Module: Legion::LLM::Pipeline::Steps::Rbac

Includes:
Legion::Logging::Helper
Included in:
Executor
Defined in:
lib/legion/llm/pipeline/steps/rbac.rb

Instance Method Summary

Instance Method Details

#step_rbac ⇒ Object



# File 'lib/legion/llm/pipeline/steps/rbac.rb', line 12

# Pipeline authorization gate: decides whether the current request may use
# the 'llm/pipeline' resource and records the decision in the log, the audit
# trail and the request timeline.
#
# Three outcomes are possible, chosen by whether the ::Legion::Rbac constant
# is loaded:
#
# * RBAC loaded     -> ::Legion::Rbac.authorize! is called with action :use;
#                      AccessDenied and every other StandardError both end in
#                      a PipelineError, so any failure here rejects the request.
# * RBAC not loaded, fleet caller     -> rejected (fail-closed).
# * RBAC not loaded, non-fleet caller -> permitted WITHOUT any check
#                      (fail-open); a warning is appended to @warnings.
#
# Security notes for maintainers:
# * The fail-open path is audited as :success and logged at info level, so a
#   query for audit failures or warn/error logs will not surface requests that
#   ran unenforced; match on the 'permitted (rbac unavailable)' detail instead.
# * defined?(::Legion::Rbac) only proves the constant is loaded.
#   NOTE(review): whether RBAC is also configured/enabled is not visible here.
# * NOTE(review): exception messages are copied into the PipelineError message
#   and caller ids / messages are interpolated into log lines unescaped. If the
#   error is returned to the client, or the caller id comes from request data,
#   confirm that no internal detail leaks and that newlines cannot forge log
#   entries.
#
# @return [Object, nil] nil on the fail-open path, otherwise whatever
#   record_rbac_timeline returns
# @raise [Legion::LLM::PipelineError] when access is denied, when a fleet
#   caller arrives without RBAC loaded, or when authorization itself errors
def step_rbac
  started_at = Time.now

  if defined?(::Legion::Rbac)
    begin
      subject = build_rbac_principal
      caller_ref = extract_rbac_caller_id
      log.info("[llm][rbac] authorize request_id=#{@request.id} caller=#{caller_ref}")
      ::Legion::Rbac.authorize!(principal: subject, action: :use, resource: 'llm/pipeline')

      # Reaching this line means authorize! did not raise.
      log.info("[llm][rbac] permitted request_id=#{@request.id} caller=#{caller_ref}")
      record_rbac_audit(:success, "permitted caller=#{caller_ref}", started_at)
      record_rbac_timeline("permitted caller=#{caller_ref}")
    rescue ::Legion::Rbac::AccessDenied => denial
      # Explicit policy denial: audited as a failure and surfaced as a 403.
      log.warn("[llm][rbac] denied request_id=#{@request.id} error=#{denial.message}")
      record_rbac_audit(:failure, denial.message, started_at)
      record_rbac_timeline("denied: #{denial.message}")
      handle_exception(denial, level: :warn, operation: 'llm.pipeline.steps.rbac.denied', request_id: @request.id)
      raise Legion::LLM::PipelineError.new("403 Forbidden: #{denial.message}", step: :rbac)
    rescue StandardError => failure
      # Any other error (including one raised while building the principal or
      # recording the success) is treated as a failed authorization.
      log.error("[llm][rbac] failed request_id=#{@request.id} error=#{failure.message}")
      record_rbac_audit(:failure, "error: #{failure.message}", started_at)
      record_rbac_timeline("error: #{failure.message}")
      handle_exception(failure, level: :error, operation: 'llm.pipeline.steps.rbac', request_id: @request.id)
      raise Legion::LLM::PipelineError.new("rbac error: #{failure.message}", step: :rbac)
    end
  elsif fleet_caller?
    # Fail-closed: fleet callers are never served without RBAC enforcement.
    reason = 'RBAC unavailable: fleet callers require RBAC enforcement (fail-closed)'
    log.error("[llm][rbac] fleet_blocked request_id=#{@request.id} reason=rbac_unavailable")
    record_rbac_audit(:failure, reason, started_at)
    record_rbac_timeline("denied: #{reason}")
    raise Legion::LLM::PipelineError.new("403 Forbidden: #{reason}", step: :rbac)
  else
    # Fail-open: no authorization check is performed for this request.
    @warnings << 'RBAC unavailable, permitting request without enforcement'
    log.info("[llm][rbac] unavailable request_id=#{@request.id} action=permit_without_enforcement")
    record_rbac_audit(:success, 'permitted (rbac unavailable)', started_at)
    record_rbac_timeline('permitted (rbac unavailable)')
    nil
  end
end