Consolidate AI feature authorization logic
What does this MR do and why?
- Previously, each policy was checking the following things:
- ai_global_switch ops FF enabled
- AI license available
- AI feature available via StageCheck
- Is the user actually a member of the parent resource? (only members can use AI features)
- Not surprisingly, given the number of things to check, this was done somewhat inconsistently throughout the policies.
- This MR uses "Llm::FeatureAuthorizer", which handles this logic.
- Now, any permissions checks related to AI features can call
Llm::FeatureAuthorizer
and be confident that they are making all of the correct checks. - This is a follow-up to the fix for #422754 (closed)
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Edited by Jessie Young