feat: Update GQL user mutation to allow set uid/gid

fregataa · fregataa · commit 6c4b57115094 · 2025-02-05T19:07:59.000+09:00
diff --git a/changes/3352.feature.md b/changes/3352.feature.md
@@ -0,0 +1 @@
+Enable per-user UID/GID set for containers via user creation and update GraphQL APIs
diff --git a/docs/manager/graphql-reference/schema.graphql b/docs/manager/graphql-reference/schema.graphql
@@ -732,6 +732,21 @@ type UserNode implements Node {
   totp_activated: Boolean
   totp_activated_at: DateTime
   sudo_session_enabled: Boolean
+
+  """
+  Added in 25.2.0. The user ID (UID) assigned to processes running inside the container.
+  """
+  container_uid: Int
+
+  """
+  Added in 25.2.0. The primary group ID (GID) assigned to processes running inside the container.
+  """
+  container_main_gid: Int
+
+  """
+  Added in 25.2.0. Supplementary group IDs assigned to processes running inside the container.
+  """
+  container_gids: [Int]
 }
 
 """Added in 24.03.0"""
@@ -835,6 +850,21 @@ type User implements Item {
   Added in 24.03.0. Used as the default authentication credential for password-based logins and sets the user's total resource usage limit. User's main_access_key cannot be deleted, and only super-admin can replace main_access_key.
   """
   main_access_key: String
+
+  """
+  Added in 25.2.0. The user ID (UID) assigned to processes running inside the container.
+  """
+  container_uid: Int
+
+  """
+  Added in 25.2.0. The primary group ID (GID) assigned to processes running inside the container.
+  """
+  container_main_gid: Int
+
+  """
+  Added in 25.2.0. Supplementary group IDs assigned to processes running inside the container.
+  """
+  container_gids: [Int]
   groups: [UserGroup]
 }
 
@@ -2131,6 +2161,21 @@ input UserInput {
   totp_activated: Boolean = false
   resource_policy: String = "default"
   sudo_session_enabled: Boolean = false
+
+  """
+  Added in 25.2.0. The user ID (UID) assigned to processes running inside the container.
+  """
+  container_uid: Int
+
+  """
+  Added in 25.2.0. The primary group ID (GID) assigned to processes running inside the container.
+  """
+  container_main_gid: Int
+
+  """
+  Added in 25.2.0. Supplementary group IDs assigned to processes running inside the container.
+  """
+  container_gids: [Int]
 }
 
 type ModifyUser {
@@ -2155,6 +2200,21 @@ input ModifyUserInput {
   resource_policy: String
   sudo_session_enabled: Boolean
   main_access_key: String
+
+  """
+  Added in 25.2.0. The user ID (UID) assigned to processes running inside the container.
+  """
+  container_uid: Int
+
+  """
+  Added in 25.2.0. The primary group ID (GID) assigned to processes running inside the container.
+  """
+  container_main_gid: Int
+
+  """
+  Added in 25.2.0. Supplementary group IDs assigned to processes running inside the container.
+  """
+  container_gids: [Int]
 }
 
 """
diff --git a/src/ai/backend/manager/models/gql_models/user.py b/src/ai/backend/manager/models/gql_models/user.py
@@ -52,6 +52,16 @@ class Meta:
     totp_activated = graphene.Boolean()
     totp_activated_at = GQLDateTime()
     sudo_session_enabled = graphene.Boolean()
+    container_uid = graphene.Int(
+        description="Added in 25.2.0. The user ID (UID) assigned to processes running inside the container."
+    )
+    container_main_gid = graphene.Int(
+        description="Added in 25.2.0. The primary group ID (GID) assigned to processes running inside the container."
+    )
+    container_gids = graphene.List(
+        lambda: graphene.Int,
+        description="Added in 25.2.0. Supplementary group IDs assigned to processes running inside the container.",
+    )
 
     @classmethod
     def from_row(cls, ctx: GraphQueryContext, row: UserRow) -> Self:
@@ -74,6 +84,9 @@ def from_row(cls, ctx: GraphQueryContext, row: UserRow) -> Self:
             totp_activated=row.totp_activated,
             totp_activated_at=row.totp_activated_at,
             sudo_session_enabled=row.sudo_session_enabled,
+            container_uid=row.container_uid,
+            container_main_gid=row.container_main_gid,
+            container_gids=row.container_gids,
         )
 
     @classmethod
diff --git a/src/ai/backend/manager/models/user.py b/src/ai/backend/manager/models/user.py
@@ -256,6 +256,16 @@ class Meta:
             " be deleted, and only super-admin can replace main_access_key."
         )
     )
+    container_uid = graphene.Int(
+        description="Added in 25.2.0. The user ID (UID) assigned to processes running inside the container."
+    )
+    container_main_gid = graphene.Int(
+        description="Added in 25.2.0. The primary group ID (GID) assigned to processes running inside the container."
+    )
+    container_gids = graphene.List(
+        lambda: graphene.Int,
+        description="Added in 25.2.0. Supplementary group IDs assigned to processes running inside the container.",
+    )
 
     groups = graphene.List(lambda: UserGroup)
 
@@ -295,6 +305,9 @@ def from_row(
             totp_activated_at=row["totp_activated_at"],
             sudo_session_enabled=row["sudo_session_enabled"],
             main_access_key=row["main_access_key"],
+            container_uid=row["container_uid"],
+            container_main_gid=row["container_main_gid"],
+            container_gids=row["container_gids"],
         )
 
     @classmethod
@@ -557,6 +570,19 @@ class UserInput(graphene.InputObjectType):
     totp_activated = graphene.Boolean(required=False, default_value=False)
     resource_policy = graphene.String(required=False, default_value="default")
     sudo_session_enabled = graphene.Boolean(required=False, default_value=False)
+    container_uid = graphene.Int(
+        required=False,
+        description="Added in 25.2.0. The user ID (UID) assigned to processes running inside the container.",
+    )
+    container_main_gid = graphene.Int(
+        required=False,
+        description="Added in 25.2.0. The primary group ID (GID) assigned to processes running inside the container.",
+    )
+    container_gids = graphene.List(
+        lambda: graphene.Int,
+        required=False,
+        description="Added in 25.2.0. Supplementary group IDs assigned to processes running inside the container.",
+    )
     # When creating, you MUST set all fields.
     # When modifying, set the field to "None" to skip setting the value.
 
@@ -577,6 +603,19 @@ class ModifyUserInput(graphene.InputObjectType):
     resource_policy = graphene.String(required=False)
     sudo_session_enabled = graphene.Boolean(required=False, default=False)
     main_access_key = graphene.String(required=False)
+    container_uid = graphene.Int(
+        required=False,
+        description="Added in 25.2.0. The user ID (UID) assigned to processes running inside the container.",
+    )
+    container_main_gid = graphene.Int(
+        required=False,
+        description="Added in 25.2.0. The primary group ID (GID) assigned to processes running inside the container.",
+    )
+    container_gids = graphene.List(
+        lambda: graphene.Int,
+        required=False,
+        description="Added in 25.2.0. Supplementary group IDs assigned to processes running inside the container.",
+    )
 
 
 class PurgeUserInput(graphene.InputObjectType):
@@ -626,6 +665,9 @@ async def mutate(
             "resource_policy": props.resource_policy,
             "sudo_session_enabled": props.sudo_session_enabled,
         }
+        set_if_set(props, user_data, "container_uid")
+        set_if_set(props, user_data, "container_main_gid")
+        set_if_set(props, user_data, "container_gids")
         user_insert_query = sa.insert(users).values(user_data)
 
         async def _post_func(conn: SAConnection, result: Result) -> Row:
@@ -737,6 +779,9 @@ async def mutate(
         set_if_set(props, data, "sudo_session_enabled")
         set_if_set(props, data, "main_access_key")
         set_if_set(props, data, "is_active")
+        set_if_set(props, data, "container_uid")
+        set_if_set(props, data, "container_main_gid")
+        set_if_set(props, data, "container_gids")
         if data.get("password") is None:
             data.pop("password", None)
         if not data and not props.group_ids:

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Enable per-user UID/GID set for containers via user creation and update GraphQL APIs`