Support for Groups as Principal (#1574)

* Add principal kind for GROUP

* Add group members table

* Add pluggable group membership service

* Add API endpoints to support groups

* Add groups-related models

* Fix database migration

Author: shangyian

datajunction-server/datajunction_server/alembic/versions/2025_11_25_1500-a1b2c3d4e5f6_add_groups_support.py

@@ -0,0 +1,81 @@
+"""
+Add groups support
+
+Revision ID: a1b2c3d4e5f6
+Revises: be76e22dd71a
+Create Date: 2025-11-25 15:00:00.000000+00:00
+"""
+# pylint: disable=no-member, invalid-name, missing-function-docstring, unused-import, no-name-in-module
+
+import sqlalchemy as sa
+from alembic import op
+
+
+# revision identifiers, used by Alembic.
+revision = "a1b2c3d4e5f6"
+down_revision = "95732205ad12"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.execute("ALTER TYPE principalkind ADD VALUE 'GROUP'")
+
+    op.create_table(
+        "group_members",
+        sa.Column(
+            "group_id",
+            sa.BigInteger().with_variant(sa.Integer(), "sqlite"),
+            nullable=False,
+        ),
+        sa.Column(
+            "member_id",
+            sa.BigInteger().with_variant(sa.Integer(), "sqlite"),
+            nullable=False,
+        ),
+        sa.Column(
+            "added_at",
+            sa.DateTime(timezone=True),
+            nullable=False,
+            server_default=sa.text("NOW()"),
+        ),
+        sa.ForeignKeyConstraint(
+            ["group_id"],
+            ["users.id"],
+            name="fk_group_members_group_id",
+            ondelete="CASCADE",
+        ),
+        sa.ForeignKeyConstraint(
+            ["member_id"],
+            ["users.id"],
+            name="fk_group_members_member_id",
+            ondelete="CASCADE",
+        ),
+        sa.PrimaryKeyConstraint("group_id", "member_id"),
+        sa.CheckConstraint(
+            "group_id != member_id",
+            name="chk_no_self_membership",
+        ),
+    )
+
+    op.create_index(
+        "idx_group_members_group_id",
+        "group_members",
+        ["group_id"],
+    )
+    op.create_index(
+        "idx_group_members_member_id",
+        "group_members",
+        ["member_id"],
+    )
+
+
+def downgrade():
+    op.drop_index("idx_group_members_member_id", table_name="group_members")
+    op.drop_index("idx_group_members_group_id", table_name="group_members")
+
+    op.drop_table("group_members")
+
+    # Postgres doesn't support removing enum values easily
+    # Users will need to manually handle enum cleanup if needed
+    # Or recreate the enum without GROUP value

datajunction-server/datajunction_server/api/groups.py

@@ -0,0 +1,217 @@
+"""
+Group management APIs.
+"""
+
+from typing import List
+
+from fastapi import Depends, HTTPException
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from datajunction_server.database.group_member import GroupMember
+from datajunction_server.database.user import OAuthProvider, PrincipalKind, User
+from datajunction_server.errors import DJAlreadyExistsException, DJDoesNotExistException
+from datajunction_server.internal.access.authentication.http import SecureAPIRouter
+from datajunction_server.models.group import GroupOutput
+from datajunction_server.models.user import UserOutput
+from datajunction_server.utils import get_session, get_settings
+
+settings = get_settings()
+router = SecureAPIRouter(tags=["groups"])
+
+
+@router.post("/groups/", response_model=GroupOutput, status_code=201)
+async def register_group(
+    username: str,
+    email: str | None = None,
+    name: str | None = None,
+    *,
+    session: AsyncSession = Depends(get_session),
+) -> User:
+    """
+    Register a group in DJ.
+
+    This makes the group available for assignment as a node owner.
+    Group membership can be managed via the membership endpoints (Postgres provider)
+    or resolved externally (LDAP, etc.).
+
+    Args:
+        username: Unique identifier for the group (e.g., 'eng-team')
+        email: Optional email for the group
+        name: Display name (defaults to username)
+    """
+    existing = await User.get_by_username(session, username)
+    if existing:
+        raise DJAlreadyExistsException(message=f"Group {username} already exists")
+
+    # Create group
+    group = User(
+        username=username,
+        email=email,
+        name=name or username,
+        kind=PrincipalKind.GROUP,
+        oauth_provider=OAuthProvider.BASIC,
+    )
+    session.add(group)
+    await session.commit()
+    await session.refresh(group)
+    return group
+
+
+@router.get("/groups/", response_model=List[GroupOutput])
+async def list_groups(
+    *,
+    session: AsyncSession = Depends(get_session),
+) -> List[User]:
+    """
+    List all registered groups.
+    """
+    statement = (
+        select(User).where(User.kind == PrincipalKind.GROUP).order_by(User.username)
+    )
+    result = await session.execute(statement)
+    return list(result.scalars().all())
+
+
+@router.get("/groups/{group_name}", response_model=GroupOutput)
+async def get_group(
+    group_name: str,
+    *,
+    session: AsyncSession = Depends(get_session),
+) -> User:
+    """
+    Get a group by name.
+    """
+    group = await User.get_by_username(session, group_name)
+    if not group or group.kind != PrincipalKind.GROUP:
+        raise HTTPException(status_code=404, detail=f"Group {group_name} not found")
+
+    return group
+
+
+@router.post("/groups/{group_name}/members/", status_code=201)
+async def add_group_member(
+    group_name: str,
+    member_username: str,
+    *,
+    session: AsyncSession = Depends(get_session),
+) -> dict:
+    """
+    Add a member to a group (Postgres provider only).
+
+    For external providers, membership is managed externally and this endpoint is disabled.
+    """
+    if settings.group_membership_provider != "postgres":
+        raise HTTPException(
+            status_code=400,
+            detail=f"Membership management not supported for provider: {settings.group_membership_provider}",
+        )
+
+    # Verify group exists
+    group = await User.get_by_username(session, group_name)
+    if not group or group.kind != PrincipalKind.GROUP:
+        raise DJDoesNotExistException(message=f"Group {group_name} not found")
+
+    # Verify member exists
+    member = await User.get_by_username(session, member_username)
+    if not member:
+        raise DJDoesNotExistException(message=f"User {member_username} not found")
+
+    # Check if already a member
+    existing = await session.execute(
+        select(GroupMember).where(
+            GroupMember.group_id == group.id,
+            GroupMember.member_id == member.id,
+        ),
+    )
+    if existing.scalar_one_or_none():
+        raise HTTPException(
+            status_code=409,
+            detail=f"{member_username} is already a member of {group_name}",
+        )
+
+    # Add membership
+    membership = GroupMember(
+        group_id=group.id,
+        member_id=member.id,
+    )
+    session.add(membership)
+    await session.commit()
+
+    return {"message": f"Added {member_username} to {group_name}"}
+
+
+@router.delete("/groups/{group_name}/members/{member_username}", status_code=204)
+async def remove_group_member(
+    group_name: str,
+    member_username: str,
+    *,
+    session: AsyncSession = Depends(get_session),
+) -> None:
+    """
+    Remove a member from a group (Postgres provider only).
+    """
+    if settings.group_membership_provider != "postgres":
+        raise HTTPException(
+            status_code=400,
+            detail=f"Membership management not supported for provider: {settings.group_membership_provider}",
+        )
+
+    # Verify group and member exist
+    group = await User.get_by_username(session, group_name)
+    if not group or group.kind != PrincipalKind.GROUP:
+        raise DJDoesNotExistException(message=f"Group {group_name} not found")
+
+    member = await User.get_by_username(session, member_username)
+    if not member:
+        raise DJDoesNotExistException(message=f"User {member_username} not found")
+
+    # Remove membership
+    result = await session.execute(
+        select(GroupMember).where(
+            GroupMember.group_id == group.id,
+            GroupMember.member_id == member.id,
+        ),
+    )
+    membership = result.scalar_one_or_none()
+
+    if not membership:
+        raise HTTPException(
+            status_code=404,
+            detail=f"{member_username} is not a member of {group_name}",
+        )
+
+    await session.delete(membership)
+    await session.commit()
+
+
+@router.get("/groups/{group_name}/members/", response_model=List[UserOutput])
+async def list_group_members(
+    group_name: str,
+    *,
+    session: AsyncSession = Depends(get_session),
+) -> List[User]:
+    """
+    List members of a group.
+
+    For Postgres provider: queries group_members table.
+    For external providers: returns empty (membership resolved externally).
+    """
+    # Verify group exists
+    group = await User.get_by_username(session, group_name)
+    if not group or group.kind != PrincipalKind.GROUP:
+        raise HTTPException(status_code=404, detail=f"Group {group_name} not found")
+
+    # Only return members for postgres provider
+    if settings.group_membership_provider != "postgres":
+        return []
+
+    # Query members
+    statement = (
+        select(User)
+        .join(GroupMember, GroupMember.member_id == User.id)
+        .where(GroupMember.group_id == group.id)
+        .order_by(User.username)
+    )
+    result = await session.execute(statement)
+    return list(result.scalars().all())

datajunction-server/datajunction_server/api/main.py

@@ -28,6 +28,7 @@
     dimensions,
     djsql,
     engines,
+    groups,
     health,
     hierarchies,
     history,
@@ -121,6 +122,7 @@ def configure_app(app: FastAPI) -> None:
     app.include_router(graphql_app, prefix="/graphql")
     app.include_router(whoami.router)
     app.include_router(users.router)
+    app.include_router(groups.router)
     app.include_router(basic.router)
     app.include_router(notifications.router)
     app.include_router(service_account.secure_router)

datajunction-server/datajunction_server/config.py

@@ -133,6 +133,11 @@ class Settings(BaseSettings):  # pragma: no cover
     # Interval in seconds for which to expire service account tokens
     service_account_token_expire: int = 3600 * 24 * 30
 
+    # Group membership provider
+    # Options: "postgres" (uses group_members table), "static" (no membership),
+    # or a custom implementation of the GroupMembershipProvider interface
+    group_membership_provider: str = "postgres"
+
     # Interval in seconds with which to expire caching of any indexes
     index_cache_expire: int = 60
 

datajunction-server/datajunction_server/database/__init__.py

@@ -9,6 +9,7 @@
     "Deployment",
     "DimensionLink",
     "Engine",
+    "GroupMember",
     "History",
     "Node",
     "NodeNamespace",
@@ -28,6 +29,7 @@
 from datajunction_server.database.database import Database, Table
 from datajunction_server.database.dimensionlink import DimensionLink
 from datajunction_server.database.engine import Engine
+from datajunction_server.database.group_member import GroupMember
 from datajunction_server.database.measure import Measure
 from datajunction_server.database.namespace import NodeNamespace
 from datajunction_server.database.node import Node, NodeRevision