2 changes: 1 addition & 1 deletion .github/workflows/main.yaml
Expand Up @@ -28,7 +28,7 @@ env:
WEAVIATE_134: 1.34.19
WEAVIATE_135: 1.35.16-efdedfa
WEAVIATE_136: 1.36.9-d905e6c
WEAVIATE_137: 1.37.0-rc.1-bc3891e
WEAVIATE_137: 1.37.1

jobs:
lint-and-format:
59 changes: 59 additions & 0 deletions integration/test_rbac.py
Expand Up @@ -14,6 +14,7 @@
CollectionsPermissionOutput,
DataPermissionOutput,
GroupsPermissionOutput,
MCPPermissionOutput,
NodesPermissionOutput,
Role,
ReplicatePermissionOutput,
Expand Down Expand Up @@ -44,6 +45,7 @@
backups_permissions=[
BackupsPermissionOutput(collection="Test", actions={Actions.Backups.MANAGE})
],
mcp_permissions=[],
nodes_permissions=[],
tenants_permissions=[],
replicate_permissions=[],
Expand All @@ -62,6 +64,7 @@
roles_permissions=[],
data_permissions=[],
backups_permissions=[],
mcp_permissions=[],
nodes_permissions=[],
tenants_permissions=[],
replicate_permissions=[],
Expand All @@ -84,6 +87,7 @@
roles_permissions=[],
data_permissions=[],
backups_permissions=[],
mcp_permissions=[],
nodes_permissions=[],
tenants_permissions=[],
replicate_permissions=[],
Expand All @@ -104,6 +108,7 @@
DataPermissionOutput(collection="*", tenant="*", actions={Actions.Data.CREATE})
],
backups_permissions=[],
mcp_permissions=[],
nodes_permissions=[],
tenants_permissions=[],
replicate_permissions=[],
Expand Down Expand Up @@ -137,6 +142,7 @@
),
],
backups_permissions=[],
mcp_permissions=[],
nodes_permissions=[],
tenants_permissions=[],
replicate_permissions=[],
Expand All @@ -155,6 +161,7 @@
roles_permissions=[],
data_permissions=[],
backups_permissions=[],
mcp_permissions=[],
nodes_permissions=[
NodesPermissionOutput(
verbosity="verbose", actions={Actions.Nodes.READ}, collection="Test"
Expand All @@ -177,6 +184,7 @@
roles_permissions=[],
data_permissions=[],
backups_permissions=[],
mcp_permissions=[],
nodes_permissions=[
NodesPermissionOutput(
verbosity="minimal", actions={Actions.Nodes.READ}, collection="*"
Expand All @@ -203,6 +211,7 @@
],
data_permissions=[],
backups_permissions=[],
mcp_permissions=[],
nodes_permissions=[],
tenants_permissions=[],
replicate_permissions=[],
Expand All @@ -221,6 +230,7 @@
roles_permissions=[],
data_permissions=[],
backups_permissions=[],
mcp_permissions=[],
nodes_permissions=[],
tenants_permissions=[
TenantsPermissionOutput(
Expand All @@ -247,6 +257,7 @@
roles_permissions=[],
data_permissions=[],
backups_permissions=[],
mcp_permissions=[],
nodes_permissions=[],
tenants_permissions=[
TenantsPermissionOutput(
Expand Down Expand Up @@ -290,6 +301,7 @@
roles_permissions=[],
data_permissions=[],
backups_permissions=[],
mcp_permissions=[],
nodes_permissions=[],
tenants_permissions=[],
replicate_permissions=[],
Expand All @@ -310,6 +322,7 @@
roles_permissions=[],
data_permissions=[],
backups_permissions=[],
mcp_permissions=[],
nodes_permissions=[],
tenants_permissions=[],
replicate_permissions=[
Expand Down Expand Up @@ -355,6 +368,7 @@
roles_permissions=[],
data_permissions=[],
backups_permissions=[],
mcp_permissions=[],
nodes_permissions=[],
tenants_permissions=[],
replicate_permissions=[],
Expand All @@ -379,6 +393,7 @@
roles_permissions=[],
data_permissions=[],
backups_permissions=[],
mcp_permissions=[],
nodes_permissions=[],
tenants_permissions=[],
replicate_permissions=[],
Expand All @@ -403,13 +418,56 @@
roles_permissions=[],
data_permissions=[],
backups_permissions=[],
mcp_permissions=[],
nodes_permissions=[],
tenants_permissions=[],
replicate_permissions=[],
groups_permissions=[],
),
32, # Minimum version for alias permissions
),
(
Permissions.mcp(create=True, read=True, update=True),
Role(
name="MCPAll",
alias_permissions=[],
cluster_permissions=[],
users_permissions=[],
collections_permissions=[],
roles_permissions=[],
data_permissions=[],
backups_permissions=[],
mcp_permissions=[
MCPPermissionOutput(
actions={Actions.MCP.CREATE, Actions.MCP.READ, Actions.MCP.UPDATE}
)
],
nodes_permissions=[],
tenants_permissions=[],
replicate_permissions=[],
groups_permissions=[],
),
37, # Minimum version for MCP permissions
),
(
Permissions.mcp(read=True),
Role(
name="MCPRead",
alias_permissions=[],
cluster_permissions=[],
users_permissions=[],
collections_permissions=[],
roles_permissions=[],
data_permissions=[],
backups_permissions=[],
mcp_permissions=[MCPPermissionOutput(actions={Actions.MCP.READ})],
nodes_permissions=[],
tenants_permissions=[],
replicate_permissions=[],
groups_permissions=[],
),
37, # Minimum version for MCP permissions
),
(
Permissions.Groups.oidc(group="MyGroup", read=True),
Role(
Expand All @@ -421,6 +479,7 @@
roles_permissions=[],
data_permissions=[],
backups_permissions=[],
mcp_permissions=[],
nodes_permissions=[],
tenants_permissions=[],
replicate_permissions=[],
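Review bot: The two new cases, `MCPAll` and `MCPRead`, only pair a `Permissions.mcp(...)` input with the `Role` expected back, so as far as this section shows they verify serialisation and not enforcement. For an RBAC feature the more valuable check is the negative one: a user holding only `MCPRead` is refused whatever `create_mcp` and `update_mcp` gate on the server. The parametrize list and the test function that consumes these tuples start outside the visible hunks, so an enforcement test may exist elsewhere; if it does not, I would add one next to these cases. A case for a single write action, e.g. `Permissions.mcp(update=True)`, would also confirm that `update_mcp` and `create_mcp` are kept apart when a role is read back.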
49 changes: 49 additions & 0 deletions weaviate/rbac/models.py
Expand Up @@ -252,6 +252,16 @@ def values() -> List[str]:
return [action.value for action in BackupsAction]


class MCPAction(str, _Action, Enum):
CREATE = "create_mcp"
READ = "read_mcp"
UPDATE = "update_mcp"

@staticmethod
def values() -> List[str]:
return [action.value for action in MCPAction]


class ReplicateAction(str, _Action, Enum):
CREATE = "create_replicate"
READ = "read_replicate"
Expand Down Expand Up @@ -407,6 +417,16 @@ def _to_weaviate(self) -> List[WeaviatePermission]:
]


class _MCPPermission(_Permission[MCPAction]):
def _to_weaviate(self) -> List[WeaviatePermission]:
return [
{
"action": action,
}
for action in self.actions
]


class _ClusterPermission(_Permission[ClusterAction]):
def _to_weaviate(self) -> List[WeaviatePermission]:
return [
Expand Down Expand Up @@ -470,6 +490,10 @@ class BackupsPermissionOutput(_BackupsPermission):
pass


class MCPPermissionOutput(_MCPPermission):
pass


class NodesPermissionOutput(_NodesPermission):
pass

Expand All @@ -486,6 +510,7 @@ class TenantsPermissionOutput(_TenantsPermission):
RolesPermissionOutput,
UsersPermissionOutput,
BackupsPermissionOutput,
MCPPermissionOutput,
NodesPermissionOutput,
TenantsPermissionOutput,
ReplicatePermissionOutput,
Expand All @@ -507,6 +532,7 @@ class Role(RoleBase):
roles_permissions: List[RolesPermissionOutput]
users_permissions: List[UsersPermissionOutput]
backups_permissions: List[BackupsPermissionOutput]
mcp_permissions: List[MCPPermissionOutput]
nodes_permissions: List[NodesPermissionOutput]
tenants_permissions: List[TenantsPermissionOutput]
replicate_permissions: List[ReplicatePermissionOutput]
Expand All @@ -522,6 +548,7 @@ def permissions(self) -> List[PermissionsOutputType]:
permissions.extend(self.roles_permissions)
permissions.extend(self.users_permissions)
permissions.extend(self.backups_permissions)
permissions.extend(self.mcp_permissions)
permissions.extend(self.nodes_permissions)
permissions.extend(self.tenants_permissions)
permissions.extend(self.replicate_permissions)
Expand All @@ -537,6 +564,7 @@ def _from_weaviate_role(cls, role: WeaviateRole) -> "Role":
roles_permissions: List[RolesPermissionOutput] = []
data_permissions: List[DataPermissionOutput] = []
backups_permissions: List[BackupsPermissionOutput] = []
mcp_permissions: List[MCPPermissionOutput] = []
nodes_permissions: List[NodesPermissionOutput] = []
tenants_permissions: List[TenantsPermissionOutput] = []
replicate_permissions: List[ReplicatePermissionOutput] = []
Expand Down Expand Up @@ -605,6 +633,10 @@ def _from_weaviate_role(cls, role: WeaviateRole) -> "Role":
actions={BackupsAction(permission["action"])},
)
)
elif permission["action"] in MCPAction.values():
mcp_permissions.append(
MCPPermissionOutput(actions={MCPAction(permission["action"])})
)
elif permission["action"] in NodesAction.values():
nodes = permission.get("nodes")
if nodes is not None:
Expand Down Expand Up @@ -658,6 +690,7 @@ def _from_weaviate_role(cls, role: WeaviateRole) -> "Role":
groups_permissions=_join_permissions(groups_permissions),
data_permissions=_join_permissions(data_permissions),
backups_permissions=_join_permissions(backups_permissions),
mcp_permissions=_join_permissions(mcp_permissions),
nodes_permissions=_join_permissions(nodes_permissions),
tenants_permissions=_join_permissions(tenants_permissions),
replicate_permissions=_join_permissions(replicate_permissions),
Expand Down Expand Up @@ -710,6 +743,7 @@ class Actions:
Cluster = ClusterAction
Nodes = NodesAction
Backups = BackupsAction
MCP = MCPAction
Tenants = TenantsAction
Users = UsersAction
Replicate = ReplicateAction
Expand Down Expand Up @@ -1020,6 +1054,21 @@ def backup(
permissions.append(permission)
return permissions

@staticmethod
def mcp(
*, create: bool = False, read: bool = False, update: bool = False
) -> PermissionsCreateType:
actions: Set[MCPAction] = set()
if create:
actions.add(MCPAction.CREATE)
if read:
actions.add(MCPAction.READ)
if update:
actions.add(MCPAction.UPDATE)
if len(actions) > 0:
return [_MCPPermission(actions=actions)]
return []

@staticmethod
def cluster(*, read: bool = False) -> PermissionsCreateType:
if read:
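Review bot: `Permissions.mcp` and `MCPAction` join the public RBAC surface without a docstring, and nothing in this section says what `create_mcp`, `read_mcp` and `update_mcp` authorise. `_MCPPermission._to_weaviate` emits only `{"action": action}`, with no collection or tenant field, so these grants appear to be unscoped, which matters to anyone building least-privilege roles. I would add a docstring to `mcp` such as `"""Create MCP permissions. They carry no collection or tenant filter; with every flag False the result is an empty list."""`, plus a one-line class docstring on `MCPAction`. The integration test on this page uses 37 as the minimum version for MCP permissions, so the docstring could also name the required server release once that is confirmed.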