From da3aace53aad5f9f3a60675e8458d381ad6e3db7 Mon Sep 17 00:00:00 2001
From: Murad Biashimov
Date: Mon, 8 Jun 2026 12:02:10 +0200
Subject: [PATCH] feat: update permissions

Resolves NEX-2588.
---
 handler/clickhouse/clickhouse.go | 8 ++---
 handler/cmk/cmk.go | 6 ++++
 handler/organization/organization.go | 1 +
 .../organizationbilling.go | 1 +
 handler/project/project.go | 2 +-
 handler/service/service.go | 6 ++--
 handler/staticip/staticip.go | 1 +
 permissions.yaml | 35 ++++++++++++-------
 8 files changed, 40 insertions(+), 20 deletions(-)
diff --git a/handler/clickhouse/clickhouse.go b/handler/clickhouse/clickhouse.go
index bd57592..68c4cb6 100644
--- a/handler/clickhouse/clickhouse.go
+++ b/handler/clickhouse/clickhouse.go
@@ -37,7 +37,7 @@ type Handler interface {
 // ServiceClickHousePasswordReset reset a user's password
 // PUT /v1/project/{project}/service/{service_name}/clickhouse/user/{user_uuid}/password
 // https://api.aiven.io/doc/#tag/Service:_ClickHouse/operation/ServiceClickHousePasswordReset
- // Required roles or permissions: service:data:write, service:users:write
+ // Required roles or permissions: service:users:write
 ServiceClickHousePasswordReset(ctx context.Context, project string, serviceName string, userUuid string, in *ServiceClickHousePasswordResetIn) (string, error)

 // ServiceClickHouseQuery execute an SQL query
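Review bot: The `+` line drops `service:data:write` from the documented requirement for ServiceClickHousePasswordReset, so a principal holding only that permission is now documented as unauthorized to reset ClickHouse passwords; the same narrowing is repeated for UserCreate, UserDelete and UserList in the @@ -61 hunk of this file and mirrored in the permissions.yaml @@ -233 and @@ -242 hunks. If the comment reflects what the server enforces (the diff cannot show that), this is an access tightening a consumer of the generated client can only discover by reading the comment, and the commit description says only "update permissions". Consider stating it there, e.g. `ClickHouse user management now requires service:users:write; service:data:write alone no longer suffices`. The Handler interface enclosing this method starts and ends outside the hunk.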
@@ -61,19 +61,19 @@ type Handler interface {
 // ServiceClickHouseUserCreate create a ClickHouse user
 // POST /v1/project/{project}/service/{service_name}/clickhouse/user
 // https://api.aiven.io/doc/#tag/Service:_ClickHouse/operation/ServiceClickHouseUserCreate
- // Required roles or permissions: service:data:write, service:users:write
+ // Required roles or permissions: service:users:write
 ServiceClickHouseUserCreate(ctx context.Context, project string, serviceName string, in *ServiceClickHouseUserCreateIn) (*ServiceClickHouseUserCreateOut, error)

 // ServiceClickHouseUserDelete delete a user
 // DELETE /v1/project/{project}/service/{service_name}/clickhouse/user/{user_uuid}
 // https://api.aiven.io/doc/#tag/Service:_ClickHouse/operation/ServiceClickHouseUserDelete
- // Required roles or permissions: service:data:write, service:users:write
+ // Required roles or permissions: service:users:write
 ServiceClickHouseUserDelete(ctx context.Context, project string, serviceName string, userUuid string) error

 // ServiceClickHouseUserList list all users
 // GET /v1/project/{project}/service/{service_name}/clickhouse/user
 // https://api.aiven.io/doc/#tag/Service:_ClickHouse/operation/ServiceClickHouseUserList
- // Required roles or permissions: service:data:write, service:users:write
+ // Required roles or permissions: service:users:write
 ServiceClickHouseUserList(ctx context.Context, project string, serviceName string) ([]UserOut, error)

 }
diff --git a/handler/cmk/cmk.go b/handler/cmk/cmk.go
index 079f5ef..19e7e0c 100644
--- a/handler/cmk/cmk.go
+++ b/handler/cmk/cmk.go
@@ -14,31 +14,37 @@ type Handler interface {
 // CMKAccessCheckTrigger trigger an access check on CMK
 // POST /v1/project/{project}/secrets/cmks/{cmk_id}/access_check
 // https://api.aiven.io/doc/#tag/Secrets/operation/CMKAccessCheckTrigger
+ // Required roles or permissions: operator
 CMKAccessCheckTrigger(ctx context.Context, project string, cmkid string) (*CMKAccessCheckTriggerOut, error)

 // CMKAccessorsList list CMK accessors
 // GET /v1/project/{project}/secrets/cmks/accessors
 // https://api.aiven.io/doc/#tag/Secrets/operation/CMKAccessorsList
+ // Required roles or permissions: operator
 CMKAccessorsList(ctx context.Context, project string) (*CMKAccessorsListOut, error)

 // CMKCreate create new CMK
 // POST /v1/project/{project}/secrets/cmks
 // https://api.aiven.io/doc/#tag/Secrets/operation/CMKCreate
+ // Required roles or permissions: operator
 CMKCreate(ctx context.Context, project string, in *CMKCreateIn) (*CMKCreateOut, error)

 // CMKDelete delete CMK
 // DELETE /v1/project/{project}/secrets/cmks/{cmk_id}
 // https://api.aiven.io/doc/#tag/Secrets/operation/CMKDelete
+ // Required roles or permissions: operator
 CMKDelete(ctx context.Context, project string, cmkid string) (*CMKDeleteOut, error)

 // CMKGet get CMK details
 // GET /v1/project/{project}/secrets/cmks/{cmk_id}
 // https://api.aiven.io/doc/#tag/Secrets/operation/CMKGet
+ // Required roles or permissions: operator
 CMKGet(ctx context.Context, project string, cmkid string) (*CMKGetOut, error)

 // CMKUpdate update CMK
 // POST /v1/project/{project}/secrets/cmks/{cmk_id}
 // https://api.aiven.io/doc/#tag/Secrets/operation/CMKUpdate
+ // Required roles or permissions: operator
 CMKUpdate(ctx context.Context, project string, cmkid string, in *CMKUpdateIn) (*CMKUpdateOut, error)

 }
diff --git a/handler/organization/organization.go b/handler/organization/organization.go
index 7dc965d..c260459 100644
--- a/handler/organization/organization.go
+++ b/handler/organization/organization.go
@@ -84,6 +84,7 @@ type Handler interface {
 // PermissionsGet list of permissions
 // GET /v1/organization/{organization_id}/permissions/{resource_type}/{resource_id}
 // https://api.aiven.io/doc/#tag/Permissions/operation/PermissionsGet
+ // Required roles or permissions: project:permissions:read
 PermissionsGet(ctx context.Context, organizationId string, resourceType ResourceType, resourceId string) ([]PermissionOut, error)

 // PermissionsSet set permissions
diff --git a/handler/organizationbilling/organizationbilling.go b/handler/organizationbilling/organizationbilling.go
index 6549623..9db368c 100644
--- a/handler/organizationbilling/organizationbilling.go
+++ b/handler/organizationbilling/organizationbilling.go
@@ -44,6 +44,7 @@ type Handler interface {
 // PaymentMethodsList [EXPERIMENTAL] List payment methods for an organization
 // GET /v1/organization/{organization_id}/payment-methods
 // https://api.aiven.io/doc/#tag/OrganizationPaymentMethod/operation/PaymentMethodsList
+ // Required roles or permissions: organization:billing:read, organization:billing:write
 PaymentMethodsList(ctx context.Context, organizationId string) ([]PaymentMethodsListOut, error)

 }
diff --git a/handler/project/project.go b/handler/project/project.go
index 98fc47d..e0c1a36 100644
--- a/handler/project/project.go
+++ b/handler/project/project.go
@@ -87,7 +87,7 @@ type Handler interface {
 // ProjectServicePlanList list service plans
 // GET /v1/project/{project}/service-types/{service_type}/plans
 // https://api.aiven.io/doc/#tag/Project/operation/ProjectServicePlanList
- // Required roles or permissions: developer, operator, read_only
+ // Required roles or permissions: project:services:write
 ProjectServicePlanList(ctx context.Context, project string, serviceType string) ([]ServicePlanOut, error)

 // ProjectServicePlanPriceGet get plan pricing
diff --git a/handler/service/service.go b/handler/service/service.go
index 4b59823..b3e9e28 100644
--- a/handler/service/service.go
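Review bot: The added `// Required roles or permissions: project:permissions:read` line on PermissionsGet documents a project-scoped permission for an endpoint that is addressed by organization_id and a caller-chosen ResourceType. If ResourceType admits values other than a project (the hunk does not show its values), the comment is silent on what those calls require, and a reader may conclude that a project permission is sufficient to read organization-level grants. These comments appear to be generated from permissions.yaml, so the qualification probably belongs at that source; as a comment it could read `// Required roles or permissions: project:permissions:read (for project resources; other resource types are not covered here)`. The enclosing Handler interface starts and ends outside the hunk.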
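Review bot: The `+` line in the project.go hunk makes ProjectServicePlanList, a GET that only lists plans, require `project:services:write`, replacing a set that included read_only; principals that could list plans with read-only or developer access are now documented as unauthorized, and the commit description says only "update permissions". The change is consistent with the permissions.yaml @@ -170 hunk, so nothing is out of sync, but a read operation gated by a write permission is the kind of narrowing consumers of the generated client will hit as unexpected authorization failures. Suggest a sentence in the description such as `ProjectServicePlanList now requires project:services:write (previously developer/operator/read_only)`. The enclosing Handler interface starts and ends outside the hunk.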
+++ b/handler/service/service.go
@@ -210,7 +210,7 @@ type Handler interface {
 // ServiceMetricsFetch fetch service metrics
 // POST /v1/project/{project}/service/{service_name}/metrics
 // https://api.aiven.io/doc/#tag/Service/operation/ServiceMetricsFetch
- // Required roles or permissions: developer, operator, read_only
+ // Required roles or permissions: service:metrics:read
 ServiceMetricsFetch(ctx context.Context, project string, serviceName string, in *ServiceMetricsFetchIn) (map[string]any, error)

 // ServiceQueryActivity fetch current queries for the service
@@ -228,13 +228,13 @@ type Handler interface {
 // ServiceTaskCreate create a new task for service
 // POST /v1/project/{project}/service/{service_name}/task
 // https://api.aiven.io/doc/#tag/Service/operation/ServiceTaskCreate
- // Required roles or permissions: operator
+ // Required roles or permissions: role:services:maintenance
 ServiceTaskCreate(ctx context.Context, project string, serviceName string, in *ServiceTaskCreateIn) (*ServiceTaskCreateOut, error)

 // ServiceTaskGet get task result
 // GET /v1/project/{project}/service/{service_name}/task/{task_id}
 // https://api.aiven.io/doc/#tag/Service/operation/ServiceTaskGet
- // Required roles or permissions: operator
+ // Required roles or permissions: role:services:maintenance
 ServiceTaskGet(ctx context.Context, project string, serviceName string, taskId string) (*ServiceTaskGetOut, error)

 // ServiceUpdate update service configuration
diff --git a/handler/staticip/staticip.go b/handler/staticip/staticip.go
index a7b821d..ed610d6 100644
--- a/handler/staticip/staticip.go
+++ b/handler/staticip/staticip.go
@@ -48,6 +48,7 @@ type Handler interface {
 // StaticIPDelete delete a static IP address
 // DELETE /v1/project/{project}/static-ips/{static_ip_address_id}
 // https://api.aiven.io/doc/#tag/StaticIP/operation/StaticIPDelete
+ // Required roles or permissions: operator
 StaticIPDelete(ctx context.Context, project string, staticIpaddressId string) (*StaticIPDeleteOut, error)

 // StaticIPList list static IP addresses
diff --git a/permissions.yaml b/permissions.yaml
index 03d9c5c..beb8c8d 100644
--- a/permissions.yaml
+++ b/permissions.yaml
@@ -51,6 +51,18 @@ BillingGroupProjectList:
 - developer
 - operator
 - read_only
+CMKAccessCheckTrigger:
+ - operator
+CMKAccessorsList:
+ - operator
+CMKCreate:
+ - operator
+CMKDelete:
+ - operator
+CMKGet:
+ - operator
+CMKUpdate:
+ - operator
 ListProjectClouds:
 - project:services:write
 ListProjectServiceTypes:
@@ -134,6 +146,11 @@ PGServiceAvailableExtensions:
 - service:data:write
 PGServiceQueryStatistics:
 - service:data:write
+PaymentMethodsList:
+ - organization:billing:read
+ - organization:billing:write
+PermissionsGet:
+ - project:permissions:read
 ProjectAlertsList:
 - developer
 - operator
@@ -170,9 +187,7 @@ ProjectKmsGetCA:
 ProjectPrivatelinkAvailabilityList:
 - project:services:write
 ProjectServicePlanList:
- - developer
- - operator
- - read_only
+ - project:services:write
 ProjectServicePlanPriceGet:
 - developer
 - operator
@@ -233,7 +248,6 @@ ServiceClickHouseDatabaseDelete:
 ServiceClickHouseDatabaseList:
 - service:data:write
 ServiceClickHousePasswordReset:
- - service:data:write
 - service:users:write
 ServiceClickHouseQuery:
 - service:data:write
@@ -242,13 +256,10 @@ ServiceClickHouseQueryStats:
 ServiceClickHouseTieredStorageSummary:
 - service:data:write
 ServiceClickHouseUserCreate:
- - service:data:write
 - service:users:write
 ServiceClickHouseUserDelete:
- - service:data:write
 - service:users:write
 ServiceClickHouseUserList:
- - service:data:write
 - service:users:write
 ServiceCreate:
 - project:services:write
@@ -443,9 +454,7 @@ ServiceList:
 ServiceMaintenanceStart:
 - role:services:maintenance
 ServiceMetricsFetch:
- - developer
- - operator
- - read_only
+ - service:metrics:read
 ServiceOpenSearchAclGet:
 - service:data:write
 ServiceOpenSearchAclSet:
@@ -532,9 +541,9 @@ ServiceSchemaRegistrySubjectVersionsGet:
 ServiceSchemaRegistrySubjects:
 - service:data:write
 ServiceTaskCreate:
- - operator
+ - role:services:maintenance
 ServiceTaskGet:
- - operator
+ - role:services:maintenance
 ServiceThanosStorageSummary:
 - service:data:write
 ServiceUpdate:
@@ -555,6 +564,8 @@ ServiceUserGet:
 - service:users:write
 StaticIPCreate:
 - operator
+StaticIPDelete:
+ - operator
 StaticIPList:
 - developer
 - operator