
feat: add authz Conditions documentation#629

Merged
LakshanSS merged 2 commits into
openchoreo:mainfrom
binoyPeries:authz-cond
May 16, 2026

Conversation


@binoyPeries binoyPeries commented May 16, 2026

Purpose

Documents the new conditions feature on AuthzRoleBinding and ClusterAuthzRoleBinding, which lets users attach CEL expressions to role mappings to restrict when granted actions apply.

Changes

New: Conditions concept page
A dedicated page in the Authorization category that introduces conditions as the fourth constraint on role bindings (alongside subject, scope, and role). Covers the field structure, the available-attributes model, the dual-scoped identifier format used for resources like environments, evaluation semantics, and a worked YAML example.

Authorization overview updated
The overview now mentions conditions in the Core Concepts section and adds a fourth step to the access-determination algorithm. A new Fail-Closed Evaluation subsection documents how OpenChoreo handles malformed condition expressions and other corrupted policy state, applicable across the full RBAC pipeline.

API references updated
Both AuthzRoleBinding and ClusterAuthzRoleBinding API reference pages now document the conditions field on each role mapping, the AuthzCondition shape, OR semantics across entries, and include a YAML example showing conditions in use.

Backstage UI walkthrough updated
The Custom Roles and Bindings guide reflects the recently shipped page-based binding wizard (previously a modal). The role-mapping step now includes a new Conditions (Optional) sub-section that walks through the Conditions panel — adding/editing/confirming conditions, picking actions, writing the CEL expression, and the attribute-chip discovery mechanism. The attribute-intersection rule is documented along with the disabled-Expression state for action selections that share no attributes.

Related Issues

openchoreo/openchoreo#3409

Checklist

  • Updated sidebars.ts if adding a new documentation page
  • Run npm run start to preview the changes locally
  • Run npm run build to ensure the build passes without errors
  • Verified all links are working (no broken links)


coderabbitai Bot commented May 16, 2026


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3fd9c405-6efc-4519-ac46-771391aaaa17

📥 Commits

Reviewing files that changed from the base of the PR and between ba0923f and 9c0046d.

⛔ Files ignored due to path filters (6)
  • docs/platform-engineer-guide/authorization/images/role-binding-creation-allow-deny-selection.png is excluded by !**/*.png, !**/*.png
  • docs/platform-engineer-guide/authorization/images/role-binding-creation-conditions-editing.png is excluded by !**/*.png, !**/*.png
  • docs/platform-engineer-guide/authorization/images/role-binding-creation-review-selection.png is excluded by !**/*.png, !**/*.png
  • docs/platform-engineer-guide/authorization/images/role-binding-creation-role-mapping-view.png is excluded by !**/*.png, !**/*.png
  • docs/platform-engineer-guide/authorization/images/role-binding-creation-role-mapping.png is excluded by !**/*.png, !**/*.png
  • docs/platform-engineer-guide/authorization/images/role-binding-creation-subject-selection.png is excluded by !**/*.png, !**/*.png
📒 Files selected for processing (6)
  • docs/platform-engineer-guide/authorization/conditions.md
  • docs/platform-engineer-guide/authorization/custom-roles.mdx
  • docs/platform-engineer-guide/authorization/overview.md
  • docs/reference/api/platform/authzrolebinding.md
  • docs/reference/api/platform/clusterauthzrolebinding.md
  • sidebars.ts
📝 Walkthrough


This PR adds comprehensive documentation for the Conditions feature, which enables attribute-based access control within RBAC role bindings. It spans a new dedicated reference guide, updates to conceptual overviews, API specifications, platform engineer workflow instructions, and documentation navigation.

Changes

Authorization Conditions Feature Documentation

Layer / File(s) Summary
Authorization overview and core concepts
docs/platform-engineer-guide/authorization/overview.md
Conditions added to core RBAC concepts with fail-closed evaluation semantics; authorization decision flow updated with explicit Conditions satisfaction requirement and admission webhook validation.
Conditions reference guide and technical specification
docs/platform-engineer-guide/authorization/conditions.md
New comprehensive guide documenting Conditions structure (actions + CEL expression), action wildcard matching, available request attributes (resource.environment, scoped/cluster identifiers), authorization semantics with fail-closed behavior, OR-combination across multiple condition entries, and end-to-end YAML examples.
API reference updates for AuthzRoleBinding and ClusterAuthzRoleBinding
docs/reference/api/platform/authzrolebinding.md, docs/reference/api/platform/clusterauthzrolebinding.md
Both role binding types updated to document optional conditions field with AuthzCondition structure (actions list and CEL expression), OR-combination semantics across multiple conditions, and YAML examples showing environment-gated release binding mutations and observability action restrictions.
Platform engineer workflow guide for conditions configuration
docs/platform-engineer-guide/authorization/custom-roles.mdx
Role binding wizard introduction refined; role-mapping configuration step expanded to include optional Conditions with dedicated UI subsection covering actions selection, CEL expression entry, available attribute filtering, confirm/discard controls, and OR semantics.
Documentation site navigation update
sidebars.ts
Sidebar entry added for the new Conditions reference page under Authorization & Access Control section.

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title 'feat: add authz Conditions documentation' is fully related to the main change: adding comprehensive authorization Conditions documentation across multiple files including a new dedicated guide, API references, and sidebar updates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description check ✅ Passed The pull request description comprehensively covers all required template sections with detailed context about the changes, related issues, and completed checklist items.


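The PR description and the CodeRabbit walkthrough above both describe the same evaluation rules for conditions: each entry pairs an actions list with a CEL expression, entries on one role mapping are OR-ed, action names may use a wildcard, and a malformed expression or other corrupted policy state is evaluated fail-closed. The following is an added example, not code from this PR or from OpenChoreo, that models those rules so the fail-closed behaviour can be exercised end to end. It stands in for CEL with a whitelisted subset of Python expressions (`&&`/`||` are rewritten, booleans are spelled True/False), assumes `*` glob matching for actions, assumes an action that no entry names is left unconditioned, and uses `resource.name` as an assumed attribute alongside the `resource.environment` attribute the PR mentions. It covers only the conditions step; subject, scope and role matching happen before it.

```python
"""Added example, not OpenChoreo's code: a model of condition-gated role mappings.
Assumptions: CEL is stood in for by a whitelisted Python expression subset (`&&`/`||`
rewritten, booleans spelled True/False); actions use `*` globs; an action that no
entry names stays unconditioned. Entries are OR-ed; anything malformed fails closed."""
import ast
import fnmatch
from dataclasses import dataclass

class ConditionError(Exception):
    """Malformed or unsupported expression, or unresolvable attribute."""

@dataclass
class AuthzCondition:
    actions: list[str]  # exact action names or `*` globs (assumed format)
    expression: str     # boolean expression over request attributes

# Comparisons, boolean logic, literals and attribute reads only: calls, subscripts,
# arithmetic and so on are rejected before anything is evaluated.
_ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.Compare, ast.Eq, ast.NotEq,
            ast.In, ast.NotIn, ast.Attribute, ast.Name, ast.Constant, ast.Load, ast.List)
_MISSING = object()

def parse_expression(expr: str) -> ast.Expression:
    """Parse one condition expression into a validated AST, or raise ConditionError."""
    src = expr.replace("&&", " and ").replace("||", " or ")
    try:
        tree = ast.parse(src, mode="eval")
    except SyntaxError as exc:
        raise ConditionError(f"malformed expression: {exc.msg}") from None
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ConditionError(f"unsupported syntax: {type(node).__name__}")
    return tree

def _resolve(node, attrs: dict):
    """Follow a dotted path such as resource.environment through nested dicts."""
    if isinstance(node, ast.Name):
        value = attrs.get(node.id, _MISSING)
    else:  # ast.Attribute
        base = _resolve(node.value, attrs)
        value = base.get(node.attr, _MISSING) if isinstance(base, dict) else _MISSING
    if value is _MISSING:
        raise ConditionError(f"unknown attribute: {ast.unparse(node)}")
    return value

def _as_bool(value) -> bool:
    if not isinstance(value, bool):
        raise ConditionError(f"expected bool, got {type(value).__name__}")
    return value

def _evaluate(node, attrs: dict):
    if isinstance(node, ast.Expression):
        return _evaluate(node.body, attrs)
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.List):
        return [_evaluate(e, attrs) for e in node.elts]
    if isinstance(node, (ast.Name, ast.Attribute)):
        return _resolve(node, attrs)
    if isinstance(node, ast.BoolOp):
        # No short-circuit: an unknown attribute anywhere is an error, never masked.
        values = [_as_bool(_evaluate(v, attrs)) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.Compare) and len(node.ops) == 1:
        left, op = _evaluate(node.left, attrs), node.ops[0]
        right = _evaluate(node.comparators[0], attrs)
        if isinstance(op, (ast.Eq, ast.NotEq)):
            return (left == right) == isinstance(op, ast.Eq)
        if not isinstance(right, list):
            raise ConditionError("right side of `in` must be a list literal")
        return (left in right) == isinstance(op, ast.In)
    raise ConditionError(f"unsupported syntax: {type(node).__name__}")

def condition_allows(conditions: list[AuthzCondition], action: str, attrs: dict) -> tuple[bool, str]:
    """Apply one role mapping's conditions to one request (subject, scope and role
    are checked elsewhere). Entries naming the action are OR-ed; a malformed entry
    or unknown attribute denies the whole mapping even if another entry passed."""
    relevant = [c for c in conditions if any(fnmatch.fnmatchcase(action, p) for p in c.actions)]
    if not relevant:
        return True, f"{action}: no condition entry names this action"
    satisfied = False
    for cond in relevant:
        try:
            satisfied |= _as_bool(_evaluate(parse_expression(cond.expression), attrs))
        except ConditionError as exc:
            return False, f"{action}: denied, fail-closed ({exc})"
    return satisfied, f"{action}: {'an' if satisfied else 'no'} entry is satisfied"

# Constructed sample: release bindings may change outside production, and in production
# only on one named lane. `resource.name` is an assumed attribute name.
SAMPLE_CONDITIONS = [
    AuthzCondition(["release-binding:update"], 'resource.environment in ["dev", "staging"]'),
    AuthzCondition(["release-binding:*"],
                   'resource.environment == "production" && resource.name == "hotfix-lane"'),
]

if __name__ == "__main__":
    attrs = {"resource": {"environment": "production", "name": "svc-a"}}
    print(condition_allows(SAMPLE_CONDITIONS, "release-binding:delete", attrs)[1])
```

Two points the model makes concrete. First, the wildcard entry gates every `release-binding:*` action, so a `delete` in `dev` is denied even though the first entry would have allowed an `update` there: an action is only as open as the strictest set of entries that name it, OR-ed together. Second, fail-closed is applied at two layers, the way the PR's overview describes it for the RBAC pipeline: `parse_expression` is what an admission webhook would run at write time to reject malformed or out-of-vocabulary expressions, and `condition_allows` still denies at evaluation time if corrupted policy reaches it, so a malformed second entry cannot be masked by a valid first one. In a real deployment the CEL engine replaces `parse_expression`/`_evaluate`; the whitelist here is only a stand-in that keeps the example safe to run on untrusted input.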

@binoyPeries
Contributor Author

@CodeRabbit full review


coderabbitai Bot commented May 16, 2026

✅ Actions performed

Full review triggered.

Signed-off-by: binoyPeries <binoyperies98@gmail.com>

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
docs/reference/api/platform/authzrolebinding.md (1)

1-196: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Fix Prettier formatting issues before merge.

The pipeline reports formatting violations. Run npx prettier --write docs/reference/api/platform/authzrolebinding.md to fix.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reference/api/platform/authzrolebinding.md` around lines 1 - 196, The
markdown file for the AuthzRoleBinding API reference has Prettier formatting
violations; run the formatter (npx prettier --write
docs/reference/api/platform/authzrolebinding.md) to reformat the document,
verify code blocks and frontmatter around the AuthzRoleBinding sections remain
intact, then stage and commit the updated file so the pipeline passes.
docs/platform-engineer-guide/authorization/conditions.md (1)

1-124: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Fix Prettier formatting issues before merge.

The pipeline reports formatting violations. Run npm run format or npx prettier --write docs/platform-engineer-guide/authorization/conditions.md to fix.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/platform-engineer-guide/authorization/conditions.md` around lines 1 -
124, Prettier formatting violations were detected in the Conditions doc; run the
formatter and commit the changes: execute the project formatter (npm run format)
or run npx prettier --write on the conditions.md file, review the resulting
whitespace/linewrap edits in the doc (title, tables, code blocks, and YAML
examples), stage the formatted file, and push the commit so the CI formatting
check passes.
docs/reference/api/platform/clusterauthzrolebinding.md (1)

1-193: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Fix Prettier formatting issues before merge.

The pipeline reports formatting violations. Run npx prettier --write docs/reference/api/platform/clusterauthzrolebinding.md to fix.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/reference/api/platform/clusterauthzrolebinding.md` around lines 1 - 193,
The markdown file docs/reference/api/platform/clusterauthzrolebinding.md has
Prettier formatting violations reported by CI; fix by running Prettier to
reformat the file (for example: run npx prettier --write
docs/reference/api/platform/clusterauthzrolebinding.md) then commit the updated
file so the pipeline passes.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/platform-engineer-guide/authorization/conditions.md`:
- Line 53: The sentence "For resources that exist in only one scope, the
resource identifiers simply carries the resource name." has subject-verb
agreement error; change "carries" to "carry" so it reads "the resource
identifiers simply carry the resource name." Update the sentence in the
Authorization Conditions documentation (the line that starts "For resources that
exist in only one scope, the resource identifiers...") to use "carry".


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5544efd9-6374-4003-9ff0-8143c3bb501b

📥 Commits

Reviewing files that changed from the base of the PR and between a843203 and ba0923f.

⛔ Files ignored due to path filters (6)
  • docs/platform-engineer-guide/authorization/images/role-binding-creation-allow-deny-selection.png is excluded by !**/*.png, !**/*.png
  • docs/platform-engineer-guide/authorization/images/role-binding-creation-conditions-editing.png is excluded by !**/*.png, !**/*.png
  • docs/platform-engineer-guide/authorization/images/role-binding-creation-review-selection.png is excluded by !**/*.png, !**/*.png
  • docs/platform-engineer-guide/authorization/images/role-binding-creation-role-mapping-view.png is excluded by !**/*.png, !**/*.png
  • docs/platform-engineer-guide/authorization/images/role-binding-creation-role-mapping.png is excluded by !**/*.png, !**/*.png
  • docs/platform-engineer-guide/authorization/images/role-binding-creation-subject-selection.png is excluded by !**/*.png, !**/*.png
📒 Files selected for processing (6)
  • docs/platform-engineer-guide/authorization/conditions.md
  • docs/platform-engineer-guide/authorization/custom-roles.mdx
  • docs/platform-engineer-guide/authorization/overview.md
  • docs/reference/api/platform/authzrolebinding.md
  • docs/reference/api/platform/clusterauthzrolebinding.md
  • sidebars.ts

Comment thread docs/platform-engineer-guide/authorization/conditions.md Outdated
@binoyPeries binoyPeries marked this pull request as ready for review May 16, 2026 04:23
Signed-off-by: binoyPeries <binoyperies98@gmail.com>

@LakshanSS LakshanSS left a comment


LGTM

@LakshanSS LakshanSS merged commit 3c3dd21 into openchoreo:main May 16, 2026
3 checks passed