Red Hat Internal Developer Platform / RHIDP-4378

Admin users should have high privilege


    • Story
    • Resolution: Done
    • Normal
    • 1.3.1
    • 1.3
    • Plugins
    • False
    • False
    • A conditional alias that uses `$ownerRefs` doesn't work. There is no workaround.
    • Known Issue
    • Done

      [2533219619] Upstream Reporter: mbmoon
      Upstream issue status: Open
      Upstream description:

      According to https://github.com/janus-idp/backstage-plugins/blob/a31020647ffcf210fc4d6434d6613aa0ecce71b7/plugins/rbac-backend/docs/conditions.md#conditional-policy-aliases, I have put the following condition in the conditional file:

      ---
      result: CONDITIONAL
      roleEntityRef: 'role:default/Group.Read2'
      pluginId: catalog
      resourceType: catalog-entity
      permissionMapping:
        - read
      conditions:
        rule: IS_ENTITY_OWNER
        resourceType: catalog-entity
        params:
          claims:
            - '$currentUser'

      It works as expected when the catalog item has

      spec:
        lifecycle: experimental
        type: website
        owner: user:default/my_user_example_com

      But when I use $ownerRefs for the condition and use my group as the owner of the catalog item, it doesn't return any catalog items.

      ---
      result: CONDITIONAL
      roleEntityRef: 'role:default/Group.Read2'
      pluginId: catalog
      resourceType: catalog-entity
      permissionMapping:
        - read
      conditions:
        rule: IS_ENTITY_OWNER
        resourceType: catalog-entity
        params:
          claims:
            - '$ownerRefs'

      What is wrong? If I am doing something wrong, maybe you could provide more detailed documentation on how to use $ownerRefs.

      My expectation is that I should see all catalog items that have the same owner as my parent group.


      Upstream URL: https://github.com/janus-idp/backstage-plugins/issues/2197
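
The behaviour the reporter expected from the two aliases, as an added example that is not part of the issue and not the rbac-backend plugin's code. It is a simplified model that assumes `$currentUser` stands for the user's entity reference, `$ownerRefs` stands for the user's ownership references (the user plus parent groups), and `IS_ENTITY_OWNER` matches an entity's `ownedBy` relations against the claims; the group name, entity names and function names are constructed for illustration.

```javascript
// Simplified model (assumption), not the plugin's implementation.
// Constructed identity: the user from the report plus a hypothetical parent group.
const identity = {
  userEntityRef: 'user:default/my_user_example_com',
  ownershipEntityRefs: ['user:default/my_user_example_com', 'group:default/my_group'],
};

// Constructed catalog. The catalog derives ownedBy relations from spec.owner.
const entities = [
  { name: 'user-owned-site', relations: [{ type: 'ownedBy', targetRef: 'user:default/my_user_example_com' }] },
  { name: 'group-owned-site', relations: [{ type: 'ownedBy', targetRef: 'group:default/my_group' }] },
  { name: 'other-site', relations: [{ type: 'ownedBy', targetRef: 'group:default/other_team' }] },
];

// Substitute aliases anywhere in the condition params. An alias that stands
// for a list is spliced into the surrounding array, not nested inside it.
function expandAliases(value, id) {
  if (Array.isArray(value)) {
    return value.flatMap(v => (v === '$ownerRefs' ? id.ownershipEntityRefs : [expandAliases(v, id)]));
  }
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, expandAliases(v, id)]));
  }
  if (value === '$currentUser') return id.userEntityRef;
  if (value === '$ownerRefs') return [...id.ownershipEntityRefs];
  return value; // anything else is kept literally and will match no owner
}

// IS_ENTITY_OWNER: true when any ownedBy relation targets one of the claims.
function isEntityOwner(entity, claims) {
  return entity.relations.some(r => r.type === 'ownedBy' && claims.includes(r.targetRef));
}

// Names of the entities a conditional read policy lets this identity see.
function readableEntities(condition, id, catalog) {
  if (condition.rule !== 'IS_ENTITY_OWNER') throw new Error(`unsupported rule: ${condition.rule}`);
  const { claims } = expandAliases(condition.params, id);
  return catalog.filter(e => isEntityOwner(e, claims)).map(e => e.name);
}

// The condition block from the issue, parameterised by the alias under test.
const condition = alias => ({ rule: 'IS_ENTITY_OWNER', resourceType: 'catalog-entity', params: { claims: [alias] } });

console.log(readableEntities(condition('$currentUser'), identity, entities));
console.log(readableEntities(condition('$ownerRefs'), identity, entities));
```

Under this model `$currentUser` yields only the user-owned entity and `$ownerRefs` adds the group-owned one; the issue reports that the second case returns no catalog items at all.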

              oandriie Aleksander Andriienko
              wisemax Maxim R. (Inactive)