Bug
Resolution: Done
Normal
Bug Fix
Done
RHDH Plugins 3270, RHDH Plugins 3271
First bug report: RBAC: Aliases should work for all rules
Plugin Name
rbac
🔖 Feature description
As far as I can see, the rbac plugin currently supports the aliases $currentUser and $ownerRefs only for the rule 'IS_ENTITY_OWNER'. I need to extend this so they can be used with the rule 'HAS_ANNOTATION'. Currently the following configuration sees $currentUser as a literal string:
{{
- allOf:
    - rule: HAS_ANNOTATION
      resourceType: catalog-entity
      params:
        value: "$currentUser"
        annotation: "template/creator"
    - rule: IS_ENTITY_KIND
      resourceType: catalog-entity
      params:
        kinds:
          - "Component"
}}
If I use the same value as the annotation, it evaluates correctly, but if I put something like user:default/tom there and tom tries to do the required operations, it doesn't work:
template/creator: $currentUser
Feature request: expand alias functionality to all rules, so that an alias can be passed in the value field and evaluated as expected.
🎤 Context
I want to grant delete permission for the case where a specific annotation is set to the user's entityRef. The owner of the catalog item should be a group, and all members can see the item, but only the user mentioned in the annotation should be able to delete the catalog item.
Because of this, the spec.owner field uses a Group as the owner ref.
✌️ Possible Implementation
No response
👀 Have you spent some time to check if this feature request has been raised before?
I checked and didn't find similar issue
🏢 Have you read the Code of Conduct?
I have read the Code of Conduct
Are you willing to submit PR?
None
Second bug report: RBAC: Conditional permission to view owned resources by Group not working with $ownerRefs alias
Workspace
rbac
📜 Description
Our current Backstage setup uses Azure auth and the Entra ID integration to authenticate and manage users and groups.
To separate permissions, we installed and configured the RBAC plugin.
Our current goal is to give the user the ability to read only catalog entities owned by a group the user belongs to.
We are not able to use the $ownerRefs alias to supply the user and groups dynamically to filter owned resources in conditional permissions.
If we use the alias, no entities are visible in the catalog; switching to a statically provided group under claims resolves the problem.
Providing the static name of the group is only a workaround, as that solution becomes problematic with a higher number of groups.
👍 Expected behavior
Able to read catalog entities owned by a group the user belongs to.
👎 Actual Behavior with Screenshots
If we use the $ownerRefs alias in conditional permissions, no entities are visible in the catalog.
👟 Reproduction steps
The full setup is provided in the context section.
- Setup Azure Auth in Backstage Instance
- Setup Entra ID Integration to grab org data
- Configure rbac plugin
- Setup attached rbac rules and conditional permissions
- Register existing component
- Log in with a user that is not in the admin group
- Display the owned component in the catalog
📃 Provide the context for the Bug.
RBAC
{{
p, role:default/admins, catalog-entity, read, allow
p, role:default/admins, catalog.entity.read, read, allow
p, role:default/admins, catalog.entity.create, create, allow
p, role:default/admins, catalog.entity.refresh, update, allow
p, role:default/admins, catalog.entity.delete, delete, allow
p, role:default/admins, catalog.location.read, read, allow
p, role:default/admins, catalog.location.create, create, allow
p, role:default/admins, catalog.location.delete, delete, allow
p, role:default/admins, policy.entity.read, read, allow
p, role:default/admins, policy.entity.create, create, allow
p, role:default/admins, policy.entity.update, update, allow
p, role:default/admins, policy.entity.delete, delete, allow
p, role:default/admins, scaffolder.template.parameter.read, read, allow
p, role:default/admins, scaffolder.template.step.read, read, allow
p, role:default/admins, scaffolder.task.read, read, allow
p, role:default/admins, scaffolder.task.create, create, allow
p, role:default/admins, scaffolder.template.management, use, allow
p, role:default/admins, scaffolder.task.cancel, use, allow
p, role:default/admins, scaffolder-action, use, allow
g, group:default/<USER_GROUP>, role:default/ownerread
g, group:default/<ADMIN_GROUP>, role:default/admins
}}
Conditional RBAC that doesn't work
{{
---
result: CONDITIONAL
roleEntityRef: 'role:default/ownerread'
pluginId: catalog
resourceType: catalog-entity
permissionMapping:
  - read
conditions:
  anyOf:
    - rule: IS_ENTITY_KIND
      resourceType: catalog-entity
      params:
        kinds:
          - Group
          - User
    - rule: IS_ENTITY_OWNER
      resourceType: catalog-entity
      params:
        claims:
          - $ownerRefs
}}
Conditional RBAC that works
{{
---
result: CONDITIONAL
roleEntityRef: 'role:default/ownerread'
pluginId: catalog
resourceType: catalog-entity
permissionMapping:
  - read
conditions:
  anyOf:
    - rule: IS_ENTITY_KIND
      resourceType: catalog-entity
      params:
        kinds:
          - Group
          - User
    - rule: IS_ENTITY_OWNER
      resourceType: catalog-entity
      params:
        claims:
          - group:default/<USER_GROUP>
}}
Example Entity definition
{{
apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
  name: NewComponent
  description: example new Component
spec:
  type: service
  lifecycle: experimental
  owner: group:default/<USER_GROUP>
}}
User entity
{{
apiVersion: backstage.io/v1alpha1
kind: User
metadata:
  namespace: default
  annotations:
    backstage.io/managed-by-location: msgraph:default/xxxxx
    backstage.io/managed-by-origin-location: msgraph:default/xxxxxx
    graph.microsoft.com/user-id: xxxxx
    microsoft.com/email: user.name@example.com
  name: user.name_example.com
relations:
  - type: memberOf
    targetRef: group:default/<USER_GROUP>
    target:
      kind: group
      namespace: default
      name: <USER_GROUP>
spec:
  profile:
    displayName: Name, User
    email: user.name@example.com
    picture:
  memberOf:
    - group:default/<USER_GROUP>
}}
Group entity
{{
apiVersion: backstage.io/v1alpha1
kind: Group
metadata:
  namespace: default
  annotations:
    backstage.io/managed-by-location: msgraph:default/xxxxx
    backstage.io/managed-by-origin-location: msgraph:default/xxxx
    graph.microsoft.com/group-id: xxxx
  name: <USER_GROUP>
relations:
  - type: childOf
    targetRef: group:default/<PARENT_USER_GROUP>
    target:
      kind: group
      namespace: default
      name: <PARENT_USER_GROUP>
  - type: hasMember
    targetRef: user:default/user.name_example.com
    target:
      kind: user
      namespace: default
      name: user.name@example.com
}}
👀 Have you spent some time to check if this bug has been raised before?
I checked and didn't find similar issue
🏢 Have you read the Code of Conduct?
I have read the Code of Conduct
Are you willing to submit PR?
None
👍3
Upstream links: https://github.com/backstage/community-plugins/issues/2409 and https://github.com/backstage/community-plugins/issues/2950
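Added illustration, not the rbac plugin's own code and not posted by either reporter, of the behaviour both reports turn on: resolving $currentUser and $ownerRefs in every rule of a condition tree (the gap the first report describes for HAS_ANNOTATION) and seeing what $ownerRefs actually expands to in the IS_ENTITY_OWNER claims of the second report. Assumed semantics: $currentUser becomes the caller's user entity ref and $ownerRefs becomes the caller's ownership entity refs (user ref plus group refs); IS_ENTITY_OWNER is simplified to a spec.owner comparison rather than the catalog's ownedBy relations. The entity refs user:default/tom, user:default/alice and group:default/team-a, the sample Component, and the function names resolveAliases, evaluate and isAllowed are constructed for this example.

```typescript
// Added example: alias resolution across a whole condition tree plus a tiny
// evaluator for the three catalog rules in the reports. Not the rbac plugin's
// own code. Assumed alias semantics:
//   $currentUser -> the caller's user entity ref
//   $ownerRefs   -> the caller's ownership entity refs (user ref + groups)

type Entity = {
  kind: string;
  metadata: { name: string; namespace?: string; annotations?: Record<string, string> };
  spec?: { owner?: string };
};
type Rule = { rule: string; resourceType: string; params: Record<string, unknown> };
type Condition = Rule | { allOf: Condition[] } | { anyOf: Condition[] } | { not: Condition };
type UserInfo = { userEntityRef: string; ownershipEntityRefs: string[] };

// Resolve aliases in one param value. $ownerRefs expands to several refs, so
// inside an array it is spliced in rather than nested.
function resolveParam(value: unknown, user: UserInfo): unknown {
  if (typeof value === 'string') {
    const v = value.trim();
    if (v === '$currentUser') return user.userEntityRef;
    if (v === '$ownerRefs') return user.ownershipEntityRefs.slice();
    return value;
  }
  if (Array.isArray(value)) {
    const out: unknown[] = [];
    value.forEach(item => {
      const r = resolveParam(item, user);
      if (Array.isArray(r)) out.push.apply(out, r); else out.push(r);
    });
    return out;
  }
  return value;
}

// Walk allOf/anyOf/not so every rule gets its params resolved, not only
// IS_ENTITY_OWNER (the gap the first report describes).
function resolveAliases(cond: Condition, user: UserInfo): Condition {
  if ('allOf' in cond) return { allOf: cond.allOf.map(c => resolveAliases(c, user)) };
  if ('anyOf' in cond) return { anyOf: cond.anyOf.map(c => resolveAliases(c, user)) };
  if ('not' in cond) return { not: resolveAliases(cond.not, user) };
  const params: Record<string, unknown> = {};
  Object.keys(cond.params).forEach(k => { params[k] = resolveParam(cond.params[k], user); });
  return { rule: cond.rule, resourceType: cond.resourceType, params };
}

// Minimal evaluator. Simplification: IS_ENTITY_OWNER compares spec.owner
// directly instead of the catalog's ownedBy relations.
function evaluate(cond: Condition, entity: Entity): boolean {
  if ('allOf' in cond) return cond.allOf.every(c => evaluate(c, entity));
  if ('anyOf' in cond) return cond.anyOf.some(c => evaluate(c, entity));
  if ('not' in cond) return !evaluate(cond.not, entity);
  switch (cond.rule) {
    case 'IS_ENTITY_KIND':
      return (cond.params.kinds as string[]).some(k => k.toLowerCase() === entity.kind.toLowerCase());
    case 'IS_ENTITY_OWNER':
      return (cond.params.claims as string[]).indexOf(entity.spec?.owner ?? '') !== -1;
    case 'HAS_ANNOTATION': {
      const ann = entity.metadata.annotations;
      const actual = ann ? ann[cond.params.annotation as string] : undefined;
      if (actual === undefined) return false;
      return cond.params.value === undefined || actual === cond.params.value;
    }
    default:
      throw new Error(`unsupported rule ${cond.rule}`);
  }
}

function isAllowed(cond: Condition, user: UserInfo, entity: Entity): boolean {
  return evaluate(resolveAliases(cond, user), entity);
}

// Constructed sample data (names are made up for this example).
const component: Entity = {
  kind: 'Component',
  metadata: { name: 'NewComponent', namespace: 'default', annotations: { 'template/creator': 'user:default/tom' } },
  spec: { owner: 'group:default/team-a' },
};
// First report: delete only for the user named in template/creator.
const deleteCondition: Condition = { allOf: [
  { rule: 'HAS_ANNOTATION', resourceType: 'catalog-entity', params: { annotation: 'template/creator', value: '$currentUser' } },
  { rule: 'IS_ENTITY_KIND', resourceType: 'catalog-entity', params: { kinds: ['Component'] } },
] };
// Second report: read Groups/Users, or anything owned by one of the caller's owner refs.
const readCondition: Condition = { anyOf: [
  { rule: 'IS_ENTITY_KIND', resourceType: 'catalog-entity', params: { kinds: ['Group', 'User'] } },
  { rule: 'IS_ENTITY_OWNER', resourceType: 'catalog-entity', params: { claims: ['$ownerRefs'] } },
] };
const tom: UserInfo = { userEntityRef: 'user:default/tom', ownershipEntityRefs: ['user:default/tom', 'group:default/team-a'] };
const tomNoGroup: UserInfo = { userEntityRef: 'user:default/tom', ownershipEntityRefs: ['user:default/tom'] };
const alice: UserInfo = { userEntityRef: 'user:default/alice', ownershipEntityRefs: ['user:default/alice', 'group:default/team-a'] };

console.log('tom delete:', isAllowed(deleteCondition, tom, component));                   // true
console.log('alice delete:', isAllowed(deleteCondition, alice, component));               // false
console.log('unresolved alias:', evaluate(deleteCondition, component));                   // false: "$currentUser" compared as a literal
console.log('tom read:', isAllowed(readCondition, tom, component));                       // true
console.log('tom (no group ref) read:', isAllowed(readCondition, tomNoGroup, component)); // false
```

Two things the example makes visible. Evaluating deleteCondition without resolveAliases reproduces the first report: the annotation value is compared against the literal string "$currentUser" and never matches. For the second report, under the assumed semantics the alias can only ever match what the caller's identity carries in ownershipEntityRefs: tomNoGroup models an identity whose group membership did not make it into those refs, and the component stays invisible for it even though the policy is identical to the one that works with a static group ref. Checking the refs the identity actually resolves to against spec.owner is therefore the first thing to verify before changing the policy.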