-
Task
-
Resolution: Won't Do
-
Critical
-
None
-
False
-
-
False
-
RHIDP-2144 - RHDH 1.3 Release (Feature)
-
-
Removed Functionality
-
Rejected
-
-
Spike to collect breaking changes for release notes and requirement for any new/reworked content
This is the complete list of breaking changes published for Backtage 1.28. Which are worth mentioning in the release notes?
https://github.com/backstage/backstage/releases/tag/v1.28.0 :{}
BREAKING: Proxy backend plugin protected by default
The proxy backend plugin is now protected by Backstage auth, by default. Unless specifically configured (see below), all proxy endpoints will reject requests immediately unless a valid Backstage user or service token is passed along with the request. This aligns the proxy with how other Backstage backends behave out of the box, and serves to protect your upstreams from unauthorized access.
Here's an example of how to configure:
proxy: endpoints: '/pagerduty': target: https://api.pagerduty.com + credentials: require headers: Authorization: Token token=${PAGERDUTY_TOKEN}
There are three credentials settings:
- require: Callers need Backstage credentials. These are not forwarded to the target.
- forward: Callers need Backstage credentials, which are forwarded to the target.
- dangerously-allow-unauthenticated: No Backstage credentials needed. Target can apply its own checks. Incoming tokens of any sort will be allowed but ignored, and will also be forwarded if allowedHeaders: ['Authorization'] is included.
The new default is require, replacing the old dangerously-allow-unauthenticated. This means some previously permitted requests may now result in 401 Unauthorized responses. This does not apply if backend.auth.dangerouslyDisableDefaultAuthPolicy is set to true.
For proxy endpoints still requiring unauthenticated access, add credentials: dangerously-allow-unauthenticated in your app-config.
See the proxy documentation for more information.
BREAKING: Gerrit integration breaking changes
- The workdir argument have been removed from The GerritUrlReader constructor;
- The Gerrit readTree implementation will now only use the Gitiles api, so the support for using git to clone the repo has been removed;
- The gitilesBaseUrl is now mandatory for the Gerrit integration and the ability to override this requirement using the DISABLE_GERRIT_GITILES_REQUIREMENT environment variable has been removed.
Contributed by 
BREAKING: Github integration breaking changes
- Removed deprecated code from when casing was changed from GitHub to Github nearly two years ago. The following items have been removed:
- getGitHubFileFetchUrl (use getGithubFileFetchUrl instead)
- GitHubIntegrationConfig (use GithubIntegrationConfig instead)
- GitHubIntegration (use GithubIntegration instead)
- readGitHubIntegrationConfig (use readGithubIntegrationConfig instead)
- readGitHubIntegrationConfigs (use readGithubIntegrationConfigs instead)
- replaceGitHubUrlType (use replaceGithubUrlType instead)
Contributed by 
BREAKING: OAuth Scope Updates
The way that OAuth-based auth providers handle scopes has received several updates. There is now a new .additionalScopes configuration for all OAuth providers, which can be used to request additional scopes for all sessions. Many providers already had a similar configuration, but in most cases this did not work correctly as scopes requested by the client would override the configured set.
Many providers now also have a set of required scopes that will always be present. This is in contrast to the previous solution where the client would be responsible for including a set of baseline scopes.
A bug has also been fixed in the handling of persistent scopes, which could break session refresh for some providers, such as GitHub.
BREAKING: User Info service
Limited-access user tokens (as used in cookies) no longer contain the ent ownership claim. This is notably used by TechDocs and the app-backend. If you use those services, you may want to log out and in again.
Background: As part of the previous auth improvements, we added the coreServices.userInfo service. This service can extract user details from incoming credentials - notably the so-called ent claim with its ownership information.
In this release, the auth backend part of this has been implemented, such that the information returned by your sign-in resolver gets persisted and can be acquired after the fact. With this in place, we could finally start slimming down on token sizes, starting with the cookie tokens. Unfortunately this has to be done in such a way that it’s breaking in the short term.
If any issues persist, try clearing your cookies, and then reach out to us on Discord or with an issue if necessary.
https://github.com/backstage/backstage/blob/master/docs/releases/v1.28.0-changelog.md
@backstage/backend-defaults@0.3.0
Minor Changes
https://github.com/backstage/backstage/blob/master/docs/releases/v1.28.0-changelog.md#minor-changes-1 * 662dce8: BREAKING: The workdir argument have been removed from The GerritUrlReader constructor.
BREAKING: The Gerrit readTree implementation will now only use the Gitiles api. Support for using git to clone the repo has been removed.
@backstage/integration@1.12.0
Minor Changes
https://github.com/backstage/backstage/blob/master/docs/releases/v1.28.0-changelog.md#minor-changes-3 * be1014d: BREAKING Removed deprecated code from when casing was changed from GitHub to Github nearly two years ago. The following items have been removed:
-
- getGitHubFileFetchUrl (use getGithubFileFetchUrl instead)
- GitHubIntegrationConfig (use GithubIntegrationConfig instead)
- GitHubIntegration (use GithubIntegration instead)
- readGitHubIntegrationConfig (use readGithubIntegrationConfig instead)
- readGitHubIntegrationConfigs (use readGithubIntegrationConfigs instead)
- replaceGitHubUrlType (use replaceGithubUrlType instead)
- 395b973: Implemented readTree for Harness provider to support TechDocs functionality
- 662dce8: BREAKING: gitilesBaseUrl is now mandatory for the Gerrit integration. The ability to override this requirement using the DISABLE_GERRIT_GITILES_REQUIREMENT environment variable has been removed.
@backstage/plugin-auth-backend-module-oauth2-provider@0.2.0
Minor Changes
https://github.com/backstage/backstage/blob/master/docs/releases/v1.28.0-changelog.md#minor-changes-5 * 8efc6cf: BREAKING: The scope config option have been removed and replaced by the standard additionalScopes config.
@backstage/plugin-auth-backend-module-oidc-provider@0.2.0
Minor Changes
https://github.com/backstage/backstage/blob/master/docs/releases/v1.28.0-changelog.md#minor-changes-6 * 8efc6cf: BREAKING: The scope config option have been removed and replaced by the standard additionalScopes config. In addition, openid, profile, and email scopes have been set to required and will always be present.
@backstage/plugin-auth-backend-module-vmware-cloud-provider@0.2.0
Minor Changes
https://github.com/backstage/backstage/blob/master/docs/releases/v1.28.0-changelog.md#minor-changes-8 * 8efc6cf: BREAKING: The scope config option have been removed and replaced by the standard additio
@backstage/plugin-proxy-backend@0.5.0
Minor Changes
- 88480e4: BREAKING: The proxy backend plugin is now protected by Backstage auth, by default. Unless specifically configured (see below), all proxy endpoints will reject requests immediately unless a valid Backstage user or service token is passed along with the request. This aligns the proxy with how other Backstage backends behave out of the box, and serves to protect your upstreams from unauthorized access.
A proxy configuration section can now look as follows:
proxy: endpoints: '/pagerduty': target: https://api.pagerduty.com credentials: require # NEW! headers: Authorization: Token token=${PAGERDUTY_TOKEN}
There are three possible credentials settings at this point:
- require: Callers must provide Backstage user or service credentials with each request. The credentials are not forwarded to the proxy target.
- forward: Callers must provide Backstage user or service credentials with each request, and those credentials are forwarded to the proxy target.
- dangerously-allow-unauthenticated: No Backstage credentials are required to access this proxy target. The target can still apply its own credentials checks, but the proxy will not help block non-Backstage-blessed callers. If you also add allowedHeaders: ['Authorization'] to an endpoint configuration, then the Backstage token (if provided) WILL be forwarded.
The value dangerously-allow-unauthenticated was the old default.
The value require is the new default, so requests that were previously permitted may now start resulting in 401 Unauthorized responses. If you have backend.auth.dangerouslyDisableDefaultAuthPolicy set to true, this does not apply; the proxy will behave as if all endpoints were set to dangerously-allow-unauthenticated.
If you have proxy endpoints that require unauthenticated access still, please add credentials: dangerously-allow-unauthenticated to their declarations in your app-config.
@backstage/plugin-search-backend-module-elasticsearch@1.5.0
Minor Changes
https://github.com/backstage/backstage/blob/master/docs/releases/v1.28.0-changelog.md#minor-changes-23 * b186701: BREAKING: The ElasticSearch indexer will now delete stale indices matching the indexer's pattern. The method getAliases of ElasticSearchClientWrapper has been deprecated and might be removed in future releases.
An indexer using the some-type-index__* pattern will remove indices matching this pattern after indexation to prevent stale indices leading to shards exhaustion.
Before upgrading ensure that the index pattern doesn't match indices that are not managed by Backstage and thus shouldn't be deleted.
Note: The ElasticSearch indexer already uses wildcards patterns to remove aliases on these indices.
@backstage/backend-plugin-api@0.6.19
Patch Changes
https://github.com/backstage/backstage/blob/master/docs/releases/v1.28.0-changelog.md#patch-changes-28 * 78a0b08: DEPRECATION: You should no longer do a function call on backend features when adding them to backends. The support for doing that is deprecated, and you should remove all trailing () parentheses after plugins and modules where you add them to your backend or test backends (e.g. when using startTestBackend).
The background for this is that createBackendPlugin and createBackendModule function now effectively return a BackendFeature rather than a () => BackendFeature. This is part of the cleanup efforts for New Backend System 1.0. In the short run this is non-breaking because the feature type has been given a callback signature that returns itself. But we strongly recommend that you remove all now-redundant calls made to feature objects, because that callback signature will be removed in a future release.
Service factories are still callbacks at this point.
Example change:
await startTestBackend({ features: [ eventsServiceFactory(), // service - stays unchanged - catalogModuleBitbucketCloudEntityProvider(), // module - remove parentheses + catalogModuleBitbucketCloudEntityProvider,
@backstage/plugin-auth-backend-module-pinniped-provider@0.1.13
Patch Changes
https://github.com/backstage/backstage/blob/master/docs/releases/v1.28.0-changelog.md#patch-changes-67 * 78a0b08: Internal refactor to handle BackendFeature contract change.
- 8efc6cf: BREAKING: The scope config option have been removed and replaced by the standard additionalScopes config. In addition, the openid, pinniped:request-audience, username, and offline_access scopes have been set to required and will always be present.
- d44a20a: Adde
- is related to
-
-
- Closed
-
-
-
- Closed
-
