Bug
Resolution: Done
Blocker
Bug Fix
RHDH Core Team 3256
[2259221332] Upstream Reporter: CarTh
Upstream issue status: Closed
Upstream description:
Describe the bug
I'm using Backstage 1.26.0 with the new backend system. The authentication is done with '@backstage/plugin-auth-backend-module-microsoft-provider'. The organization data ingestion is done with '@backstage/plugin-catalog-backend-module-msgraph/alpha'. So far no problem: I can log in, the users/groups are present, and I have access to everything.
I enabled '@backstage/plugin-permission-backend/alpha' and added a simple policy without problem.
For convenience and because it offers great features, I installed the janus-idp rbac plugins in the front end and the back end as mentioned in the documentation. I can still log in, but I cannot access anything (e.g. the catalog), even if my user is defined as admin. I think I have everything configured correctly (front, backend, service-to-service secret keys, rbac, ...).
By accessing the catalog, I get an error 'Error: Could not fetch catalog entities.' 'ResponseError: Request failed with 403 Forbidden'
In logging, some 403 errors with 'POST /api/permission/authorize':
[1] 2024-04-22T15:55:36.302Z permission info Policy check for user:default/xyz for permission catalog.entity.create
[1] 2024-04-22T15:55:36.302Z permission info user:default/xyz is ALLOW for permission 'catalog.entity.create' and action create
[1] 2024-04-22T15:55:36.303Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 200 74 "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0" type=incomingRequest
[1] 2024-04-22T15:55:36.308Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 403 676 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
[1] 2024-04-22T15:55:36.309Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entity-facets?facet=kind HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0" type=incomingRequest
[1] 2024-04-22T15:55:36.310Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 403 676 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
[1] 2024-04-22T15:55:36.311Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 403 676 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
[1] 2024-04-22T15:55:36.312Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 403 676 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
[1] 2024-04-22T15:55:36.312Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entity-facets?facet=spec.lifecycle HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0" type=incomingRequest
[1] 2024-04-22T15:55:36.313Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entity-facets?facet=metadata.tags HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0" type=incomingRequest
[1] 2024-04-22T15:55:36.313Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entity-facets?facet=metadata.namespace HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0" type=incomingRequest
[1] 2024-04-22T15:55:36.338Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 403 676 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
[1] 2024-04-22T15:55:36.339Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entities?filter=kind%3Dcomponent HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0" type=incomingRequest
Expected Behavior
The logged-in user can access the catalog
What are the steps to reproduce this bug?
- Create a backstage app v1.26.x
- Add @backstage/plugin-auth-backend-module-microsoft-provider and @backstage/plugin-catalog-backend-module-msgraph/alpha
- Authenticate
- Access the catalog
Repository available: https://github.com/c4rth/backstage-playground (note: some values are in app-config.local.yaml and therefore not pushed).
Versions of software used and environment
- Backstage 1.26.0
- packages/app/package.json - dependencies
"@backstage-community/plugin-github-actions": "^0.6.16",
"@backstage-community/plugin-tech-radar": "^0.7.4",
"@backstage/app-defaults": "^1.5.4",
"@backstage/catalog-model": "^1.4.5",
"@backstage/cli": "^0.26.4",
"@backstage/core-app-api": "^1.12.4",
"@backstage/core-components": "^0.14.4",
"@backstage/core-plugin-api": "^1.9.2",
"@backstage/integration-react": "^1.1.26",
"@backstage/plugin-api-docs": "^0.11.4",
"@backstage/plugin-catalog": "^1.19.0",
"@backstage/plugin-catalog-common": "^1.0.22",
"@backstage/plugin-catalog-graph": "^0.4.4",
"@backstage/plugin-catalog-import": "^0.10.10",
"@backstage/plugin-catalog-react": "^1.11.3",
"@backstage/plugin-home": "^0.7.3",
"@backstage/plugin-notifications": "^0.2.0",
"@backstage/plugin-notifications-node": "^0.1.3",
"@backstage/plugin-org": "^0.6.24",
"@backstage/plugin-permission-react": "^0.4.22",
"@backstage/plugin-scaffolder": "^1.19.3",
"@backstage/plugin-search": "^1.4.10",
"@backstage/plugin-search-react": "^1.7.10",
"@backstage/plugin-signals": "^0.0.5",
"@backstage/plugin-techdocs": "^1.10.4",
"@backstage/plugin-techdocs-module-addons-contrib": "^1.1.9",
"@backstage/plugin-techdocs-react": "^1.2.3",
"@backstage/plugin-user-settings": "^0.8.5",
"@backstage/theme": "^0.5.3",
"@drodil/backstage-plugin-qeta": "^2.1.1",
"@janus-idp/backstage-plugin-rbac": "^1.17.6",
"@material-ui/core": "^4.12.2",
"@material-ui/icons": "^4.9.1",
"history": "^5.0.0",
"react": "^18.0.2",
"react-dom": "^18.0.2",
"react-router": "^6.3.0",
"react-router-dom": "^6.3.0",
"react-use": "^17.2.4"
- packages/backend/package.json - dependencies
"@backstage/backend-common": "^0.21.7",
"@backstage/backend-defaults": "^0.2.17",
"@backstage/backend-plugin-api": "^0.6.17",
"@backstage/backend-tasks": "^0.5.22",
"@backstage/config": "^1.2.0",
"@backstage/plugin-app-backend": "^0.3.65",
"@backstage/plugin-auth-backend": "^0.22.4",
"@backstage/plugin-auth-backend-module-github-provider": "^0.1.14",
"@backstage/plugin-auth-backend-module-guest-provider": "^0.1.3",
"@backstage/plugin-auth-node": "^0.4.12",
"@backstage/plugin-catalog-backend": "^1.21.1",
"@backstage/plugin-catalog-backend-module-azure": "^0.1.37",
"@backstage/plugin-catalog-backend-module-msgraph": "^0.5.25",
"@backstage/plugin-catalog-backend-module-openapi": "^0.1.35",
"@backstage/plugin-catalog-backend-module-scaffolder-entity-model": "^0.1.15",
"@backstage/plugin-notifications-backend": "^0.2.0",
"@backstage/plugin-permission-backend": "^0.5.41",
"@backstage/plugin-permission-backend-module-allow-all-policy": "^0.1.14",
"@backstage/plugin-permission-common": "^0.7.13",
"@backstage/plugin-permission-node": "^0.7.28",
"@backstage/plugin-proxy-backend": "^0.4.15",
"@backstage/plugin-scaffolder-backend": "^1.22.4",
"@backstage/plugin-search-backend": "^1.5.7",
"@backstage/plugin-search-backend-module-catalog": "^0.1.22",
"@backstage/plugin-search-backend-module-pg": "^0.5.26",
"@backstage/plugin-search-backend-module-techdocs": "^0.1.22",
"@backstage/plugin-search-backend-node": "^1.2.21",
"@backstage/plugin-signals-backend": "^0.1.3",
"@backstage/plugin-techdocs-backend": "^1.10.4",
"@drodil/backstage-plugin-qeta-backend": "^2.1.1",
"@drodil/backstage-plugin-search-backend-module-qeta": "^2.1.1",
"@janus-idp/backstage-plugin-rbac-backend": "^2.6.4",
"app": "link:../app",
"better-sqlite3": "^9.0.0",
"dockerode": "^3.3.1",
"node-gyp": "^10.0.0",
"pg": "^8.11.5",
"winston": "^3.2.1"
- configuration: app-config.yaml
app:
  title: Backstage App
  baseUrl: http://localhost:3000

organization:
  name: Acme

backend:
  baseUrl: http://localhost:7007
  auth:
    externalAccess:
      - type: legacy
        options:
          secret: n7o5Roq0RxMfNSrCuwyEPwkfDr1AvYnB # generated with node -p 'require("crypto").randomBytes(24).toString("base64")'
          subject: legacy-catalog
      - type: legacy
        options:
          secret: Cssm84WMevbWWPxoO8T1Oy7hxKVCx2yp # generated with node -p 'require("crypto").randomBytes(24).toString("base64")'
          subject: legacy-scaffolder
  listen:
    port: 7007
  csp:
    connect-src: ["'self'", "http:", "https:"]
  cors:
    origin: http://localhost:3000
    methods: [GET, HEAD, PATCH, POST, PUT, DELETE, OPTIONS, CONNECT, TRACE]
    credentials: true
  database:
    client: pg
    connection:
      host: 127.0.0.1
      port: 5432
      user: postgres
      password: postgres
    # client: better-sqlite3
    # connection: ":memory:"

permission:
  enabled: true
  rbac:
    pluginsWithPermission:
      - catalog
      - policy
      - scaffolder
      - qeta
    admin:
      users:
        - name: 'group:default/backstage-admin'
        - name: 'user:default/<omitted>'
      superUsers:
        - name: 'user:default/<omitted>'

qeta:
  tags:
    allowCreation: false
    allowedTags:
      - java
      - javascript
      - azure
      - python
    max: 3
  moderators:
    - 'group:default/backstage-admin'

integrations:
  github:
    - host: github.com
      token: ${GITHUB_TOKEN}

techdocs:
  builder: "local" # Alternatives - 'external'
  generator:
    runIn: "local" # Alternatives - 'local'
  publisher:
    type: "local" # Alternatives - 'googleGcs' or 'awsS3'. Read documentation for using alternatives.

auth:
  autologout:
    enabled: true
    idleTimeoutMinutes: 10
  environment: development
  providers:
    microsoft:
      development:
        clientId: ${AZURE_AUTH_CLIENT_ID}
        clientSecret: ${AZURE_AUTH_CLIENT_SECRET}
        tenantId: ${AZURE_AUTH_TENANT_ID}
        domainHint: ${AZURE_AUTH_TENANT_ID}
        signIn:
          resolvers:
            - resolver: emailMatchingUserEntityProfileEmail

search:
  pg:
    highlightOptions:
      useHighlight: true
      maxWord: 35
      minWord: 15
      shortWord: 3
      highlightAll: false
      maxFragments: 0
      fragmentDelimiter: ' ... '
  collators:
    catalog:
      schedule:
        frequency: PT1M
        timeout: PT15M
        initialDelay: PT5S

catalog:
  rules:
    - allow: [Component, System, API, Resource, Template, Domain, Location, Group, User]
  providers:
    microsoftGraphOrg:
      default:
        target: https://graph.microsoft.com/v1.0
        authority: https://login.microsoftonline.com
        tenantId: ${AZURE_GRAPH_TENANT_ID}
        clientId: ${AZURE_GRAPH_CLIENT_ID}
        clientSecret: ${AZURE_GRAPH_CLIENT_SECRET}
        user:
          select: ["id", "displayName", "description", "mail"]
        userGroupMember:
          expand: manager
        group:
          filter: securityEnabled eq true
          select: ["id", "displayName", "description"]
        rules:
          - allow: [User, Group]
        schedule:
          frequency: { minutes: 15 }
          timeout: { minutes: 5 }
          initialDelay: { seconds: 15 }
  locations:
    - type: file
      target: ../../examples/catalog-info.yaml
    - type: file
      target: ../../examples/org.yaml
      rules:
        - allow: [User, Group]
    - type: url
      target: https://github.com/backstage/backstage/blob/master/packages/catalog-model/examples/all-apis.yaml
Upstream URL: https://github.com/janus-idp/backstage-plugins/issues/1538
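The log excerpt in the report shows a pattern worth separating out when triaging RBAC denials: the user's own policy check is logged as ALLOW and the browser's POST to /api/permission/authorize returns 200, while every 403 on that endpoint carries the node-fetch user agent, i.e. it is a backend plugin calling the permission service on the user's behalf. The following script is an added example (not part of the report, the janus-idp project, or Backstage) that parses rootHttpRouter request lines, tags each authorize call as browser- or backend-originated, and classifies the overall pattern. The log lines embedded in it are constructed samples modelled on the report's format, and the function names (parse_line, summarize_authorize, diagnose) are this example's own.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the rootHttpRouter entries in the
# report above (shortened user agents; not copied verbatim).
SAMPLE_LOG = """\
[1] 2024-04-22T15:55:36.302Z permission info user:default/xyz is ALLOW for permission 'catalog.entity.create' and action create
[1] 2024-04-22T15:55:36.303Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 200 74 "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/124.0.0.0" type=incomingRequest
[1] 2024-04-22T15:55:36.308Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 403 676 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
[1] 2024-04-22T15:55:36.309Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entity-facets?facet=kind HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/124.0.0.0" type=incomingRequest
[1] 2024-04-22T15:55:36.310Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 403 676 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
[1] 2024-04-22T15:55:36.339Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entities?filter=kind%3Dcomponent HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/124.0.0.0" type=incomingRequest
"""

# Combined-log style line as emitted by Backstage's rootHttpRouter; the
# optional "[1] " prefix is the dev runner's process tag.
LINE_RE = re.compile(
    r'^(?:\[\d+\] )?(?P<ts>\S+) rootHttpRouter \w+ (?P<client>\S+) - - \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for a rootHttpRouter request line, or None for other log lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    # Backend plugins call the permission service through node-fetch; a
    # browser session carries a real browser user agent.
    rec["caller"] = "backend" if rec["ua"].startswith("node-fetch/") else "browser"
    return rec


def summarize_authorize(log_text):
    """Count /api/permission/authorize responses by (caller, status)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == "/api/permission/authorize":
            counts[(rec["caller"], rec["status"])] += 1
    return counts


def diagnose(counts):
    """Classify the denial pattern so the right layer gets inspected first.

    'backend-denied-only': only backend-originated authorize calls are denied
    while the browser's own calls succeed, so the user's role assignment is
    not the first place to look.
    """
    backend_denied = counts.get(("backend", 403), 0)
    browser_denied = counts.get(("browser", 403), 0)
    browser_ok = counts.get(("browser", 200), 0)
    if backend_denied and browser_ok and not browser_denied:
        return "backend-denied-only"
    if backend_denied or browser_denied:
        return "mixed-denials"
    return "no-denials"


if __name__ == "__main__":
    summary = summarize_authorize(SAMPLE_LOG)
    for (caller, status), n in sorted(summary.items()):
        print(f"{caller:8s} {status}  x{n}")
    print("pattern:", diagnose(summary))
```

Run it against a real backend log by replacing SAMPLE_LOG with the file contents; the 403 entries on the catalog endpoints themselves are deliberately ignored, since they are the downstream effect of the denied authorize calls rather than the cause.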
is depended on by: RHDHBUGS-1785 TechDocs returning 404 with RBAC (Closed)
links to: