@adamviktora adamviktora commented Nov 24, 2025

📝 Description

  • uses accessReview in actions of BulkVirtualMachineActionFactory
  • refactor isSameNamespace to a general function to compare any prop on a list of objects

🎥 Demo

TODO

Summary by CodeRabbit

  • Refactor
    • Enhanced bulk virtual machine actions with permission validation for delete, edit labels, pause, restart, start, stop, unpause, migrate storage, and move to folder operations.
    • Improved permission validation logic with more precise and reusable helper utilities.

openshift-ci-robot commented Nov 24, 2025

@adamviktora: This pull request references CNV-72446 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.21.0" version, but no target version was set.

@openshift-ci openshift-ci bot requested review from batyana and lkladnit November 24, 2025 13:22

openshift-ci bot commented Nov 24, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adamviktora

@openshift-ci openshift-ci bot added the approved This issue is something we want to fix label Nov 24, 2025

coderabbitai bot commented Nov 24, 2025

Walkthrough

This PR introduces bulk RBAC access review functionality by adding helper utilities to aggregate resources and compute bulk access reviews, then applies these to multiple bulk virtual machine actions including delete, pause, restart, start, stop, and unpause operations.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Bulk access review utilities: src/utils/resources/shared.ts | Added asBulkAccessReview() to build bulk access review metadata by aggregating multiple resources. Added helper functions haveSamePropValue(), haveSameNamespace(), and haveSameCluster() to compare derived property values across resources. |
| VM bulk action RBAC integration: src/views/virtualmachines/actions/BulkVirtualMachineActionFactory.tsx | Added accessReview property to bulk actions (delete, editLabels, migrateStorage, moveToFolder, pause, restart, start, stop, unpause) using asBulkAccessReview() with appropriate models and verbs. Replaced isSameNamespace() with haveSameNamespace() for Move to folder action. Imported new subresource models for precise access reviews. |
| Utility cleanup: src/views/virtualmachines/actions/utils.ts | Removed exported isSameNamespace() function and its unused import dependency. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Review new utility functions in shared.ts for correctness in resource aggregation logic and null-handling
  • Verify each accessReview property in bulk actions uses the correct model (VM vs. subresource variants) and verb/subresource combination
  • Confirm haveSameNamespace() provides equivalent functionality to removed isSameNamespace()
  • Ensure no unintended side effects from the function removal in utils.ts

Suggested labels

lgtm, approved

Suggested reviewers

  • metalice
  • upalatucci
  • rszwajko

Poem

🐰 A multitude of VMs, now checked with care,
Bulk actions granted through an access review affair,
Helpers compare and aggregate with grace,
Each verb and model finds its proper place,
RBAC gates the way, no shortcuts there! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ❓ Inconclusive | The description covers the main changes (accessReview in bulk actions and refactoring isSameNamespace), but the Demo section is incomplete with only 'TODO' listed instead of actual content. | Replace 'TODO' in the Demo section with an actual video, screenshot, or description of the behavior changes for reviewers to understand the user-facing impact. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Title check | ✅ Passed | The title clearly describes the main objective: adding RBAC (access review) support to VM bulk actions, which is reflected throughout the changes. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/views/virtualmachines/actions/BulkVirtualMachineActionFactory.tsx (1)

146-167: Update BulkVirtualMachineActionFactory pause action accessReview to use 'update' verb with 'pause' subresource

The review comment is correct. The pause action in BulkVirtualMachineActionFactory.tsx (line 151) uses an inconsistent RBAC configuration:

  • Current (line 151): asBulkAccessReview(VirtualMachineInstanceSubresourcesModel, vms, 'patch')
  • Expected: asBulkAccessReview(VirtualMachineInstanceSubresourcesModel, vms, 'update', 'pause')

The single VM pause action in VirtualMachineActionFactory.tsx (line 305) already uses the correct pattern: asAccessReview(VirtualMachineInstanceSubresourcesModel, vm, 'update', 'pause'). The bulk pause action should mirror this, and it should be aligned with the unpause pattern in the same file (lines 221-226), which correctly uses 'update' with 'unpause' subresource.

This mismatch will cause RBAC permission checks to fail or pass incorrectly since the pause operation will be checked against the wrong permission verb.

🧹 Nitpick comments (2)
src/utils/resources/shared.ts (1)

219-236: Clarify multi‑cluster / multi‑namespace semantics in asBulkAccessReview

The overall shape of asBulkAccessReview looks good and matches how bulk actions are used, but there is a subtle multi‑cluster edge case:

  • cluster is only set when haveSameCluster(resources) is true.
  • namespace is set whenever haveSameNamespace(resources) is true, even if the resources span different clusters but share the same namespace name.

Depending on how FleetAccessReviewResourceAttributes is interpreted, having namespace set while cluster is undefined for a multi‑cluster selection might be ambiguous or looser than intended. You may want to require both same cluster and same namespace before setting namespace:

   return {
-    cluster: haveSameCluster(resources) ? getCluster(resources?.[0]) : undefined,
+    cluster: haveSameCluster(resources) ? getCluster(resources?.[0]) : undefined,
     group: model.apiGroup,
-    namespace: haveSameNamespace(resources) ? getNamespace(resources?.[0]) : undefined,
+    namespace:
+      haveSameCluster(resources) && haveSameNamespace(resources)
+        ? getNamespace(resources?.[0])
+        : undefined,
     resource: model.plural,
     subresource,
     verb,
   };
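
Review bot: In the namespace expression, every selection that spans namespaces or clusters still ends with namespace: undefined, and an access review without a namespace is evaluated across all namespaces, so a user who holds the verb only in the selected namespaces is denied the bulk action. Consider producing one review per (cluster, namespace) pair rather than collapsing to undefined. The cluster line is removed and re-added unchanged and can be dropped from the suggestion.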

This keeps mixed‑cluster selections at pure cluster/collection scope and avoids coupling a single namespace to an unspecified cluster.

src/views/virtualmachines/actions/BulkVirtualMachineActionFactory.tsx (1)

10-16: Bulk RBAC wiring via asBulkAccessReview is a good consolidation

Using asBulkAccessReview across the bulk VM actions (delete, editLabels, moveToFolder, pause, restart, start, stop, unpause) is a nice cleanup: it centralizes how cluster/namespace are derived and removes a lot of ad‑hoc accessReview objects. The editLabels integration with getCommonLabels and getLabelsDiffPatch is also consistent with the labels patching logic in utils.ts.

One follow‑up you might consider for consistency is updating migrateStorage to use the same helper instead of a hand‑rolled accessReview:

-  migrateStorage: (
-    vms: V1VirtualMachine[],
-    createModal: (modal: ModalComponent) => void,
-  ): ActionDropdownItemType => ({
-    accessReview: {
-      group: VirtualMachineModel.apiGroup,
-      namespace: getNamespace(vms?.[0]),
-      resource: VirtualMachineModel.plural,
-      verb: 'patch',
-    },
+  migrateStorage: (
+    vms: V1VirtualMachine[],
+    createModal: (modal: ModalComponent) => void,
+  ): ActionDropdownItemType => ({
+    accessReview: asBulkAccessReview(VirtualMachineModel, vms, 'patch'),
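
Review bot: Swapping the accessReview object in migrateStorage for asBulkAccessReview(VirtualMachineModel, vms, 'patch') changes what is checked, not only how it is built: the removed lines always test 'patch' in getNamespace(vms?.[0]), the first VM's namespace, while the helper leaves namespace undefined once the selection spans namespaces. State which scope is intended for a mixed selection before adopting this. The first three -/+ pairs (the migrateStorage signature) are identical and only add noise to the suggestion.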

This keeps all bulk actions using the same access‑review construction path and automatically benefits from any future tweaks in asBulkAccessReview.

Also applies to: 26-27, 47-47, 66-67, 114-115, 151-152, 173-174, 191-192, 202-203, 221-226

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between b931fac and f270a06.

📒 Files selected for processing (3)
  • src/utils/resources/shared.ts (2 hunks)
  • src/views/virtualmachines/actions/BulkVirtualMachineActionFactory.tsx (11 hunks)
  • src/views/virtualmachines/actions/utils.ts (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (2)
src/views/virtualmachines/actions/BulkVirtualMachineActionFactory.tsx (3)
src/utils/resources/shared.ts (2)
  • asBulkAccessReview (219-236)
  • haveSameNamespace (518-519)
src/utils/utils/utils.ts (1)
  • isEmpty (32-33)
src/utils/models/index.ts (2)
  • VirtualMachineInstanceSubresourcesModel (79-87)
  • VirtualMachineSubresourcesModel (69-77)
src/utils/resources/shared.ts (3)
src/utils/utils/utils.ts (1)
  • isEmpty (32-33)
src/multicluster/helpers/selectors.ts (1)
  • getCluster (6-7)
src/views/cdi-upload-provider/utils/selectors.ts (1)
  • getNamespace (108-109)
🔇 Additional comments (2)
src/views/virtualmachines/actions/utils.ts (1)

4-4: Shared selectors import looks correct

Importing getAnnotation, getLabels, and getName from the shared utilities matches their usages in this file and centralizes selector logic; no behavior change introduced here.

src/utils/resources/shared.ts (1)

518-534: Generic haveSame* helpers look solid

The haveSamePropValue abstraction with the 0/1‑item fast path keeps the intent of haveSameNamespace/haveSameCluster clear and efficient. No functional issues spotted here.

@adamviktora

/retest

Comment on lines +228 to +235
return {
cluster: haveSameCluster(resources) ? getCluster(resources?.[0]) : undefined,
group: model.apiGroup,
namespace: haveSameNamespace(resources) ? getNamespace(resources?.[0]) : undefined,
resource: model.plural,
subresource,
verb,
};

@upalatucci upalatucci Nov 26, 2025

I don't think this is correct. For non-admin users that select multiple VMs in different namespaces, this means that they have to have permissions to delete, patch and update in all namespaces to perform the action. Non-admin users can have permissions in the selected namespaces but not in all namespaces. So the bulk actions will not be available. This is why the access review was not implemented for the bulk actions. The only solution that I see is to notify the user with a toaster when some requests are not performed for some reason.


@adamviktora adamviktora Nov 26, 2025

You are right.

  • is it possible to do accessReview on multiple specific namespaces?

If not, can we do this instead:

  • if they select multiple namespaces, can we randomly pick one to perform the access check and block the action because of that?

But then if the user has access in 9 of 10 namespaces, it is not very good to block all because of just one, so the toast alerts seem like the best option.

Member

Yes, we can run the checkAccess function for all the namespaces (@stolostron/multicluster-sdk has an internal function to do that in multicluster, but I think we can use it). This means firing a fetch request per namespace.

Member

But please make sure to fire that when the user opens the action dropdown (I don't know if that makes sense). We don't want to fire hundreds of accessreview requests when the user lands on the VM list. Keep in mind that it's per cluster per namespace, so it's N_CLUSTERS X N_NAMESPACES requests.

If we select vms in the same namespace but different clusters, those are separate requests.

Member

I think that toaster is the best approach.

Member

@upalatucci @adamviktora
I will touch this area as part of bulk-actions-from-plugins story CNV-73282

@openshift-merge-robot

PR needs rebase.

rszwajko commented Dec 5, 2025

@adamviktora @upalatucci
Created #3253 to support actions from plugins.
LazyActionMenu component there is under our control - in particular we may support an array of access checks i.e.

 accessReview?: AccessReviewResourceAttributes |  AccessReviewResourceAttributes[];

Pre-fetching the checks is already in place but we may need to limit the number of requests (or distribute them over time). Some bulk API on the server side would also help.
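
The per-cluster, per-namespace checks and the request limit discussed in this thread, sketched as an added example that is not code from this PR, the plugin or the SDK. The type names, toAccessReviews, findDenied and the injected check callback are hypothetical, and the sample selection is constructed.

```typescript
// Added illustration; every name here is hypothetical, not the plugin's or SDK's API.
type Attrs = {
  cluster?: string; group: string; namespace?: string;
  resource: string; subresource?: string; verb: string;
};
type Model = { apiGroup: string; plural: string };
type Vm = { cluster?: string; metadata: { name: string; namespace: string } };

// One review per distinct (cluster, namespace) pair in the selection, instead of
// a single review whose namespace is undefined (checked across all namespaces).
function toAccessReviews(model: Model, vms: Vm[], verb: string, subresource?: string): Attrs[] {
  const byScope = new Map<string, Attrs>();
  for (const vm of vms) {
    const { namespace } = vm.metadata;
    const key = `${vm.cluster ?? ''}/${namespace}`;
    if (!byScope.has(key)) {
      byScope.set(key, { cluster: vm.cluster, group: model.apiGroup, namespace,
        resource: model.plural, subresource, verb });
    }
  }
  return Array.from(byScope.values());
}

// Runs the reviews with at most `limit` requests in flight and returns the denied
// scopes, so the caller can disable the action or name them in a toast.
async function findDenied(
  reviews: Attrs[],
  check: (attrs: Attrs) => Promise<boolean>, // injected stand-in for the real access check
  limit = 4,
): Promise<Attrs[]> {
  const denied: Attrs[] = [];
  let next = 0;
  const worker = async (): Promise<void> => {
    while (next < reviews.length) {
      const review = reviews[next++];
      if (!(await check(review))) denied.push(review);
    }
  };
  await Promise.all(Array.from({ length: Math.min(limit, reviews.length) }, worker));
  return denied;
}

// Constructed selection: two clusters, three distinct (cluster, namespace) scopes.
const sampleVms: Vm[] = [
  { cluster: 'hub', metadata: { name: 'vm-a', namespace: 'team-a' } },
  { cluster: 'hub', metadata: { name: 'vm-b', namespace: 'team-a' } },
  { cluster: 'hub', metadata: { name: 'vm-c', namespace: 'team-b' } },
  { cluster: 'edge', metadata: { name: 'vm-d', namespace: 'team-a' } },
];
```

Four selected VMs collapse to three reviews here, which is the N_CLUSTERS X N_NAMESPACES bound mentioned above rather than one request per VM.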

@adamviktora adamviktora changed the title CNV-72446: use RBAC for VM bulk actions WIP: CNV-72446: use RBAC for VM bulk actions Dec 8, 2025