[PLAT-18841][PLAT-18818] Add stricter RBAC to continuous backup actions

Jethro-M · avoidik · commit 1b959dd48723 · 2025-11-06T09:27:30.000Z
Summary: Prior to this diff, all continuous/isolated YBA backup API requests only required `READ` access on `OTHER` resource. We want to be stricter here. In particular, restoring from a YBA backup is an extremely destructive operation that can overwrite existing data. To prevent accidental or unauthorized use, this change restricts all create/edit backup & restore actions to users with SUPER_ADMIN_ACTION permissions only. On the UI side, this diff adds logic to read and verify that the user has sufficient permissions for performing continuous/isolated backup actions. Test Plan: Test continuous/isolated backup workflow with users who have different access levels. Users who don't have SUPER_ADMIN_ACTION permission should not be allowed to restore YBA backups. Verify the restrictions put in place by our RBAC implementation are as expected. {F409070} {F409071} Read-only User {F409072} {F409073} Reviewers: muthu, rmadhavan Reviewed By: muthu Subscribers: yugaware Differential Revision: https://phorge.dev.yugabyte.com/D47813
diff --git a/managed/src/main/resources/openapi/paths/_index.yaml b/managed/src/main/resources/openapi/paths/_index.yaml
@@ -203,7 +203,7 @@
     x-yba-api-authz:
       - requiredPermission:
           resourceType: other
-          action: read
+          action: SUPER_ADMIN_ACTIONS
         resourceLocation:
           path: customers
           sourceType: endpoint
@@ -244,7 +244,7 @@
     x-yba-api-authz:
       - requiredPermission:
           resourceType: other
-          action: read
+          action: SUPER_ADMIN_ACTIONS
         resourceLocation:
           path: customers
           sourceType: endpoint
@@ -295,7 +295,7 @@
     x-yba-api-authz:
       - requiredPermission:
           resourceType: other
-          action: read
+          action: SUPER_ADMIN_ACTIONS
         resourceLocation:
           path: customers
           sourceType: endpoint
@@ -324,7 +324,7 @@
     x-yba-api-authz:
       - requiredPermission:
           resourceType: other
-          action: read
+          action: SUPER_ADMIN_ACTIONS
         resourceLocation:
           path: customers
           sourceType: endpoint
@@ -365,7 +365,7 @@
     x-yba-api-authz:
       - requiredPermission:
           resourceType: other
-          action: read
+          action: SUPER_ADMIN_ACTIONS
         resourceLocation:
           path: customers
           sourceType: endpoint
@@ -406,7 +406,7 @@
     x-yba-api-authz:
       - requiredPermission:
           resourceType: other
-          action: read
+          action: SUPER_ADMIN_ACTIONS
         resourceLocation:
           path: customers
           sourceType: endpoint
diff --git a/managed/src/main/resources/openapi/paths/continuousbackups.yaml b/managed/src/main/resources/openapi/paths/continuousbackups.yaml
@@ -61,7 +61,7 @@
     x-yba-api-authz:
       - requiredPermission:
           resourceType: other
-          action: read
+          action: SUPER_ADMIN_ACTIONS
         resourceLocation:
           path: customers
           sourceType: endpoint
@@ -102,7 +102,7 @@
     x-yba-api-authz:
       - requiredPermission:
           resourceType: other
-          action: read
+          action: SUPER_ADMIN_ACTIONS
         resourceLocation:
           path: customers
           sourceType: endpoint
@@ -153,7 +153,7 @@
     x-yba-api-authz:
       - requiredPermission:
           resourceType: other
-          action: read
+          action: SUPER_ADMIN_ACTIONS
         resourceLocation:
           path: customers
           sourceType: endpoint
@@ -182,7 +182,7 @@
     x-yba-api-authz:
       - requiredPermission:
           resourceType: other
-          action: read
+          action: SUPER_ADMIN_ACTIONS
         resourceLocation:
           path: customers
           sourceType: endpoint
diff --git a/managed/src/main/resources/openapi/paths/isolatedbackups.yaml b/managed/src/main/resources/openapi/paths/isolatedbackups.yaml
@@ -33,7 +33,7 @@
     x-yba-api-authz:
       - requiredPermission:
           resourceType: other
-          action: read
+          action: SUPER_ADMIN_ACTIONS
         resourceLocation:
           path: customers
           sourceType: endpoint
@@ -74,7 +74,7 @@
     x-yba-api-authz:
       - requiredPermission:
           resourceType: other
-          action: read
+          action: SUPER_ADMIN_ACTIONS
         resourceLocation:
           path: customers
           sourceType: endpoint
diff --git a/managed/ui/src/components/panels/UniverseDisplayPanel/OnboardingPanel.tsx b/managed/ui/src/components/panels/UniverseDisplayPanel/OnboardingPanel.tsx
@@ -3,10 +3,16 @@ import { makeStyles } from '@material-ui/core/styles';
 import { Typography } from '@material-ui/core';
 import { useTranslation } from 'react-i18next';
 import { Link } from 'react-router';
+
 import { YBButton } from '../../../redesign/components/YBButton/YBButton';
-import { RestoreYbaBackupFormModal } from '../../../redesign/features/continuous-backup/RestoreYbaBackupFormModal';
 import { ReactComponent as BriefcaseIcon } from '@app/redesign/assets/briefcase.svg';
 import { ReactComponent as BulbIcon } from '@app/redesign/assets/bulb2.svg';
+import { RestoreYbaBackupModal } from '@app/redesign/features/continuous-backup/RestoreYbaBackupModal';
+import {
+  hasNecessaryPerm,
+  RbacValidator
+} from '@app/redesign/features/rbac/common/RbacApiPermValidator';
+import { ApiPermissionMap } from '@app/redesign/features/rbac/ApiAndUserPermMapping';
 
 const useStyles = makeStyles((theme) => ({
   container: {
@@ -97,14 +103,22 @@ export const OnboardingPanel = () => {
         <div className={classes.card}>
           <BriefcaseIcon width={62} height={62} />
           <Typography className={classes.cardText}>{t('restoreBackupCard.title')}</Typography>
-          <YBButton variant="primary" onClick={openRestoreYbaBackupModal}>
-            {t('restoreBackupCard.buttonText')}
-          </YBButton>
+          <RbacValidator
+            customValidateFunction={() =>
+              hasNecessaryPerm(ApiPermissionMap.RESTORE_CONTINUOUS_YBA_BACKUP) ||
+              hasNecessaryPerm(ApiPermissionMap.RESTORE_ISOLATED_YBA_BACKUP)
+            }
+            isControl
+          >
+            <YBButton variant="primary" onClick={openRestoreYbaBackupModal}>
+              {t('restoreBackupCard.buttonText')}
+            </YBButton>
+          </RbacValidator>
         </div>
       </div>
 
       {isRestoreYbaBackupModalOpen && (
-        <RestoreYbaBackupFormModal
+        <RestoreYbaBackupModal
           modalProps={{ open: isRestoreYbaBackupModalOpen, onClose: closeRestoreYbaBackupModal }}
         />
       )}
diff --git a/managed/ui/src/redesign/features/continuous-backup/ContinuousBackupActionBar.tsx b/managed/ui/src/redesign/features/continuous-backup/ContinuousBackupActionBar.tsx
@@ -1,9 +1,11 @@
 import { Box, useTheme } from '@material-ui/core';
 import { useState } from 'react';
 import { useTranslation } from 'react-i18next';
+
 import { YBButton } from '../../components';
+import { ApiPermissionMap } from '../rbac/ApiAndUserPermMapping';
+import { hasNecessaryPerm, RbacValidator } from '../rbac/common/RbacApiPermValidator';
 import { CreateYbaBackupModal } from './CreateYbaBackupModal';
-import { RestoreYbaBackupFormModal } from './RestoreYbaBackupFormModal';
 import { RestoreYbaBackupModal } from './RestoreYbaBackupModal';
 
 const TRANSLATION_KEY_PREFIX = 'continuousBackup.actionBar';
@@ -21,20 +23,30 @@ export const ContinuousBackupActionBar = () => {
 
   return (
     <Box display="flex" gridGap={theme.spacing(1)}>
-      <YBButton
-        variant="secondary"
-        onClick={openCreateYbaBackupModal}
-        data-testid="ContinuousBackupActionBar-OneTimeExportButton"
-      >
-        {t('oneTimeBackup')}
-      </YBButton>
-      <YBButton
-        variant="secondary"
-        onClick={openRestoreYbaBackupModal}
-        data-testid="ContinuousBackupActionBar-AdvancedRestoreButton"
+      <RbacValidator accessRequiredOn={ApiPermissionMap.CREATE_ISOLATED_YBA_BACKUP} isControl>
+        <YBButton
+          variant="secondary"
+          onClick={openCreateYbaBackupModal}
+          data-testid="ContinuousBackupActionBar-OneTimeExportButton"
+        >
+          {t('oneTimeBackup')}
+        </YBButton>
+      </RbacValidator>
+      <RbacValidator
+        customValidateFunction={() =>
+          hasNecessaryPerm(ApiPermissionMap.RESTORE_CONTINUOUS_YBA_BACKUP) ||
+          hasNecessaryPerm(ApiPermissionMap.RESTORE_ISOLATED_YBA_BACKUP)
+        }
+        isControl
       >
-        {t('advancedRestore')}
-      </YBButton>
+        <YBButton
+          variant="secondary"
+          onClick={openRestoreYbaBackupModal}
+          data-testid="ContinuousBackupActionBar-AdvancedRestoreButton"
+        >
+          {t('advancedRestore')}
+        </YBButton>
+      </RbacValidator>
       {isCreateYbaBackupModalOpen && (
         <CreateYbaBackupModal
           modalProps={{ open: isCreateYbaBackupModalOpen, onClose: closeCreateYbaBackupModal }}
diff --git a/managed/ui/src/redesign/features/continuous-backup/ContinuousBackupCard.tsx b/managed/ui/src/redesign/features/continuous-backup/ContinuousBackupCard.tsx
@@ -17,6 +17,8 @@ import {
 import { useFormatDatetime } from '../../helpers/DateUtils';
 import { DeleteContinuousBackupConfigModal } from './DeleteContinuousBackupConfigModal';
 import { getIsLastPlatformBackupOld } from './utils';
+import { ApiPermissionMap } from '../rbac/ApiAndUserPermMapping';
+import { RbacValidator } from '../rbac/common/RbacApiPermValidator';
 
 interface ContinuousBackupCardProps {
   continuousBackupConfig: ContinuousBackup;
@@ -127,14 +129,18 @@ export const ContinuousBackupCard = ({ continuousBackupConfig }: ContinuousBacku
       <div className={classes.cardHeader}>
         <Typography variant="h5">{t('title')}</Typography>
         <div className={classes.cardActionsContainer}>
-          <YBButton variant="secondary" onClick={openConfigureContinuousBackupModal}>
-            <PenIcon className={classes.icon} />
-            <Typography variant="body2">{t('edit', { keyPrefix: 'common' })}</Typography>
-          </YBButton>
-          <YBButton variant="secondary" onClick={openDeleteContinuousBackupModal}>
-            <TrashIcon className={classes.icon} />
-            <Typography variant="body2">{t('button.remove')}</Typography>
-          </YBButton>
+          <RbacValidator accessRequiredOn={ApiPermissionMap.EDIT_CONTINUOUS_YBA_BACKUP} isControl>
+            <YBButton variant="secondary" onClick={openConfigureContinuousBackupModal}>
+              <PenIcon className={classes.icon} />
+              <Typography variant="body2">{t('edit', { keyPrefix: 'common' })}</Typography>
+            </YBButton>
+          </RbacValidator>
+          <RbacValidator accessRequiredOn={ApiPermissionMap.DELETE_CONTINUOUS_YBA_BACKUP} isControl>
+            <YBButton variant="secondary" onClick={openDeleteContinuousBackupModal}>
+              <TrashIcon className={classes.icon} />
+              <Typography variant="body2">{t('button.remove')}</Typography>
+            </YBButton>
+          </RbacValidator>
         </div>
       </div>
       <div className={classes.cardBody}>
diff --git a/managed/ui/src/redesign/features/continuous-backup/EnableContinuousBackupPrompt.tsx b/managed/ui/src/redesign/features/continuous-backup/EnableContinuousBackupPrompt.tsx
@@ -79,7 +79,7 @@ export const EnableContinuousBackupPrompt = ({
         <Typography className={classes.promptPrimaryText} variant="body2">
           {t('featureDescription')}
         </Typography>
-        <RbacValidator accessRequiredOn={ApiPermissionMap.CREATE_CONTINUOUS_BACKUP} isControl>
+        <RbacValidator accessRequiredOn={ApiPermissionMap.CREATE_CONTINUOUS_YBA_BACKUP} isControl>
           <YBButton
             style={{ minWidth: '200px' }}
             variant="primary"
diff --git a/managed/ui/src/redesign/features/continuous-backup/RestoreYbaBackupFormModal.tsx b/managed/ui/src/redesign/features/continuous-backup/RestoreYbaBackupFormModal.tsx
@@ -20,6 +20,8 @@ import { api, CUSTOMER_CONFIG_QUERY_KEY } from '@app/redesign/helpers/api';
 import { ReactComponent as SelectedIcon } from '@app/redesign/assets/circle-selected.svg';
 import { ReactComponent as UnselectedIcon } from '@app/redesign/assets/circle-empty.svg';
 import { ReactComponent as WarningIcon } from '@app/redesign/assets/alert.svg';
+import { RbacValidator } from '../rbac/common/RbacApiPermValidator';
+import { ApiPermissionMap } from '../rbac/ApiAndUserPermMapping';
 
 import toastStyles from '../../../redesign/styles/toastStyles.module.scss';
 
@@ -278,32 +280,44 @@ export const RestoreYbaBackupFormModal = ({ modalProps }: RestoreYbaBackupFormMo
             render={({ field: { onChange } }) => (
               <Box display="flex" gridGap={theme.spacing(1)}>
                 <Box width="50%">
-                  <div
-                    className={clsx(
-                      classes.optionCard,
-                      backupType === BackupType.CLOUD && classes.selected
-                    )}
-                    onClick={() => handleOptionCardClick(BackupType.CLOUD, onChange)}
+                  <RbacValidator
+                    accessRequiredOn={ApiPermissionMap.RESTORE_CONTINUOUS_YBA_BACKUP}
+                    isControl
+                    overrideStyle={{ display: 'unset' }}
                   >
-                    <Typography variant="body1">{t('option.cloudBackup')}</Typography>
-                    <Box display="flex" alignItems="center" marginLeft="auto">
-                      {backupType === BackupType.CLOUD ? <SelectedIcon /> : <UnselectedIcon />}
-                    </Box>
-                  </div>
+                    <div
+                      className={clsx(
+                        classes.optionCard,
+                        backupType === BackupType.CLOUD && classes.selected
+                      )}
+                      onClick={() => handleOptionCardClick(BackupType.CLOUD, onChange)}
+                    >
+                      <Typography variant="body1">{t('option.cloudBackup')}</Typography>
+                      <Box display="flex" alignItems="center" marginLeft="auto">
+                        {backupType === BackupType.CLOUD ? <SelectedIcon /> : <UnselectedIcon />}
+                      </Box>
+                    </div>
+                  </RbacValidator>
                 </Box>
                 <Box width="50%">
-                  <div
-                    className={clsx(
-                      classes.optionCard,
-                      backupType === BackupType.LOCAL && classes.selected
-                    )}
-                    onClick={() => handleOptionCardClick(BackupType.LOCAL, onChange)}
+                  <RbacValidator
+                    accessRequiredOn={ApiPermissionMap.RESTORE_ISOLATED_YBA_BACKUP}
+                    isControl
+                    overrideStyle={{ display: 'unset' }}
                   >
-                    <Typography variant="body1">{t('option.localBackup')}</Typography>
-                    <Box display="flex" alignItems="center" marginLeft="auto">
-                      {backupType === BackupType.LOCAL ? <SelectedIcon /> : <UnselectedIcon />}
-                    </Box>
-                  </div>
+                    <div
+                      className={clsx(
+                        classes.optionCard,
+                        backupType === BackupType.LOCAL && classes.selected
+                      )}
+                      onClick={() => handleOptionCardClick(BackupType.LOCAL, onChange)}
+                    >
+                      <Typography variant="body1">{t('option.localBackup')}</Typography>
+                      <Box display="flex" alignItems="center" marginLeft="auto">
+                        {backupType === BackupType.LOCAL ? <SelectedIcon /> : <UnselectedIcon />}
+                      </Box>
+                    </div>
+                  </RbacValidator>
                 </Box>
               </Box>
             )}
diff --git a/managed/ui/src/redesign/features/rbac/ApiAndUserPermMapping.ts b/managed/ui/src/redesign/features/rbac/ApiAndUserPermMapping.ts
@@ -1085,18 +1085,30 @@ export const ApiPermissionMap = {
         requestType: ApiRequestType.POST,
         endpoint: '/settings/ha/internal/upload'
     },
-    CREATE_CONTINUOUS_BACKUP: {
+    CREATE_CONTINUOUS_YBA_BACKUP: {
         requestType: ApiRequestType.POST,
         endpoint: '/auto-yba-backups'
     },
-    DELETE_CONTINUOUS_BACKUP: {
+    DELETE_CONTINUOUS_YBA_BACKUP: {
         requestType: ApiRequestType.DELETE,
         endpoint: '/auto-yba-backups/$bUUID<[^/]+>'
     },
-    EDIT_CONTINUOUS_BACKUP: {
+    EDIT_CONTINUOUS_YBA_BACKUP: {
         requestType: ApiRequestType.DELETE,
         endpoint: '/auto-yba-backups/$bUUID<[^/]+>'
     },
+    RESTORE_CONTINUOUS_YBA_BACKUP: {
+        requestType: ApiRequestType.POST,
+        endpoint: '/auto-yba-backups/restore'
+    },
+    CREATE_ISOLATED_YBA_BACKUP: {
+        requestType: ApiRequestType.POST,
+        endpoint: '/yba-backups'
+    },
+    RESTORE_ISOLATED_YBA_BACKUP: {
+        requestType: ApiRequestType.POST,
+        endpoint: '/yba-backups/restore'
+    },
     GET_UNIVERSE_PROXY: {
         requestType: ApiRequestType.GET,
         endpoint: '/universes/$uniUUID<[^/]+>/proxy/[^/]+'
diff --git a/managed/ui/src/redesign/features/rbac/common/RbacUtils.tsx b/managed/ui/src/redesign/features/rbac/common/RbacUtils.tsx
@@ -50,11 +50,25 @@ export const setIsRbacEnabled = (flag: boolean) => {
 };
 
 export const isRbacEnabled = () => {
-  return localStorage.getItem(rbac_identifier) === 'true';
+  try {
+    if (typeof localStorage === 'undefined' || localStorage === null) {
+      return false;
+    }
+    return localStorage.getItem(rbac_identifier) === 'true';
+  } catch {
+    return false;
+  }
 };
 
 export const getRbacEnabledVal = () => {
-  return localStorage.getItem(rbac_identifier);
+  try {
+    if (typeof localStorage === 'undefined' || localStorage === null) {
+      return null;
+    }
+    return localStorage.getItem(rbac_identifier);
+  } catch {
+    return null;
+  }
 };
 
 export const clearRbacCreds = () => {
