fix: set SqlRecord owner to None when owner_principal is empty (#4284)

Changes SqlRecord creation in AuthorizedSqlStore.fetch_all to use owner=None when owner_principal is empty/missing, matching the ResourceWithOwner pattern used in routing tables. This fixes an inconsistency where SQL store was creating User(principal="") while routing tables use owner=None for public resources. Changes: o Update ProtectedResource Protocol to allow owner: User | None o Update SqlRecord.__init__ to accept owner: User | None o Update fetch_all to create owner=None for records without owner_principal Signed-off-by: Derek Higgins <derekh@redhat.com>
2025-12-06 10:37:22 +00:00 · 2025-12-03 18:28:33 +00:00 · 2025-12-03 18:28:33 +00:00 · fcd6370b34
commit fcd6370b34
parent aa3898f486
4 changed files with 64 additions and 11 deletions
--- a/src/llama_stack/core/access_control/conditions.py
+++ b/src/llama_stack/core/access_control/conditions.py
@ -15,7 +15,7 @@ class User(Protocol):
 class ProtectedResource(Protocol):
    type: str
    identifier: str
-    owner: User
+    owner: User | None


 class Condition(Protocol):
--- a/src/llama_stack/core/storage/sqlstore/authorized_sqlstore.py
+++ b/src/llama_stack/core/storage/sqlstore/authorized_sqlstore.py
@ -56,7 +56,7 @@ def _enhance_item_with_access_control(item: Mapping[str, Any], current_user: Use


 class SqlRecord(ProtectedResource):
-    def __init__(self, record_id: str, table_name: str, owner: User):
+    def __init__(self, record_id: str, table_name: str, owner: User | None):
        self.type = f"sql_record::{table_name}"
        self.identifier = record_id
        self.owner = owner
@ -171,12 +171,16 @@ class AuthorizedSqlStore:

        for row in rows.data:
            stored_access_attrs = row.get("access_attributes")
-            stored_owner_principal = row.get("owner_principal") or ""
+            stored_owner_principal = row.get("owner_principal")

            record_id = row.get("id", "unknown")
-            sql_record = SqlRecord(
-                str(record_id), table, User(principal=stored_owner_principal, attributes=stored_access_attrs)
+            # Create owner as None if owner_principal is empty/missing, matching ResourceWithOwner behavior
+            owner = (
+                User(principal=stored_owner_principal, attributes=stored_access_attrs)
+                if stored_owner_principal
+                else None
            )
+            sql_record = SqlRecord(str(record_id), table, owner)

            if is_action_allowed(self.policy, action, sql_record, current_user):
                filtered_rows.append(row)