Rename UserRole, UserGroup -> AccountRole & AccountGroup

This is for consistency as the entity that logs in to the system is
called "account".

backend/infrahub/api/menu.py

@@ -203,14 +203,14 @@ async def get_menu(branch: Branch = Depends(get_branch_dep)) -> list[InterfaceMe
                 icon=_extract_node_icon(full_schema[InfrahubKind.GENERICACCOUNT]),
             ),
             InterfaceMenu(
-                title="User Groups",
-                path=f"/objects/{InfrahubKind.USERGROUP}",
-                icon=_extract_node_icon(full_schema[InfrahubKind.USERGROUP]),
+                title="Account Groups",
+                path=f"/objects/{InfrahubKind.ACCOUNTGROUP}",
+                icon=_extract_node_icon(full_schema[InfrahubKind.ACCOUNTGROUP]),
             ),
             InterfaceMenu(
-                title="User Roles",
-                path=f"/objects/{InfrahubKind.USERROLE}",
-                icon=_extract_node_icon(full_schema[InfrahubKind.USERROLE]),
+                title="Account Roles",
+                path=f"/objects/{InfrahubKind.ACCOUNTROLE}",
+                icon=_extract_node_icon(full_schema[InfrahubKind.ACCOUNTROLE]),
             ),
             InterfaceMenu(
                 title="Permissions",

backend/infrahub/core/account.py

@@ -3,6 +3,7 @@
 from dataclasses import dataclass
 from typing import TYPE_CHECKING, Any, Optional, Union
 
+from infrahub.core.constants import InfrahubKind
 from infrahub.core.query import Query
 from infrahub.core.registry import registry
 
@@ -57,7 +58,7 @@ async def query_init(self, db: InfrahubDatabase, **kwargs: Any) -> None:
 
         # ruff: noqa: E501
         query = """
-        MATCH (account:CoreGenericAccount)
+        MATCH (account:%(generic_account_node)s)
         WHERE account.uuid = $account_id
         CALL {
             WITH account
@@ -70,10 +71,16 @@ async def query_init(self, db: InfrahubDatabase, **kwargs: Any) -> None:
         WITH account, r1 as r
         WHERE r.status = "active"
         WITH account
-        MATCH (account)-[]->(:Relationship {name: "group_member"})<-[]-(:CoreUserGroup)-[]->(:Relationship {name: "role__usergroups"})<-[]-(:CoreUserRole)-[]->(:Relationship {name: "role__permissions"})<-[]-(global_permission:CoreGlobalPermission)-[:HAS_ATTRIBUTE]->(:Attribute {name: "name"})-[:HAS_VALUE]->(global_permission_name:AttributeValue)
+        MATCH (account)-[]->(:Relationship {name: "group_member"})<-[]-(:%(group_node)s)-[]->(:Relationship {name: "role__accountgroups"})<-[]-(:%(account_role_node)s)-[]->(:Relationship {name: "role__permissions"})<-[]-(global_permission:%(global_permission_node)s)-[:HAS_ATTRIBUTE]->(:Attribute {name: "name"})-[:HAS_VALUE]->(global_permission_name:AttributeValue)
         WITH global_permission, global_permission_name
         MATCH (global_permission)-[:HAS_ATTRIBUTE]->(:Attribute {name: "action"})-[:HAS_VALUE]->(global_permission_action:AttributeValue)
-        """ % {"branch_filter": branch_filter}
+        """ % {
+            "branch_filter": branch_filter,
+            "generic_account_node": InfrahubKind.GENERICACCOUNT,
+            "account_role_node": InfrahubKind.ACCOUNTROLE,
+            "group_node": InfrahubKind.ACCOUNTGROUP,
+            "global_permission_node": InfrahubKind.GLOBALPERMISSION,
+        }
 
         self.add_to_query(query)
 
@@ -110,7 +117,7 @@ async def query_init(self, db: InfrahubDatabase, **kwargs: Any) -> None:
         self.params.update(branch_params)
 
         query = """
-        MATCH (account:CoreGenericAccount)
+        MATCH (account:%(generic_account_node)s)
         WHERE account.uuid = $account_id
         CALL {
             WITH account
@@ -124,11 +131,11 @@ async def query_init(self, db: InfrahubDatabase, **kwargs: Any) -> None:
         WHERE r.status = "active"
         WITH account
         MATCH group_path = (account)-[]->(:Relationship {name: "group_member"})
-            <-[]-(:CoreUserGroup)
-            -[]->(:Relationship {name: "role__usergroups"})
-            <-[]-(:CoreUserRole)
+            <-[]-(:%(account_group_node)s)
+            -[]->(:Relationship {name: "role__accountgroups"})
+            <-[]-(:%(account_role_node)s)
             -[]->(:Relationship {name: "role__permissions"})
-            <-[]-(object_permission:CoreObjectPermission)
+            <-[]-(object_permission:%(object_permission_node)s)
             -[:HAS_ATTRIBUTE]->(:Attribute {name: "branch"})
             -[:HAS_VALUE]->(object_permission_branch:AttributeValue)
         WITH object_permission, object_permission_branch
@@ -142,7 +149,13 @@ async def query_init(self, db: InfrahubDatabase, **kwargs: Any) -> None:
         MATCH decision_path = (object_permission)-[:HAS_ATTRIBUTE]->(:Attribute {name: "decision"})-[:HAS_VALUE]->(object_permission_decision:AttributeValue)
             WHERE all(r IN relationships(decision_path) WHERE (%(branch_filter)s) AND r.status = "active")
 
-        """ % {"branch_filter": branch_filter}
+        """ % {
+            "branch_filter": branch_filter,
+            "account_group_node": InfrahubKind.ACCOUNTGROUP,
+            "account_role_node": InfrahubKind.ACCOUNTROLE,
+            "generic_account_node": InfrahubKind.GENERICACCOUNT,
+            "object_permission_node": InfrahubKind.OBJECTPERMISSION,
+        }
 
         self.add_to_query(query)
 

backend/infrahub/core/constants/infrahubkind.py

@@ -1,4 +1,6 @@
 ACCOUNT = "CoreAccount"
+ACCOUNTGROUP = "CoreAccountGroup"
+ACCOUNTROLE = "CoreAccountRole"
 ACCOUNTTOKEN = "InternalAccountToken"
 ARTIFACT = "CoreArtifact"
 ARTIFACTCHECK = "CoreArtifactCheck"
@@ -60,8 +62,6 @@
 TRANSFORM = "CoreTransformation"
 TRANSFORMJINJA2 = "CoreTransformJinja2"
 TRANSFORMPYTHON = "CoreTransformPython"
-USERGROUP = "CoreUserGroup"
-USERROLE = "CoreUserRole"
 USERVALIDATOR = "CoreUserValidator"
 VALIDATOR = "CoreValidator"
 WEBHOOK = "CoreWebhook"

backend/infrahub/core/initialization.py

@@ -330,7 +330,7 @@ async def create_initial_permissions(db: InfrahubDatabase) -> list[Node]:
 
 async def create_administrator_role(db: InfrahubDatabase, global_permissions: Optional[list[Node]] = None) -> Node:
     role_name = "Administrator"
-    obj = await Node.init(db=db, schema=InfrahubKind.USERROLE)
+    obj = await Node.init(db=db, schema=InfrahubKind.ACCOUNTROLE)
     await obj.new(db=db, name=role_name, permissions=global_permissions)
     await obj.save(db=db)
     log.info(f"Created User Role: {role_name}")
@@ -340,7 +340,7 @@ async def create_administrator_role(db: InfrahubDatabase, global_permissions: Op
 
 async def create_administrators_group(db: InfrahubDatabase, role: Node, admin_accounts: list[CoreAccount]) -> Node:
     group_name = "Administrators"
-    group = await Node.init(db=db, schema=InfrahubKind.USERGROUP)
+    group = await Node.init(db=db, schema=InfrahubKind.ACCOUNTGROUP)
     await group.new(db=db, name=group_name, roles=[role])
     await group.save(db=db)
     log.info(f"Created User Group: {group_name}")

backend/infrahub/core/protocols.py

@@ -198,6 +198,16 @@ class CoreAccount(LineageOwner, LineageSource, CoreGenericAccount):
     pass
 
 
+class CoreAccountGroup(CoreGroup):
+    roles: RelationshipManager
+
+
+class CoreAccountRole(CoreNode):
+    name: String
+    groups: RelationshipManager
+    permissions: RelationshipManager
+
+
 class CoreArtifact(CoreTaskTarget):
     name: String
     status: Enum
@@ -439,16 +449,6 @@ class CoreTransformPython(CoreTransformation):
     class_name: String
 
 
-class CoreUserGroup(CoreGroup):
-    roles: RelationshipManager
-
-
-class CoreUserRole(CoreNode):
-    name: String
-    groups: RelationshipManager
-    permissions: RelationshipManager
-
-
 class CoreUserValidator(CoreValidator):
     check_definition: RelationshipManager
     repository: RelationshipManager

backend/infrahub/core/schema/definitions/core.py

@@ -878,15 +878,15 @@
         {
             "name": "BasePermission",
             "namespace": "Core",
-            "description": "A permission grants right to a user",
+            "description": "A permission grants right to an account",
             "label": "Base permission",
             "icon": "mdi:user-key",
             "include_in_menu": False,
             "generate_profile": False,
             "relationships": [
                 {
                     "name": "roles",
-                    "peer": InfrahubKind.USERROLE,
+                    "peer": InfrahubKind.ACCOUNTROLE,
                     "optional": True,
                     "identifier": "role__permissions",
                     "cardinality": "many",
@@ -2140,10 +2140,10 @@
             ],
         },
         {
-            "name": "UserRole",
+            "name": "AccountRole",
             "namespace": "Core",
-            "description": "A role defines a set of permissions to grant to a group of users",
-            "label": "User role",
+            "description": "A role defines a set of permissions to grant to a group of accounts",
+            "label": "Account role",
             "icon": "mdi:user-badge",
             "include_in_menu": False,
             "order_by": ["name__value"],
@@ -2153,9 +2153,9 @@
             "relationships": [
                 {
                     "name": "groups",
-                    "peer": InfrahubKind.USERGROUP,
+                    "peer": InfrahubKind.ACCOUNTGROUP,
                     "optional": True,
-                    "identifier": "role__usergroups",
+                    "identifier": "role__accountgroups",
                     "cardinality": "many",
                     "kind": "Attribute",
                 },
@@ -2170,10 +2170,10 @@
             ],
         },
         {
-            "name": "UserGroup",
+            "name": "AccountGroup",
             "namespace": "Core",
             "description": "A group of users to manage common permissions",
-            "label": "User group",
+            "label": "Account group",
             "icon": "mdi:account-group",
             "include_in_menu": False,
             "order_by": ["name__value"],
@@ -2184,9 +2184,9 @@
             "relationships": [
                 {
                     "name": "roles",
-                    "peer": InfrahubKind.USERROLE,
+                    "peer": InfrahubKind.ACCOUNTROLE,
                     "optional": True,
-                    "identifier": "role__usergroups",
+                    "identifier": "role__accountgroups",
                     "cardinality": "many",
                     "kind": "Attribute",
                 }

backend/tests/unit/conftest.py

@@ -2426,8 +2426,8 @@ async def register_core_schema_db(db: InfrahubDatabase, default_branch: Branch,
 @pytest.fixture
 async def register_account_schema(db: InfrahubDatabase) -> None:
     SCHEMAS_TO_REGISTER = [
-        InfrahubKind.USERGROUP,
-        InfrahubKind.USERROLE,
+        InfrahubKind.ACCOUNTGROUP,
+        InfrahubKind.ACCOUNTROLE,
         InfrahubKind.GENERICACCOUNT,
         InfrahubKind.ACCOUNT,
         InfrahubKind.ACCOUNTTOKEN,
@@ -2528,11 +2528,11 @@ async def create_test_admin(db: InfrahubDatabase, register_core_models_schema, d
         await obj.save(db=db)
         permissions.append(obj)
 
-    role = await Node.init(db=db, schema=InfrahubKind.USERROLE)
+    role = await Node.init(db=db, schema=InfrahubKind.ACCOUNTROLE)
     await role.new(db=db, name="admin", permissions=permissions)
     await role.save(db=db)
 
-    group = await Node.init(db=db, schema=InfrahubKind.USERGROUP)
+    group = await Node.init(db=db, schema=InfrahubKind.ACCOUNTGROUP)
     await group.new(db=db, name="admin", roles=[role])
     await group.save(db=db)
 

backend/tests/unit/graphql/auth/query_permission_checker/test_object_permission_checker.py

@@ -109,11 +109,11 @@ async def test_setup(
             await obj.save(db=db)
             permissions.append(obj)
 
-        role = await Node.init(db=db, schema=InfrahubKind.USERROLE)
+        role = await Node.init(db=db, schema=InfrahubKind.ACCOUNTROLE)
         await role.new(db=db, name="admin", permissions=permissions)
         await role.save(db=db)
 
-        group = await Node.init(db=db, schema=InfrahubKind.USERGROUP)
+        group = await Node.init(db=db, schema=InfrahubKind.ACCOUNTGROUP)
         await group.new(db=db, name="admin", roles=[role])
         await group.save(db=db)
 

backend/tests/unit/graphql/test_graphql_utils.py

@@ -38,7 +38,7 @@ async def test_schema_models_generics(
         InfrahubKind.GRAPHQLQUERYGROUP,
         InfrahubKind.GENERICGROUP,
         InfrahubKind.STANDARDGROUP,
-        InfrahubKind.USERGROUP,
+        InfrahubKind.ACCOUNTGROUP,
         "EdgedTestPerson",
         "NestedEdgedCoreGroup",
         "NestedEdgedTestCar",

backend/tests/unit/graphql/test_query_analyzer.py

@@ -98,7 +98,7 @@ async def test_get_models_in_use(
         InfrahubKind.GRAPHQLQUERYGROUP,
         InfrahubKind.GENERICGROUP,
         InfrahubKind.STANDARDGROUP,
-        InfrahubKind.USERGROUP,
+        InfrahubKind.ACCOUNTGROUP,
         "TestCar",
         "TestElectricCar",
         "TestGazCar",

models/infrastructure_edge.py

@@ -6,7 +6,14 @@
 
 from infrahub_sdk import UUIDT, InfrahubClient, NodeStore
 from infrahub_sdk.batch import InfrahubBatch
-from infrahub_sdk.protocols import CoreAccount, CoreIPAddressPool, CoreIPPrefixPool, CoreStandardGroup, IpamNamespace
+from infrahub_sdk.protocols import (
+    CoreAccount,
+    CoreAccountGroup,
+    CoreIPAddressPool,
+    CoreIPPrefixPool,
+    CoreStandardGroup,
+    IpamNamespace,
+)
 from infrahub_sdk.protocols_base import CoreNode
 from protocols import (
     InfraAutonomousSystem,
@@ -1554,7 +1561,7 @@ async def generate_continents_countries(client: InfrahubClient, log: logging.Log
 
 
 async def prepare_accounts(client: InfrahubClient, log: logging.Logger, branch: str, batch: InfrahubBatch) -> None:
-    groups = await client.filters(branch=branch, kind="CoreUserGroup", name__value="Administrators")
+    groups = await client.filters(branch=branch, kind=CoreAccountGroup, name__value="Administrators")
     store.set(key=groups[0].name, node=groups[0])
 
     for account in ACCOUNTS:

python_sdk/infrahub_sdk/protocols.py

@@ -204,6 +204,16 @@ class CoreAccount(LineageOwner, LineageSource, CoreGenericAccount):
     pass
 
 
+class CoreAccountGroup(CoreGroup):
+    roles: RelationshipManager
+
+
+class CoreAccountRole(CoreNode):
+    name: String
+    groups: RelationshipManager
+    permissions: RelationshipManager
+
+
 class CoreArtifact(CoreTaskTarget):
     name: String
     status: Enum
@@ -445,16 +455,6 @@ class CoreTransformPython(CoreTransformation):
     class_name: String
 
 
-class CoreUserGroup(CoreGroup):
-    roles: RelationshipManager
-
-
-class CoreUserRole(CoreNode):
-    name: String
-    groups: RelationshipManager
-    permissions: RelationshipManager
-
-
 class CoreUserValidator(CoreValidator):
     check_definition: RelatedNode
     repository: RelatedNode
@@ -649,6 +649,16 @@ class CoreAccountSync(LineageOwnerSync, LineageSourceSync, CoreGenericAccountSyn
     pass
 
 
+class CoreAccountGroupSync(CoreGroupSync):
+    roles: RelationshipManagerSync
+
+
+class CoreAccountRoleSync(CoreNodeSync):
+    name: String
+    groups: RelationshipManagerSync
+    permissions: RelationshipManagerSync
+
+
 class CoreArtifactSync(CoreTaskTargetSync):
     name: String
     status: Enum
@@ -890,16 +900,6 @@ class CoreTransformPythonSync(CoreTransformationSync):
     class_name: String
 
 
-class CoreUserGroupSync(CoreGroupSync):
-    roles: RelationshipManagerSync
-
-
-class CoreUserRoleSync(CoreNodeSync):
-    name: String
-    groups: RelationshipManagerSync
-    permissions: RelationshipManagerSync
-
-
 class CoreUserValidatorSync(CoreValidatorSync):
     check_definition: RelatedNodeSync
     repository: RelatedNodeSync