
feat(rbac): add extensions to rbac backend plugin

Open · PatAKnight opened this issue 1 year ago · 1 comment

Description

Adds extension points to the RBAC backend plugin to allow for backend module support. This extension support will allow for the use of third party access management tools when it comes to loading in permission policies and roles. Included in this PR is an example backend module that can be paired with the RBAC backend plugin.

Fixes

Special Notes to the reviewer

Included is an example backend module that can be used to test the new feature. Within the example module is a CSV file in which you can manipulate the roles and permissions to test the scenarios of adding / removing permissions and roles.

Adding the test provider to test new functionality

Install the provider

backend.add(
  import('@janus-idp/backstage-plugin-rbac-backend-module-test/alpha'),
);

Configure the test provider

permission:
  rbac:
    providers:
      test:
        baseUrl: http://localhost:8099
        accessToken: temp
        schedule:
          frequency: { minutes: 1 }
          timeout: { minutes: 1 }
          initialDelay: { seconds: 1 }

This will set the provider schedule to apply the roles and permissions from a csv file every minute.

To see the permissions and roles be updated, edit the csv file plugins/rbac-backend-module-test/test-policy.csv

Finally, to test the manual refresh capability, update the config to adjust the frequency of the schedule

permission:
  rbac:
    providers:
      test:
        baseUrl: http://localhost:8099
        accessToken: temp
        schedule:
          frequency: { minutes: 10 }
          timeout: { minutes: 1 }
          initialDelay: { seconds: 1 }

10 minutes should give you enough time to edit the csv file and manually trigger a refresh.

Edit the csv file with your desired changes.

Call the refresh endpoint

curl -X POST "http://localhost:7007/api/permission/refresh/testProvider" -H "Authorization: Bearer $token" -v

Should return a 200

PatAKnight avatar Aug 12 '24 14:08 PatAKnight

Tested, works fine.

AndrienkoAleksandr avatar Aug 19 '24 13:08 AndrienkoAleksandr

Works by me as well.

Tested scenarios:
  • no provider:
    {"error":{"name":"NotFoundError","message":"The RBAC provider testProvider was not found","stack":"NotFoundError: The RBAC provider testProvider was not found\n    at <anonymous> (/home/dzemanov/Projects/janus2/backstage-plugins/plugins/rbac-backend/src/service/policies-rest-api.ts:1030:15)\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)"},"request":{"method":"POST","url":"/api/permission/refresh/testProvider"},"response":{"statusCode":404}}
  • Provider loaded - correctly loads data defined by provider
  • Editing policies from provider by rbac ui correctly results in error:
    Unable to edit role: source does not match originating role role:default/test-provider, consider making changes to the 'TESTPROVIDER'
  • Changing csv file correctly updates - removing / adding works
  • Adding new role via ui with the same name as from provider correctly does not create:
    Error: Unable to create role. Unable to add role: source does not match originating role role:default/test-provider, consider making changes to the 'TESTPROVIDER'
  • Refresh endpoint works as expected

dzemanov avatar Aug 19 '24 17:08 dzemanov
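As an added example (not code from this PR or from the janus-idp RBAC plugin), the TypeScript below models the behaviour that the testing procedure in the description and the scenarios in the review comments describe: a provider loads roles and permissions from a CSV file, a scheduled or manual refresh applies only the delta between the applied policies and the file, a role created by a provider cannot be changed from another source (the "source does not match originating role" error), and refreshing a provider that is not registered yields a 404 NotFoundError. The Casbin-style `p,`/`g,` row layout of the CSV, the `RbacStore` class, and the `'rest'` source label for UI edits are assumptions made for the example.

```typescript
// Added example; not code from the PR or the janus-idp RBAC plugin.
// Assumed CSV layout: `p, <role>, <permission>, <action>, <effect>` and `g, <user>, <role>`.
type Policy = { kind: 'p' | 'g'; fields: string[] };
type Entry = { policy: Policy; source: string };

// Parse the provider's CSV; blank lines and `#` comments are skipped.
export function parsePolicyCsv(csv: string): Policy[] {
  const policies: Policy[] = [];
  for (const raw of csv.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const fields = line.split(',').map(f => f.trim());
    const kind = fields.shift();
    if (kind !== 'p' && kind !== 'g') throw new Error(`unsupported policy type: ${kind}`);
    policies.push({ kind, fields });
  }
  return policies;
}

const policyKey = (p: Policy): string => `${p.kind},${p.fields.join(',')}`;
// Role a row belongs to: the subject of a `p` row, the granted role of a `g` row.
const roleOf = (p: Policy): string => (p.kind === 'p' ? p.fields[0] : p.fields[1]);

// Delta between what is applied and what the file now says; a refresh applies only this.
export function diffPolicies(current: Policy[], next: Policy[]) {
  const cur = new Map(current.map((p): [string, Policy] => [policyKey(p), p]));
  const nxt = new Map(next.map((p): [string, Policy] => [policyKey(p), p]));
  return {
    toAdd: next.filter(p => !cur.has(policyKey(p))),
    toRemove: current.filter(p => !nxt.has(policyKey(p))),
  };
}

export class NotFoundError extends Error {
  readonly statusCode = 404;
  constructor(message: string) { super(message); this.name = 'NotFoundError'; }
}

// Assumed stand-in for the RBAC store: every row remembers which source created it.
export class RbacStore {
  private entries: Entry[] = [];
  private providers = new Map<string, () => string>();

  registerProvider(name: string, loadCsv: () => string): void {
    this.providers.set(name, loadCsv);
  }

  // Source that owns the role, or undefined if no row mentions it yet.
  ownerOf(role: string): string | undefined {
    return this.entries.find(e => roleOf(e.policy) === role)?.source;
  }

  private assertOwnedBy(policy: Policy, source: string, verb: string): void {
    const role = roleOf(policy);
    const owner = this.ownerOf(role);
    if (owner !== undefined && owner !== source) {
      throw new Error(`Unable to ${verb} role: source does not match originating role ${role}, ` +
        `consider making changes to the '${owner.toUpperCase()}'`);
    }
  }

  addPolicy(policy: Policy, source: string): void {
    this.assertOwnedBy(policy, source, 'add');
    this.entries.push({ policy, source });
  }

  removePolicy(policy: Policy, source: string): void {
    this.assertOwnedBy(policy, source, 'remove');
    const key = policyKey(policy);
    this.entries = this.entries.filter(e => policyKey(e.policy) !== key);
  }

  policiesFrom(source: string): Policy[] {
    return this.entries.filter(e => e.source === source).map(e => e.policy);
  }

  // What the scheduled task and POST /api/permission/refresh/<provider> both run.
  refresh(providerName: string): { added: number; removed: number } {
    const load = this.providers.get(providerName);
    if (load === undefined) throw new NotFoundError(`The RBAC provider ${providerName} was not found`);
    const { toAdd, toRemove } = diffPolicies(this.policiesFrom(providerName), parsePolicyCsv(load()));
    for (const p of toRemove) this.removePolicy(p, providerName);
    for (const p of toAdd) this.addPolicy(p, providerName);
    return { added: toAdd.length, removed: toRemove.length };
  }
}

// Constructed sample policy files (not the PR's test-policy.csv).
const POLICY_V1 = `
p, role:default/test-provider, catalog-entity, read, allow
p, role:default/test-provider, catalog.entity.create, create, allow
g, user:default/alice, role:default/test-provider
`;
const POLICY_V2 = `
p, role:default/test-provider, catalog-entity, read, allow
g, user:default/alice, role:default/test-provider
g, user:default/bob, role:default/test-provider
`;

export function runScenarios() {
  const store = new RbacStore();
  // 1. Refresh before the provider is registered: the endpoint answers 404.
  let unknownStatus = 0;
  try { store.refresh('testProvider'); }
  catch (e) { unknownStatus = (e as { statusCode?: number }).statusCode ?? 500; }
  // 2. Register the provider; the first scheduled run loads the whole file.
  let csv = POLICY_V1;
  store.registerProvider('testProvider', () => csv);
  const first = store.refresh('testProvider');
  // 3. Editing a provider-owned role through the REST API ('rest' source) is refused.
  let editError = '';
  try {
    store.addPolicy({ kind: 'p', fields: ['role:default/test-provider', 'catalog-entity', 'delete', 'allow'] }, 'rest');
  } catch (e) { editError = (e as Error).message; }
  // 4. Edit the CSV and trigger a manual refresh: only the delta is applied.
  csv = POLICY_V2;
  const second = store.refresh('testProvider');
  return { unknownStatus, first, editError, second, total: store.policiesFrom('testProvider').length };
}
```

`runScenarios()` walks the same path the description asks a tester to walk: an unregistered provider is a 404, the initial load adds all three rows, a UI-style edit of the provider's role is rejected with the 'TESTPROVIDER' message, and the second refresh removes one row and adds one rather than reloading everything.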