fix: RBAC issue for internal datasets (#1375)

Author: parmesant

src/rbac/map.rs

@@ -239,7 +239,16 @@ impl Sessions {
                             | ParseableResourceType::Llm(resource_id) => {
                                 let ok_resource =
                                     if let Some(context_resource_id) = context_resource {
-                                        resource_id == context_resource_id || resource_id == "*"
+                                        let is_internal = PARSEABLE
+                                            .get_stream(context_resource_id)
+                                            .is_ok_and(|stream| {
+                                                stream
+                                                    .get_stream_type()
+                                                    .eq(&crate::storage::StreamType::Internal)
+                                            });
+                                        resource_id == context_resource_id
+                                            || resource_id == "*"
+                                            || is_internal
                                     } else {
                                         // if no resource to match then resource check is not needed
                                         // WHEN IS THIS VALID??

src/utils/mod.rs

@@ -26,9 +26,10 @@ pub mod uid;
 pub mod update;
 
 use crate::handlers::http::rbac::RBACError;
+use crate::parseable::PARSEABLE;
 use crate::query::{TableScanVisitor, QUERY_SESSION};
 use crate::rbac::map::SessionKey;
-use crate::rbac::role::{Action, Permission};
+use crate::rbac::role::{Action, ParseableResourceType, Permission};
 use crate::rbac::Users;
 use actix::extract_session_key_from_req;
 use actix_web::HttpRequest;
@@ -113,14 +114,33 @@ pub fn user_auth_for_datasets(
                     authorized = true;
                     break;
                 }
-                Permission::Resource(
-                    Action::Query,
-                    crate::rbac::role::ParseableResourceType::Stream(stream),
-                ) => {
-                    if stream == table_name || stream == "*" {
+                Permission::Resource(Action::Query, ParseableResourceType::Stream(stream)) => {
+                    let is_internal = PARSEABLE.get_stream(table_name).is_ok_and(|stream| {
+                        stream
+                            .get_stream_type()
+                            .eq(&crate::storage::StreamType::Internal)
+                    });
+
+                    if stream == table_name || stream == "*" || is_internal {
                         authorized = true;
                     }
                 }
+                Permission::Resource(action, ParseableResourceType::All)
+                    if ![
+                        Action::All,
+                        Action::PutUser,
+                        Action::PutRole,
+                        Action::DeleteUser,
+                        Action::DeleteRole,
+                        Action::ModifyUserGroup,
+                        Action::CreateUserGroup,
+                        Action::DeleteUserGroup,
+                        Action::DeleteNode,
+                    ]
+                    .contains(action) =>
+                {
+                    authorized = true;
+                }
                 _ => (),
             }
         }