Bug
Resolution: Unresolved
1.8.0
Description of problem:
The Orchestrator workflows are not listed when the RBAC flag is enabled. When it is disabled, the workflows are shown successfully.
From slack thread
Prerequisites (if any, like setup, operators/versions):
An RHDH instance managed by the Operator.
Steps to Reproduce:
- Integrate RHDH with GitHub, GitLab or another IdP for authentication.
- Enable RBAC using the following configuration:
permission:
  enabled: true
  rbac:
    admin:
      users:
        - name: user:default/root
    policies-csv-file: /opt/app-root/src/rbac/rbac-policy.csv
    conditionalPoliciesFile: /opt/app-root/src/rbac/rbac-conditional-policies.yaml
    policyFileReload: true
    pluginsWithPermission:
      - catalog
      - scaffolder
      - permission
      - orchestrator
- Use the following RBAC files to set up the authorization policies:
kind: ConfigMap
apiVersion: v1
metadata:
  name: rbac-policy
data:
  rbac-conditional-policies.yaml: |
    ---
    # Team B can only see 'sample' templates
    result: CONDITIONAL
    roleEntityRef: 'role:default/team-b'
    pluginId: catalog
    resourceType: catalog-entity
    permissionMapping:
      - read
    conditions:
      anyOf:
        - not:
            rule: IS_ENTITY_KIND
            resourceType: catalog-entity
            params:
              kinds:
                - 'Template'
        - rule: HAS_METADATA
          resourceType: catalog-entity
          params:
            key: tags
            value: sample
  rbac-policy.csv: |
    # Catalog permissions
    p, role:default/team-a, catalog-entity, read, allow
    p, role:default/team-a, catalog.entity.read, read, allow
    p, role:default/team-a, catalog.entity.create, create, allow
    p, role:default/team-a, catalog.entity.refresh, update, allow
    p, role:default/team-a, catalog.entity.delete, delete, allow
    p, role:default/team-a, catalog.location.read, read, allow
    p, role:default/team-a, catalog.location.create, create, allow
    p, role:default/team-a, catalog.location.delete, delete, allow
    # Scaffolder permissions
    p, role:default/team-a, scaffolder-template, read, allow
    p, role:default/team-a, scaffolder.template.parameter.read, read, allow
    p, role:default/team-a, scaffolder.template.step.read, read, allow
    p, role:default/team-a, scaffolder-action, use, allow
    p, role:default/team-a, scaffolder.action.execute, use, allow
    p, role:default/team-a, scaffolder.task.read, read, allow
    p, role:default/team-a, scaffolder.task.create, create, allow
    p, role:default/team-a, scaffolder.task.cancel, use, allow
    # Adoption Insights permissions
    p, role:default/team-a, adoption-insights.events.read, read, allow
    # Lightspeed permissions
    p, role:default/team-a, lightspeed.chat.read, read, allow
    p, role:default/team-a, lightspeed.chat.create, create, allow
    p, role:default/team-a, lightspeed.chat.delete, delete, allow
    # Team-B Role
    # Catalog permissions
    p, role:default/team-b, catalog-entity, read, allow
    p, role:default/team-b, catalog.entity.read, read, allow
    p, role:default/team-b, catalog.entity.create, create, deny
    p, role:default/team-b, catalog.entity.refresh, update, deny
    p, role:default/team-b, catalog.entity.delete, delete, deny
    p, role:default/team-b, catalog.location.read, read, deny
    p, role:default/team-b, catalog.location.create, create, deny
    p, role:default/team-b, catalog.location.delete, delete, deny
    # Scaffolder permissions
    p, role:default/team-b, scaffolder-template, read, deny
    p, role:default/team-b, scaffolder.template.parameter.read, read, deny
    p, role:default/team-b, scaffolder.template.step.read, read, deny
    p, role:default/team-b, scaffolder-action, use, deny
    p, role:default/team-b, scaffolder.action.execute, use, deny
    p, role:default/team-b, scaffolder.task.read, read, deny
    p, role:default/team-b, scaffolder.task.create, create, deny
    p, role:default/team-b, scaffolder.task.cancel, use, deny
    # Groups
    g, group:default/team-a, role:default/team-a
    g, group:default/team-b, role:default/team-b
- Declare a Backstage CR as:
apiVersion: rhdh.redhat.com/v1alpha4
kind: Backstage
metadata:
  name: developer-hub
spec:
  application:
    appConfig:
      configMaps:
        - name: app-config-rhdh
      mountPath: /opt/app-root/src
    dynamicPluginsConfigMapName: dynamic-plugins-rhdh
    extraEnvs:
      configMaps:
        - name: rhdh-techdocs-bucket-claim
      envs:
        - containers:
            - '*'
          name: NODE_TLS_REJECT_UNAUTHORIZED
          value: '0'
      secrets:
        - name: gitlab-secrets
        - name: rhdh-secrets
        - name: rhdh-techdocs-bucket-claim
    extraFiles:
      configMaps:
        - name: rbac-policy
          mountPath: /opt/app-root/src/rbac
    replicas: 1
    route:
      enabled: true
  database:
    enableLocalDb: true
  deployment:
    patch:
      spec:
        replicas: 1
        template:
          spec:
            volumes:
              - $patch: replace
                name: dynamic-plugins-root
                persistentVolumeClaim:
                  claimName: dynamic-plugins-root
  monitoring:
    enabled: true
- Enable the Orchestrator plugins:
kind: ConfigMap
apiVersion: v1
metadata:
  name: dynamic-plugins-rhdh
  labels:
    rhdh.redhat.com/ext-config-sync: 'true'
data:
  dynamic-plugins.yaml: |
    includes:
      - dynamic-plugins.default.yaml
    plugins:
      # Add here your GitHub, GitLab plugins for Authentication
      - package: './dynamic-plugins/dist/backstage-community-plugin-rbac'
        disabled: false
      # Notifications
      - package: ./dynamic-plugins/dist/backstage-plugin-notifications
        disabled: false
      - package: ./dynamic-plugins/dist/backstage-plugin-notifications-backend-dynamic
        disabled: false
      # Orchestrator
      - package: "@redhat/backstage-plugin-orchestrator@1.8.2"
        disabled: false
      - package: "@redhat/backstage-plugin-orchestrator-backend-dynamic@1.8.2"
        disabled: false
        dependencies:
          - ref: sonataflow
      - package: "@redhat/backstage-plugin-scaffolder-backend-module-orchestrator-dynamic@1.8.2"
        disabled: false
      - package: "@redhat/backstage-plugin-orchestrator-form-widgets@1.8.2"
        disabled: false
Actual results:
Workflows are not listed.
Expected results:
Workflows should be listed for an authenticated and authorized user.
Reproducibility (Always/Intermittent/Only Once): Always
Build Details:
Additional info (Such as Logs, Screenshots, etc):
There is no reference or documentation describing the RBAC policies for the Orchestrator plugin. It could be a documentation issue, or a real bug not handled by RHDH or the Orchestrator plugin.
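Because `permission.enabled: true` makes every plugin listed under `pluginsWithPermission` deny-by-default, a role that has no `allow` row for a plugin gets nothing from it, which is consistent with the symptom above: `orchestrator` is enforced, but the policy CSV carries no orchestrator rows for either role. The following script is an added example, not code from RHDH, the Orchestrator plugin or this report. It parses a Casbin-style `rbac-policy.csv` (the `p, role, permission, action, effect` and `g, member, role` row layout used by the RBAC plugin) and reports, per role, which enforced plugins have no `allow` rule at all. It assumes the heuristic that a permission or resource type belongs to a plugin when its name starts with the plugin id (`catalog-entity`, `catalog.entity.read` -> `catalog`); the RBAC plugin's own permissions are named `policy-entity` / `policy.entity.*`, so that alias is mapped explicitly. The sample policy is a constructed excerpt of the CSV above.

```python
"""Audit an RHDH rbac-policy.csv against app-config's pluginsWithPermission.

Added example (not code from RHDH, the Orchestrator plugin or this report).
Row layout assumed:
    p, <role>, <permission or resource type>, <action>, allow|deny
    g, <user or group>, <role>
Plugin membership of a permission is inferred from its name prefix (an
assumption): catalog-entity and catalog.entity.read both belong to 'catalog'.
"""
import csv
import io

# Plugins whose permissions are not named after the plugin id (known alias:
# the RBAC 'permission' plugin uses policy-entity / policy.entity.*).
PERMISSION_ALIASES = {"permission": ("policy-entity", "policy.entity")}

# Constructed sample: an excerpt of the report's rbac-policy.csv.
SAMPLE_POLICY = """\
# Catalog permissions
p, role:default/team-a, catalog-entity, read, allow
p, role:default/team-a, catalog.entity.read, read, allow
# Scaffolder permissions
p, role:default/team-a, scaffolder-template, read, allow
p, role:default/team-a, scaffolder.task.read, read, allow
# Lightspeed permissions
p, role:default/team-a, lightspeed.chat.read, read, allow
# Team-B Role
p, role:default/team-b, catalog-entity, read, allow
p, role:default/team-b, scaffolder-template, read, deny
p, role:default/team-b, scaffolder.task.read, read, deny
# Groups
g, group:default/team-a, role:default/team-a
g, group:default/team-b, role:default/team-b
"""

# The pluginsWithPermission list from the report's app-config.
SAMPLE_PLUGINS = ["catalog", "scaffolder", "permission", "orchestrator"]


def parse_policy(text):
    """Return ({role: [(permission, action, effect)]}, {member: [roles]})."""
    rules, memberships = {}, {}
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or row[0].startswith("#"):
            continue  # blank line or comment
        kind = row[0].strip()
        if kind == "p" and len(row) == 5:
            _, role, perm, action, effect = (c.strip() for c in row)
            rules.setdefault(role, []).append((perm, action, effect))
        elif kind == "g" and len(row) == 3:
            _, member, role = (c.strip() for c in row)
            memberships.setdefault(member, []).append(role)
    return rules, memberships


def permission_belongs_to(perm, plugin):
    """Heuristic: the permission/resource-type name starts with the plugin id."""
    prefixes = (plugin,) + PERMISSION_ALIASES.get(plugin, ())
    return any(perm == p or perm.startswith(p + ".") or perm.startswith(p + "-")
               for p in prefixes)


def plugins_without_allow(rules, plugins):
    """For each role, list enforced plugins that no 'allow' row covers.

    With permission.enabled: true these plugins are deny-by-default, so a role
    with no allow row for one of them gets nothing from it. Rows that only
    'deny' count as no allow rule.
    """
    report = {}
    for role, role_rules in rules.items():
        missing = [
            plugin for plugin in plugins
            if not any(effect == "allow" and permission_belongs_to(perm, plugin)
                       for perm, _action, effect in role_rules)
        ]
        if missing:
            report[role] = missing
    return report


if __name__ == "__main__":
    rules, groups = parse_policy(SAMPLE_POLICY)
    for role, missing in plugins_without_allow(rules, SAMPLE_PLUGINS).items():
        print(f"{role}: no allow rule for {', '.join(missing)}")
```

Run against the real files, the report lists `orchestrator` (and `permission`) for both roles, which is the gap the description points at; once the Orchestrator permission names are documented, the same check confirms that the added rows actually match an enforced plugin id.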
is documented by: RHIDP-9739 [Doc] Orchestrator Permissions (status: New)