Red Hat Developer Hub Bugs / RHDHBUGS-1645

[janus-idp/backstage-plugins] RBAC: Could not fetch catalog entities. Request failed with 403 Forbidden.


    • Release note: Recent updates to Backstage mean that plugins that use service-to-service authentication had to be updated to use the new `httpAuth` and `auth` services. With this update the RBAC backend plugin can query information from other plugins without breaking.
    • Release note type: Bug Fix
    • RHDH Core Team 3256

      [2259221332] Upstream Reporter: CarTh
      Upstream issue status: Closed
      Upstream description:

      Describe the bug

      I'm using Backstage 1.26.0 with the new backend system. The authentication is done with '@backstage/plugin-auth-backend-module-microsoft-provider'. The organization data ingestion is done with '@backstage/plugin-catalog-backend-module-msgraph/alpha'. So far no problem: I can log in, the users/groups are present and I have access to everything. I enabled '@backstage/plugin-permission-backend/alpha' and added a simple policy without problem. For convenience and because it offers great features, I installed the janus-idp RBAC plugins in the front end and the back end as mentioned in the documentation. I can still log in, but I cannot access anything (e.g. the catalog), even if my user is defined as admin. I think I have everything configured correctly (front, backend, service-to-service secret keys, rbac, ...). By accessing the catalog, I get an error 'Error: Could not fetch catalog entities.' 'ResponseError: Request failed with 403 Forbidden'. In the logs, some 403 errors with 'POST /api/permission/authorize':

      [1] 2024-04-22T15:55:36.302Z permission info Policy check for user:default/xyz for permission catalog.entity.create 
      [1] 2024-04-22T15:55:36.302Z permission info user:default/xyz is ALLOW for permission 'catalog.entity.create' and action create 
      [1] 2024-04-22T15:55:36.303Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 200 74 "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0" type=incomingRequest
      [1] 2024-04-22T15:55:36.308Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 403 676 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
      [1] 2024-04-22T15:55:36.309Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entity-facets?facet=kind HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0" type=incomingRequest
      [1] 2024-04-22T15:55:36.310Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 403 676 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
      [1] 2024-04-22T15:55:36.311Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 403 676 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
      [1] 2024-04-22T15:55:36.312Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 403 676 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
      [1] 2024-04-22T15:55:36.312Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entity-facets?facet=spec.lifecycle HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0" type=incomingRequest
      [1] 2024-04-22T15:55:36.313Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entity-facets?facet=metadata.tags HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0" type=incomingRequest
      [1] 2024-04-22T15:55:36.313Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entity-facets?facet=metadata.namespace HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0" type=incomingRequest
      [1] 2024-04-22T15:55:36.338Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 403 676 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
      [1] 2024-04-22T15:55:36.339Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entities?filter=kind%3Dcomponent HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0" type=incomingRequest

      Expected Behavior

      The logged-in user can access the catalog.

      What are the steps to reproduce this bug?

      1. Create a Backstage app v1.26.x
      2. Add @backstage/plugin-auth-backend-module-microsoft-provider and @backstage/plugin-catalog-backend-module-msgraph/alpha
      3. Authenticate
      4. Access the catalog

      Repository available: https://github.com/c4rth/backstage-playground (note: some values are in app-config.local.yaml and therefore not pushed).

      Versions of software used and environment

      • Backstage 1.26.0
      • packages/app/package.json - dependencies
          "@backstage-community/plugin-github-actions": "^0.6.16",
          "@backstage-community/plugin-tech-radar": "^0.7.4",
          "@backstage/app-defaults": "^1.5.4",
          "@backstage/catalog-model": "^1.4.5",
          "@backstage/cli": "^0.26.4",
          "@backstage/core-app-api": "^1.12.4",
          "@backstage/core-components": "^0.14.4",
          "@backstage/core-plugin-api": "^1.9.2",
          "@backstage/integration-react": "^1.1.26",
          "@backstage/plugin-api-docs": "^0.11.4",
          "@backstage/plugin-catalog": "^1.19.0",
          "@backstage/plugin-catalog-common": "^1.0.22",
          "@backstage/plugin-catalog-graph": "^0.4.4",
          "@backstage/plugin-catalog-import": "^0.10.10",
          "@backstage/plugin-catalog-react": "^1.11.3",
          "@backstage/plugin-home": "^0.7.3",
          "@backstage/plugin-notifications": "^0.2.0",
          "@backstage/plugin-notifications-node": "^0.1.3",
          "@backstage/plugin-org": "^0.6.24",
          "@backstage/plugin-permission-react": "^0.4.22",
          "@backstage/plugin-scaffolder": "^1.19.3",
          "@backstage/plugin-search": "^1.4.10",
          "@backstage/plugin-search-react": "^1.7.10",
          "@backstage/plugin-signals": "^0.0.5",
          "@backstage/plugin-techdocs": "^1.10.4",
          "@backstage/plugin-techdocs-module-addons-contrib": "^1.1.9",
          "@backstage/plugin-techdocs-react": "^1.2.3",
          "@backstage/plugin-user-settings": "^0.8.5",
          "@backstage/theme": "^0.5.3",
          "@drodil/backstage-plugin-qeta": "^2.1.1",
          "@janus-idp/backstage-plugin-rbac": "^1.17.6",
          "@material-ui/core": "^4.12.2",
          "@material-ui/icons": "^4.9.1",
          "history": "^5.0.0",
          "react": "^18.0.2",
          "react-dom": "^18.0.2",
          "react-router": "^6.3.0",
          "react-router-dom": "^6.3.0",
          "react-use": "^17.2.4"
      • packages/backend/package.json - dependencies
          "@backstage/backend-common": "^0.21.7",
          "@backstage/backend-defaults": "^0.2.17",
          "@backstage/backend-plugin-api": "^0.6.17",
          "@backstage/backend-tasks": "^0.5.22",
          "@backstage/config": "^1.2.0",
          "@backstage/plugin-app-backend": "^0.3.65",
          "@backstage/plugin-auth-backend": "^0.22.4",
          "@backstage/plugin-auth-backend-module-github-provider": "^0.1.14",
          "@backstage/plugin-auth-backend-module-guest-provider": "^0.1.3",
          "@backstage/plugin-auth-node": "^0.4.12",
          "@backstage/plugin-catalog-backend": "^1.21.1",
          "@backstage/plugin-catalog-backend-module-azure": "^0.1.37",
          "@backstage/plugin-catalog-backend-module-msgraph": "^0.5.25",
          "@backstage/plugin-catalog-backend-module-openapi": "^0.1.35",
          "@backstage/plugin-catalog-backend-module-scaffolder-entity-model": "^0.1.15",
          "@backstage/plugin-notifications-backend": "^0.2.0",
          "@backstage/plugin-permission-backend": "^0.5.41",
          "@backstage/plugin-permission-backend-module-allow-all-policy": "^0.1.14",
          "@backstage/plugin-permission-common": "^0.7.13",
          "@backstage/plugin-permission-node": "^0.7.28",
          "@backstage/plugin-proxy-backend": "^0.4.15",
          "@backstage/plugin-scaffolder-backend": "^1.22.4",
          "@backstage/plugin-search-backend": "^1.5.7",
          "@backstage/plugin-search-backend-module-catalog": "^0.1.22",
          "@backstage/plugin-search-backend-module-pg": "^0.5.26",
          "@backstage/plugin-search-backend-module-techdocs": "^0.1.22",
          "@backstage/plugin-search-backend-node": "^1.2.21",
          "@backstage/plugin-signals-backend": "^0.1.3",
          "@backstage/plugin-techdocs-backend": "^1.10.4",
          "@drodil/backstage-plugin-qeta-backend": "^2.1.1",
          "@drodil/backstage-plugin-search-backend-module-qeta": "^2.1.1",
          "@janus-idp/backstage-plugin-rbac-backend": "^2.6.4",
          "app": "link:../app",
          "better-sqlite3": "^9.0.0",
          "dockerode": "^3.3.1",
          "node-gyp": "^10.0.0",
          "pg": "^8.11.5",
          "winston": "^3.2.1"
      • configuration: app-config.yaml
          app:
            title: Backstage App
            baseUrl: http://localhost:3000

          organization:
            name: Acme

          backend:
            baseUrl: http://localhost:7007
            auth:
              externalAccess:
                - type: legacy
                  options:
                    secret: n7o5Roq0RxMfNSrCuwyEPwkfDr1AvYnB # generated with node -p 'require("crypto").randomBytes(24).toString("base64")'
                    subject: legacy-catalog
                - type: legacy
                  options:
                    secret: Cssm84WMevbWWPxoO8T1Oy7hxKVCx2yp # generated with node -p 'require("crypto").randomBytes(24).toString("base64")'
                    subject: legacy-scaffolder
            listen:
              port: 7007
            csp:
              connect-src: ["'self'", "http:", "https:"]
            cors:
              origin: http://localhost:3000
              methods: [GET, HEAD, PATCH, POST, PUT, DELETE, OPTIONS, CONNECT, TRACE]
              credentials: true
            database:
              client: pg
              connection:
                host: 127.0.0.1
                port: 5432
                user: postgres
                password: postgres
              # client: better-sqlite3
              # connection: ":memory:"

          permission:
            enabled: true
            rbac:
              pluginsWithPermission:
                - catalog
                - policy
                - scaffolder
                - qeta
              admin:
                users:
                  - name: 'group:default/backstage-admin'
                  - name: 'user:default/<omitted>'
                superUsers:
                  - name: 'user:default/<omitted>'

          qeta:
            tags:
              allowCreation: false
              allowedTags:
                - java
                - javascript
                - azure
                - python
              max: 3
            moderators:
              - 'group:default/backstage-admin'

          integrations:
            github:
              - host: github.com
                token: ${GITHUB_TOKEN}

          techdocs:
            builder: "local" # Alternatives - 'external'
            generator:
              runIn: "local" # Alternatives - 'local'
            publisher:
              type: "local" # Alternatives - 'googleGcs' or 'awsS3'. Read documentation for using alternatives.

          auth:
            autologout:
              enabled: true
              idleTimeoutMinutes: 10
            environment: development
            providers:
              microsoft:
                development:
                  clientId: ${AZURE_AUTH_CLIENT_ID}
                  clientSecret: ${AZURE_AUTH_CLIENT_SECRET}
                  tenantId: ${AZURE_AUTH_TENANT_ID}
                  domainHint: ${AZURE_AUTH_TENANT_ID}
                  signIn:
                    resolvers:
                      - resolver: emailMatchingUserEntityProfileEmail

          search:
            pg:
              highlightOptions:
                useHighlight: true
                maxWord: 35
                minWord: 15
                shortWord: 3
                highlightAll: false
                maxFragments: 0
                fragmentDelimiter: ' ... '
            collators:
              catalog:
                schedule:
                  frequency: PT1M
                  timeout: PT15M
                  initialDelay: PT5S

          catalog:
            rules:
              - allow: [Component, System, API, Resource, Template, Domain, Location, Group, User]
            providers:
              microsoftGraphOrg:
                default:
                  target: https://graph.microsoft.com/v1.0
                  authority: https://login.microsoftonline.com
                  tenantId: ${AZURE_GRAPH_TENANT_ID}
                  clientId: ${AZURE_GRAPH_CLIENT_ID}
                  clientSecret: ${AZURE_GRAPH_CLIENT_SECRET}
                  user:
                    select: ["id", "displayName", "description", "mail"]
                  userGroupMember:
                    expand: manager
                  group:
                    filter: securityEnabled eq true
                    select: ["id", "displayName", "description"]
                  rules:
                    - allow: [User, Group]
                  schedule:
                    frequency: { minutes: 15 }
                    timeout: { minutes: 5 }
                    initialDelay: { seconds: 15 }
            locations:
              - type: file
                target: ../../examples/catalog-info.yaml
              - type: file
                target: ../../examples/org.yaml
                rules:
                  - allow: [User, Group]
              - type: url
                target: https://github.com/backstage/backstage/blob/master/packages/catalog-model/examples/all-apis.yaml


      Upstream URL: https://github.com/janus-idp/backstage-plugins/issues/1538
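The access log quoted in the upstream description already separates the two kinds of authorize call: the user's own check (browser user agent, app referer, 200) and the backend-to-backend checks the catalog plugin makes when a request arrives (node-fetch user agent, no referer, 403). The Python below is an added triage example, not part of the issue or of the plugin's code; it parses lines of that format, classifies each by origin, and flags the pattern where the user's policy passes but every service-originated authorize call is refused. The sample lines are constructed copies of the quoted ones with the browser user agent shortened.

```python
import re
from collections import Counter

# Constructed sample: five rootHttpRouter lines shaped like the ones quoted in the issue
# (browser user agent shortened for readability; all other fields as logged).
SAMPLE_LOG = """\
[1] 2024-04-22T15:55:36.303Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 200 74 "http://localhost:3000/" "Mozilla/5.0 (Macintosh) Chrome/124.0.0.0" type=incomingRequest
[1] 2024-04-22T15:55:36.308Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 403 676 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
[1] 2024-04-22T15:55:36.309Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entity-facets?facet=kind HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh) Chrome/124.0.0.0" type=incomingRequest
[1] 2024-04-22T15:55:36.310Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 403 676 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
[1] 2024-04-22T15:55:36.339Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entities?filter=kind%3Dcomponent HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh) Chrome/124.0.0.0" type=incomingRequest
"""

# Request line, status, referer and user agent of a rootHttpRouter access-log line.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return (origin, method, path, status), or None for lines that are not access-log lines."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # A browser call carries the app's referer and a Mozilla user agent; a backend plugin
    # calling another plugin through node-fetch sends neither.
    origin = "browser" if m["ua"].startswith("Mozilla/") and m["referer"] != "-" else "service"
    return origin, m["method"], m["target"].split("?", 1)[0], int(m["status"])


def summarize(log_text):
    """Count requests per (origin, method, path, status); query strings are dropped."""
    return Counter(r for r in map(parse_line, log_text.splitlines()) if r)


def s2s_auth_failure_suspected(summary, authorize_path="/api/permission/authorize"):
    """True when the browser's own authorize call succeeds while every backend-originated
    authorize call is refused: the user's policy passes, the service credentials do not."""
    browser_ok = any(o == "browser" and p == authorize_path and s == 200 for o, _, p, s in summary)
    service_statuses = {s for o, _, p, s in summary if o == "service" and p == authorize_path}
    return browser_ok and service_statuses == {403}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (origin, method, path, status), n in sorted(summary.items()):
        print(f"{origin:8} {method:5} {path:35} {status} x{n}")
    print("service-to-service auth failure suspected:", s2s_auth_failure_suspected(summary))
```

When the flag is true the catalog 403s are downstream of the refused service calls, so the place to look is the backend's service-to-service credentials rather than the user's RBAC policy.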

              rh-ee-pknight Patrick Knight
              upstream-sync Upstream Sync
              RHIDP - Plugins