
@rodonnel-akamai (Contributor)

Description 📝

This PR adds the new IAM permissions feature to the Firewall details / Node Balancers UI. The only needed update was to the Add drawer.

Changes 🔄

  • The Add NodeBalancer to Firewall drawer now abides by the IAM permissions - users without the proper permissions should not be able to add Node Balancers to a firewall.

Scope 🚢

Upon production release, changes in this PR will be visible to:

  • All customers
  • Some customers (e.g. in Beta or Limited Availability)
  • No customers / Not applicable

Target release date 🗓️

Aug 13

Preview 📷

Before / After: Screenshot 2025-08-05 at 4 04 39 PM

How to test 🧪

Prerequisites

  • In an IAM account, have users with both create_firewall_device values

Reproduction steps

(How to reproduce the issue, if applicable)

  • Test that a user with create_firewall_device capability can add Node Balancers via this drawer
  • Test that a user without create_firewall_device capability cannot add Node Balancers via this drawer

Verification steps

(How to verify changes)

  • Using an IAM account and a user with create_firewall_device, verify you can add Node Balancers to a firewall
  • Using an IAM account and a user without create_firewall_device, verify you can NOT add Node Balancers

Author Checklists

As an Author, to speed up the review process, I considered 🤔

👀 Doing a self review
❔ Our contribution guidelines
🤏 Splitting feature into small PRs
➕ Adding a changeset
🧪 Providing/improving test coverage
🔐 Removing all sensitive information from the code and PR description
🚩 Using a feature flag to protect the release
👣 Providing comprehensive reproduction steps
📑 Providing or updating our documentation
🕛 Scheduling a pair reviewing session
📱 Providing mobile support
♿ Providing accessibility support


  • I have read and considered all applicable items listed above.

As an Author, before moving this PR from Draft to Open, I confirmed ✅

  • All tests and CI checks are passing
  • TypeScript compilation succeeded without errors
  • Code passes all linting rules

@rodonnel-akamai rodonnel-akamai requested a review from a team as a code owner August 5, 2025 20:10
@rodonnel-akamai rodonnel-akamai requested review from dwiley-akamai and pmakode-akamai and removed request for a team August 5, 2025 20:10
@kwojtowiakamai

kwojtowiakamai commented Aug 6, 2025

Permission listing: https://collaborate.akamai.com/confluence/spaces/PORTALENG/pages/1147087703/Phase+I+FGA+model
Both of the behaviors described below are currently present in production, and I'm not sure if we want to change them. I'm just pointing them out.

  1. I noticed that the permission checks to add a NodeBalancer to a Firewall in the UI are stricter than the permission checks done via the API. The user only needs the create_firewall_device permission for the firewall and the read grant (RBAC equivalent is the nodebalancer_viewer role) for the NodeBalancers. However, in the "Add NodeBalancer to Firewall" drawer, the dropdown only lists NodeBalancers with the read_write grant (RBAC equivalent is the nodebalancer_admin role).
  2. The "Remove" button in the "Remove NodeBalancer" dialog is enabled only when the user is unrestricted (RBAC equivalent is the account_admin role). According to the permissions listing, the roles required to remove a NodeBalancer from a firewall are delete_firewall_device for the firewall and the read_write grant (RBAC equivalent is the nodebalancer_admin role) for NodeBalancers.

@linode-gh-bot (Collaborator)

Cloud Manager UI test results

🔺 3 failing tests on test run #3

❌ 3 Failing | ✅ 702 Passing | ↪️ 4 Skipped | 🕐 Duration 138m 24s

Details

Failing Tests
Spec: Test

  • restricted-user-details-pages.spec.ts: Cloud Manager Cypress Tests → restricted user details pages » should disable action elements and buttons in the 'Linodes' details page
  • qemu-reboot-upgrade-notice.spec.ts: Cloud Manager Cypress Tests → QEMU reboot upgrade notification » should display maintenance banner in 'Linode' landing page when one or more Linodes get impacted.
  • linode-storage.spec.ts: Cloud Manager Cypress Tests → linode storage tab » delete disk

Troubleshooting

Use this command to re-run the failing tests:

pnpm cy:run -s "cypress/e2e/core/account/restricted-user-details-pages.spec.ts,cypress/e2e/core/notificationsAndEvents/qemu-reboot-upgrade-notice.spec.ts,cypress/e2e/core/linodes/linode-storage.spec.ts"

@corya-akamai corya-akamai added the Firewalls Related to Firewalls label Aug 6, 2025
@corya-akamai corya-akamai added the Add'tl Approval Needed Waiting on another approval! label Aug 6, 2025
@jaalah-akamai (Contributor) left a comment

suggestion(non-blocking): When the user's roles are firewall_viewer and nodebalancer_admin and you manually go to the route /firewalls/<id>/nodebalancers/add, which opens the drawer, we may want to disable the Add button and add a restricted notice like we do in other drawers.

The adding of the firewall gets blocked by the API, but we probably want to prevent a user from thinking they can do this to begin with.

Screenshots: 2025-08-06 at 11 36 16 AM, 2025-08-06 at 11 36 34 AM
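The two permission points raised in this thread (the API needing create_firewall_device on the firewall plus only a read grant on the NodeBalancer, while the drawer's dropdown filters to read_write; and the suggestion to disable Add with a restricted notice for a user who reaches the drawer without create_firewall_device), modelled as an added TypeScript example. This is not code from linode/manager; the types, function names (UserAccess, eligibleNodeBalancers, addDrawerState) and sample ids are hypothetical and constructed here.

```typescript
// Added example modelling the permission rules discussed in this PR thread.
// Not code from linode/manager: all names and sample values are hypothetical.
type FirewallPermission = 'create_firewall_device' | 'delete_firewall_device';
type Grant = 'read' | 'read_write';
interface UserAccess {
  unrestricted: boolean; // account_admin equivalent: every check passes
  firewallPermissions: Record<number, FirewallPermission[]>; // keyed by firewall id
  nodeBalancerGrants: Record<number, Grant>; // keyed by NodeBalancer id; absent = no grant
}
interface NodeBalancer { id: number; label: string; }

function hasFirewallPermission(user: UserAccess, firewallId: number, perm: FirewallPermission): boolean {
  if (user.unrestricted) return true;
  const perms: FirewallPermission[] | undefined = user.firewallPermissions[firewallId];
  return (perms ?? []).includes(perm);
}

function meetsGrant(user: UserAccess, nbId: number, minimum: Grant): boolean {
  if (user.unrestricted) return true;
  const grant: Grant | undefined = user.nodeBalancerGrants[nbId];
  if (grant === undefined) return false;
  return minimum === 'read' || grant === 'read_write';
}

// NodeBalancers the drawer may offer. The review comment says the API needs only a
// read grant while the current dropdown filters to read_write; `minimum` selects
// which rule is applied so the two lists can be compared.
function eligibleNodeBalancers(user: UserAccess, nbs: NodeBalancer[], minimum: Grant): NodeBalancer[] {
  return nbs.filter((nb) => meetsGrant(user, nb.id, minimum));
}

// Drawer state for the suggested fix: a user who reaches the Add drawer without
// create_firewall_device on this firewall gets a disabled Add button and a
// restricted notice up front, instead of an API rejection after submitting.
function addDrawerState(user: UserAccess, firewallId: number, nbs: NodeBalancer[]) {
  if (!hasFirewallPermission(user, firewallId, 'create_firewall_device')) {
    return { addDisabled: true, restricted: true, options: [] as NodeBalancer[] };
  }
  const options = eligibleNodeBalancers(user, nbs, 'read');
  return { addDisabled: options.length === 0, restricted: false, options };
}

// Constructed sample data: a user with create_firewall_device on firewall 10 only,
// a read grant on NodeBalancer 1, read_write on 2, and no grant on 3.
const sampleNodeBalancers: NodeBalancer[] = [
  { id: 1, label: 'nb-read-only' }, { id: 2, label: 'nb-read-write' }, { id: 3, label: 'nb-no-grant' },
];
const sampleUser: UserAccess = {
  unrestricted: false, firewallPermissions: { 10: ['create_firewall_device'] },
  nodeBalancerGrants: { 1: 'read', 2: 'read_write' },
};
```

Comparing `eligibleNodeBalancers(sampleUser, sampleNodeBalancers, 'read')` with the `'read_write'` variant shows the one NodeBalancer the current dropdown hides even though the API would accept it.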

@github-project-automation github-project-automation bot moved this from Review to Approved in Cloud Manager Aug 6, 2025
@jaalah-akamai (Contributor)

jaalah-akamai commented Aug 6, 2025

Test Review

  • restricted-user-details-pages.spec.ts: Unrelated, CM works as intended, but test needs to be looked at by SDETs
  • qemu-reboot-upgrade-notice.spec.ts: Was recently fixed #12639
  • linode-storage.spec.ts: SDETs aware of this one

@jaalah-akamai jaalah-akamai merged commit 351a529 into linode:develop Aug 6, 2025
34 of 35 checks passed
@github-project-automation github-project-automation bot moved this from Approved to Merged in Cloud Manager Aug 6, 2025
@corya-akamai (Contributor)

> suggestion(non-blocking): When the user's roles are firewall_viewer and nodebalancer_admin and you manually go to the route /firewalls/<id>/nodebalancers/add, which opens the drawer, we may want to disable the Add button and add a restricted notice like we do in other drawers.
>
> The adding of the firewall gets blocked by the API, but we probably want to prevent a user from thinking they can do this to begin with.
>
> Screenshots: 2025-08-06 at 11 36 16 AM, 2025-08-06 at 11 36 34 AM

Nice catch @jaalah-akamai, @rodonnel-akamai can you add a follow up ticket?

@rodonnel-akamai (Contributor, Author)

rodonnel-akamai commented Aug 6, 2025

> Nice catch @jaalah-akamai, @rodonnel-akamai can you add a follow up ticket?

Ticket is https://track.akamai.com/jira/browse/UIE-9068

abailly-akamai pushed a commit to abailly-akamai/manager that referenced this pull request Aug 7, 2025
…inode#12641)

* feat: [UIE-8872] - IAM RBAC - Firewalls / Nodebalancers permissions

* Added changeset: Added IAM permission check to the Firewall Details / Add Node Balancer drawer
6 participants