remove access review endpoints

Author: katieperry4

packages/maas/bff/internal/api/app.go

@@ -183,7 +183,6 @@ func (app *App) Routes() http.Handler {
 	attachMaaSModelRefHandlers(apiRouter, app)
 	apiRouter.GET(constants.ApiPathPrefix+"/models", handlerWithApp(app, ListModelsHandler))
 	apiRouter.GET(constants.IsMaasAdminPath, handlerWithApp(app, IsMaasAdminHandler))
-	apiRouter.POST(constants.AccessReviewPath, handlerWithApp(app, AccessReviewHandler))
 
 	// Minimal Kubernetes-backed starter endpoints TODO: Remove?
 	apiRouter.GET(UserPath, app.UserHandler)

packages/maas/bff/internal/constants/api_routes.go

@@ -15,8 +15,7 @@ const (
 	APIKeyByIDPath       = ApiPathPrefix + "/api-keys/:id"
 
 	// Access review
-	IsMaasAdminPath  = ApiPathPrefix + "/is-maas-admin"
-	AccessReviewPath = ApiPathPrefix + "/access-review"
+	IsMaasAdminPath = ApiPathPrefix + "/is-maas-admin"
 
 	// Subscription routes
 	SubscriptionListPath     = ApiPathPrefix + "/all-subscriptions"

packages/maas/bff/openapi.yaml

@@ -104,106 +104,6 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/ErrorResponse'
-
-  /api/v1/access-review:
-    post:
-      summary: Generic Self-Subject Access Review
-      operationId: accessReview
-      description: >
-        Performs a SelfSubjectAccessReview for the requesting user against the
-        specified Kubernetes resource, group, and verb. Returns `allowed: true`
-        if the user has the requested permission.
-
-        Use this endpoint when you need a custom permission check beyond the
-        fixed MaaS-admin check provided by `/api/v1/is-maas-admin`.
-
-        Token resolution priority:
-
-        1. `Authorization: Bearer <token>` — used by the ODH dashboard backend;
-           correctly substituted with the impersonated user's token when the ODH
-           dev impersonation feature (`DEV_IMPERSONATE_USER`) is active.
-
-        2. `x-forwarded-access-token` — fallback for standalone federated dev mode
-           where the webpack proxy injects the real user's token directly.
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              type: object
-              required:
-                - data
-              properties:
-                data:
-                  type: object
-                  required:
-                    - resource
-                    - verb
-                  properties:
-                    group:
-                      type: string
-                      description: API group of the resource
-                      example: maas.opendatahub.io
-                    resource:
-                      type: string
-                      description: Resource type to check access for
-                      example: maasauthpolicies
-                    verb:
-                      type: string
-                      description: Action to check (e.g. get, list, create, patch, delete, *)
-                      example: create
-                    namespace:
-                      type: string
-                      description: Namespace scope for the check
-                      example: models-as-a-service
-            examples:
-              wildcard_admin_check:
-                summary: Check if user can do anything
-                value:
-                  data:
-                    group: ""
-                    resource: "*"
-                    verb: "*"
-              maas_admin_check:
-                summary: Check MaaS admin access explicitly
-                value:
-                  data:
-                    group: maas.opendatahub.io
-                    resource: maasauthpolicies
-                    verb: create
-                    namespace: models-as-a-service
-      responses:
-        '200':
-          description: Access check result
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  data:
-                    type: object
-                    properties:
-                      allowed:
-                        type: boolean
-                        description: Whether the user has the requested access
-                    required:
-                      - allowed
-              example:
-                data:
-                  allowed: true
-        '400':
-          description: Bad Request (missing token or missing required fields)
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ErrorResponse'
-        '500':
-          description: Internal Server Error
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ErrorResponse'
-
   /api/v1/namespaces:
     get:
       summary: Get Namespaces