From cc08f2fe8b2111652dd112d591a3a547c5eb1849 Mon Sep 17 00:00:00 2001 From: Ivan Despot <66276597+g-despot@users.noreply.github.com> Date: Tue, 14 Apr 2026 09:24:36 +0200 Subject: [PATCH 1/3] Add MCP RBAC permission --- .../java/io/weaviate/containers/Weaviate.java | 2 +- .../io/weaviate/integration/RbacITest.java | 4 ++ .../client6/v1/api/rbac/McpPermission.java | 40 +++++++++++++++++++ .../client6/v1/api/rbac/Permission.java | 14 ++++++- .../client6/v1/internal/json/JSONTest.java | 17 ++++++++ 5 files changed, 75 insertions(+), 2 deletions(-) create mode 100644 src/main/java/io/weaviate/client6/v1/api/rbac/McpPermission.java diff --git a/src/it/java/io/weaviate/containers/Weaviate.java b/src/it/java/io/weaviate/containers/Weaviate.java index f0730fb4d..a4cc97734 100644 --- a/src/it/java/io/weaviate/containers/Weaviate.java +++ b/src/it/java/io/weaviate/containers/Weaviate.java @@ -45,7 +45,7 @@ public enum Version { V134(1, 34, 7), V135(1, 35, 2), V136(1, 36, 9), - V137(1, 37, "0-rc.0"); + V137(1, 37, "0-rc.1"); public final SemanticVersion semver; diff --git a/src/it/java/io/weaviate/integration/RbacITest.java b/src/it/java/io/weaviate/integration/RbacITest.java index 55a20ece7..d80e8e368 100644 --- a/src/it/java/io/weaviate/integration/RbacITest.java +++ b/src/it/java/io/weaviate/integration/RbacITest.java @@ -14,6 +14,7 @@ import io.weaviate.client6.v1.api.rbac.AliasesPermission; import io.weaviate.client6.v1.api.rbac.BackupsPermission; import io.weaviate.client6.v1.api.rbac.ClusterPermission; +import io.weaviate.client6.v1.api.rbac.McpPermission; import io.weaviate.client6.v1.api.rbac.CollectionsPermission; import io.weaviate.client6.v1.api.rbac.DataPermission; import io.weaviate.client6.v1.api.rbac.GroupsPermission; 
@@ -83,6 +84,9 @@ public void test_roles_Lifecycle() throws IOException { permissions.add( Permission.groups("my-group", GroupType.OIDC, GroupsPermission.Action.READ)); }); + requireAtLeast(Weaviate.Version.V137, () -> { + permissions.add(Permission.mcp(McpPermission.Action.MANAGE)); + }); // Act: create role client.roles.create(nsRole, permissions); diff --git a/src/main/java/io/weaviate/client6/v1/api/rbac/McpPermission.java b/src/main/java/io/weaviate/client6/v1/api/rbac/McpPermission.java new file mode 100644 index 000000000..adf5fec57 --- /dev/null +++ b/src/main/java/io/weaviate/client6/v1/api/rbac/McpPermission.java @@ -0,0 +1,40 @@ +package io.weaviate.client6.v1.api.rbac; + +import java.util.Arrays; +import java.util.List; + +import com.google.gson.annotations.SerializedName; + +public record McpPermission( + @SerializedName("actions") List actions) implements Permission { + + public McpPermission(Action... actions) { + this(Arrays.asList(actions)); + } + + @Override + public Permission.Kind _kind() { + return Permission.Kind.MCP; + } + + @Override + public Object self() { + return this; + } + + public enum Action implements RbacAction { + @SerializedName("manage_mcp") + MANAGE("manage_mcp"); + + private final String jsonValue; + + private Action(String jsonValue) { + this.jsonValue = jsonValue; + } + + @Override + public String jsonValue() { + return jsonValue; + } + } +} diff --git a/src/main/java/io/weaviate/client6/v1/api/rbac/Permission.java b/src/main/java/io/weaviate/client6/v1/api/rbac/Permission.java index 9374c4e35..573a2fed6 100644 --- a/src/main/java/io/weaviate/client6/v1/api/rbac/Permission.java +++ b/src/main/java/io/weaviate/client6/v1/api/rbac/Permission.java 
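Review bot: The varargs constructor in McpPermission.java stores `Arrays.asList(actions)`, which is a view over the caller's array, and the record's canonical constructor keeps whatever list it is handed, so the action set of a permission can still change after the object is built. For a value that describes granted RBAC actions, take a snapshot instead by adding a compact constructor with `actions = List.copyOf(actions);`, which also rejects a null list or null elements up front. Whether the sibling permission records in this package already copy their lists is not visible here, so keep the behaviour consistent with them.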
@@ -41,7 +41,8 @@ enum Kind implements JsonEnum { USERS("users"), // Fake permission kinds: Weaviate does not use those. - CLUSTER("cluster"); + CLUSTER("cluster"), + MCP("mcp"); private static final Map jsonValueMap = JsonEnum.collectNames(Kind.values()); private final String jsonValue; @@ -153,6 +154,14 @@ public static UsersPermission users(String userId, UsersPermission.Action... act return new UsersPermission(userId, actions); } + /** + * Create {@link McpPermission}. + */ + public static McpPermission mcp(McpPermission.Action... actions) { + checkDeprecation(actions); + return new McpPermission(actions); + } + /** * Create {@link ReplicatePermission}. * @@ -222,6 +231,7 @@ private final void init(Gson gson) { addAdapter(gson, Permission.Kind.ROLES, RolesPermission.class); addAdapter(gson, Permission.Kind.NODES, NodesPermission.class); addAdapter(gson, Permission.Kind.TENANTS, TenantsPermission.class); + addAdapter(gson, Permission.Kind.MCP, McpPermission.class); addAdapter(gson, Permission.Kind.REPLICATE, ReplicatePermission.class); addAdapter(gson, Permission.Kind.USERS, UsersPermission.class); addAdapter(gson, Permission.Kind.CLUSTER, ClusterPermission.class); @@ -283,6 +293,8 @@ public Permission read(JsonReader in) throws IOException { var actionString = action.getAsString(); if (actionString.endsWith("_cluster")) { kind = Permission.Kind.CLUSTER; + } else if (actionString.endsWith("_mcp")) { + kind = Permission.Kind.MCP; } else { throw new IllegalArgumentException("unknown RBAC action " + actionString); } diff --git a/src/test/java/io/weaviate/client6/v1/internal/json/JSONTest.java b/src/test/java/io/weaviate/client6/v1/internal/json/JSONTest.java index ffb39f6cd..81aa43868 100644 --- a/src/test/java/io/weaviate/client6/v1/internal/json/JSONTest.java +++ b/src/test/java/io/weaviate/client6/v1/internal/json/JSONTest.java 
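Review bot: The Javadoc on the new `Permission.mcp(McpPermission.Action... actions)` factory is a single line and does not say what an empty argument list means. The JSONTest case in this series shows one JSON permission entry per action, so `Permission.mcp()` with no arguments presumably produces a permission that serialises to nothing and grants nothing. If that is the case, document it, for example `@param actions MCP actions to grant; an empty list yields no permission entries.`, or reject the empty call.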
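Review bot: In the `read` hunk, any action string ending in `_mcp` is now classified as `Permission.Kind.MCP`, so an MCP action this client does not define skips the `unknown RBAC action` exception and goes to the `McpPermission.Action` mapping instead. Gson's default enum handling turns an unrecognised name into null rather than failing, so unless the adapter (not visible here) guards against it, a role from a newer server could be shown with a null or missing MCP action. An RBAC client that silently under-reports permissions is harder to audit than one that fails loudly. Consider tightening the branch, for example `} else if (actionString.endsWith("_mcp") && Arrays.stream(McpPermission.Action.values()).anyMatch(a -> a.jsonValue().equals(actionString))) {` (Permission.java may need the `java.util.Arrays` import), and add a JSONTest case with an unrecognised `*_mcp` action. The existing `_cluster` branch follows the same suffix pattern, and the body of `read` starts and ends outside the hunk.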
@@ -66,6 +66,7 @@ import io.weaviate.client6.v1.api.rbac.AliasesPermission; import io.weaviate.client6.v1.api.rbac.BackupsPermission; import io.weaviate.client6.v1.api.rbac.ClusterPermission; +import io.weaviate.client6.v1.api.rbac.McpPermission; import io.weaviate.client6.v1.api.rbac.CollectionsPermission; import io.weaviate.client6.v1.api.rbac.DataPermission; import io.weaviate.client6.v1.api.rbac.GroupsPermission; @@ -1473,6 +1474,22 @@ public static Object[][] testCases() { } """ }, + { + Role.class, + new Role( + "rock-n-role", + List.of( + new McpPermission( + List.of(McpPermission.Action.MANAGE)))), + """ + { + "name": "rock-n-role", + "permissions": [ + { "action": "manage_mcp" } + ] + } + """ + }, { Role.class, new Role( From 8bb2bf8a9d2ca6415503b310c1e9f51d336abe8a Mon Sep 17 00:00:00 2001 From: Ivan Despot <66276597+g-despot@users.noreply.github.com> Date: Fri, 17 Apr 2026 10:27:12 +0200 Subject: [PATCH 2/3] Refactor MCP permissions --- .github/workflows/test.yaml | 2 +- src/it/java/io/weaviate/containers/Weaviate.java | 2 +- src/it/java/io/weaviate/integration/RbacITest.java | 4 +++- .../io/weaviate/client6/v1/api/rbac/McpPermission.java | 10 ++++++++-- .../io/weaviate/client6/v1/internal/json/JSONTest.java | 6 ++++-- 5 files changed, 17 insertions(+), 7 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 4bd1c5569..7808b5a7d 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -92,7 +92,7 @@ jobs: fail-fast: false matrix: WEAVIATE_VERSION: - ["1.32.24", "1.33.11", "1.34.7", "1.35.2", "1.36.9", "1.37.0-rc.0"] + ["1.32.24", "1.33.11", "1.34.7", "1.35.2", "1.36.9", "1.37.1"] steps: - uses: actions/checkout@v4 diff --git a/src/it/java/io/weaviate/containers/Weaviate.java b/src/it/java/io/weaviate/containers/Weaviate.java index a4cc97734..2e1305f90 100644 --- a/src/it/java/io/weaviate/containers/Weaviate.java +++ b/src/it/java/io/weaviate/containers/Weaviate.java 
@@ -45,7 +45,7 @@ public enum Version { V134(1, 34, 7), V135(1, 35, 2), V136(1, 36, 9), - V137(1, 37, "0-rc.1"); + V137(1, 37, 1); public final SemanticVersion semver; diff --git a/src/it/java/io/weaviate/integration/RbacITest.java b/src/it/java/io/weaviate/integration/RbacITest.java index d80e8e368..44abf0c4c 100644 --- a/src/it/java/io/weaviate/integration/RbacITest.java +++ b/src/it/java/io/weaviate/integration/RbacITest.java @@ -85,7 +85,9 @@ public void test_roles_Lifecycle() throws IOException { Permission.groups("my-group", GroupType.OIDC, GroupsPermission.Action.READ)); }); requireAtLeast(Weaviate.Version.V137, () -> { - permissions.add(Permission.mcp(McpPermission.Action.MANAGE)); + permissions.add(Permission.mcp(McpPermission.Action.CREATE)); + permissions.add(Permission.mcp(McpPermission.Action.READ)); + permissions.add(Permission.mcp(McpPermission.Action.UPDATE)); }); // Act: create role diff --git a/src/main/java/io/weaviate/client6/v1/api/rbac/McpPermission.java b/src/main/java/io/weaviate/client6/v1/api/rbac/McpPermission.java index adf5fec57..133c2b7ee 100644 --- a/src/main/java/io/weaviate/client6/v1/api/rbac/McpPermission.java +++ b/src/main/java/io/weaviate/client6/v1/api/rbac/McpPermission.java @@ -23,8 +23,14 @@ public Object self() { } public enum Action implements RbacAction { - @SerializedName("manage_mcp") - MANAGE("manage_mcp"); + @SerializedName("create_mcp") + CREATE("create_mcp"), + + @SerializedName("read_mcp") + READ("read_mcp"), + + @SerializedName("update_mcp") + UPDATE("update_mcp"); private final String jsonValue; diff --git a/src/test/java/io/weaviate/client6/v1/internal/json/JSONTest.java b/src/test/java/io/weaviate/client6/v1/internal/json/JSONTest.java index 81aa43868..23a5b4c5b 100644 --- a/src/test/java/io/weaviate/client6/v1/internal/json/JSONTest.java +++ b/src/test/java/io/weaviate/client6/v1/internal/json/JSONTest.java 
@@ -1480,12 +1480,14 @@ public static Object[][] testCases() { "rock-n-role", List.of( new McpPermission( - List.of(McpPermission.Action.MANAGE)))), + List.of(McpPermission.Action.CREATE, McpPermission.Action.READ, McpPermission.Action.UPDATE)))), """ { "name": "rock-n-role", "permissions": [ - { "action": "manage_mcp" } + { "action": "create_mcp" }, + { "action": "read_mcp" }, + { "action": "update_mcp" } ] } """ From 7c1cee9fee58cfb59374c7e24940052fca2bb8a6 Mon Sep 17 00:00:00 2001 From: Ivan Despot <66276597+g-despot@users.noreply.github.com> Date: Fri, 17 Apr 2026 13:29:19 +0200 Subject: [PATCH 3/3] Fix failing tests --- src/it/java/io/weaviate/containers/Weaviate.java | 1 + src/it/java/io/weaviate/integration/RbacITest.java | 7 ++++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/it/java/io/weaviate/containers/Weaviate.java b/src/it/java/io/weaviate/containers/Weaviate.java index 2e1305f90..d7c7fcd03 100644 --- a/src/it/java/io/weaviate/containers/Weaviate.java +++ b/src/it/java/io/weaviate/containers/Weaviate.java @@ -308,6 +308,7 @@ public Weaviate build() { // Required in v1.36.1, but we'll just set it by default. c.withEnv("OBJECTS_TTL_DELETE_SCHEDULE", "@hourly"); + c.withEnv("ENABLE_EXPERIMENTAL_ALTER_SCHEMA_DROP_VECTOR_INDEX_ENDPOINT", "true"); var apiKeyUsers = new HashSet(); apiKeyUsers.addAll(adminUsers); diff --git a/src/it/java/io/weaviate/integration/RbacITest.java b/src/it/java/io/weaviate/integration/RbacITest.java index 44abf0c4c..f3c183355 100644 --- a/src/it/java/io/weaviate/integration/RbacITest.java +++ b/src/it/java/io/weaviate/integration/RbacITest.java 
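Review bot: The added `c.withEnv("ENABLE_EXPERIMENTAL_ALTER_SCHEMA_DROP_VECTOR_INDEX_ENDPOINT", "true")` in Weaviate.java sits directly under the comment written for `OBJECTS_TTL_DELETE_SCHEDULE` and has no comment of its own, so it reads as if the "Required in v1.36.1" remark covered it. It turns on an experimental endpoint for every integration-test container, in a commit whose subject is only "Fix failing tests", and nothing in the MCP changes explains why it is needed. Add a line such as `// Enables the experimental drop-vector-index endpoint; needed by <test name / server version - placeholder>.` and, if the flag is unrelated to MCP RBAC, move it to its own commit. `build()` starts and ends outside the hunk.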
@@ -85,9 +85,10 @@ public void test_roles_Lifecycle() throws IOException { Permission.groups("my-group", GroupType.OIDC, GroupsPermission.Action.READ)); }); requireAtLeast(Weaviate.Version.V137, () -> { - permissions.add(Permission.mcp(McpPermission.Action.CREATE)); - permissions.add(Permission.mcp(McpPermission.Action.READ)); - permissions.add(Permission.mcp(McpPermission.Action.UPDATE)); + permissions.add(Permission.mcp( + McpPermission.Action.CREATE, + McpPermission.Action.READ, + McpPermission.Action.UPDATE)); }); // Act: create role