Red Hat Developer Hub Bugs / RHDHBUGS-1032

RBAC: Aliases should work for all rules


    • Type: Bug
    • Resolution: Done
    • Priority: Normal
    • 1.5.0
    • RBAC Plugin, Upstream
    • RHDH Plugins 3270, RHDH Plugins 3271

      First bug report: RBAC: Aliases should work for all rules

      Plugin Name

      rbac

      🔖 Feature description

      As far as I can see, the RBAC plugin currently supports the aliases $currentUser and $ownerRefs only for the rule IS_ENTITY_OWNER. I need to extend this so they can be used with the rule HAS_ANNOTATION. Currently the following configuration sees $currentUser as a plain string:

      {{
      - allOf:
          - rule: HAS_ANNOTATION
            resourceType: catalog-entity
            params:
              value: "$currentUser"
              annotation: "template/creator"
          - rule: IS_ENTITY_KIND
            resourceType: catalog-entity
            params:
              kinds:
                - "Component"
      }}
      If I use the same literal value as the annotation, it evaluates correctly, but if I put something like user:default/tom there and tom tries to perform the required operations, it doesn't work:

      {{
      template/creator: $currentUser
      }}
      Feature request: Expand alias functionality to all rules, so that an alias can be passed in the value field and evaluated as expected.

      🎤 Context

      I want to grant delete permission for the case where a specific annotation is set to the user's entityRef. The owner of the catalog item should be a group, and all members can see the item, but only the user mentioned in the annotation should be able to delete the catalog item.

      Because of this, the spec.owner field uses a Group as the owner ref.

      ✌️ Possible Implementation

      No response

      👀 Have you spent some time to check if this feature request has been raised before?

      •  
        I checked and didn't find similar issue
         

      🏢 Have you read the Code of Conduct?

      Are you willing to submit a PR?

      None

       

      Second bug report: RBAC: Conditional permission to view owned resources by Group not working with $ownerRefs alias

       

      Workspace

      rbac

      📜 Description

      Our current Backstage setup uses Azure Auth and the Entra ID integration to authenticate and manage users and groups.
      To ensure separation of permissions, we installed and configured the RBAC plugin.
      Our current goal is to give the user the possibility to read only catalog entities which are owned by a group to which the user belongs.
      We are not able to use the alias $ownerRefs to provide the user and group dynamically to filter owned resources in conditional permissions.
      If we use the alias, no entities are visible in the catalog; changing to a statically provided group under claims resolves the problem.
      Providing the static name of the group is only a workaround, as that solution will be problematic with a higher number of groups.

      👍 Expected behavior

      Able to read catalog entities which are owned by a group to which the user belongs.

       

      👎 Actual Behavior with Screenshots

      If we use the alias $ownerRefs in conditional permissions, no entities are visible in the catalog.

      👟 Reproduction steps

      The full setup is provided in the context section.

      1. Setup Azure Auth in Backstage Instance
      2. Setup Entra ID Integration to grab org data
      3. Configure rbac plugin
      4. Setup attached rbac rules and conditional permissions
      5. Register existing component
      6. Login with user which is not in admin group
      7. Display owned component in catalog

      📃 Provide the context for the Bug.

      RBAC

       
      {{
      p, role:default/admins, catalog-entity, read, allow
      p, role:default/admins, catalog.entity.read, read, allow
      p, role:default/admins, catalog.entity.create, create, allow
      p, role:default/admins, catalog.entity.refresh, update, allow
      p, role:default/admins, catalog.entity.delete, delete, allow
      p, role:default/admins, catalog.location.read, read, allow
      p, role:default/admins, catalog.location.create, create, allow
      p, role:default/admins, catalog.location.delete, delete, allow

      p, role:default/admins, policy.entity.read, read, allow
      p, role:default/admins, policy.entity.create, create, allow
      p, role:default/admins, policy.entity.update, update, allow
      p, role:default/admins, policy.entity.delete, delete, allow

      p, role:default/admins, scaffolder.template.parameter.read, read, allow
      p, role:default/admins, scaffolder.template.step.read, read, allow
      p, role:default/admins, scaffolder.task.read, read, allow
      p, role:default/admins, scaffolder.task.create, create, allow
      p, role:default/admins, scaffolder.template.management, use, allow
      p, role:default/admins, scaffolder.task.cancel, use, allow
      p, role:default/admins, scaffolder-action, use, allow

      g, group:default/<USER_GROUP>, role:default/ownerread
      g, group:default/<ADMIN_GROUP>, role:default/admins
      }}
       
      Conditional RBAC which doesn't work

       
      {{
      ---
      result: CONDITIONAL
      roleEntityRef: 'role:default/ownerread'
      pluginId: catalog
      resourceType: catalog-entity
      permissionMapping:
        - read
      conditions:
        anyOf:
          - rule: IS_ENTITY_KIND
            resourceType: catalog-entity
            params:
              kinds:
                - Group
                - User
          - rule: IS_ENTITY_OWNER
            resourceType: catalog-entity
            params:
              claims:
                - $ownerRefs
      }}

      Conditional RBAC which works

       
      {{
      ---
      result: CONDITIONAL
      roleEntityRef: 'role:default/ownerread'
      pluginId: catalog
      resourceType: catalog-entity
      permissionMapping:
        - read
      conditions:
        anyOf:
          - rule: IS_ENTITY_KIND
            resourceType: catalog-entity
            params:
              kinds:
                - Group
                - User
          - rule: IS_ENTITY_OWNER
            resourceType: catalog-entity
            params:
              claims:
                - group:default/<USER_GROUP>
      }}

      Example Entity definition

       
      {{
      apiVersion: backstage.io/v1alpha1
      kind: Component
      metadata:
        name: NewComponent
        description: example new Component
      spec:
        type: service
        lifecycle: experimental
        owner: group:default/<USER_GROUP>
      }}
       
      User entity

       
      {{
      apiVersion: backstage.io/v1alpha1
      kind: User
      metadata:
        namespace: default
        annotations:
          backstage.io/managed-by-location: msgraph:default/xxxxx
          backstage.io/managed-by-origin-location: msgraph:default/xxxxxx
          graph.microsoft.com/user-id: xxxxx
          microsoft.com/email: user.name@example.com
        name: user.name_example.com
      relations:
        - type: memberOf
          targetRef: group:default/<USER_GROUP>
          target:
            kind: group
            namespace: default
            name: <USER_GROUP>
      spec:
        profile:
          displayName: Name, User
          email: user.name@example.com
          picture: data:image/jpeg;base64,xxxxxxxx
        memberOf:
          - group:default/<USER_GROUP>
      }}

      Group entity

      {{
      apiVersion: backstage.io/v1alpha1
      kind: Group
      metadata:
        namespace: default
        annotations:
          backstage.io/managed-by-location: msgraph:default/xxxxx
          backstage.io/managed-by-origin-location: msgraph:default/xxxx
          graph.microsoft.com/group-id: xxxx
        name: <USER_GROUP>
      relations:
        - type: childOf
          targetRef: group:default/<PARENT_USER_GROUP>
          target:
            kind: group
            namespace: default
            name: <PARENT_USER_GROUP>
        - type: hasMember
          targetRef: user:default/user.name_example.com
          target:
            kind: user
            namespace: default
            name: user.name@example.com
      }}
         

        👀 Have you spent some time to check if this bug has been raised before?

      •  
        I checked and didn't find similar issue
         

      🏢 Have you read the Code of Conduct?

      Are you willing to submit a PR?

      None
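One way the alias handling both reports ask for could look, as an added example that is not the RBAC plugin's own code: a resolver that substitutes $currentUser and $ownerRefs in every rule of a condition tree (HAS_ANNOTATION included, with $ownerRefs built from the user's memberOf relations, as in the User entity above), followed by a small evaluator for the three rules used on this page. The function names, the entity shapes, the sample users tom and alice and the group team-a are hypothetical, and IS_ENTITY_OWNER is simplified to a match on spec.owner.

```typescript
// Added example, not code from the RBAC plugin: substitute the $currentUser and
// $ownerRefs aliases in every rule of a condition tree, then evaluate the tree
// against a catalog entity. Function names, entity shapes and sample data are
// hypothetical and simplified (IS_ENTITY_OWNER is matched on spec.owner only).

type Params = { [key: string]: unknown };
interface Rule { rule: string; resourceType: string; params: Params; }
type Condition = Rule | { allOf: Condition[] } | { anyOf: Condition[] } | { not: Condition };

interface Entity {
  kind: string;
  metadata: { name: string; namespace?: string; annotations?: { [key: string]: string } };
  spec?: { owner?: string };
  relations?: { type: string; targetRef: string }[];
}
interface UserInfo { userEntityRef: string; ownershipEntityRefs: string[]; }

// Ownership refs as the second report's User entity expresses them:
// the user's own ref plus the target of every memberOf relation.
function userInfoFrom(user: Entity): UserInfo {
  const self = `user:${user.metadata.namespace ?? 'default'}/${user.metadata.name}`;
  const groups = (user.relations ?? []).filter(r => r.type === 'memberOf').map(r => r.targetRef);
  return { userEntityRef: self, ownershipEntityRefs: [self, ...groups] };
}

// Replace aliases in one param value. Strings are trimmed, so the "$currentUser "
// with a stray trailing space from the first report still resolves. $ownerRefs is
// a list: it is spliced into arrays and replaces a scalar outright.
function substitute(value: unknown, user: UserInfo): unknown {
  if (typeof value === 'string') {
    const v = value.trim();
    return v === '$currentUser' ? user.userEntityRef
         : v === '$ownerRefs' ? user.ownershipEntityRefs : value;
  }
  if (Array.isArray(value)) {
    const out: unknown[] = [];
    for (const item of value) {
      const s = substitute(item, user);
      if (Array.isArray(s)) out.push(...s); else out.push(s);
    }
    return out;
  }
  return value;
}

// Walk the whole tree so every rule, not only IS_ENTITY_OWNER, gets its params
// substituted; this is the behaviour the first report asks for.
function resolveAliases(cond: Condition, user: UserInfo): Condition {
  if ('allOf' in cond) return { allOf: cond.allOf.map(c => resolveAliases(c, user)) };
  if ('anyOf' in cond) return { anyOf: cond.anyOf.map(c => resolveAliases(c, user)) };
  if ('not' in cond) return { not: resolveAliases(cond.not, user) };
  const params: Params = {};
  for (const k of Object.keys(cond.params)) params[k] = substitute(cond.params[k], user);
  return { rule: cond.rule, resourceType: cond.resourceType, params };
}

// Minimal evaluator for the three catalog rules that appear on this page.
function evaluateRule(rule: Rule, entity: Entity): boolean {
  switch (rule.rule) {
    case 'HAS_ANNOTATION': {
      const actual = entity.metadata.annotations?.[rule.params.annotation as string];
      const wanted = rule.params.value as string | undefined;
      return actual !== undefined && (wanted === undefined || actual === wanted);
    }
    case 'IS_ENTITY_KIND':
      return (rule.params.kinds as string[]).some(k => k.toLowerCase() === entity.kind.toLowerCase());
    case 'IS_ENTITY_OWNER': {
      const owner = entity.spec?.owner;
      return owner !== undefined && (rule.params.claims as string[]).indexOf(owner) !== -1;
    }
    default:
      throw new Error(`unsupported rule ${rule.rule}`);
  }
}

function evaluateCondition(cond: Condition, entity: Entity): boolean {
  if ('allOf' in cond) return cond.allOf.every(c => evaluateCondition(c, entity));
  if ('anyOf' in cond) return cond.anyOf.some(c => evaluateCondition(c, entity));
  if ('not' in cond) return !evaluateCondition(cond.not, entity);
  return evaluateRule(cond, entity);
}

function isAllowed(cond: Condition, user: Entity, target: Entity): boolean {
  return evaluateCondition(resolveAliases(cond, userInfoFrom(user)), target);
}

// Constructed sample data mirroring the two reports (hypothetical names).
const deleteCondition: Condition = { allOf: [
  { rule: 'HAS_ANNOTATION', resourceType: 'catalog-entity', params: { value: '$currentUser ', annotation: 'template/creator' } },
  { rule: 'IS_ENTITY_KIND', resourceType: 'catalog-entity', params: { kinds: ['Component'] } },
] };
const readCondition: Condition = { anyOf: [
  { rule: 'IS_ENTITY_KIND', resourceType: 'catalog-entity', params: { kinds: ['Group', 'User'] } },
  { rule: 'IS_ENTITY_OWNER', resourceType: 'catalog-entity', params: { claims: ['$ownerRefs'] } },
] };
const tom: Entity = { kind: 'User', metadata: { name: 'tom', namespace: 'default' },
  relations: [{ type: 'memberOf', targetRef: 'group:default/team-a' }] };
const alice: Entity = { kind: 'User', metadata: { name: 'alice', namespace: 'default' },
  relations: [{ type: 'memberOf', targetRef: 'group:default/team-b' }] };
const component: Entity = { kind: 'Component', spec: { owner: 'group:default/team-a' },
  metadata: { name: 'NewComponent', annotations: { 'template/creator': 'user:default/tom' } } };

console.log(isAllowed(deleteCondition, tom, component), isAllowed(deleteCondition, alice, component)); // true false
console.log(isAllowed(readCondition, tom, component), isAllowed(readCondition, alice, component));     // true false
```

With this resolver, tom (named in template/creator) passes the first report's delete condition while alice does not, and tom reads the component owned by his group under the second report's $ownerRefs condition without the group name being hard-coded in claims.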

      Upstream links: https://github.com/backstage/community-plugins/issues/2409 and https://github.com/backstage/community-plugins/issues/2950

              rh-ee-pknight Patrick Knight
              RHIDP - Plugins