oxidecomputer / omicron

Omicron: Oxide control plane
Mozilla Public License 2.0

Make instance CPU metrics accessible to non-fleet users #6155

Open david-crespo opened 1 month ago

david-crespo commented 1 month ago

Because of #5298, oxql queries to the main endpoint require fleet viewer permissions. But we want to be able to do things like show instance CPU metrics to people with view perms on the instance (technically, the instance's project). Short of the fully general authz solution, the easiest way to hack in access is to make a one-off endpoint for this analogous to the ones we already (reluctantly) have for disk metrics and silo metrics, where we call the `timeseries_query` function but do a different authz check.

Currently that function includes the fleet viewer check, so we'd probably have to move that up a level.

https://github.com/oxidecomputer/omicron/blob/836d3a294f3f18b86fc2c88ded6d5c9001d259f5/nexus/src/app/metrics.rs?plain=1#L136-L147
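A sketch of the refactor proposed in the comment above, added here as an illustration and not taken from omicron: the authz check moves out of the shared query function and into each endpoint, and the instance-scoped endpoint builds the filter itself from the authorized instance. Every type and function name below is hypothetical, and the sample data is constructed.

```rust
use std::collections::HashSet;

// Hypothetical stand-ins for illustration; none of these are omicron types.
#[derive(Debug, PartialEq)]
pub enum Error { Forbidden }

pub struct Caller {
    pub fleet_viewer: bool,
    pub readable_projects: HashSet<u32>, // projects the caller may view
}
pub struct Instance { pub id: u32, pub project_id: u32 }
pub struct Sample { pub instance_id: u32, pub cpu_ns: u64 }

// Shared query with no authz inside: kept private so only endpoints
// that have already authorized the caller can reach it.
fn query_unchecked<'a>(db: &'a [Sample], filter: impl Fn(&Sample) -> bool) -> Vec<&'a Sample> {
    db.iter().filter(|s| filter(*s)).collect()
}

// General endpoint: the caller supplies the filter, so it keeps the
// fleet viewer check.
pub fn fleet_query<'a>(
    c: &Caller, db: &'a [Sample], filter: impl Fn(&Sample) -> bool,
) -> Result<Vec<&'a Sample>, Error> {
    if !c.fleet_viewer { return Err(Error::Forbidden); }
    Ok(query_unchecked(db, filter))
}

// One-off endpoint: checks read access on the instance's project, then
// pins the filter to that instance. The caller never supplies a filter,
// so the weaker check cannot be used to read other instances' samples.
pub fn instance_cpu_query<'a>(
    c: &Caller, inst: &Instance, db: &'a [Sample],
) -> Result<Vec<&'a Sample>, Error> {
    if !c.readable_projects.contains(&inst.project_id) { return Err(Error::Forbidden); }
    let id = inst.id;
    Ok(query_unchecked(db, move |s| s.instance_id == id))
}

fn main() {
    // Constructed sample data.
    let db = vec![Sample { instance_id: 1, cpu_ns: 10 }, Sample { instance_id: 2, cpu_ns: 20 }];
    let viewer = Caller { fleet_viewer: false, readable_projects: vec![7u32].into_iter().collect() };
    let inst = Instance { id: 1, project_id: 7 };
    println!("fleet query allowed: {}", fleet_query(&viewer, &db, |_| true).is_ok());
    for s in instance_cpu_query(&viewer, &inst, &db).unwrap() {
        println!("instance {} cpu_ns {}", s.instance_id, s.cpu_ns);
    }
}
```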

bnaecker commented 1 month ago

I wrote up some notes here which might impact this work a bit.