@shaoting-huang

related: #46442

This commit adds proper RBAC (Role-Based Access Control) support for the /expr HTTP endpoint, replacing the previous root-only authentication.

Changes:

  • Add new rbac.go with CheckPrivilege function for HTTP endpoints
  • Support HTTP Basic Auth only (removed non-standard Bearer token format)
  • Integrate with existing Casbin RBAC framework
  • Add PrivilegeExpr to GlobalLevelPrivileges and ClusterAdminPrivileges
  • Register GetUserRoleFunc callback in meta_cache.go
  • Update tests for new RBAC behavior

Security features:

  • Authentication required when authorization is enabled
  • Root user bypass when RootShouldBindRole is false
  • Proper 401/403 status code differentiation
  • Integration with privilege result cache

@sre-ci-robot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: shaoting-huang
To complete the pull request process, please assign congqixia after the PR has been reviewed.
You can assign the PR to them by writing /assign @congqixia in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sre-ci-robot sre-ci-robot added the size/L Denotes a PR that changes 100-499 lines. label Jan 14, 2026
@gemini-code-assist

Summary of Changes

Hello @shaoting-huang, I'm Gemini Code Assist[1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly upgrades the security posture of the /expr HTTP endpoint by transitioning it from a simple root-only authentication to a comprehensive Role-Based Access Control (RBAC) system. By integrating with the existing Casbin framework and introducing a dedicated RBAC module, it enables fine-grained control over endpoint access based on user roles and privileges. This change ensures that only properly authenticated and authorized users can interact with the /expr endpoint, improving overall system security and manageability.

Highlights

  • RBAC Implementation for /expr Endpoint: The /expr HTTP endpoint now supports full Role-Based Access Control (RBAC), replacing the previous root-only authentication mechanism. This enhances security by allowing granular control over who can access this endpoint.
  • New RBAC Module: A new internal/http/rbac.go file has been introduced, containing the core logic for HTTP endpoint privilege checking, including CheckPrivilege function and custom error types for authentication and permission.
  • Standardized Authentication: Authentication for HTTP endpoints has been standardized to support only HTTP Basic Auth, removing support for non-standard Bearer token formats previously used for the /expr endpoint.
  • Casbin Integration: The new RBAC system integrates with the existing Casbin framework for privilege enforcement, leveraging its capabilities for role and permission management.
  • Privilege Definition: A new PrivilegeExpr has been defined and added to GlobalLevelPrivileges and ClusterAdminPrivileges, formally recognizing the /expr endpoint access as a distinct privilege.
  • Enhanced Error Handling: The /expr endpoint now differentiates between authentication failures (HTTP 401 Unauthorized) and permission denied errors (HTTP 403 Forbidden), providing clearer feedback to clients.
  • Root User Bypass: A root user bypass mechanism is included, allowing the root user to access the /expr endpoint without explicit role binding, provided the RootShouldBindRole configuration is false.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@sre-ci-robot

[ci-v2-notice]
Notice: New ci-v2 system is enabled for this PR.

To rerun ci-v2 checks, comment with:

  • /ci-rerun-code-check // for ci-v2/code-check
  • /ci-rerun-build // for ci-v2/build
  • /ci-rerun-ut-integration // for ci-v2/ut-integration, will rerun ci-v2/build
  • /ci-rerun-ut-go // for ci-v2/ut-go, will rerun ci-v2/build
  • /ci-rerun-ut-cpp // for ci-v2/ut-cpp
  • /ci-rerun-ut // for all ci-v2/ut-integration, ci-v2/ut-go, ci-v2/ut-cpp, will rerun ci-v2/build
  • /ci-rerun-e2e-arm // for ci-v2/e2e-arm
  • /ci-rerun-e2e-default // for ci-v2/e2e-default

If you have any questions or requests, please contact @zhikunyao.

@mergify mergify bot added dco-passed DCO check passed. kind/feature Issues related to feature request from users labels Jan 14, 2026
@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces RBAC support for the /expr HTTP endpoint, which is a significant security improvement over the previous root-only access. The implementation correctly leverages the existing Casbin framework and introduces a new http/rbac.go module for handling HTTP-specific privilege checks. The changes are well-structured, and the removal of the non-standard Bearer token format is a good cleanup.

My review focuses on improving error handling, context propagation, and test coverage. I've identified a potential issue where internal server errors during privilege checks could be incorrectly reported as permission denied errors. I've also pointed out the need for more comprehensive unit and integration tests to ensure the new RBAC logic is robust and covers all scenarios.
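The status-code separation discussed in this thread (401 for failed Basic authentication, 403 for a denied privilege, and a privilege-check fault kept apart from both), together with the root bypass, as an added Go example that is not code from the PR or from Milvus. Every identifier except the string "PrivilegeExpr" and the rootShouldBindRole setting name is hypothetical, the credentials map and the `allow` callback are constructed stand-ins for the real credential store and the Casbin check, and authorization is assumed to be enabled.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
)

// All names below are hypothetical; the PR's rbac.go and its error types are not shown on the page.
var errUnauthenticated, errDenied = errors.New("authentication required"), errors.New("permission denied")

type config struct {
	rootShouldBindRole bool
	passwords          map[string]string                          // constructed sample credentials
	allow              func(user, privilege string) (bool, error) // stand-in for the Casbin check
}

func checkPrivilege(r *http.Request, c config, privilege string) error {
	user, pass, ok := r.BasicAuth() // Basic only: a Bearer header leaves ok == false
	if want, known := c.passwords[user]; !ok || !known || subtle.ConstantTimeCompare([]byte(want), []byte(pass)) != 1 {
		return errUnauthenticated
	}
	if user == "root" && !c.rootShouldBindRole {
		return nil // root bypass: no role binding required
	}
	if allowed, err := c.allow(user, privilege); err != nil {
		return fmt.Errorf("privilege check: %w", err) // backend fault, not a denial
	} else if !allowed {
		return errDenied
	}
	return nil
}

func statusFor(err error) int {
	switch {
	case err == nil:
		return http.StatusOK
	case errors.Is(err, errUnauthenticated):
		return http.StatusUnauthorized
	case errors.Is(err, errDenied):
		return http.StatusForbidden
	}
	return http.StatusInternalServerError // the check itself failed: never reported as 403
}

func main() {
	r, _ := http.NewRequest(http.MethodGet, "/expr", nil) // constructed request, no credentials
	fmt.Println(statusFor(checkPrivilege(r, config{}, "PrivilegeExpr")))
}
```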

@mergify

mergify bot commented Jan 14, 2026

@shaoting-huang go-sdk check failed, comment rerun go-sdk can trigger the job again.

This commit adds proper RBAC (Role-Based Access Control) support for
the /expr HTTP endpoint, replacing the previous root-only authentication.

Changes:
- Add new rbac.go with CheckPrivilege function for HTTP endpoints
- Support HTTP Basic Auth only (removed non-standard Bearer token format)
- Integrate with existing Casbin RBAC framework
- Add PrivilegeExpr to GlobalLevelPrivileges and ClusterAdminPrivileges
- Register GetUserRoleFunc callback in meta_cache.go
- Update tests for new RBAC behavior

Security features:
- Authentication required when authorization is enabled
- Root user bypass when RootShouldBindRole is false
- Proper 401/403 status code differentiation
- Integration with privilege result cache

Signed-off-by: shaoting-huang <[email protected]>
@sre-ci-robot sre-ci-robot added area/dependency Pull requests that update a dependency file size/XXL Denotes a PR that changes 1000+ lines. and removed size/L Denotes a PR that changes 100-499 lines. labels Jan 14, 2026
@mergify

mergify bot commented Jan 14, 2026

@shaoting-huang go-sdk check failed, comment rerun go-sdk can trigger the job again.
