy): Seed existing namespaces with standard actions#3228
Conversation
📝 WalkthroughWalkthroughA migration seeds namespace-scoped standard CRUD actions for every existing namespace; the fixture loader now only reads global standard actions (where Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request introduces a database migration to ensure that all existing namespaces are populated with the required standard CRUD actions. This change is necessary to support policy migration tooling that expects these actions to be present within each namespace scope, addressing a gap for namespaces created prior to the introduction of action namespacing. Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. The namespaces stood empty and bare, / With standard actions missing in there. / A migration was run, / The work is now done, / And consistency fills up the air. Footnotes
|
There was a problem hiding this comment.
Code Review
This pull request introduces a database migration to retroactively seed standard actions for existing namespaces and updates the test fixtures to correctly filter for global standard actions. A high-severity issue was identified in the migration's rollback script, which is overly destructive as it deletes all namespaced standard actions, including those created during normal system operation; it is recommended to change the rollback to a no-op to ensure system stability.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
service/internal/fixtures/fixtures.go (1)
790-818: 🛠️ Refactor suggestion | 🟠 MajorAdd a regression test for
namespace_id IS NULLaction loading.Please add/update a test that proves
loadMigratedStandardActionsexcludes namespaced standard actions when both global and namespaced records share the same action names. As per coding guidelines, "Rungo test ./...ormake testand ensure all existing tests pass; add tests for new functionality".🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@service/internal/fixtures/fixtures.go` around lines 790 - 818, The test suite is missing a regression test ensuring loadMigratedStandardActions only loads actions where namespace_id IS NULL even when a namespaced action has the same name; add a unit/integration test that sets up the DB with two actions of the same name (one with namespace_id NULL and one with a non-NULL namespace_id), invokes Fixtures.loadMigratedStandardActions (via the existing Fixtures test helper or creating a Fixtures instance), and asserts that f.MigratedData.StandardActions contains the global action ID (and not the namespaced one); make sure to clean up test rows or use a transaction/fixture helper so go test ./... passes and follow existing test patterns for DB setup/teardown.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In
`@service/policy/db/migrations/20260331000000_seed_standard_actions_for_existing_namespaces.sql`:
- Around line 22-24: The down migration currently deletes all namespaced
standard actions via the DELETE FROM actions WHERE is_standard = TRUE AND
namespace_id IS NOT NULL statement, which will remove valid actions created
later by normal CreateNamespace() flow; change the down migration to be
explicitly irreversible instead of performing that broad DELETE — e.g., replace
the DELETE in this migration file
(20260331000000_seed_standard_actions_for_existing_namespaces.sql) with a
statement that raises an error/exception indicating the migration cannot be
reverted (so rollbacks fail safely), or alternatively implement a targeted
delete that only removes rows deterministically inserted by this migration
(using unique markers if available); reference the DELETE FROM actions clause
and the CreateNamespace() flow when making the change.
---
Outside diff comments:
In `@service/internal/fixtures/fixtures.go`:
- Around line 790-818: The test suite is missing a regression test ensuring
loadMigratedStandardActions only loads actions where namespace_id IS NULL even
when a namespaced action has the same name; add a unit/integration test that
sets up the DB with two actions of the same name (one with namespace_id NULL and
one with a non-NULL namespace_id), invokes Fixtures.loadMigratedStandardActions
(via the existing Fixtures test helper or creating a Fixtures instance), and
asserts that f.MigratedData.StandardActions contains the global action ID (and
not the namespaced one); make sure to clean up test rows or use a
transaction/fixture helper so go test ./... passes and follow existing test
patterns for DB setup/teardown.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 013dba12-e09e-4c15-9ee8-723c0ad03427
📒 Files selected for processing (3)
service/internal/fixtures/fixtures.goservice/policy/db/migrations/20260331000000_seed_standard_actions_for_existing_namespaces.mdservice/policy/db/migrations/20260331000000_seed_standard_actions_for_existing_namespaces.sql
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
|
Rollback options: Option 1: Destructive Down (Delete Namespaced Standard Actions)
Option 2: Non-Destructive Down (No-Op) — Recommended
Decision Rationale
|
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In
`@service/policy/db/migrations/20260331000000_seed_standard_actions_for_existing_namespaces.md`:
- Around line 25-29: Add a concrete rollback preflight and remediation checklist
to the migration note in
20260331000000_seed_standard_actions_for_existing_namespaces.md: include exact
preflight SQL queries to detect conflicting rows in the actions table (e.g.,
SELECT name, array_agg(DISTINCT namespace) FROM actions WHERE name IN
('create','read','update','delete') GROUP BY name HAVING count(DISTINCT
namespace) > 1), criteria to identify safe-to-remove rows vs rows that require
manual merging, steps to back up affected rows (COPY or SELECT INTO), and
explicit manual cleanup commands/decision rules to restore the
pre-20260312000000 unique(name) constraint; reference the prior migration
20260312000000_add_namespace_to_actions.sql, the actions table, the name column,
and the standard action names so operators can run the checks and remediation
under incident pressure.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: f7c5f080-210e-4d6a-a097-8939ed692aee
📒 Files selected for processing (2)
service/policy/db/migrations/20260331000000_seed_standard_actions_for_existing_namespaces.mdservice/policy/db/migrations/20260331000000_seed_standard_actions_for_existing_namespaces.sql
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@adr/decisions/2026-04-01-database-migration-backup-first-rollback.md`:
- Around line 42-44: Three consecutive bullets all start with "🟩 **Good**",
making the ADR repetitive; edit the three bullets that begin with "🟩 **Good**"
(the ones referencing deterministic operator recovery, reduced dependence on
rollback logic, and alignment with production practice) to be more concise and
varied — either combine closely related points (e.g., merge deterministic
recovery and alignment with practice into one succinct bullet) and rephrase the
other to highlight reduced reliance on risky rollback logic, or use different
openings (e.g., "Helps", "Reduces", "Aligns with") so the list scans quickly and
avoids repeated wording.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 2dbb218b-bdbb-4dbc-9a89-0745456e2a3e
📒 Files selected for processing (1)
adr/decisions/2026-04-01-database-migration-backup-first-rollback.md
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
🤖 I have created a release *beep* *boop* --- ## [0.14.0](opentdf/platform@service/v0.13.0...service/v0.14.0) (2026-04-21) ### ⚠ BREAKING CHANGES * **sdk:** reclassify KAS 400 errors — distinguish tamper from misconfiguration ([opentdf#3166](opentdf#3166)) * **policy:** optional namespace for RRs ([opentdf#3165](opentdf#3165)) * **policy:** Namespace subject mappings and subject condition sets. ([opentdf#3143](opentdf#3143)) * **policy:** Optional namespace on actions protos, NamespacedPolicy feature flag ([opentdf#3155](opentdf#3155)) * **policy:** add namespaced actions schema and namespace-aware action queries ([opentdf#3154](opentdf#3154)) * **policy:** only require namespace on GetAction if no id provided ([opentdf#3144](opentdf#3144)) * **policy:** add namespace field to Actions proto ([opentdf#3130](opentdf#3130)) * **policy:** namespace Registered Resources ([opentdf#3111](opentdf#3111)) * **policy:** add namespace field to RegisteredResource proto ([opentdf#3110](opentdf#3110)) ### Features * **authz:** Namespaced policy in decisioning ([opentdf#3226](opentdf#3226)) ([0355934](opentdf@0355934)) * **cli:** migrate otdfctl into platform monorepo ([opentdf#3205](opentdf#3205)) ([5177bec](opentdf@5177bec)) * fix tracing ([opentdf#3242](opentdf#3242)) ([57e5680](opentdf@57e5680)) * **policy:** add GetObligationTrigger RPC ([opentdf#3318](opentdf#3318)) ([d68e39d](opentdf@d68e39d)) * **policy:** add namespace field to Actions proto ([opentdf#3130](opentdf#3130)) ([bedc9b3](opentdf@bedc9b3)) * **policy:** add namespace field to RegisteredResource proto ([opentdf#3110](opentdf#3110)) ([04fd85d](opentdf@04fd85d)) * **policy:** add namespaced actions schema and namespace-aware action queries ([opentdf#3154](opentdf#3154)) ([c0443f1](opentdf@c0443f1)) * **policy:** add sort ListSubjectMappings API ([opentdf#3255](opentdf#3255)) ([9d5d757](opentdf@9d5d757)) * **policy:** Add sort support listregisteredresources api ([opentdf#3312](opentdf#3312)) ([91a3ff3](opentdf@91a3ff3)) * **policy:** add sort support to ListAttributes API ([opentdf#3223](opentdf#3223)) ([ec3312f](opentdf@ec3312f)) * **policy:** add sort support to ListKeyAccessServer ([opentdf#3287](opentdf#3287)) ([7fae2d7](opentdf@7fae2d7)) * **policy:** Add sort support to ListNamespaces API ([opentdf#3192](opentdf#3192)) ([aac86cd](opentdf@aac86cd)) * **policy:** add sort support to listobligations api ([opentdf#3300](opentdf#3300)) ([9221cac](opentdf@9221cac)) * **policy:** add sort support to ListSubjectConditionSets API ([opentdf#3272](opentdf#3272)) ([9010f12](opentdf@9010f12)) * **policy:** add SortField proto and update PageRequest for sort support ([opentdf#3187](opentdf#3187)) ([6cf1862](opentdf@6cf1862)) * **policy:** Enforce same namespace when actions referenced downstream ([opentdf#3206](opentdf#3206)) ([4b5463a](opentdf@4b5463a)) * **policy:** namespace Registered Resources ([opentdf#3111](opentdf#3111)) ([6db1883](opentdf@6db1883)) * **policy:** Namespace subject mappings and condition sets ([opentdf#3172](opentdf#3172)) ([6deed50](opentdf@6deed50)) * **policy:** Namespace subject mappings and subject condition sets. ([opentdf#3143](opentdf#3143)) ([3006780](opentdf@3006780)) * **policy:** optional namespace for RRs ([opentdf#3165](opentdf#3165)) ([8948018](opentdf@8948018)) * **policy:** rollback migration strategy for namespaced actions ([opentdf#3235](opentdf#3235)) ([f7e5e01](opentdf@f7e5e01)) * **policy:** Seed existing namespaces with standard actions ([opentdf#3228](opentdf#3228)) ([12136b0](opentdf@12136b0)) * **policy:** Seed namespaces with standard actions on creation + namespaced actions for obligation triggers ([opentdf#3161](opentdf#3161)) ([984d76b](opentdf@984d76b)) ### Bug Fixes * **ci:** Upgrade toolchain version to 1.25.8 ([opentdf#3116](opentdf#3116)) ([e1b7882](opentdf@e1b7882)) * **core:** do not concat slashes directly in url/file paths ([opentdf#3290](opentdf#3290)) ([114c2a7](opentdf@114c2a7)) * **deps:** bump github.com/jackc/pgx/v5 from 5.7.5 to 5.9.0 in /service ([opentdf#3316](opentdf#3316)) ([017362e](opentdf@017362e)) * **deps:** bump github.com/opentdf/platform/lib/identifier from 0.2.0 to 0.3.0 in /service ([opentdf#3162](opentdf#3162)) ([8bc5dcd](opentdf@8bc5dcd)) * **deps:** bump github.com/opentdf/platform/protocol/go from 0.16.0 to 0.17.0 in /service ([opentdf#3125](opentdf#3125)) ([29fec61](opentdf@29fec61)) * **deps:** bump github.com/opentdf/platform/protocol/go from 0.17.0 to 0.21.0 in /service ([opentdf#3220](opentdf#3220)) ([e63add2](opentdf@e63add2)) * **deps:** bump github.com/opentdf/platform/protocol/go from 0.21.0 to 0.22.0 in /service ([opentdf#3248](opentdf#3248)) ([1ebce73](opentdf@1ebce73)) * **deps:** bump github.com/opentdf/platform/protocol/go from 0.22.0 to 0.23.0 in /service ([opentdf#3271](opentdf#3271)) ([3338b8e](opentdf@3338b8e)) * **deps:** bump github.com/opentdf/platform/protocol/go from 0.23.0 to 0.24.0 in /service ([opentdf#3321](opentdf#3321)) ([78e6022](opentdf@78e6022)) * **deps:** bump github.com/opentdf/platform/protocol/go from 0.24.0 to 0.25.0 in /service ([opentdf#3333](opentdf#3333)) ([3940bf8](opentdf@3940bf8)) * **deps:** bump github.com/opentdf/platform/sdk from 0.13.0 to 0.16.0 in /service ([opentdf#3356](opentdf#3356)) ([5617077](opentdf@5617077)) * **deps:** bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.42.0 to 1.43.0 in /service ([opentdf#3282](opentdf#3282)) ([046374a](opentdf@046374a)) * **deps:** bump go.opentelemetry.io/otel/sdk from 1.42.0 to 1.43.0 in /service ([opentdf#3281](opentdf#3281)) ([56b33f2](opentdf@56b33f2)) * **deps:** bump google.golang.org/grpc from 1.77.0 to 1.79.3 in /service ([opentdf#3176](opentdf#3176)) ([3289502](opentdf@3289502)) * **deps:** remove direct github.com/docker/docker dependency ([opentdf#3229](opentdf#3229)) ([2becb27](opentdf@2becb27)) * **deps:** upgrade testcontainers-go to resolve vulns ([opentdf#3299](opentdf#3299)) ([72c6f9b](opentdf@72c6f9b)) * **ers:** include standard JWT claims in claims mode entity resolution ([opentdf#3196](opentdf#3196)) ([6d50da1](opentdf@6d50da1)) * **ers:** ldap multi-strategy ers ([opentdf#3117](opentdf#3117)) ([d3aaf1a](opentdf@d3aaf1a)) * **policy:** deprecate ListAttributeValues in favor of existing GetAttribute ([opentdf#3108](opentdf#3108)) ([7e17c2d](opentdf@7e17c2d)) * **policy:** make obligation trigger uniqueness client-aware ([opentdf#3114](opentdf#3114)) ([9265bc3](opentdf@9265bc3)) * **policy:** omit empty attribute values from create responses ([opentdf#3193](opentdf#3193)) ([d298378](opentdf@d298378)) * **policy:** only require namespace on GetAction if no id provided ([opentdf#3144](opentdf#3144)) ([10d0c0f](opentdf@10d0c0f)) * **policy:** Optional namespace on actions protos, NamespacedPolicy feature flag ([opentdf#3155](opentdf#3155)) ([c20f039](opentdf@c20f039)) * **policy:** order List* results by created_at ([opentdf#3088](opentdf#3088)) ([ea90ac2](opentdf@ea90ac2)) * **sdk:** normalize issuer URL before OIDC discovery ([opentdf#3261](opentdf#3261)) ([61f98c9](opentdf@61f98c9)) * **sdk:** reclassify KAS 400 errors — distinguish tamper from misconfiguration ([opentdf#3166](opentdf#3166)) ([f04a385](opentdf@f04a385)) * **sdk:** remove testcontainers from consumer dependency graph ([opentdf#3129](opentdf#3129)) ([f17dcdd](opentdf@f17dcdd)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Proposed Changes
Checklist
Testing Instructions
Summary by CodeRabbit