RHIDP-4069 (Red Hat Internal Developer Platform)

Conditional alias `$ownerRefs` does not work


    • Bug
    • Resolution: Done
    • Normal
    • 1.3.1
    • 1.3
    • Plugins
    • 1
    • False
    • False
    • Before this update, a conditional alias that uses `$ownerRefs` did not work. With this update, a conditional alias can use `$ownerRefs`.
    • Bug Fix
    • Done
    • RHDH Plugins 3263, RHDH Plugins 3265

      [2533219619] Upstream Reporter: mbmoon
      Upstream issue status: Open
      Upstream description:

      According to https://github.com/janus-idp/backstage-plugins/blob/a31020647ffcf210fc4d6434d6613aa0ecce71b7/plugins/rbac-backend/docs/conditions.md#conditional-policy-aliases, I have put the following condition in the conditional file:

      ---
      result: CONDITIONAL
      roleEntityRef: 'role:default/Group.Read2'
      pluginId: catalog
      resourceType: catalog-entity
      permissionMapping:
        - read
      conditions:
        rule: IS_ENTITY_OWNER
        resourceType: catalog-entity
        params:
          claims:
            - '$currentUser'

      It works as expected when the catalog item has

      spec:
        lifecycle: experimental
        type: website
        owner: user:default/my_user_example_com

      But when I use $ownerRefs for the condition and use my group as owner for the catalog item, it doesn't return any catalog items.

      ---
      result: CONDITIONAL
      roleEntityRef: 'role:default/Group.Read2'
      pluginId: catalog
      resourceType: catalog-entity
      permissionMapping:
        - read
      conditions:
        rule: IS_ENTITY_OWNER
        resourceType: catalog-entity
        params:
          claims:
            - '$ownerRefs'

      What is wrong? If I do something wrong, maybe you could provide more detailed documentation on how to use $ownerRefs.

      My expectation is that I should see all catalog items that have the same owner as my parent group.


      Upstream URL: https://github.com/janus-idp/backstage-plugins/issues/2197
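
The behavior the report expects, as an added example that is not part of the original issue and not the rbac-backend plugin's code: `$currentUser` stands for the user's entity reference and `$ownerRefs` for the user's ownership references (the user plus parent groups), per the linked conditions.md. Assumptions: the group name `group:default/my_group`, the function names, and the reduction of `IS_ENTITY_OWNER` to a comparison against `spec.owner` are all hypothetical.

```javascript
// Simplified model of conditional-alias expansion; not the rbac-backend plugin's code.
// Alias meanings follow the conditions.md document linked in the report.

// Constructed sample identity: a user and the parent group it belongs to.
const sampleIdentity = {
  userEntityRef: 'user:default/my_user_example_com',
  ownershipEntityRefs: [
    'user:default/my_user_example_com',
    'group:default/my_group', // hypothetical group name
  ],
};

// Replace aliases inside `claims`. `$ownerRefs` expands to several refs, so the
// result is flattened; a nested array here would never equal any owner string.
function expandClaims(claims, identity) {
  return claims.flatMap((claim) => {
    if (claim === '$currentUser') return [identity.userEntityRef];
    if (claim === '$ownerRefs') return identity.ownershipEntityRefs;
    return [claim]; // literal entity refs pass through unchanged
  });
}

// IS_ENTITY_OWNER modeled as: the entity's spec.owner is one of the claims.
function isEntityOwner(entity, claims) {
  return claims.includes(entity.spec.owner);
}

// Names of the entities a policy with the given claims lets the identity read.
function visibleEntities(entities, rawClaims, identity) {
  const claims = expandClaims(rawClaims, identity);
  return entities.filter((e) => isEntityOwner(e, claims)).map((e) => e.name);
}

// Constructed catalog: one user-owned, one group-owned, one foreign entity.
const sampleCatalog = [
  { name: 'user-site', spec: { owner: 'user:default/my_user_example_com' } },
  { name: 'group-site', spec: { owner: 'group:default/my_group' } },
  { name: 'other-site', spec: { owner: 'group:default/other_team' } },
];

console.log(visibleEntities(sampleCatalog, ['$currentUser'], sampleIdentity));
console.log(visibleEntities(sampleCatalog, ['$ownerRefs'], sampleIdentity));
```

A policy check of this shape is also useful as a regression test after upgrading: the group-owned entity must appear for `$ownerRefs`, and the entity owned by another team must not.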

              oandriie Aleksander Andriienko
              upstream-sync Upstream Sync
              RHIDP - Plugins