• Topology RBAC
    • Done
    • RHIDP-6379 - Topology RBAC
    • QE Needed, Docs Needed, TE Needed, Customer Facing, PX Needed
    • 0% To Do, 0% In Progress, 100% Done
      = The Topology-specific permission `topology.view.read` is removed

      Previously, the Topology plugin used the `topology.view.read` permission to control access, and users were unable to configure Topology permissions using the RBAC UI. With this update, users can configure Kubernetes plugin permissions using the RBAC UI, and these permissions now govern access to the Topology plugin. Use the Kubernetes plugin permissions `kubernetes.clusters.read`, `kubernetes.resources.read`, and `kubernetes.proxy` for the Topology plugin, because the Topology-specific permission `topology.view.read` is removed.

      If you are using a CSV permission file, update the following lines:

      .Old Topology permission definition
      [source,csv]
      ----
      p, role:default/topology-viewer, topology.view.read, read, allow
      p, role:default/topology-viewer, kubernetes.proxy, use, allow
      ----

      .New Topology permission definition
      [source,csv]
      ----
      p, role:default/topology-viewer, kubernetes.clusters.read, read, allow
      p, role:default/topology-viewer, kubernetes.resources.read, read, allow
      p, role:default/topology-viewer, kubernetes.proxy, use, allow
      ----
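
The CSV update described above, as an added example (not code from RHDH or the Topology plugin): it rewrites each `topology.view.read` rule into the two Kubernetes read rules and lists migrated roles that have no `kubernetes.proxy` rule, which the acceptance criteria tie to pod log access. The `topology-nologs` role and the `g` line in the sample are constructed for illustration.

```python
REMOVED = "topology.view.read"
# Replacement permissions and actions, taken from the new definition above.
REPLACEMENTS = [("kubernetes.clusters.read", "read"),
                ("kubernetes.resources.read", "read")]
PROXY_RULE = ("kubernetes.proxy", "use", "allow")

# Constructed sample: the old definition from the release note plus one
# hypothetical role without kubernetes.proxy and one role assignment.
SAMPLE = """\
p, role:default/topology-viewer, topology.view.read, read, allow
p, role:default/topology-viewer, kubernetes.proxy, use, allow
p, role:default/topology-nologs, topology.view.read, read, allow
g, user:default/alice, role:default/topology-viewer
"""

def _fields(line):
    return tuple(f.strip() for f in line.split(","))

def migrate_policy(text):
    """Return (migrated_text, migrated_roles_without_proxy)."""
    lines = text.splitlines()
    present = {_fields(line) for line in lines}  # rules already in the file
    out, no_proxy = [], []
    for line in lines:
        f = _fields(line)
        if len(f) == 5 and f[0] == "p" and f[2] == REMOVED:
            role, effect = f[1], f[4]
            for perm, action in REPLACEMENTS:
                rule = ("p", role, perm, action, effect)
                if rule not in present:  # do not duplicate existing rules
                    present.add(rule)
                    out.append(", ".join(rule))
            if ("p", role) + PROXY_RULE not in present:
                no_proxy.append(role)  # this role will not get pod logs
        else:
            out.append(line)  # unrelated rules and comments pass through
    return "\n".join(out) + "\n", no_proxy

if __name__ == "__main__":
    migrated, no_proxy = migrate_policy(SAMPLE)
    print(migrated, end="")
    print("roles without kubernetes.proxy:", no_proxy)
```

Review the roles it reports before adding `kubernetes.proxy`: grant it only where pod log access is intended.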
    • Removed Functionality
    • Done

      EPIC Goal

      The goal of this Epic is to properly add Topology permissions to RHDH.

      Background/Feature Origin

      Today, a number of plugins have implemented permissions that cannot be viewed from within the RBAC UI. This is because they either do not declare their permissions by passing them to `createPermissionIntegrationRouter` in their respective backend, or they do not have a backend plugin at all. These plugins include Topology, Tekton, Quay, and Red Hat ArgoCD.

      Why is this important?

      Topology permissions were not displayed in the RBAC UI because Topology has no backend plugin, so users could not create Topology permissions via the UI. Authorization checks on the frontend should be used in addition to the corresponding backend authorization.

      User Scenarios

      As a user of RHDH, I want to see Topology permissions in RBAC UI so that I can create roles with Topology permissions.

      Dependencies (internal and external)

      Acceptance Criteria

      • Remove the custom Topology permissions and the now unneeded `@backstage-community/plugin-topology-common`.
      • Use the Kubernetes permissions `kubernetes.clusters.read` and `kubernetes.resources.read` for the Topology plugin instead of the custom `@backstage-community/plugin-topology-common` `topology.view.read` permission.
      • Update the Topology permission alert for missing `kubernetes.clusters.read` and `kubernetes.resources.read` permissions.
      • Add a Topology permission alert for a missing `kubernetes.proxy` permission when accessing pod logs.
      • Update RBAC documentation regarding Topology permissions.

      Release Enablement/Demo - Provide necessary release enablement details
      and documents

      DEV - Upstream code and tests merged: <link to meaningful PR or GitHub
      Issue>

      DEV - Upstream documentation merged: <link to meaningful PR or GitHub
      Issue>

      DEV - Downstream build attached to advisory: <link to errata>

      QE - Test plans in Playwright: <link or reference to playwright>

      QE - Automated tests merged: <link or reference to automated tests>

      DOC - Downstream documentation merged: <link to meaningful PR>

              rh-ee-dzemanov Dominika Zemanovicova
              RHIDP - Plugins