feat(authz): Add support for additional RBAC configruation via YAML configuration (#3285)

grutt · web-flow · commit a9b5c634b33c · 2026-03-15T12:04:30.000-07:00
* feat(authz): Add support for additional RBAC permissions via YAML configuration

* feat: allowed operations
diff --git a/api/v1/server/authz/middleware.go b/api/v1/server/authz/middleware.go
@@ -24,6 +24,7 @@ func NewAuthZ(config *server.ServerConfig) (*AuthZ, error) {
 	if err != nil {
 		return nil, err
 	}
+
 	return &AuthZ{
 		config: config,
 		l:      config.Logger,
@@ -163,6 +164,10 @@ func (a *AuthZ) ensureVerifiedEmail(c echo.Context, r *middleware.RouteInfo) err
 }
 
 func (a *AuthZ) authorizeTenantOperations(tenantMemberRole sqlcv1.TenantMemberRole, r *middleware.RouteInfo) error {
+	// if the operation is in the allowed operations, skip the RBAC check this is needed for extensions
+	if rbac.OperationIn(r.OperationID, a.config.Auth.AllowedOperations) {
+		return nil
+	}
 
 	// at the moment, tenant members are only restricted from creating other tenant users.
 	if !a.rbac.IsAuthorized(tenantMemberRole, r.OperationID) {
diff --git a/pkg/config/server/server.go b/pkg/config/server/server.go
@@ -561,6 +561,11 @@ type AuthConfig struct {
 	JWTManager token.JWTManager
 
 	CustomAuthenticator CustomAuthenticator
+
+	// Operations listed here bypass the tenant RBAC check. Use this for
+	// extension operations (e.g. cloud) that handle their own authorization
+	// in handlers. OSS operations in rbac.yaml are still fully checked.
+	AllowedOperations []string
 }
 
 type PylonConfig struct {
