fix(cost-management): change permission name separator from dot to slash (#2620)

* fix(cost-management): change permission name separator from dot to slash

Cluster-specific and project-specific permissions now use / instead of .
as the separator (e.g. ros/my.cluster/project instead of
ros.my.cluster.project), resolving ambiguity when cluster names contain
dots. Generic permissions (ros.plugin, ros.apply, cost.plugin) are
unchanged. Includes migration guide in docs/rbac.md.

FLPATH-3489

Made-with: Cursor

* fix: return 403 instead of 500 for OpenShift tab when user lacks cost.plugin permission

resolveCostManagementAccess data fetcher did not handle errors from the
upstream cost-management API, causing unhandled exceptions to propagate
as 500 Internal Server Error. The ROS (optimizations) fetcher already
returned null on error, which resolveAccessForSection maps to DENY/403.

Apply the same pattern: wrap token fetch and API calls in try/catch,
check for error responses, and return null so the RBAC flow correctly
returns 403 Forbidden.

Made-with: Cursor

* fix: disable Apply Recommendation button when user lacks ros.apply permission

The button was only disabled when the workflow was unavailable, not when
the user lacked the ros.apply RBAC permission. Added usePermission hook
to check ros.apply on the frontend and disable the button with a tooltip
explaining the lack of permission.

Also surface backend 403 errors via ResponseErrorPanel instead of
silently swallowing them in the catch handler.

Made-with: Cursor

* fix(cost-management): update stale comments to use slash separator format

Update comments in costManagementAccess.ts and checkPermissions.ts that still
referenced the old dot-separator format (cost.{cluster}) to use the new slash
format (cost/{cluster}) matching the actual permission implementation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(cost-management): update yarn.lock for permission-react dependency

Made-with: Cursor

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: hardengl

workspaces/cost-management/.changeset/permission-name-separator.md

@@ -0,0 +1,17 @@
+---
+'@red-hat-developer-hub/plugin-cost-management-common': minor
+'@red-hat-developer-hub/plugin-cost-management-backend': minor
+---
+
+**BREAKING**: Changed permission name separator from `.` to `/` for cluster-specific and cluster-project-specific permissions.
+
+This resolves an ambiguity where dotted cluster names (e.g., `my.cluster`) could not be distinguished from the separator in permission names like `ros.my.cluster.project`.
+
+New format:
+
+- `ros/{clusterName}` and `ros/{clusterName}/{projectName}` (was `ros.{clusterName}` and `ros.{clusterName}.{projectName}`)
+- `cost/{clusterName}` and `cost/{clusterName}/{projectName}` (was `cost.{clusterName}` and `cost.{clusterName}.{projectName}`)
+
+Generic permissions (`ros.plugin`, `ros.apply`, `cost.plugin`) are unchanged.
+
+See `docs/rbac.md` for a migration guide.

workspaces/cost-management/docs/rbac.md

@@ -16,7 +16,7 @@ When a frontend request arrives at `/api/cost-management/proxy/*`, the backend:
 5. Injects the server-authorized filters before forwarding to the upstream API
 6. Returns only the data the user is permitted to see
 
-This means granting `ros.demolab` only allows seeing data for the `demolab` cluster — the user cannot modify query parameters to access other clusters.
+This means granting `ros/demolab` only allows seeing data for the `demolab` cluster — the user cannot modify query parameters to access other clusters.
 
 ### Apply Recommendation authorization
 
@@ -38,11 +38,11 @@ The Optimizations section allows users to view resource usage trends and optimiz
 | Name                              | Resource Type | Policy | Description                                                                                                                |
 | --------------------------------- | ------------- | ------ | -------------------------------------------------------------------------------------------------------------------------- |
 | ros.plugin                        | -             | read   | Allows the user to access all optimization data in the Cost Management plugin                                              |
-| ros.[CLUSTER_NAME]                | -             | read   | Allows the user to access optimization data for a specific Cluster in the Cost Management plugin                           |
-| ros.[CLUSTER_NAME].[PROJECT_NAME] | -             | read   | Allows the user to access optimization data for a specific Project within a specific Cluster in the Cost Management plugin |
+| ros/[CLUSTER_NAME]                | -             | read   | Allows the user to access optimization data for a specific Cluster in the Cost Management plugin                           |
+| ros/[CLUSTER_NAME]/[PROJECT_NAME] | -             | read   | Allows the user to access optimization data for a specific Project within a specific Cluster in the Cost Management plugin |
 | ros.apply                         | -             | update | Allows the user to apply optimization recommendations via workflow execution                                               |
 
-The user is permitted to do an action if either the generic permission or the specific one allows it. In other words, it is not possible to grant generic ros.plugin and then selectively disable it for a specific cluster via ros.[CLUSTER_NAME] with deny.
+The user is permitted to do an action if either the generic permission or the specific one allows it. In other words, it is not possible to grant generic ros.plugin and then selectively disable it for a specific cluster via ros/[CLUSTER_NAME] with deny.
 
 ## 2. OpenShift Section
 
@@ -53,10 +53,10 @@ The OpenShift section displays cost tracking for OpenShift clusters with flexibl
 | Name                               | Resource Type | Policy | Description                                                                                                                  |
 | ---------------------------------- | ------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------- |
 | cost.plugin                        | -             | read   | Allows the user to access all OpenShift cost data in the Cost Management plugin                                              |
-| cost.[CLUSTER_NAME]                | -             | read   | Allows the user to access OpenShift cost data for a specific Cluster in the Cost Management plugin                           |
-| cost.[CLUSTER_NAME].[PROJECT_NAME] | -             | read   | Allows the user to access OpenShift cost data for a specific Project within a specific Cluster in the Cost Management plugin |
+| cost/[CLUSTER_NAME]                | -             | read   | Allows the user to access OpenShift cost data for a specific Cluster in the Cost Management plugin                           |
+| cost/[CLUSTER_NAME]/[PROJECT_NAME] | -             | read   | Allows the user to access OpenShift cost data for a specific Project within a specific Cluster in the Cost Management plugin |
 
-The user is permitted to do an action if either the generic permission or the specific one allows it. In other words, it is not possible to grant generic cost.plugin and then selectively disable it for a specific cluster via cost.[CLUSTER_NAME] with deny.
+The user is permitted to do an action if either the generic permission or the specific one allows it. In other words, it is not possible to grant generic cost.plugin and then selectively disable it for a specific cluster via cost/[CLUSTER_NAME] with deny.
 
 ## Defining Policy File
 
@@ -73,14 +73,14 @@ p, role:default/rosUser, ros.plugin, read, deny
 ####
 # Optimizations Section (ros.) - Cluster RBAC permissions
 ####
-p, role:default/rosUser, ros.OpenShift on AWS, read, allow
-p, role:default/rosUser, ros.demolab, read, allow
+p, role:default/rosUser, ros/OpenShift on AWS, read, allow
+p, role:default/rosUser, ros/demolab, read, allow
 
 ####
 # Optimizations Section (ros.) - Cluster+Project RBAC permissions
 ####
-p, role:default/rosUser, ros.demolab.thanos, read, allow
-p, role:default/rosUser, ros.OpenShift on Azure.mobile, read, allow
+p, role:default/rosUser, ros/demolab/thanos, read, allow
+p, role:default/rosUser, ros/OpenShift on Azure/mobile, read, allow
 
 ####
 # Optimizations Section (ros.) - Apply Recommendation permission
@@ -95,14 +95,14 @@ p, role:default/costUser, cost.plugin, read, deny
 ####
 # OpenShift Section (cost.) - Cluster RBAC permissions
 ####
-p, role:default/costUser, cost.OpenShift on AWS, read, allow
-p, role:default/costUser, cost.demolab, read, allow
+p, role:default/costUser, cost/OpenShift on AWS, read, allow
+p, role:default/costUser, cost/demolab, read, allow
 
 ####
 # OpenShift Section (cost.) - Cluster+Project RBAC permissions
 ####
-p, role:default/costUser, cost.demolab.thanos, read, allow
-p, role:default/costUser, cost.OpenShift on Azure.mobile, read, allow
+p, role:default/costUser, cost/demolab/thanos, read, allow
+p, role:default/costUser, cost/OpenShift on Azure/mobile, read, allow
 
 g, user:default/preeti.exploring.life, role:default/rosUser
 g, user:default/preeti.exploring.life, role:default/costUser
@@ -124,26 +124,26 @@ p, role:default/rosUser, ros.plugin, read, allow
 g, user:default/test_user_1, role:default/rosUser
 ```
 
-#### ros.[CLUSTER_NAME]
+#### ros/[CLUSTER_NAME]
 
-Since the `test_user_2` user has the `default/rosClusterUser` role, which has `ros.OpenShift on AWS` permission, it can:
+Since the `test_user_2` user has the `default/rosClusterUser` role, which has `ros/OpenShift on AWS` permission, it can:
 
 - See the list of records for `OpenShift on AWS` cluster for the service account which is specified in the [app-config file](../app-config.yaml) file using `clientId` and `clientSecret` and optimization recommendations for the same.
 
 ```csv
-p, role:default/rosClusterUser, ros.OpenShift on AWS, read, allow
+p, role:default/rosClusterUser, ros/OpenShift on AWS, read, allow
 
 g, user:default/test_user_2, role:default/rosClusterUser
 ```
 
-#### ros.[CLUSTER_NAME].[PROJECT_NAME]
+#### ros/[CLUSTER_NAME]/[PROJECT_NAME]
 
-Since the `test_user_3` user has the `default/rosClusterProjectUser` role, which has `ros.demolab.thanos` permission, it can:
+Since the `test_user_3` user has the `default/rosClusterProjectUser` role, which has `ros/demolab/thanos` permission, it can:
 
 - See the list of records for `thanos` project under `demolab` cluster for the service account which is specified in the [app-config file](../app-config.yaml) file using `clientId` and `clientSecret` and optimization recommendations for the same.
 
 ```csv
-p, role:default/rosClusterProjectUser, ros.demolab.thanos, read, allow
+p, role:default/rosClusterProjectUser, ros/demolab/thanos, read, allow
 
 g, user:default/test_user_3, role:default/rosClusterProjectUser
 ```
@@ -176,32 +176,71 @@ p, role:default/costUser, cost.plugin, read, allow
 g, user:default/test_user_4, role:default/costUser
 ```
 
-#### cost.[CLUSTER_NAME]
+#### cost/[CLUSTER_NAME]
 
-Since the `test_user_5` user has the `default/costClusterUser` role, which has `cost.OpenShift on AWS` permission, it can:
+Since the `test_user_5` user has the `default/costClusterUser` role, which has `cost/OpenShift on AWS` permission, it can:
 
 - See the list of records for `OpenShift on AWS` cluster for the service account which is specified in the [app-config file](../app-config.yaml) file using `clientId` and `clientSecret` and cost data for the same.
 
 ```csv
-p, role:default/costClusterUser, cost.OpenShift on AWS, read, allow
+p, role:default/costClusterUser, cost/OpenShift on AWS, read, allow
 
 g, user:default/test_user_5, role:default/costClusterUser
 ```
 
-#### cost.[CLUSTER_NAME].[PROJECT_NAME]
+#### cost/[CLUSTER_NAME]/[PROJECT_NAME]
 
-Since the `test_user_6` user has the `default/costClusterProjectUser` role, which has `cost.demolab.thanos` permission, it can:
+Since the `test_user_6` user has the `default/costClusterProjectUser` role, which has `cost/demolab/thanos` permission, it can:
 
 - See the list of records for `thanos` project under `demolab` cluster for the service account which is specified in the [app-config file](../app-config.yaml) file using `clientId` and `clientSecret` and cost data for the same.
 
 ```csv
-p, role:default/costClusterProjectUser, cost.demolab.thanos, read, allow
+p, role:default/costClusterProjectUser, cost/demolab/thanos, read, allow
 
 g, user:default/test_user_6, role:default/costClusterProjectUser
 ```
 
 See https://casbin.org/docs/rbac for more information about casbin rules.
 
+## Migration Guide: Permission Name Separator Change
+
+> **Breaking change**: Cluster-specific and project-specific permission names now use `/` (slash) as the separator instead of `.` (dot).
+
+Previous versions used a dot separator (e.g., `ros.demolab.thanos`), which caused ambiguity when cluster names themselves contained dots (e.g., `ros.my.cluster.project` — is the cluster `my.cluster` and the project `project`, or the cluster `my` and the project `cluster.project`?).
+
+The `/` separator eliminates this ambiguity: `ros/my.cluster/project` is unambiguous.
+
+### What to update
+
+Replace all dot-separated cluster/project permission names in your RBAC policy CSV:
+
+| Old format (dot separator)       | New format (slash separator)     |
+| -------------------------------- | -------------------------------- |
+| `ros.CLUSTER_NAME`               | `ros/CLUSTER_NAME`               |
+| `ros.CLUSTER_NAME.PROJECT_NAME`  | `ros/CLUSTER_NAME/PROJECT_NAME`  |
+| `cost.CLUSTER_NAME`              | `cost/CLUSTER_NAME`              |
+| `cost.CLUSTER_NAME.PROJECT_NAME` | `cost/CLUSTER_NAME/PROJECT_NAME` |
+
+> **Note**: The generic `ros.plugin` and `cost.plugin` permissions are unchanged — only cluster/project-specific permissions use the new format.
+
+### Example migration
+
+**Before:**
+
+```csv
+p, role:default/rosUser, ros.demolab, read, allow
+p, role:default/rosUser, ros.demolab.thanos, read, allow
+p, role:default/costUser, cost.OpenShift on AWS, read, allow
+```
+
+**After:**
+
+```csv
+p, role:default/rosUser, ros/demolab, read, allow
+p, role:default/rosUser, ros/demolab/thanos, read, allow
+p, role:default/costUser, cost/OpenShift on AWS, read, allow
+```
+
 ## Enable permissions
 
 To enable permissions, you need to add the following in the [app-config file](../app-config.yaml):

workspaces/cost-management/plugins/cost-management-backend/src/routes/costManagementAccess.ts

@@ -66,7 +66,7 @@ export const getCostManagementAccess: (
     return response.json(body);
   }
 
-  // RBAC Filtering logic for Cluster & Project using cost.{clusterName} and cost.{clusterName}.{projectName} permissions
+  // RBAC Filtering logic for Cluster & Project using cost/{clusterName} and cost/{clusterName}/{projectName} permissions
   let clusterDataMap: Record<string, string> = {};
   let allProjects: string[] = [];
 

workspaces/cost-management/plugins/cost-management-backend/src/routes/secureProxy.ts

@@ -199,32 +199,51 @@ async function resolveCostManagementAccess(
     'cost',
     { clusterKey: 'cost_clusters', projectKey: 'cost_projects' },
     async opts => {
-      const token = await getTokenFromApi(opts);
-      const [clustersResp, projectsResp] = await Promise.all([
-        opts.costManagementApi.searchOpenShiftClusters('', {
-          token,
-          limit: 1000,
-        }),
-        opts.costManagementApi.searchOpenShiftProjects('', {
-          token,
-          limit: 1000,
-        }),
-      ]);
-
-      const clustersData = await clustersResp.json();
-      const projectsData = await projectsResp.json();
+      let token: string;
+      try {
+        token = await getTokenFromApi(opts);
+      } catch {
+        return null;
+      }
 
-      const clusters: Record<string, string> = {};
-      clustersData.data?.forEach(
-        (c: { value: string; cluster_alias: string }) => {
-          if (c.cluster_alias && c.value) clusters[c.cluster_alias] = c.value;
-        },
-      );
-      const projects = [
-        ...new Set(projectsData.data?.map((p: { value: string }) => p.value)),
-      ].filter((p): p is string => p !== undefined);
+      try {
+        const [clustersResp, projectsResp] = await Promise.all([
+          opts.costManagementApi.searchOpenShiftClusters('', {
+            token,
+            limit: 1000,
+          }),
+          opts.costManagementApi.searchOpenShiftProjects('', {
+            token,
+            limit: 1000,
+          }),
+        ]);
+
+        const clustersData = await clustersResp.json();
+        const projectsData = await projectsResp.json();
+
+        if (
+          (clustersData as any).errors ||
+          (projectsData as any).errors ||
+          !clustersData.data ||
+          !projectsData.data
+        ) {
+          return null;
+        }
 
-      return { clusters, projects };
+        const clusters: Record<string, string> = {};
+        clustersData.data.forEach(
+          (c: { value: string; cluster_alias: string }) => {
+            if (c.cluster_alias && c.value) clusters[c.cluster_alias] = c.value;
+          },
+        );
+        const projects = [
+          ...new Set(projectsData.data.map((p: { value: string }) => p.value)),
+        ].filter((p): p is string => p !== undefined);
+
+        return { clusters, projects };
+      } catch {
+        return null;
+      }
     },
   );
 }

workspaces/cost-management/plugins/cost-management-backend/src/util/checkPermissions.ts

@@ -87,8 +87,8 @@ export const authorize = async (
  * Uses permission hierarchy where project-level access also grants cluster access.
  *
  * Permission Hierarchy:
- * - cost.{cluster} → grants access to cluster + ALL projects in that cluster
- * - cost.{cluster}.{project} → grants access to cluster + that specific project
+ * - cost/{cluster} → grants access to cluster + ALL projects in that cluster
+ * - cost/{cluster}/{project} → grants access to cluster + that specific project
  *
  * @param request - The HTTP request
  * @param permissionsSvc - The permissions service