Fix osmo-admin internal endpoint denial

[fallintoplace]

Summary

This restores the intended osmo-admin boundary for internal OSMO endpoints. The admin role still gets broad *:* access, but now has an explicit Deny internal:* policy so operator, logger, and router backend endpoints remain reserved for the service roles that own them.

Root Cause

The semantic default role kept the admin allow-all policy but replaced the old path-based internal deny rules with an empty policy. Because the authz sidecar only denies when a matching Deny policy exists, the empty policy did not block anything.

Validation

• go test ./service/authz_sidecar/server
• bazelisk test //src/utils/connectors/tests:test_default_roles //src/service/authz_sidecar/server:server_test //src/service/authz_sidecar/server:server_integration_test

Summary by CodeRabbit

• Bug Fixes

  • Updated admin role authorization to explicitly deny access to internal system endpoints

• Tests

  • Expanded test coverage for admin role access restrictions
  • Added validation tests for admin role policy structure and internal endpoint denial

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 64b5b897-2da1-407b-a731-2e3abebcb5e7

📥 Commits

Reviewing files that changed from the base of the PR and between c9844fd and df5f57d.

📒 Files selected for processing (5)

• src/service/authz_sidecar/server/authz_server_integration_test.go
• src/service/authz_sidecar/server/authz_server_test.go
• src/service/authz_sidecar/server/testdata/seed.sql
• src/utils/connectors/postgres.py
• src/utils/connectors/tests/test_default_roles.py

---

📝 Walkthrough

Walkthrough

This PR converts the osmo-admin role's internal action restriction from an implicit or comment-based denial into an explicit DENY policy statement. The change flows across the default role definitions, authorization test suite, test data, and integration tests to consistently enforce and validate that admin users cannot access internal:* endpoints.

Changes

Authorization admin role explicit denial

Layer / File(s)	Summary
Explicit osmo-admin role policy definition src/utils/connectors/postgres.py, src/utils/connectors/tests/test_default_roles.py	The osmo-admin default role now includes an explicit DENY policy for internal:* actions with wildcard resources. Unit tests validate the policy structure and confirm that role merging appends the deny entry correctly.
Authorization server test suite updates src/service/authz_sidecar/server/authz_server_test.go, src/service/authz_sidecar/server/testdata/seed.sql	The TestAdminRoleAccess unit test updates the role definition to explicit allow/deny policies and adjusts CheckPolicyAccess assertions to deny agent, logger, and router-backend endpoints while allowing workflow and router-client operations. Test data seed includes the new explicit deny policy for the osmo-admin role.
Authorization integration test coverage src/service/authz_sidecar/server/authz_server_integration_test.go	Three new AdminAccess table-driven test cases verify that admin users receive PermissionDenied when accessing operator listener status, logger workflow logs, and router backend connect endpoints.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 The admin guard now stands quite clear,
With explicit denials for internal frontier,
No hidden assumptions, just policies bright,
Internal:* blocked, and everything's right!
Tests validate each boundary with care,
Security transparent everywhere. 🔐

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Fix osmo-admin internal endpoint denial' directly and clearly describes the main change: restoring the osmo-admin boundary by adding explicit denial of internal endpoints, which aligns with all file modifications across test, configuration, and utility files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}