
fix(rbac): grant frontend read access to PurchaseRequest + RegistrationRequest#540

Closed
bussyjd wants to merge 1 commit into feat/marketplace-bundle from fix/frontend-rbac-purchase-registration

Conversation

@bussyjd
Collaborator

@bussyjd bussyjd commented May 24, 2026

Summary

Adds two read-only RBAC rules to the frontend ClusterRole so /api/marketplace/purchases and registration-status badges work without 403s.

Bug discovered during validation

Running the bundle (#536) deployment + visiting /marketplace/purchases produced:

Failed to list PurchaseRequests

Frontend pod logs:

code: 403,
message: 'purchaserequests.obol.org is forbidden:
  User "system:serviceaccount:obol-frontend:obol-frontend" cannot list
  resource "purchaserequests" in API group "obol.org" at the cluster scope'

The existing ClusterRole (obol-frontend-openclaw-discovery) granted CRUD on ServiceOffers but nothing for PurchaseRequests or RegistrationRequests — both of which the marketplace UI lists cluster-wide for the "purchases paying to this wallet" and "ERC-8004 registered" badges.

Fix

- apiGroups: ["obol.org"]
  resources: ["purchaserequests", "purchaserequests/status"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["obol.org"]
  resources: ["registrationrequests", "registrationrequests/status"]
  verbs: ["get", "list", "watch"]

Read-only is sufficient: the agent owns PurchaseRequest writes via the buy-x402 skill; the controller owns RegistrationRequest writes.

Stack

Stacked on feat/marketplace-bundle (#536) where internal/embed/infrastructure/base/templates/obol-frontend.yaml lives. Merge after #536.

Test plan

  • go build clean
  • go test ./internal/embed/... green
  • Verified on a live cluster: applied an out-of-band ClusterRole with the same rules → /api/marketplace/purchases returns 200, My Purchases page renders rows with chevron drawer expansion (validated via Chrome MCP).
  • Reviewer: after merge, redeploy and confirm 'kubectl auth can-i list purchaserequests --as=system:serviceaccount:obol-frontend:obol-frontend' returns yes
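The description above reasons about which (apiGroup, resource, verb) triples the frontend ServiceAccount needs and why read-only is enough. The following Go program is an added example, not code from this PR or the obol repository: it models the RBAC rule matching the API server performs (exact resource, "*", and "*/subresource" wildcards, no deny rules) and checks the two rules from the Fix section against the requests the marketplace UI makes. The pre-fix rule set is an assumption constructed from the sentence "granted CRUD on ServiceOffers"; the exact verbs in that rule are not on the page. It goes slightly beyond the PR by also asserting that write verbs on PurchaseRequest stay denied, which is the least-privilege property the description relies on.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule is a hand-written stand-in for the three fields of a Kubernetes
// RBAC rule that matter for this check (apiGroups, resources, verbs). It is
// not the k8s.io/api/rbac/v1 type, so the example runs without a go.mod dependency.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// Request is the (group, resource, verb) triple the API server authorizes.
// Resource may carry a subresource in the "resource/subresource" form.
type Request struct {
	Group, Resource, Verb string
}

// matches implements the plain-list semantics used for apiGroups and verbs:
// "*" matches everything, otherwise an exact string match is required.
func matches(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// resourceMatches handles the subresource form. A rule that lists only
// "purchaserequests" does NOT cover "purchaserequests/status"; the status
// subresource must be named explicitly (or via "*/status"), which is why the
// fix lists both entries in each rule.
func resourceMatches(ruleResources []string, requested string) bool {
	sub := ""
	if i := strings.Index(requested, "/"); i >= 0 {
		sub = requested[i+1:]
	}
	for _, r := range ruleResources {
		if r == "*" || r == requested {
			return true
		}
		if sub != "" && r == "*/"+sub {
			return true
		}
	}
	return false
}

// Allowed reports whether any rule permits the request. RBAC is additive:
// the first matching rule grants access and there are no deny rules, so a
// request not covered by any rule is the 403 seen in the frontend pod logs.
func Allowed(rules []PolicyRule, req Request) bool {
	for _, rule := range rules {
		if matches(rule.APIGroups, req.Group) &&
			resourceMatches(rule.Resources, req.Resource) &&
			matches(rule.Verbs, req.Verb) {
			return true
		}
	}
	return false
}

// ServiceOffersOnly is an ASSUMED reconstruction of the ClusterRole before the
// fix: "CRUD on ServiceOffers". The exact verb list is not given on the page.
var ServiceOffersOnly = []PolicyRule{
	{APIGroups: []string{"obol.org"}, Resources: []string{"serviceoffers"},
		Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}},
}

// FixRules are the two read-only rules from the PR's Fix section, verbatim.
var FixRules = []PolicyRule{
	{APIGroups: []string{"obol.org"}, Resources: []string{"purchaserequests", "purchaserequests/status"},
		Verbs: []string{"get", "list", "watch"}},
	{APIGroups: []string{"obol.org"}, Resources: []string{"registrationrequests", "registrationrequests/status"},
		Verbs: []string{"get", "list", "watch"}},
}

// FrontendRules is the ClusterRole after the fix: the old rule plus the two new ones.
func FrontendRules() []PolicyRule {
	return append(append([]PolicyRule{}, ServiceOffersOnly...), FixRules...)
}

func main() {
	checks := []Request{
		{"obol.org", "purchaserequests", "list"},          // the /api/marketplace/purchases call
		{"obol.org", "registrationrequests", "list"},      // the ERC-8004 badge lookup
		{"obol.org", "purchaserequests/status", "get"},    // status subresource, needs its own entry
		{"obol.org", "purchaserequests", "create"},        // must stay denied: agent owns writes
		{"obol.org", "registrationrequests", "update"},    // must stay denied: controller owns writes
	}
	for _, req := range checks {
		fmt.Printf("%-32s %-6s before=%-5v after=%v\n", req.Group+"/"+req.Resource, req.Verb,
			Allowed(ServiceOffersOnly, req), Allowed(FrontendRules(), req))
	}
}
```

The "after" column should read true for the three read requests and false for the two writes, which is the same split `kubectl auth can-i` would report for the frontend ServiceAccount once the template is redeployed.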

…onRequest

Without these rules, the frontend ServiceAccount got 403 from the
Kubernetes API when /api/marketplace/purchases tried to list
PurchaseRequests cluster-wide, surfacing as 'Failed to list
PurchaseRequests' on the My Purchases page and an empty rows count
even when the agent had signed authorizations.

Adds read-only (get/list/watch) on:
  - purchaserequests + status (agent owns writes via x402 skill)
  - registrationrequests + status (controller owns writes)

Stacked on feat/marketplace-bundle (#536) where this template lives.
@bussyjd
Collaborator Author

bussyjd commented May 24, 2026

Closing as superseded by #541, which has now been merged into feat/marketplace-bundle. #541 includes the frontend PurchaseRequest/RegistrationRequest read permissions and also removes the duplicate frontend RBAC template, so merging this older stacked patch would be redundant.
