feat: [UIE-9141] - IAM RBAC: add perm check for nodebalancer landing (linode#12780)

* feat: [UIE-9141] - IAM RBAC: add perm check for nodebalancer

* Added changeset: IAM RBAC: This PR implements IAM RBAC permissions for NodeBalancer

* fix test and add changeset

Author: aaleksee-akamai

packages/api-v4/.changeset/pr-12780-added-1756715574168.md

@@ -0,0 +1,5 @@
+---
+"@linode/api-v4": Added
+---
+
+NodeBalancers IAM RBAC permissions ([#12780](https://github.com/linode/manager/pull/12780))

packages/api-v4/src/iam/types.ts

@@ -102,6 +102,7 @@ export type AccountAdmin =
   | AccountBillingAdmin
   | AccountFirewallAdmin
   | AccountLinodeAdmin
+  | AccountNodeBalancerAdmin
   | AccountOauthClientAdmin
   | AccountVolumeAdmin;
 
@@ -142,6 +143,14 @@ export type AccountLinodeAdmin = AccountLinodeCreator | LinodeAdmin;
 /** Permissions associated with the "account_linode_creator" role. */
 export type AccountLinodeCreator = 'create_linode';
 
+/** Permissions associated with the "account_nodebalancer_admin" role. */
+export type AccountNodeBalancerAdmin =
+  | AccountNodeBalancerCreator
+  | NodeBalancerAdmin;
+
+/** Permissions associated with the "account_nodebalancer_creator" role. */
+export type AccountNodeBalancerCreator = 'create_nodebalancer';
+
 /** Permissions associated with the "account_volume_admin" role. */
 export type AccountVolumeAdmin = AccountVolumeCreator | VolumeAdmin;
 
@@ -295,6 +304,35 @@ export type LinodeViewer =
   | 'view_linode_network_transfer'
   | 'view_linode_stats';
 
+/** Permissions associated with the "nodebalancer_admin" role. */
+// TODO: UIE-9154 - verify mapping for Nodebalancer as this is not migrated yet
+export type NodeBalancerAdmin =
+  | 'delete_nodebalancer'
+  | 'delete_nodebalancer_config'
+  | 'delete_nodebalancer_config_node'
+  | NodeBalancerContributor;
+
+/** Permissions associated with the "nodebalancer_contributor" role. */
+export type NodeBalancerContributor =
+  | 'create_nodebalancer_config'
+  | 'create_nodebalancer_config_node'
+  | 'rebuild_nodebalancer_config'
+  | 'update_nodebalancer'
+  | 'update_nodebalancer_config'
+  | 'update_nodebalancer_config_node'
+  | 'update_nodebalancer_firewalls'
+  | NodeBalancerViewer;
+
+/** Permissions associated with the "nodebalancer_viewer" role. */
+export type NodeBalancerViewer =
+  | 'list_nodebalancer_config_nodes'
+  | 'list_nodebalancer_configs'
+  | 'list_nodebalancer_firewalls'
+  | 'view_nodebalancer'
+  | 'view_nodebalancer_config'
+  | 'view_nodebalancer_config_node'
+  | 'view_nodebalancer_statistics';
+
 /** Permissions associated with the "volume_admin" role. */
 export type VolumeAdmin = 'delete_volume' | VolumeContributor;
 
@@ -311,46 +349,6 @@ export type VolumeContributor =
 /** Permissions associated with the "volume_viewer" role. */
 export type VolumeViewer = 'view_volume';
 
-/** Facade roles represent the existing Grant model for entities that are not yet migrated to IAM */
-export type AccountRoleFacade =
-  | 'account_database_creator'
-  | 'account_domain_creator'
-  | 'account_image_creator'
-  | 'account_ip_admin'
-  | 'account_ip_viewer'
-  | 'account_lkecluster_creator'
-  | 'account_longview_creator'
-  | 'account_longview_subscription_admin'
-  | 'account_nodebalancer_creator'
-  | 'account_placement_group_creator'
-  | 'account_stackscript_creator'
-  | 'account_vlan_admin'
-  | 'account_vlan_viewer'
-  | 'account_volume_creator'
-  | 'account_vpc_creator';
-
-/** Facade roles represent the existing Grant model for entities that are not yet migrated to IAM */
-export type EntityRoleFacade =
-  | 'database_admin'
-  | 'database_viewer'
-  | 'domain_admin'
-  | 'domain_viewer'
-  | 'image_admin'
-  | 'image_viewer'
-  | 'lkecluster_admin'
-  | 'lkecluster_viewer'
-  | 'longview_admin'
-  | 'longview_viewer'
-  | 'nodebalancer_admin'
-  | 'nodebalancer_viewer'
-  | 'placement_group_admin'
-  | 'placement_group_viewer'
-  | 'stackscript_admin'
-  | 'stackscript_viewer'
-  | 'volume_admin'
-  | 'volume_viewer'
-  | 'vpc_admin';
-
 /** Union of all permissions */
 export type PermissionType = AccountAdmin;
 

packages/manager/.changeset/pr-12780-added-1756375762995.md

@@ -0,0 +1,5 @@
+---
+"@linode/manager": Added
+---
+
+IAM RBAC: Implements IAM RBAC permissions for NodeBalancer ([#12780](https://github.com/linode/manager/pull/12780))

packages/manager/src/features/IAM/hooks/adapters/accountGrantsToPermissions.ts

@@ -69,6 +69,8 @@ export const accountGrantsToPermissions = (
     create_linode: unrestricted || globalGrants?.add_linodes,
     // AccountVolumeAdmin
     create_volume: unrestricted || globalGrants?.add_volumes,
+    // AccountNodeBalancerAdmin
+    create_nodebalancer: unrestricted || globalGrants?.add_nodebalancers,
     // AccountOAuthClientAdmin
     create_oauth_client: true,
     update_oauth_client: true,

packages/manager/src/features/IAM/hooks/adapters/nodeBalancerGrantsToPermissions.ts

@@ -0,0 +1,31 @@
+import type { GrantLevel, NodeBalancerAdmin } from '@linode/api-v4';
+
+/** Map the existing Grant model to the new IAM RBAC model. */
+export const nodeBalancerGrantsToPermissions = (
+  grantLevel?: GrantLevel,
+  isRestricted?: boolean
+): Record<NodeBalancerAdmin, boolean> => {
+  const unrestricted = isRestricted === false; // explicit === false
+  return {
+    delete_nodebalancer: unrestricted || grantLevel === 'read_write',
+    delete_nodebalancer_config: unrestricted || grantLevel === 'read_write',
+    delete_nodebalancer_config_node:
+      unrestricted || grantLevel === 'read_write',
+    update_nodebalancer: unrestricted || grantLevel === 'read_write',
+    create_nodebalancer_config: unrestricted || grantLevel === 'read_write',
+    update_nodebalancer_config: unrestricted || grantLevel === 'read_write',
+    rebuild_nodebalancer_config: unrestricted || grantLevel === 'read_write',
+    create_nodebalancer_config_node:
+      unrestricted || grantLevel === 'read_write',
+    update_nodebalancer_config_node:
+      unrestricted || grantLevel === 'read_write',
+    update_nodebalancer_firewalls: unrestricted || grantLevel === 'read_write',
+    view_nodebalancer: unrestricted || grantLevel !== null,
+    list_nodebalancer_firewalls: unrestricted || grantLevel !== null,
+    view_nodebalancer_statistics: unrestricted || grantLevel !== null,
+    list_nodebalancer_configs: unrestricted || grantLevel !== null,
+    view_nodebalancer_config: unrestricted || grantLevel !== null,
+    list_nodebalancer_config_nodes: unrestricted || grantLevel !== null,
+    view_nodebalancer_config_node: unrestricted || grantLevel !== null,
+  };
+};

packages/manager/src/features/IAM/hooks/adapters/permissionAdapters.ts

@@ -1,6 +1,7 @@
 import { accountGrantsToPermissions } from './accountGrantsToPermissions';
 import { firewallGrantsToPermissions } from './firewallGrantsToPermissions';
 import { linodeGrantsToPermissions } from './linodeGrantsToPermissions';
+import { nodeBalancerGrantsToPermissions } from './nodeBalancerGrantsToPermissions';
 import { volumeGrantsToPermissions } from './volumeGrantsToPermissions';
 
 import type { EntityBase } from '../usePermissions';
@@ -38,6 +39,10 @@ export const entityPermissionMapFrom = (
         entity?.permissions,
         profile?.restricted
       ) as PermissionMap;
+      const nodebalancerPermissionsMap = nodeBalancerGrantsToPermissions(
+        entity?.permissions,
+        profile?.restricted
+      ) as PermissionMap;
 
       /** Add entity permissions to map */
       switch (grantType) {
@@ -47,6 +52,9 @@ export const entityPermissionMapFrom = (
         case 'linode':
           entityPermissionsMap[entity.id] = linodePermissionsMap;
           break;
+        case 'nodebalancer':
+          entityPermissionsMap[entity.id] = nodebalancerPermissionsMap;
+          break;
         case 'volume':
           entityPermissionsMap[entity.id] = volumePermissionsMap;
           break;
@@ -68,6 +76,7 @@ export const fromGrants = (
   const firewall = grants?.firewall.find((f) => f.id === entityId);
   const linode = grants?.linode.find((f) => f.id === entityId);
   const volume = grants?.volume.find((f) => f.id === entityId);
+  const nodebalancer = grants?.nodebalancer.find((f) => f.id === entityId);
 
   let usersPermissionsMap = {} as PermissionMap;
 
@@ -91,6 +100,12 @@ export const fromGrants = (
         isRestricted
       ) as PermissionMap;
       break;
+    case 'nodebalancer':
+      usersPermissionsMap = nodeBalancerGrantsToPermissions(
+        nodebalancer?.permissions,
+        isRestricted
+      ) as PermissionMap;
+      break;
     case 'volume':
       usersPermissionsMap = volumeGrantsToPermissions(
         volume?.permissions,

packages/manager/src/features/NodeBalancers/NodeBalancersLanding/NodeBalancerActionMenu.test.tsx

@@ -9,6 +9,15 @@ const navigate = vi.fn();
 const queryMocks = vi.hoisted(() => ({
   useNavigate: vi.fn(() => navigate),
   useRouter: vi.fn(() => vi.fn()),
+  userPermissions: vi.fn(() => ({
+    data: {
+      delete_nodebalancer: false,
+    },
+  })),
+}));
+
+vi.mock('src/features/IAM/hooks/usePermissions', () => ({
+  usePermissions: queryMocks.userPermissions,
 }));
 
 vi.mock('@tanstack/react-router', async () => {
@@ -41,7 +50,41 @@ describe('NodeBalancerActionMenu', () => {
     expect(getByText('Delete')).toBeVisible();
   });
 
+  it('should disable "Delete" if the user does not have permissions', async () => {
+    const { getAllByRole, getByText } = renderWithTheme(
+      <NodeBalancerActionMenu {...props} />
+    );
+    const actionBtn = getAllByRole('button')[0];
+    expect(actionBtn).toBeInTheDocument();
+    await userEvent.click(actionBtn);
+
+    const deleteBtn = getByText('Delete');
+    expect(deleteBtn).toHaveAttribute('aria-disabled', 'true');
+  });
+
+  it('should enable "Delete" if the user has permissions', async () => {
+    queryMocks.userPermissions.mockReturnValue({
+      data: {
+        delete_nodebalancer: true,
+      },
+    });
+    const { getAllByRole, getByText } = renderWithTheme(
+      <NodeBalancerActionMenu {...props} />
+    );
+    const actionBtn = getAllByRole('button')[0];
+    expect(actionBtn).toBeInTheDocument();
+    await userEvent.click(actionBtn);
+
+    const deleteBtn = getByText('Delete');
+    expect(deleteBtn).not.toHaveAttribute('aria-disabled', 'true');
+  });
+
   it('triggers the action to delete the NodeBalancer', async () => {
+    queryMocks.userPermissions.mockReturnValue({
+      data: {
+        delete_nodebalancer: true,
+      },
+    });
     const { getByText } = renderWithTheme(
       <NodeBalancerActionMenu {...props} />
     );

packages/manager/src/features/NodeBalancers/NodeBalancersLanding/NodeBalancerActionMenu.tsx

@@ -6,7 +6,7 @@ import * as React from 'react';
 import { ActionMenu } from 'src/components/ActionMenu/ActionMenu';
 import { InlineMenuAction } from 'src/components/InlineMenuAction/InlineMenuAction';
 import { getRestrictedResourceText } from 'src/features/Account/utils';
-import { useIsResourceRestricted } from 'src/hooks/useIsResourceRestricted';
+import { usePermissions } from 'src/features/IAM/hooks/usePermissions';
 
 import { useIsNodebalancerVPCEnabled } from '../utils';
 
@@ -24,11 +24,11 @@ export const NodeBalancerActionMenu = (props: Props) => {
 
   const { nodeBalancerId } = props;
 
-  const isNodeBalancerReadOnly = useIsResourceRestricted({
-    grantLevel: 'read_only',
-    grantType: 'nodebalancer',
-    id: nodeBalancerId,
-  });
+  const { data: permissions } = usePermissions(
+    'nodebalancer',
+    ['delete_nodebalancer'],
+    nodeBalancerId
+  );
 
   const { isNodebalancerVPCEnabled } = useIsNodebalancerVPCEnabled();
 
@@ -56,7 +56,7 @@ export const NodeBalancerActionMenu = (props: Props) => {
       title: 'Settings',
     },
     {
-      disabled: isNodeBalancerReadOnly,
+      disabled: !permissions.delete_nodebalancer,
       onClick: () => {
         navigate({
           params: {
@@ -66,7 +66,7 @@ export const NodeBalancerActionMenu = (props: Props) => {
         });
       },
       title: 'Delete',
-      tooltip: isNodeBalancerReadOnly
+      tooltip: !permissions.delete_nodebalancer
         ? getRestrictedResourceText({
             action: 'delete',
             resourceType: 'NodeBalancers',

packages/manager/src/features/NodeBalancers/NodeBalancersLanding/NodeBalancerTableRow.test.tsx

@@ -11,6 +11,15 @@ import { NodeBalancerTableRow } from './NodeBalancerTableRow';
 const navigate = vi.fn();
 const queryMocks = vi.hoisted(() => ({
   useNavigate: vi.fn(() => navigate),
+  userPermissions: vi.fn(() => ({
+    data: {
+      delete_nodebalancer: false,
+    },
+  })),
+}));
+
+vi.mock('src/features/IAM/hooks/usePermissions', () => ({
+  usePermissions: queryMocks.userPermissions,
 }));
 
 vi.mock('@tanstack/react-router', async () => {
@@ -56,6 +65,11 @@ describe('NodeBalancerTableRow', () => {
   });
 
   it('deletes the NodeBalancer', async () => {
+    queryMocks.userPermissions.mockReturnValue({
+      data: {
+        delete_nodebalancer: true,
+      },
+    });
     const { getByText } = renderWithTheme(<NodeBalancerTableRow {...props} />);
 
     const deleteButton = getByText('Delete');