feat(rbac): add default role configuration for authenticated users
Hey, I just made a Pull Request!
This PR introduces support for assigning a default role to every authenticated user when using Backstage's Sign-In without Users in the Catalog feature.
Currently, when this option is enabled, the @backstage-community/plugin-rbac-backend cannot evaluate permissions for users not present in the catalog. This limitation is also discussed in issue #2077.
With this change, a configurable default role can be specified and automatically assigned to all authenticated users, enabling consistent permission evaluation even without catalog user entries.
You can assign the role "role:default/my-default-role" to all users:

```yaml
permission:
  rbac:
    defaultRole: role:default/my-default-role
```
✔️ Checklist
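A simplified model of the behaviour described above, added here as an illustration and not taken from this PR or from the plugin's code: it shows a user absent from the catalog picking up the default role, an unauthenticated request getting nothing, and a review helper for what the default role grants. The type and function names, the role-ref pattern and the sample data are assumptions.

```typescript
// Added illustration: a simplified model, not the rbac-backend plugin's code.
interface Grant { role: string; permission: string; action: string }
interface RbacState {
  defaultRole?: string;             // value of permission.rbac.defaultRole
  bindings: Map<string, string[]>;  // user entity ref -> explicitly assigned roles
  grants: Grant[];                  // allow-only policies; anything else is denied
}

// Assumed ref shape, taken from the page's example "role:default/my-default-role".
const ROLE_REF = /^role:[a-z0-9._-]+\/[a-z0-9._-]+$/i;

// Fail closed on a malformed value instead of silently assigning nothing.
function checkedDefaultRole(state: RbacState): string | undefined {
  if (state.defaultRole === undefined) return undefined;
  if (!ROLE_REF.test(state.defaultRole)) {
    throw new Error("invalid defaultRole: " + state.defaultRole);
  }
  return state.defaultRole;
}

// Explicit bindings plus the default role, only for an authenticated identity
// (userRef undefined means there was no valid sign-in).
function effectiveRoles(state: RbacState, userRef?: string): string[] {
  if (!userRef) return [];
  const roles = new Set<string>(state.bindings.get(userRef) || []);
  const def = checkedDefaultRole(state);
  if (def) roles.add(def);
  return Array.from(roles);
}

function isAllowed(state: RbacState, userRef: string | undefined,
                   permission: string, action: string): boolean {
  const roles = effectiveRoles(state, userRef);
  return state.grants.some(g => roles.indexOf(g.role) >= 0 &&
    g.permission === permission && g.action === action);
}

// Review aid: every grant on the default role reaches all signed-in users,
// so list the ones that go beyond read access.
function nonReadDefaultGrants(state: RbacState): Grant[] {
  return state.grants.filter(g => g.role === state.defaultRole && g.action !== "read");
}

// Constructed sample data.
const SAMPLE: RbacState = {
  defaultRole: "role:default/my-default-role",
  bindings: new Map<string, string[]>([["user:default/alice", ["role:default/admin"]]]),
  grants: [
    { role: "role:default/my-default-role", permission: "catalog-entity", action: "read" },
    { role: "role:default/admin", permission: "catalog-entity", action: "delete" },
  ],
};
```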
Changed Packages
| Package Name | Package Path | Changeset Bump | Current Version |
|---|---|---|---|
| @backstage-community/plugin-rbac-backend | workspaces/rbac/plugins/rbac-backend | minor | v7.4.2 |
@PatAKnight I just added docs for it
Tested, looks good to me.
@AndrienkoAleksandr anything to do or can it be merged?
This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!
@PatAKnight @AndrienkoAleksandr Can the PR be merged now, or is something still missing?
@JohannesWill, it looks like your latest merge introduced some CI issues.
@AndrienkoAleksandr, @dzemanov would either of you be able to take a look here to see if we can get the contribution over the line? @JohannesWill has been very patient
Thanks for the contribution! All commits need to be DCO signed before they are reviewed. Please refer to the DCO section in CONTRIBUTING.md or the DCO status for more info.
> @AndrienkoAleksandr, @dzemanov would either of you be able to take a look here to see if we can get the contribution over the line? @JohannesWill has been very patient
Yes, I agree. We definitely need this PR. I will take a look and see what I can do this week. I need to refresh my memory a bit, but in general: some time ago, we discussed this PR with @PatAKnight and concluded that the default role should be displayed in the UI (in read-only mode). But for this purpose, the default role should have metadata with a source type. There should be only one source type, for consistency, to prevent overriding permissions after restarting the Backstage application. For this particular case, the source type can be either "csv-file" OR "configuration":
- "csv-file" source type - means default permissions are applied to the default role with the help of permission policy files https://github.com/backstage/community-plugins/issues/5358
- "configuration" - default permissions should be applied to the role with the help of application configuration. We had PRs to achieve that: https://github.com/backstage/community-plugins/pull/3521 and https://github.com/backstage/community-plugins/pull/3908
So we have two options, but I think we need to select only one of them. It would be nice to deliver the full feature with both default role and default permissions. But we'll see. I will consult with @dzemanov and we will discuss what is the best way to deliver default permissions to the default role.
Hi, I've removed myself from this and tried to clean up anyone else who's like not needed as a reviewer. The Plugin Owners like @AndrienkoAleksandr know best so leaving them to review and approve 👍
Hi @JohannesWill, thank you for the PR! I've filed a Jira ticket for tracking: https://issues.redhat.com/browse/RHDHPLAN-366. We'll coordinate with the PM to ensure alignment and final approval for this feature.