Skip to content

fix: add PERMISSION_AUDIT_ENABLED toggle for RBAC auditing#2716

Merged
crivetimihai merged 3 commits intomainfrom
fix/permission-audit-enabled
Feb 5, 2026
Merged

fix: add PERMISSION_AUDIT_ENABLED toggle for RBAC auditing#2716
crivetimihai merged 3 commits intomainfrom
fix/permission-audit-enabled

Conversation

@crivetimihai
Copy link
Copy Markdown
Member

@crivetimihai crivetimihai commented Feb 5, 2026

Summary

  • Add PERMISSION_AUDIT_ENABLED environment variable (default false) to control whether RBAC permission checks are written to the permission_audit_log table
  • Make PermissionService.__init__ default to settings.permission_audit_enabled instead of always-on auditing, preventing unnecessary DB writes under load
  • Cache roles in _roles_cache during get_user_permissions() so _get_roles_for_audit() reuses them synchronously instead of issuing a duplicate DB query
  • Use contains_eager + result.unique() in _get_user_roles to avoid N+1 queries when eager-loading the Role relationship
  • Update .env.example, Helm values.yaml/values.schema.json, and configuration docs

Test plan

  • Verify PERMISSION_AUDIT_ENABLED=false (default) produces no rows in permission_audit_log
  • Verify PERMISSION_AUDIT_ENABLED=true writes audit rows for each permission check
  • Run tests/unit/mcpgateway/services/test_permission_service_comprehensive.py

@crivetimihai
fix: add PERMISSION_AUDIT_ENABLED toggle for RBAC auditing
04426a7 
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai
chore: clarify permission audit settings docstring
1709d92 
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai
chore: remove unrelated CHANGELOG.md changes
191ae00 
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai crivetimihai merged commit 11f1e04 into main Feb 5, 2026
51 checks passed
@crivetimihai crivetimihai deleted the fix/permission-audit-enabled branch February 5, 2026 21:14
kcostell06 pushed a commit to kcostell06/mcp-context-forge that referenced this pull request Feb 24, 2026
@crivetimihai
fix: add PERMISSION_AUDIT_ENABLED toggle for RBAC auditing (IBM#2716)
902d6ab 
* fix: add PERMISSION_AUDIT_ENABLED toggle for RBAC auditing

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* chore: clarify permission audit settings docstring

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* chore: remove unrelated CHANGELOG.md changes

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kevalmahajan kevalmahajan Awaiting requested review from kevalmahajan kevalmahajan is a code owner

@madhav165 madhav165 Awaiting requested review from madhav165 madhav165 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@crivetimihai