Change: [UIE-9059] - Volumes RBAC permissions (linode#12744)

* adapters + volumes landing

* Action menu

* remaining instances

* fix units

* oops the mapping!

* cleanup

* remove wrong check

* changesets

* feedback @bnussman-akamai

* first round of feedback

* feedback 2

* missing grant hooks

Author: abailly-akamai

packages/api-v4/.changeset/pr-12744-added-1756112277685.md

@@ -0,0 +1,5 @@
+---
+"@linode/api-v4": Added
+---
+
+Volumes IAM RBAC permissions ([#12744](https://github.com/linode/manager/pull/12744))

packages/api-v4/src/iam/types.ts

@@ -102,7 +102,8 @@ export type AccountAdmin =
   | AccountBillingAdmin
   | AccountFirewallAdmin
   | AccountLinodeAdmin
-  | AccountOauthClientAdmin;
+  | AccountOauthClientAdmin
+  | AccountVolumeAdmin;
 
 /** Permissions associated with the "account_billing_admin" role. */
 export type AccountBillingAdmin =
@@ -141,6 +142,12 @@ export type AccountLinodeAdmin = AccountLinodeCreator | LinodeAdmin;
 /** Permissions associated with the "account_linode_creator" role. */
 export type AccountLinodeCreator = 'create_linode';
 
+/** Permissions associated with the "account_volume_admin" role. */
+export type AccountVolumeAdmin = AccountVolumeCreator | VolumeAdmin;
+
+/** Permissions associated with the "account_volume_creator" role. */
+export type AccountVolumeCreator = 'create_volume';
+
 /** Permissions associated with the "account_maintenance_viewer" role. */
 export type AccountMaintenanceViewer = 'list_maintenances';
 
@@ -207,7 +214,8 @@ export type AccountViewer =
   | AccountOauthClientViewer
   | AccountProfileViewer
   | FirewallViewer
-  | LinodeViewer;
+  | LinodeViewer
+  | VolumeViewer;
 
 /** Permissions associated with the "firewall_admin role. */
 export type FirewallAdmin =
@@ -287,6 +295,22 @@ export type LinodeViewer =
   | 'view_linode_network_transfer'
   | 'view_linode_stats';
 
+/** Permissions associated with the "volume_admin" role. */
+export type VolumeAdmin = 'delete_volume' | VolumeContributor;
+
+/** Permissions associated with the "volume_contributor" role. */
+export type VolumeContributor =
+  | 'attach_volume'
+  | 'clone_volume'
+  | 'delete_volume'
+  | 'detach_volume'
+  | 'resize_volume'
+  | 'update_volume'
+  | VolumeViewer;
+
+/** Permissions associated with the "volume_viewer" role. */
+export type VolumeViewer = 'view_volume';
+
 /** Facade roles represent the existing Grant model for entities that are not yet migrated to IAM */
 export type AccountRoleFacade =
   | 'account_database_creator'

packages/manager/.changeset/pr-12744-added-1756112241644.md

@@ -0,0 +1,5 @@
+---
+"@linode/manager": Added
+---
+
+Volumes IAM RBAC permissions ([#12744](https://github.com/linode/manager/pull/12744))

packages/manager/src/features/IAM/hooks/adapters/accountGrantsToPermissions.ts

@@ -67,6 +67,8 @@ export const accountGrantsToPermissions = (
     create_firewall: unrestricted || globalGrants?.add_firewalls,
     // AccountLinodeAdmin
     create_linode: unrestricted || globalGrants?.add_linodes,
+    // AccountVolumeAdmin
+    create_volume: unrestricted || globalGrants?.add_volumes,
     // AccountOAuthClientAdmin
     create_oauth_client: true,
     update_oauth_client: true,

packages/manager/src/features/IAM/hooks/adapters/permissionAdapters.ts

@@ -1,6 +1,7 @@
 import { accountGrantsToPermissions } from './accountGrantsToPermissions';
 import { firewallGrantsToPermissions } from './firewallGrantsToPermissions';
 import { linodeGrantsToPermissions } from './linodeGrantsToPermissions';
+import { volumeGrantsToPermissions } from './volumeGrantsToPermissions';
 
 import type { EntityBase } from '../usePermissions';
 import type {
@@ -24,23 +25,31 @@ export const entityPermissionMapFrom = (
   const entityPermissionsMap: EntityPermissionMap = {};
   if (grants) {
     grants[grantType]?.forEach((entity) => {
+      /** Entity Permissions Maps */
+      const firewallPermissionsMap = firewallGrantsToPermissions(
+        entity?.permissions,
+        profile?.restricted
+      ) as PermissionMap;
+      const linodePermissionsMap = linodeGrantsToPermissions(
+        entity?.permissions,
+        profile?.restricted
+      ) as PermissionMap;
+      const volumePermissionsMap = volumeGrantsToPermissions(
+        entity?.permissions,
+        profile?.restricted
+      ) as PermissionMap;
+
+      /** Add entity permissions to map */
       switch (grantType) {
         case 'firewall':
-          // eslint-disable-next-line no-case-declarations
-          const firewallPermissionsMap = firewallGrantsToPermissions(
-            entity?.permissions,
-            profile?.restricted
-          ) as PermissionMap;
           entityPermissionsMap[entity.id] = firewallPermissionsMap;
           break;
         case 'linode':
-          // eslint-disable-next-line no-case-declarations
-          const linodePermissionsMap = linodeGrantsToPermissions(
-            entity?.permissions,
-            profile?.restricted
-          ) as PermissionMap;
           entityPermissionsMap[entity.id] = linodePermissionsMap;
           break;
+        case 'volume':
+          entityPermissionsMap[entity.id] = volumePermissionsMap;
+          break;
       }
     });
   }
@@ -55,8 +64,14 @@ export const fromGrants = (
   isRestricted?: boolean,
   entityId?: number
 ): PermissionMap => {
+  /** Find the entity in the grants */
+  const firewall = grants?.firewall.find((f) => f.id === entityId);
+  const linode = grants?.linode.find((f) => f.id === entityId);
+  const volume = grants?.volume.find((f) => f.id === entityId);
+
   let usersPermissionsMap = {} as PermissionMap;
 
+  /** Convert the entity permissions to the new IAM RBAC model */
   switch (accessType) {
     case 'account':
       usersPermissionsMap = accountGrantsToPermissions(
@@ -65,21 +80,23 @@ export const fromGrants = (
       ) as PermissionMap;
       break;
     case 'firewall':
-      // eslint-disable-next-line no-case-declarations
-      const firewall = grants?.firewall.find((f) => f.id === entityId);
       usersPermissionsMap = firewallGrantsToPermissions(
         firewall?.permissions,
         isRestricted
       ) as PermissionMap;
       break;
     case 'linode':
-      // eslint-disable-next-line no-case-declarations
-      const linode = grants?.linode.find((f) => f.id === entityId);
       usersPermissionsMap = linodeGrantsToPermissions(
         linode?.permissions,
         isRestricted
       ) as PermissionMap;
       break;
+    case 'volume':
+      usersPermissionsMap = volumeGrantsToPermissions(
+        volume?.permissions,
+        isRestricted
+      ) as PermissionMap;
+      break;
     default:
       throw new Error(`Unknown access type: ${accessType}`);
   }

packages/manager/src/features/IAM/hooks/adapters/volumeGrantsToPermissions.ts

@@ -0,0 +1,18 @@
+import type { GrantLevel, VolumeAdmin } from '@linode/api-v4';
+
+/** Map the existing Grant model to the new IAM RBAC model. */
+export const volumeGrantsToPermissions = (
+  grantLevel?: GrantLevel,
+  isRestricted?: boolean
+): Record<VolumeAdmin, boolean> => {
+  const unrestricted = isRestricted === false; // explicit === false since the profile can be undefined
+  return {
+    attach_volume: unrestricted || grantLevel === 'read_write',
+    clone_volume: unrestricted || grantLevel === 'read_write',
+    delete_volume: unrestricted || grantLevel === 'read_write',
+    detach_volume: unrestricted || grantLevel === 'read_write',
+    resize_volume: unrestricted || grantLevel === 'read_write',
+    update_volume: unrestricted || grantLevel === 'read_write',
+    view_volume: unrestricted || grantLevel !== null,
+  };
+};

packages/manager/src/features/Linodes/LinodesDetail/LinodeStorage/LinodeVolumes.test.tsx

@@ -16,6 +16,7 @@ const queryMocks = vi.hoisted(() => ({
   useNavigate: vi.fn(),
   useParams: vi.fn(),
   useSearch: vi.fn(),
+  usePermissions: vi.fn(),
 }));
 
 vi.mock('@tanstack/react-router', async () => {
@@ -28,11 +29,20 @@ vi.mock('@tanstack/react-router', async () => {
   };
 });
 
+vi.mock('src/features/IAM/hooks/usePermissions', async () => {
+  const actual = await vi.importActual('src/features/IAM/hooks/usePermissions');
+  return {
+    ...actual,
+    usePermissions: queryMocks.usePermissions,
+  };
+});
+
 describe('LinodeVolumes', async () => {
   beforeEach(() => {
     queryMocks.useNavigate.mockReturnValue(vi.fn());
     queryMocks.useSearch.mockReturnValue({});
     queryMocks.useParams.mockReturnValue({});
+    queryMocks.usePermissions.mockReturnValue({});
   });
 
   const volumes = volumeFactory.buildList(3);

packages/manager/src/features/Linodes/LinodesDetail/LinodeStorage/LinodeVolumes.tsx

@@ -19,6 +19,7 @@ import { TableRowEmpty } from 'src/components/TableRowEmpty/TableRowEmpty';
 import { TableRowError } from 'src/components/TableRowError/TableRowError';
 import { TableRowLoading } from 'src/components/TableRowLoading/TableRowLoading';
 import { TableSortCell } from 'src/components/TableSortCell';
+import { usePermissions } from 'src/features/IAM/hooks/usePermissions';
 import { DeleteVolumeDialog } from 'src/features/Volumes/Dialogs/DeleteVolumeDialog';
 import { DetachVolumeDialog } from 'src/features/Volumes/Dialogs/DetachVolumeDialog';
 import { CloneVolumeDrawer } from 'src/features/Volumes/Drawers/CloneVolumeDrawer';
@@ -28,7 +29,6 @@ import { ResizeVolumeDrawer } from 'src/features/Volumes/Drawers/ResizeVolumeDra
 import { VolumeDetailsDrawer } from 'src/features/Volumes/Drawers/VolumeDetailsDrawer';
 import { LinodeVolumeAddDrawer } from 'src/features/Volumes/Drawers/VolumeDrawer/LinodeVolumeAddDrawer';
 import { VolumeTableRow } from 'src/features/Volumes/VolumeTableRow';
-import { useIsResourceRestricted } from 'src/hooks/useIsResourceRestricted';
 import { useOrderV2 } from 'src/hooks/useOrderV2';
 import { usePaginationV2 } from 'src/hooks/usePaginationV2';
 
@@ -41,12 +41,11 @@ export const LinodeVolumes = () => {
   const id = Number(linodeId);
 
   const { data: linode } = useLinodeQuery(id);
-
-  const isLinodesGrantReadOnly = useIsResourceRestricted({
-    grantLevel: 'read_only',
-    grantType: 'linode',
-    id,
-  });
+  const { data: linodePermissions } = usePermissions(
+    'linode',
+    ['update_linode'],
+    linode?.id
+  );
 
   const { handleOrderChange, order, orderBy } = useOrderV2({
     initialRoute: {
@@ -207,8 +206,13 @@ export const LinodeVolumes = () => {
         <Typography variant="h3">Volumes</Typography>
         <Button
           buttonType="primary"
-          disabled={isLinodesGrantReadOnly}
+          disabled={!linodePermissions?.update_linode}
           onClick={handleCreateVolume}
+          tooltipText={
+            !linodePermissions?.update_linode
+              ? 'You do not have permission to create or attach a volume to this Linode.'
+              : undefined
+          }
         >
           Add Volume
         </Button>

packages/manager/src/features/Linodes/LinodesDetail/VolumesUpgradeBanner.test.tsx

@@ -7,7 +7,25 @@ import { renderWithTheme } from 'src/utilities/testHelpers';
 
 import { VolumesUpgradeBanner } from './VolumesUpgradeBanner';
 
+const queryMocks = vi.hoisted(() => ({
+  usePermissions: vi.fn(),
+}));
+
+vi.mock('src/features/IAM/hooks/usePermissions', async () => {
+  const actual = await vi.importActual('src/features/IAM/hooks/usePermissions');
+  return {
+    ...actual,
+    usePermissions: queryMocks.usePermissions,
+  };
+});
+
 describe('VolumesUpgradeBanner', () => {
+  beforeEach(() => {
+    queryMocks.usePermissions.mockReturnValue({
+      update_volume: true,
+    });
+  });
+
   it('should render if there is an upgradable volume', async () => {
     const volume = volumeFactory.build();
     const notification = notificationFactory.build({

packages/manager/src/features/Volumes/Drawers/AttachVolumeDrawer.tsx

@@ -1,4 +1,4 @@
-import { useAttachVolumeMutation, useGrants } from '@linode/queries';
+import { useAttachVolumeMutation } from '@linode/queries';
 import { LinodeSelect } from '@linode/shared';
 import {
   ActionsPanel,
@@ -16,6 +16,7 @@ import { number, object } from 'yup';
 
 import { BLOCK_STORAGE_ENCRYPTION_SETTING_IMMUTABLE_COPY } from 'src/components/Encryption/constants';
 import { useIsBlockStorageEncryptionFeatureEnabled } from 'src/components/Encryption/utils';
+import { usePermissions } from 'src/features/IAM/hooks/usePermissions';
 import { useEventsPollingActions } from 'src/queries/events/events';
 import { getAPIErrorFor } from 'src/utilities/getAPIErrorFor';
 
@@ -46,7 +47,13 @@ export const AttachVolumeDrawer = React.memo((props: Props) => {
 
   const { checkForNewEvents } = useEventsPollingActions();
 
-  const { data: grants } = useGrants();
+  const { data: permissions } = usePermissions(
+    'volume',
+    ['attach_volume'],
+    volume?.id
+  );
+
+  const canAttachVolume = permissions?.attach_volume;
 
   const { error, mutateAsync: attachVolume } = useAttachVolumeMutation();
 
@@ -86,11 +93,6 @@ export const AttachVolumeDrawer = React.memo((props: Props) => {
     overwrite: 'Overwrite',
   };
 
-  const isReadOnly =
-    grants !== undefined &&
-    grants.volume.find((grant) => grant.id === volume?.id)?.permissions ===
-      'read_only';
-
   const hasErrorFor = getAPIErrorFor(
     errorResources,
     error === null ? undefined : error
@@ -107,7 +109,7 @@ export const AttachVolumeDrawer = React.memo((props: Props) => {
       title={`Attach Volume ${volume?.label}`}
     >
       <form onSubmit={formik.handleSubmit}>
-        {isReadOnly && (
+        {!canAttachVolume && (
           <Notice
             text="You don't have permission to attach this volume."
             variant="error"
@@ -116,7 +118,7 @@ export const AttachVolumeDrawer = React.memo((props: Props) => {
         {generalError && <Notice text={generalError} variant="error" />}
         <LinodeSelect
           clearable={false}
-          disabled={isReadOnly}
+          disabled={!canAttachVolume}
           errorText={
             formik.touched.linode_id && formik.errors.linode_id
               ? formik.errors.linode_id
@@ -137,7 +139,7 @@ export const AttachVolumeDrawer = React.memo((props: Props) => {
           </FormHelperText>
         )}
         <StyledConfigSelect
-          disabled={isReadOnly || formik.values.linode_id === -1}
+          disabled={!canAttachVolume || formik.values.linode_id === -1}
           error={
             formik.touched.config_id && formik.errors.config_id
               ? formik.errors.config_id
@@ -171,7 +173,7 @@ export const AttachVolumeDrawer = React.memo((props: Props) => {
         <ActionsPanel
           primaryButtonProps={{
             'data-testid': 'submit',
-            disabled: isReadOnly,
+            disabled: !canAttachVolume,
             label: 'Attach',
             loading: formik.isSubmitting,
             type: 'submit',