oxidecomputer · mergeconflict · Jan 20, 2026 · Jan 20, 2026 · Jan 20, 2026 · Jan 20, 2026
diff --git a/nexus/auth/src/authz/api_resources.rs b/nexus/auth/src/authz/api_resources.rs
diff --git a/nexus/auth/src/authz/context.rs b/nexus/auth/src/authz/context.rs
@@ -11,13 +11,13 @@ use crate::authz::Action;
 use crate::authz::oso_generic;
 use crate::context::OpContext;
 use crate::storage::Storage;
-use futures::future::BoxFuture;
 use omicron_common::api::external::Error;
 use omicron_common::bail_unless;
 use oso::Oso;
 use oso::OsoError;
 use slog::debug;
 use std::collections::BTreeSet;
+use std::future::Future;
 use std::sync::Arc;
 
 /// Server-wide authorization context
@@ -164,12 +164,12 @@ pub trait AuthorizedResource: oso::ToPolar + Send + Sync + 'static {
     /// That's how this works for most resources.  There are other kinds of
     /// resources (like the Database itself) that aren't stored in the database
     /// and for which a different mechanism might be used.
-    fn load_roles<'fut>(
-        &'fut self,
-        opctx: &'fut OpContext,
-        authn: &'fut authn::Context,
-        roleset: &'fut mut RoleSet,
-    ) -> BoxFuture<'fut, Result<(), Error>>;
+    fn load_roles(
+        &self,
+        opctx: &OpContext,
+        authn: &authn::Context,
+        roleset: &mut RoleSet,
+    ) -> impl Future<Output = Result<(), Error>>;
 
     /// Invoked on authz failure to determine the final authz result
     ///
@@ -252,13 +252,12 @@ mod test {
         #[derive(Clone, PolarClass)]
         struct UnregisteredResource;
         impl AuthorizedResource for UnregisteredResource {
-            fn load_roles<'fut>(
-                &'fut self,
-                _: &'fut OpContext,
-                _: &'fut authn::Context,
-                _: &'fut mut RoleSet,
-            ) -> futures::future::BoxFuture<'fut, Result<(), Error>>
-            {
+            async fn load_roles(
+                &self,
+                _: &OpContext,
+                _: &authn::Context,
+                _: &mut RoleSet,
+            ) -> Result<(), Error> {
                 // authorize() shouldn't get far enough to call this.
                 unimplemented!();
             }

diff --git a/nexus/auth/src/authz/oso_generic.rs b/nexus/auth/src/authz/oso_generic.rs
@@ -14,8 +14,6 @@ use crate::authn;
 use crate::context::OpContext;
 use anyhow::Context;
 use anyhow::ensure;
-use futures::FutureExt;
-use futures::future::BoxFuture;
 use omicron_common::api::external::Error;
 use oso::Oso;
 use oso::PolarClass;
@@ -288,12 +286,12 @@ impl oso::PolarClass for Database {
 }
 
 impl AuthorizedResource for Database {
-    fn load_roles<'fut>(
-        &'fut self,
-        _: &'fut OpContext,
-        _: &'fut authn::Context,
-        _: &'fut mut RoleSet,
-    ) -> BoxFuture<'fut, Result<(), Error>> {
+    async fn load_roles(
+        &self,
+        _opctx: &OpContext,
+        _authn: &authn::Context,
+        _roleset: &mut RoleSet,
+    ) -> Result<(), Error> {
         // We don't use (database) roles to grant access to the database.  The
         // role assignment is hardcoded for all authenticated users.  See the
         // "has_role" Polar method above.
@@ -303,7 +301,7 @@ impl AuthorizedResource for Database {
         // the type signature of roles supported by RoleSet.  RoleSet is really
         // for roles on database objects -- it assumes they have a ResourceType
         // and id, neither of which is true for `Database`.
-        futures::future::ready(Ok(())).boxed()
+        Ok(())
     }
 
     fn on_unauthorized(

diff --git a/nexus/auth/src/authz/roles.rs b/nexus/auth/src/authz/roles.rs
@@ -34,7 +34,8 @@
 //! request, and we don't want that thread to block while we hit the database.
 //! Both of these issues could be addressed with considerably more work.
 
-use super::api_resources::ApiResource;
+use super::api_resources::ApiResourceWithParent;
+use super::context::AuthorizedResource;
 use crate::authn;
 use crate::context::OpContext;
 use omicron_common::api::external::Error;
@@ -91,7 +92,7 @@ pub async fn load_roles_for_resource_tree<R>(
     roleset: &mut RoleSet,
 ) -> Result<(), Error>
 where
-    R: ApiResource,
+    R: ApiResourceWithParent,
 {
     // If roles can be assigned directly on this resource, load them.
     if let Some(with_roles) = resource.as_resource_with_roles() {

diff --git a/nexus/authz-macros/outputs/instance.txt b/nexus/authz-macros/outputs/instance.txt
@@ -64,9 +64,6 @@ impl oso::PolarClass for Instance {
     }
 }
 impl ApiResource for Instance {
-    fn parent(&self) -> Option<&dyn AuthorizedResource> {
-        Some(&self.parent)
-    }
     fn resource_type(&self) -> ResourceType {
         ResourceType::Instance
     }
@@ -77,3 +74,9 @@ impl ApiResource for Instance {
         None
     }
 }
+impl ApiResourceWithParent for Instance {
+    type Parent = Project;
+    fn parent(&self) -> Option<&Project> {
+        Some(&self.parent)
+    }
+}
diff --git a/nexus/authz-macros/outputs/organization.txt b/nexus/authz-macros/outputs/organization.txt
@@ -60,9 +60,6 @@ impl oso::PolarClass for Organization {
     }
 }
 impl ApiResource for Organization {
-    fn parent(&self) -> Option<&dyn AuthorizedResource> {
-        Some(&self.parent)
-    }
     fn resource_type(&self) -> ResourceType {
         ResourceType::Organization
     }
@@ -73,3 +70,9 @@ impl ApiResource for Organization {
         None
     }
 }
+impl ApiResourceWithParent for Organization {
+    type Parent = Fleet;
+    fn parent(&self) -> Option<&Fleet> {
+        Some(&self.parent)
+    }
+}
diff --git a/nexus/authz-macros/outputs/rack.txt b/nexus/authz-macros/outputs/rack.txt
@@ -60,9 +60,6 @@ impl oso::PolarClass for Rack {
     }
 }
 impl ApiResource for Rack {
-    fn parent(&self) -> Option<&dyn AuthorizedResource> {
-        Some(&self.parent)
-    }
     fn resource_type(&self) -> ResourceType {
         ResourceType::Rack
     }
@@ -73,3 +70,9 @@ impl ApiResource for Rack {
         None
     }
 }
+impl ApiResourceWithParent for Rack {
+    type Parent = Fleet;
+    fn parent(&self) -> Option<&Fleet> {
+        Some(&self.parent)
+    }
+}
diff --git a/nexus/authz-macros/src/lib.rs b/nexus/authz-macros/src/lib.rs
@@ -606,10 +606,6 @@ fn do_authz_resource(
         }
 
         impl ApiResource for #resource_name {
-            fn parent(&self) -> Option<&dyn AuthorizedResource> {
-                Some(&self.parent)
-            }
-
             fn resource_type(&self) -> ResourceType {
                 ResourceType::#resource_name
             }
@@ -625,6 +621,14 @@ fn do_authz_resource(
             }
         }
 
+        impl ApiResourceWithParent for #resource_name {
+            type Parent = #parent_resource_name;
+
+            fn parent(&self) -> Option<&#parent_resource_name> {
+                Some(&self.parent)
+            }
+        }
+
         #api_resource_roles_trait
     })
 }

diff --git a/nexus/db-queries/src/policy_test/coverage.rs b/nexus/db-queries/src/policy_test/coverage.rs
@@ -28,7 +28,7 @@ impl Coverage {
 
     /// Record that the Polar class associated with `covered` is covered by the
     /// test
-    pub fn covered(&mut self, covered: &dyn AuthorizedResource) {
+    pub fn covered<R: AuthorizedResource>(&mut self, covered: &R) {
         self.covered_class(covered.polar_class())
     }
 

diff --git a/nexus/db-queries/src/policy_test/resource_builder.rs b/nexus/db-queries/src/policy_test/resource_builder.rs
@@ -8,10 +8,10 @@
 use super::coverage::Coverage;
 use crate::db;
 use crate::db::datastore::SiloUserApiOnly;
-use authz::ApiResource;
 use futures::FutureExt;
 use futures::future::BoxFuture;
 use nexus_auth::authz;
+use nexus_auth::authz::ApiResource;
 use nexus_auth::authz::ApiResourceWithRolesType;
 use nexus_auth::authz::AuthorizedResource;
 use nexus_auth::context::OpContext;
@@ -69,7 +69,10 @@ impl<'a> ResourceBuilder<'a> {
 
     /// Register a new resource for later testing, with no associated users or
     /// role assignments
-    pub fn new_resource<T: DynAuthorizedResource>(&mut self, resource: T) {
+    pub fn new_resource<T>(&mut self, resource: T)
+    where
+        T: DynAuthorizedResource + AuthorizedResource,
+    {
         self.coverage.covered(&resource);
         self.resources.push(Arc::new(resource));
     }
@@ -79,8 +82,8 @@ impl<'a> ResourceBuilder<'a> {
     pub async fn new_resource_with_users<T>(&mut self, resource: T)
     where
         T: DynAuthorizedResource
-            + ApiResourceWithRolesType
             + AuthorizedResource
+            + ApiResourceWithRolesType
             + Clone,
         T::AllowedRoles: IntoEnumIterator,
     {
@@ -179,7 +182,7 @@ impl ResourceSet {
 /// all of them.  (We could also change `authorize()` to be dynamically-
 /// dispatched.  This would be a much more sprawling change.  And it's not clear
 /// that our use case has much application outside of a test like this.)
-pub trait DynAuthorizedResource: AuthorizedResource + std::fmt::Debug {
+pub trait DynAuthorizedResource: std::fmt::Debug + Send + Sync {
     fn do_authorize<'a, 'b>(
         &'a self,
         opctx: &'b OpContext,