First bug report: RBAC: Aliases should work for all rules

Plugin Name

rbac

🔖 Feature description

As far as I see currently rbac plugin supports aliases: $currentUser and $ownerRefs only for rule: 'IS_ENTITY_OWNER'. I need to extend this to be able to use with rule: 'HAS_ANNOTATION'. Currently the following configuration sees $currentUser as String

 
{{- allOf:

• rule: HAS_ANNOTATION
  resourceType: catalog-entity
  params:
  value: "$currentUser "
  annotation: "template/creator"
• rule: IS_ENTITY_KIND
  resourceType: catalog-entity
  params:
  kinds:
• "Component"}}
   
  if I use as annotation the same value. It evaluates it correctly, but if I place there something like user:default/tom and tom is trying to do requited operations it doesn't work

 
template/creator: $currentUser
 
Feature request: Expand alias functionality for all rules, so it can be passed to value field and evaluated as expected.

🎤 Context

I want to provide delete permission for case when specific annotation is set to user's entityRef. Owner of Catalog item should be a group and all members can see the item but only User who is mentioned in Annotation should be able to delete the Catalog item.

Due to this field spec.owner uses Group as owner ref.

✌️ Possible Implementation

No response

👀 Have you spent some time to check if this feature request has been raised before?

•  
  I checked and didn't find similar issue
   

🏢 Have you read the Code of Conduct?

•  
  I have read the Code of Conduct
   

Are you willing to submit PR?

None

Second bug report: RBAC: Conditional permission to view owned resources by Group not working with $ownerRefs alias

Workspace

rbac

📜 Description

Our current backstage setup uses Azure Auth and Entra ID integration to authenticate and manage users and groups.
To ensure division of permission we installed and configured RBAC plugin.
Our current goal is to give to the user possibility to read only catalog entities which are owned by group to which user belongs.
We are not able to use alias $ownerRefs to provide user and group dynamically to filer owned resources in conditional permissions.
If We use an alias there is no visible entities in catalog, change to the static providing group under claims resolve the problem.
Providing the static name of the group is like workaround as that solution will be problematic in case of higher counter of groups

👍 Expected behavior

Able to read catalog entities which owned by group to which user belongs

👎 Actual Behavior with Screenshots

If We use an alias $ownerRefs in conditional permissions there is no visible entities in catalog

👟 Reproduction steps

All setup provided in context section

1. Setup Azure Auth in Backstage Instance
2. Setup Entra ID Integration to grab org data
3. Configure rbac plugin
4. Setup attached rbac rules and conditional permissions
5. Register existing component
6. Login with user which is not in admin group
7. Display owned component in catalog

📃 Provide the context for the Bug.

RBAC

 
{{ p, role:default/admins, catalog-entity, read, allow
p, role:default/admins, catalog.entity.read, read, allow
p, role:default/admins, catalog.entity.create, create, allow
p, role:default/admins, catalog.entity.refresh, update, allow
p, role:default/admins, catalog.entity.delete, delete, allow
p, role:default/admins, catalog.location.read, read, allow
p, role:default/admins, catalog.location.create, create, allow
p, role:default/admins, catalog.location.delete, delete, allow

p, role:default/admins, policy.entity.read, read, allow
p, role:default/admins, policy.entity.create, create, allow
p, role:default/admins, policy.entity.update, update, allow
p, role:default/admins, policy.entity.delete, delete, allow

p, role:default/admins, scaffolder.template.parameter.read, read, allow
p, role:default/admins, scaffolder.template.step.read, read, allow
p, role:default/admins, scaffolder.task.read, read, allow
p, role:default/admins, scaffolder.task.create, create, allow
p, role:default/admins, scaffolder.template.management, use, allow
p, role:default/admins, scaffolder.task.cancel, use, allow
p, role:default/admins, scaffolder-action, use, allow

g, group:default/<USER_GROUP>, role:default/ownerread
g, group:default/<ADMIN_GROUP>, role:default/admins}}
 
Conditional RBAC which doesn't work

 
{{ —
result: CONDITIONAL
roleEntityRef: 'role:default/ownerread'
pluginId: catalog
resourceType: catalog-entity
permissionMapping:

• read
  conditions:
  anyOf:
• rule: IS_ENTITY_KIND
  resourceType: catalog-entity
  params:
  kinds:
• Group
• User
• rule: IS_ENTITY_OWNER
  resourceType: catalog-entity
  params:
  claims:
• $ownerRefs}}
   
  Conditional RBAC which works

 
{{ —
result: CONDITIONAL
roleEntityRef: 'role:default/ownerread'
pluginId: catalog
resourceType: catalog-entity
permissionMapping:

• read
  conditions:
  anyOf:
• rule: IS_ENTITY_KIND
  resourceType: catalog-entity
  params:
  kinds:
• Group
• User
• rule: IS_ENTITY_OWNER
  resourceType: catalog-entity
  params:
  claims:
• group:default/<USER_GROUP>}}
   
  Example Entity definition

 
{{apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
name: NewComponent
description: example new Component
spec:
type: service
lifecycle: experimental
owner: group:default/<USER_GROUP>}}
 
User entity

 
{{apiVersion: backstage.io/v1alpha1
kind: User
metadata:
namespace: default
annotations:
backstage.io/managed-by-location: msgraph:default/xxxxx
backstage.io/managed-by-origin-location: msgraph:default/xxxxxx
graph.microsoft.com/user-id: xxxxx
microsoft.com/email: user.name@example.com
name: user.name_example.com
relations:

• type: memberOf
  targetRef: group:default/<USER_GROUP>
  target:
  kind: group
  namespace: default
  name: <USER_GROUP>
  spec:
  profile:
  displayName: Name, User
  email: user.name@example.com
  picture: data:image/jpeg;base64,xxxxxxxx
  memberOf:
• group:default/<USER_GROUP>}}
   
  Group entity
   {{apiVersion: backstage.io/v1alpha1
  kind: Group
  metadata:
  namespace: default
  annotations:
  backstage.io/managed-by-location: msgraph:default/xxxxx
  backstage.io/managed-by-origin-location: msgraph:default/xxxx
  graph.microsoft.com/group-id: xxxx
  name: <USER_GROUP>
  relations:
• type: childOf
  targetRef: group:default/<PARENT_USER_GROUP>
  target:
  kind: group
  namespace: default
  name: <PARENT_USER_GROUP>
• type: hasMember
  targetRef: user:default/user.name_example.com
  target:
  kind: user
  namespace: default
  name: user.name@example.com}}
   

  👀 Have you spent some time to check if this bug has been raised before?

•  
  I checked and didn't find similar issue
   

🏢 Have you read the Code of Conduct?

•  
  I have read the Code of Conduct
   

Are you willing to submit PR?

None
Create sub-issue
 
👍3
 
 

Upstream links: https://github.com/backstage/community-plugins/issues/2409 and https://github.com/backstage/community-plugins/issues/2950