FLPATH-3319: wire 23 cost_management permissions through role_binding, tenant, workspace

[jordigilh]

Summary

The production schema.zed already declares 23 cost_management_* permissions on rbac/role (each with a t_cost_management_* relation typed rbac/principal:*), but these permissions are not propagated through rbac/role_binding, rbac/tenant, or rbac/workspace.

Without this wiring, CheckPermission() and LookupResources() calls cannot resolve cost management permissions through the standard authorization chain:

rbac/principal → rbac/role_binding → rbac/role → rbac/tenant → rbac/workspace

Every other service in the schema (inventory, notifications, content_sources, remediations, playbook_dispatcher, config_manager, staleness, ros) already has its permissions wired through all three definitions. Cost Management is the only service with permissions declared on rbac/role but missing from the rest of the chain.

What this PR adds

69 new lines in configs/prod/schemas/schema.zed — 23 permissions propagated through each of the three definitions:

rbac/role_binding (23 permissions)

permission cost_management_X = (subject & t_role->cost_management_X)

This is the exact same pattern used by inventory_host_view, notifications_events_view, content_sources_repository_edit, etc. The subject & intersection ensures the permission only resolves when the principal is both the subject of the binding AND the role grants the permission.

rbac/tenant (23 permissions)

permission cost_management_X = t_binding->cost_management_X + t_platform->cost_management_X

Same pattern as all existing services. Permissions are resolved from either direct role bindings on the tenant or inherited from the platform.

rbac/workspace (23 permissions)

permission cost_management_X = t_binding->cost_management_X + t_parent->cost_management_X

Same pattern as all existing services. Permissions are resolved from either direct role bindings on the workspace or inherited from the parent (workspace or tenant).

Permission breakdown (23 total)

OCP-scoped (13)

Permission	Maps to RBAC
cost_management_all_all	cost-management:*:*
cost_management_openshift_cluster_all	cost-management:openshift.cluster:*
cost_management_openshift_cluster_read	cost-management:openshift.cluster:read
cost_management_openshift_node_all	cost-management:openshift.node:*
cost_management_openshift_node_read	cost-management:openshift.node:read
cost_management_openshift_project_all	cost-management:openshift.project:*
cost_management_openshift_project_read	cost-management:openshift.project:read
cost_management_cost_model_all	cost-management:cost_model:*
cost_management_cost_model_read	cost-management:cost_model:read
cost_management_cost_model_write	cost-management:cost_model:write
cost_management_settings_all	cost-management:settings:*
cost_management_settings_read	cost-management:settings:read
cost_management_settings_write	cost-management:settings:write

Cloud-scoped (10)

Permission	Maps to RBAC
cost_management_aws_account_all	cost-management:aws.account:*
cost_management_aws_account_read	cost-management:aws.account:read
cost_management_aws_organizational_unit_all	cost-management:aws.organizational_unit:*
cost_management_aws_organizational_unit_read	cost-management:aws.organizational_unit:read
cost_management_azure_subscription_guid_all	cost-management:azure.subscription_guid:*
cost_management_azure_subscription_guid_read	cost-management:azure.subscription_guid:read
cost_management_gcp_account_all	cost-management:gcp.account:*
cost_management_gcp_account_read	cost-management:gcp.account:read
cost_management_gcp_project_all	cost-management:gcp.project:*
cost_management_gcp_project_read	cost-management:gcp.project:read

Cloud permissions are wired now so that Koku and the SaaS schema are ready when SaaS onboards Kessel for cost management.

Why this is needed

Cost Management (Koku) is integrating with Kessel for on-prem authorization. The Kessel Relations API issues CheckPermission() and LookupResources() calls against SpiceDB using these permission names. The authorization resolution path requires permissions to be declared on every definition in the chain — not just rbac/role. Without this wiring:

• CheckPermission(rbac/workspace:<id>, cost_management_openshift_cluster_read, rbac/principal:<user>) → fails (permission not found on workspace)
• LookupResources(rbac/workspace, cost_management_openshift_cluster_read, rbac/principal:<user>) → returns empty (permission not traversable)

After this PR, both calls resolve correctly through the full chain, matching the behavior of every other service.

Validation

These permissions have been validated end-to-end on an on-prem deployment using local copies of the schema bundled in the Helm chart. Koku and ros-ocp-backend both successfully resolve permissions through CheckPermission() and LookupResources() for all 23 cost management permission types, covering admin, viewer, and no-access user roles. This PR upstreams them so they are available in the canonical schema definitions.

Related PRs

• Koku (Kessel integration): project-koku/koku#5933
• ros-ocp-backend (Kessel integration): RedHatInsights/ros-ocp-backend#590
• Helm chart (on-prem deployment + E2E tests): insights-onprem/cost-onprem-chart#121
• Inventory API schemas (companion PR): project-kessel/inventory-api#1243 — registers cost_management resource types
• Delta tracking doc: zed-schema-upstream-delta.md

JIRA

FLPATH-3319

Made with Cursor