Add rbac api docs

[aantn]

No description provided.

[coderabbitai]

Walkthrough

Adds a new RBAC Configuration API documentation page, updates Robusta Pro features to reference it, and includes the page in the main docs index. Changes are documentation-only: new page content, a feature bullet addition, and toctree navigation updates.

Changes

Cohort / File(s)	Change Summary
RBAC API Documentation docs/configuration/exporting/rbac-api.rst	Adds a comprehensive RBAC Configuration API doc describing GET/POST/DELETE on /api/rbac?account_id=..., request/response examples, configuration schema (scopes, groups, role_permission_groups), available permissions, authentication, prerequisites, notes, and error payloads.
Pro Features Reference docs/configuration/exporting/robusta-pro-features.rst	Adds a bullet to the "Features include" list documenting the RBAC Configuration API for programmatic RBAC management.
Docs Index Update docs/index.rst	Inserts configuration/exporting/rbac-api into the Robusta Pro Features toctree for navigation.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User
  participant Client
  participant RBAC_API as RBAC API
  participant Auth as AuthN/AuthZ
  participant ConfigStore as Config Store

  User->>Client: Initiate RBAC operation (GET/POST/DELETE)
  Client->>RBAC_API: /api/rbac?account_id=...
  RBAC_API->>Auth: Verify API key & permissions
  Auth-->>RBAC_API: Allow / Deny

  alt GET
    RBAC_API->>ConfigStore: Read RBAC config
    ConfigStore-->>RBAC_API: Return config
    RBAC_API-->>Client: 200 JSON config
  else POST (replace)
    RBAC_API->>RBAC_API: Validate full payload
    RBAC_API->>ConfigStore: Replace persisted configuration
    ConfigStore-->>RBAC_API: Persisted
    RBAC_API-->>Client: 200/201 saved config
  else DELETE
    RBAC_API->>ConfigStore: Delete all RBAC config
    ConfigStore-->>RBAC_API: Deleted
    RBAC_API-->>Client: 200 confirmation
  end

  note right of RBAC_API: Errors returned with uniform payload (400/401/403/500)

Loading

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• Improve documentation content and organization #1883 — Overlaps on documentation edits and Robusta Pro features entries.
• API Doc tweaks #1905 — Similar documentation updates to API entries and Pro features.
• Update docs #1874 — Modifies the same docs files (robusta-pro-features.rst, index.rst) and likely part of the same docs workstream.

Suggested reviewers

• pavangudiwada
• RoiGlinik

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	No pull request description was provided, so there is no contextual information describing the changes or their intent, leaving the description completely unrelated to the actual documentation updates.	Please add a concise description that outlines the addition of the RBAC Configuration API documentation, including its endpoint, supported HTTP methods, and example usage to help reviewers understand the changes.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title “Add rbac api docs” succinctly captures the primary change in this pull request, which is the addition of documentation for the RBAC Configuration API, and does so without extraneous detail or file lists.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch add-rbac-api-docs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (9)

docs/configuration/exporting/robusta-pro-features.rst (1)

45-45: New bullet LGTM; ensure naming consistency.

The index uses “RBAC API” while this page says “RBAC Configuration API”. Consider standardizing the phrasing across docs.

docs/configuration/exporting/rbac-api.rst (8)

195-197: Fix DELETE success message (plurality mismatch).

The operation deletes all configurations, but the message says “RBAC role deleted successfully”.

Apply:

-        "msg": "RBAC role deleted successfully"
+        "msg": "RBAC configurations deleted successfully"

---

172-177: Include count for role_permission_groups in POST response (or drop counts for consistency).

Response lists scopes_count and groups_count but omits role_permission_groups_count.

Apply one of:

         "scopes_count": 2,
-        "groups_count": 2
+        "groups_count": 2,
+        "role_permission_groups_count": 1

or

-        "scopes_count": 2,
-        "groups_count": 2
+        "counts": { "scopes": 2, "groups": 2, "role_permission_groups": 1 }

---

56-60: Use env var for Authorization header to avoid secret scanners’ false-positives.

Gitleaks flags literal “Authorization: Bearer …” strings in examples. Prefer an env var.

Apply:

-    curl -X GET 'https://api.robusta.dev/api/rbac?account_id=YOUR_ACCOUNT_ID' \
-      -H 'Authorization: Bearer YOUR_API_KEY'
+    export ROBUSTA_API_KEY='<YOUR_API_KEY>'
+    curl -X GET 'https://api.robusta.dev/api/rbac?account_id=YOUR_ACCOUNT_ID' \
+      -H "Authorization: Bearer ${ROBUSTA_API_KEY}"

And similarly update all POST/DELETE examples to use -H "Authorization: Bearer ${ROBUSTA_API_KEY}".

Also applies to: 111-114, 188-189, 321-324, 351-354, 369-372, 431-433, 438-439

---

207-215: JSON blocks contain comments — switch lexer to avoid confusing copy/paste.

These are labeled json but include // comments. Either remove comments or mark as javascript (or jsonc if supported) for correct highlighting.

Apply:

-.. code-block:: json
+.. code-block:: javascript

(repeat for the schema blocks with inline comments)

Also applies to: 227-235, 242-248

---

444-446: Add example for “*” cluster-name wildcard.

You mention using “*” as the cluster name but no example shows it.

Proposed snippet:

 1. **Cluster Scope Auto-Population**: When creating configurations, the API automatically populates cluster scopes based on your account's active clusters. Use ``"*"``
-as the cluster name to apply to all clusters.
+as the cluster name to apply to all clusters. Example:
+
+.. code-block:: json
+
+    {
+      "name": "all-clusters",
+      "type": "cluster",
+      "clusters": { "*": ["*"] }
+    }

---

452-453: Clarify status code for “No Active Clusters”.

State the exact code returned (likely 400) to set expectations.

Apply:

-5. **No Active Clusters**: The API will return an error if no active clusters are found for your account.
+5. **No Active Clusters**: The API returns **400 Bad Request** if no active clusters are found for your account.

---

217-221: Echo cluster-scope namespace constraint in the schema section.

You note it later, but it’s easy to miss. Add a one-line note here for cluster scopes requiring ["*"].

Apply:

 * ``cluster`` - Permissions apply to entire clusters
+  (namespaces must be ``["*"]`` for cluster-type scopes)

---

152-156: Tiny formatting nit in JSON example.

There’s a trailing space after the comma on Line 153.

-                "provider_group_id": "devops-team-id", 
+                "provider_group_id": "devops-team-id",

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 43d2409 and d9a2583.

📒 Files selected for processing (3)

• docs/configuration/exporting/rbac-api.rst (1 hunks)
• docs/configuration/exporting/robusta-pro-features.rst (1 hunks)
• docs/index.rst (1 hunks)

🧰 Additional context used

🪛 Gitleaks (8.27.2)

docs/configuration/exporting/rbac-api.rst

[high] 58-59: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 111-112: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 188-189: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 321-322: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 351-352: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 369-370: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 431-432: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 438-439: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: run_tests
• GitHub Check: run_tests
• GitHub Check: Deploy docs

🔇 Additional comments (2)

docs/configuration/exporting/rbac-api.rst (1)

454-456: Document the exact “minimal permissions” added automatically.

Without listing the exact permissions, users can’t reason about resulting access.

Would you add the concrete set names for each group type, or confirm and I’ll update the doc accordingly?

docs/index.rst (1)

91-91: Approve — RBAC API toctree entry validated.
docs/configuration/exporting/rbac-api.rst exists and index.rst references configuration/exporting/rbac-api (line 91).

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (5)

docs/configuration/exporting/rbac-api.rst (5)

36-41: Use env var in curl examples to avoid leaking tokens and silence secret scanners.

Replace YOUR_API_KEY with $ROBUSTA_API_KEY and show an export once in Authentication.

 .. code-block:: bash
 
-    Authorization: Bearer YOUR_API_KEY
+    export ROBUSTA_API_KEY='<your-api-key>'
+    # then include in requests:
+    Authorization: Bearer $ROBUSTA_API_KEY

-  -H 'Authorization: Bearer YOUR_API_KEY'
+  -H "Authorization: Bearer $ROBUSTA_API_KEY"

(Apply the header change to all request examples in this page.)

Also applies to: 61-63, 114-117, 191-193, 324-327, 354-357, 372-375, 434-435, 441-442

---

175-181: Include role_permission_groups_count in POST 201 response example.

Helps users verify end‑to‑end effects.

     {
         "msg": "RBAC definitions processed successfully",
         "account_id": "YOUR_ACCOUNT_ID",
         "scopes_count": 2,
-        "groups_count": 2
+        "groups_count": 2,
+        "role_permission_groups_count": 1
     }

---

103-110: Add a “safe update” workflow note for destructive POST.

Explicitly recommend GET→modify→POST to prevent accidental deletes.

     If you omit any of these fields (scopes, groups, or role_permission_groups), those configurations will be deleted and not replaced. To preserve existing configurations, you must include them in your request.
+
+    Recommended workflow:
+
+    #. GET the current configuration
+    #. Modify locally (add/remove as needed)
+    #. POST the full, updated configuration

---

211-218: Avoid “//” comments in JSON blocks to prevent copy‑paste errors.

Either switch code-block to a comment‑tolerant lexer (e.g., javascript) or remove inline comments and explain fields in text.

Also applies to: 231-238, 246-251

---

447-449: Clarify “*” cluster semantics.

State that “*” is a cluster key that expands to all active clusters at processing time.

-1. **Cluster Scope Auto-Population**: When creating configurations, the API automatically populates cluster scopes based on your account's active clusters. Use ``"*"`` as the cluster name to apply to all clusters.
+1. **Cluster Scope Auto‑Population**: When creating configurations, the API auto‑expands cluster scopes based on your account’s active clusters. Use ``"*"`` as the cluster key to target all active clusters at request processing time.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d9a2583 and f96c7bd.

📒 Files selected for processing (1)

• docs/configuration/exporting/rbac-api.rst (1 hunks)

🧰 Additional context used

🪛 Gitleaks (8.28.0)

docs/configuration/exporting/rbac-api.rst

[high] 61-62: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 114-115: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 191-192: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 324-325: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 354-355: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 372-373: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 434-435: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 441-442: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: run_tests
• GitHub Check: run_tests
• GitHub Check: Deploy docs

🔇 Additional comments (1)

docs/configuration/exporting/rbac-api.rst (1)

455-456: Specify the exact status code and example payload for “No Active Clusters”.

Please document whether this is 400, 409, or 422, and add a short example in Error Responses for consistency with other cases.