Sub Access Graph entitlement

[emargetis]

Summary

This PR substitutes the now deprecated Policy entitlement for the new Access Graph entitlement. It also swaps out all usages in Teleport of Policy for Access Graph.

Note: The Access Graph entitlement has a structure of {Enabled: bool, Limit: num} while Policy only had {Enabled: bool}. While this PR is a 1:1 swap that only passes through the Enabled flag, the Limit value may want to be used in the future, 0 indicating a dedicated instance and 1 indicating a shared instance.

https://github.com/gravitational/teleport.e/pull/7898 will be similar to this PR

---

Merge order of PRs:

1. https://github.com/gravitational/teleport.e/pull/7929
2. Add access graph entitlement #64340
3. (current) Sub Access Graph entitlement #63117
4. https://github.com/gravitational/teleport.e/pull/7898

Supports https://github.com/gravitational/cloud/issues/16130

---

Manual Test Plan

Test Environment

I deployed a dev build with these changes alone to cloud staging (erik-ag-partial) and verified that toggling Access Graph from the SC UI provides and removes access in the product. Though you still need to roll the pods to see the expected UI.

Test Cases

• Toggling on and rolling pods enables access graph
• Toggling off and rolling pods disables access graph

Local Entitlement Testing

Prep

1. Check out this branch and the corresponding e branch
2. Create and run a local enterprise cloud tenant against a local salescenter instance
3. Add this print statement on the Teleport side in feature.go to verify entitlements received by Teleport:

fmt.Printf("DEBUG GetCloudFeatures: entitlements=%v\n", resp.Entitlements)

Test AccessGraph entitlement independently

Enabled

1. Add this code snippet just before the response from the handler and rebuild SC

// test AccessGraph entitlement works independently
e["Policy"] = &v1.EntitlementInfo{Enabled: false}

2. Toggle on the Access Graph feature for the tenant in the SC UI
3. Restart local tenant, visit the access graph page (/web/accessgraph), and verify you see the following error:

5. Verify in the Teleport logs that Policy was not enabled and AccessGraph was set to enabled:true in the response

Disabled

1. Toggle off Access Graph in the SC UI
2. Restart the tenant to make sure it has the latest license updates, visit the access graph page, and verify you see a trial ad instead of the error above:

3. Verify in the Teleport logs that Policy was not enabled and AccessGraph entitlement was not enabled in the response

Test Policy entitlement independently for backward compatibility (simulating old licenses)

Enabled

1. Replace the code snippet from the previous test in the handlerwith the following and rebuild SC:

// test Policy entitlement still works independently
e["AccessGraph"] = &v1.EntitlementInfo{Enabled: false}  

2. Toggle on Access Graph in the SC UI
3. Restart local tenant, visit the access graph page (/web/accessgraph), and verify you see the same connection error again
4. Verify in the Teleport logs that AccessGraph was not enabled and Policy was set to enabled:true in the response

Disabled

1. Toggle off Access Graph in the SC UI
2. Restart the tenant to make sure it has the latest license updates, visit the access graph page, and verify you see the trial ad instead of the error above
3. Verify in the Teleport logs that AccessGraph was not enabled and Policy was not enabled in the response

[zmb3]

I didn't get all the way through the review, but I've noticed that there are some things that make this PR hard to understand.

It looks like we used to have a "feature" for TAG/Policy/AccessGraph, and then we switched to entitlements, but we also kept the feature for compatibility.

This means there are a bunch of places where we're checking both the feature and the entitlement.

Now we're adding a third thing to check (an additional entitlement). That's a lot of combinations to test and verify that everything is working correctly.

Entitlements have been out for long enough now that we should be able to simplify this by removing the features so the entitlement becomes a single source of truth.

What do you think?

[zmb3]

• I would update the comment here since it talks about the [deprecated] policy feature.
• This if statement is also pretty hard to follow. I wonder if we can make it so that we can only check the AccessGraph entitlement here, and have the code that sets features handle the compatibility.

[emargetis]

Unfortunately, right now the entitlement and feature serve somewhat unique purposes. The AccessGraph entitlement ensures the customer has access to the feature while the AccessGraph feature ensures the same AND that the TAG resource was connected (see code). I had a draft branch to decouple that feature but it's a bit more involved and not on the critical path for this PR.

[emargetis]

Moving to draft while PR is rebased

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0d28b8d6f7

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Keep Policy fallback in Access Graph authz gates

This gate now ignores the legacy Policy entitlement, so a cluster with Policy=true, AccessGraph=false, and Features.AccessGraph=false will be treated as unlicensed and denied (GetClusterAccessGraphConfig returns disabled, and update/upsert/reset paths now return AccessDenied). That is a regression during the deprecation window because Policy is still carried in entitlements and other paths still treat it as valid compatibility input.

Useful? React with 👍 / 👎.

[emargetis]

Features.AccessGraph will be updated to be enabled if either AccessGraph or Policy entitlement is enabled in e.#7898.

AccessGraph entitlementsis also enabled if either AccessGraph or Policy is enabled for self-hosted licenses (GetSelfHostedLicenseFeatures) and legacy licenses (setLegacyLogic) in the same file.

For cloud, no fallback is needed as it always sets AccessGraph and Policy to the same value here

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 115ab82766

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".