Red Hat Internal Developer Platform / RHIDP-2139

Filtering for permissions policies that do not exist leads to an error being thrown


    • Bug
    • Resolution: Done
    • Minor
    • 1.3
    • 1.1.1
    • RBAC Plugin
    • None
    • 2
    • False
    • None
    • False
    • RHIDP-1431 - Engineering Improvements
    • Before this update, permission checks by the permission framework would throw an error if a matching permission policy was not previously defined.
      Therefore, {product-short} denied the request with an error.

      With this update, {product-short} denies the request without throwing an error.
    • Bug Fix
    • Done
    • Low

      Description of problem:

      Recently, we introduced the ability to reduce the number of permissions that the enforcer checks against during enforcement. It seems like this led to an error whenever we attempt to filter for a permission that is not defined through the REST API or the CSV file.

      error: Policy check failed with Error: Entity reference must not be empty {"plugin":"permission","service":"backstage","timestamp":"2024-04-23 13:08:41"}

      This error is happening because the enforcer is being loaded with no permissions at all, which results in it being unable to perform any checks.

      Prerequisites (if any, like setup, operators/versions):

      Steps to Reproduce

      1. Create a CSV file with the following:
        • g, user:default/<YOUR_USERNAME>, role:default/policy-error
          p, role:default/policy-error, catalog-entity, read, allow
      2. Enable the RBAC Backend plugin using the following:
        • permission:
            enabled: true
            rbac:
              policies-csv-file: ../<PATH>/<TO>/<CSV-FILE>.csv
      3. Attempt to navigate to the home page of the catalog

      Actual results:

      Throws an error for the permission `catalog.entity.create` and denies the request.

      Expected results:

      It should just deny the request without throwing an error

      Reproducibility (Always/Intermittent/Only Once):

      Build Details:

      Additional info (Such as Logs, Screenshots, etc):

            rh-ee-dzemanov Dominika Zemanovicova
            rh-ee-pknight Patrick Knight
            RHIDP - Plugins
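The expected behaviour in this issue, as a simplified model added here for illustration (not the RBAC plugin's code; the types, function names and the user `alice` are hypothetical): policies are filtered down to the requested permission, and an empty result is returned as a deny decision rather than raised as an error.

```typescript
// Added illustration: a simplified model, not the RBAC plugin's implementation.
// All type and function names here are hypothetical.
type RbacDecision = "ALLOW" | "DENY";
interface PolicyRule { role: string; permission: string; action: string; effect: string; }
interface RoleGrouping { user: string; role: string; }
interface PolicySet { policies: PolicyRule[]; groupings: RoleGrouping[]; }

// Constructed sample in the same shape as the CSV from the reproduction steps.
const SAMPLE_CSV = [
  "g, user:default/alice, role:default/policy-error",
  "p, role:default/policy-error, catalog-entity, read, allow",
].join("\n");

// Parse "g" (user-to-role) and "p" (policy) lines; skip anything else.
function parsePolicyCsv(csv: string): PolicySet {
  const set: PolicySet = { policies: [], groupings: [] };
  for (const line of csv.split("\n")) {
    const fields = line.split(",").map(s => s.trim());
    const [kind = "", a = "", b = "", c = "", d = ""] = fields;
    if (kind === "g" && fields.length === 3) {
      set.groupings.push({ user: a, role: b });
    } else if (kind === "p" && fields.length === 5) {
      set.policies.push({ role: a, permission: b, action: c, effect: d });
    }
  }
  return set;
}

// Filter the policies down to the requested permission, then decide.
// An empty filtered set is an ordinary outcome: return DENY, do not throw.
function checkPermission(set: PolicySet, user: string, permission: string, action: string): RbacDecision {
  const roles = set.groupings.filter(g => g.user === user).map(g => g.role);
  const relevant = set.policies.filter(p =>
    p.permission === permission && p.action === action && roles.indexOf(p.role) !== -1);
  if (relevant.length === 0) return "DENY"; // nothing defined for this permission
  if (relevant.some(p => p.effect === "deny")) return "DENY"; // explicit deny wins
  return relevant.some(p => p.effect === "allow") ? "ALLOW" : "DENY";
}
```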