feat(rbac): implement the concept of roles in rbac (#867)
* feat(rbac): implement the concept of roles in rbac

* feat(rbac): review suggestions

* feat(rbac): more code review feedback

* fix(rbac) ability to update role name
PatAKnight authored Oct 27, 2023
1 parent 406c147 commit 4d878a2
Showing 10 changed files with 1,805 additions and 135 deletions.
10 changes: 7 additions & 3 deletions plugins/rbac-backend/README.md
@@ -1,6 +1,6 @@
# RBAC backend plugin for Backstage

This plugin seamlessly integrates with the Backstage permission framework](https://backstage.io/docs/permissions/overview/) to empower you with robust role-based access control capabilities within your Backstage environment.
This plugin seamlessly integrates with the [Backstage permission framework](https://backstage.io/docs/permissions/overview/) to empower you with robust role-based access control capabilities within your Backstage environment.

The Backstage permission framework is a core component of the Backstage project, designed to provide meticulous control over resource and action access. Our RBAC plugin harnesses the power of this framework, allowing you to tailor access permissions without the need for coding. Instead, you can effortlessly manage your access policies through User interface embedded within Backstage or via the configuration files.

Expand Down Expand Up @@ -59,8 +59,12 @@ The RBAC plugin also allows you to import policies from an external file. These
Here's an example of an external permission policies configuration file named `rbac-policy.csv`:

```CSV
p, user:default/bob, catalog-entity, read, deny
p, user:default/alice, catalog.entity.create, use, deny
p, role:default/team_a, catalog-entity, read, deny
p, role:default/team_b, catalog.entity.create, use, deny
g, user:default/bob, role:default/team_a
g, group:default/team_b, role:default/team_b
```

You can specify the path to this configuration file in your application configuration:
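Review bot: the example now introduces `g` rows and the `role:default/...` subject form, but the sentence above still only calls it "an example of an external permission policies configuration file"; add one sentence saying that `p` rows attach a permission decision to a subject (here a role) and `g` rows bind a user or group to that role, so a reader can tell that `user:default/bob` is denied `catalog-entity` read through `role:default/team_a` rather than directly. The `g, group:default/team_b, role:default/team_b` row also deserves a note on how `group:` subjects are resolved, since that is what decides which users actually inherit the deny.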
7 changes: 5 additions & 2 deletions plugins/rbac-backend/model/rbac-policy.csv
@@ -1,4 +1,7 @@


p, user:default/guest, catalog-entity, read, deny
p, user:default/guest, catalog.entity.create, use, deny
p, role:default/guests, catalog-entity, read, deny
p, role:default/guests, catalog.entity.create, use, deny

g, user:default/guest, role:default/guests

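Review bot: the sample policy file now depends on grouping (`g`) rules, but this commit view does not show the casbin model (`./permission-model`, imported as `MODEL` in permission-policy.ts); confirm that the model declares a `[role_definition]` with `g = _, _` and that its matcher uses `g(r.sub, p.sub)`, otherwise `g, user:default/guest, role:default/guests` is loaded but never consulted and guest is no longer denied `catalog-entity` read or `catalog.entity.create` use. Style point: the two blank lines kept as context at the top of the CSV should be dropped while the file is being touched.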
54 changes: 37 additions & 17 deletions plugins/rbac-backend/src/service/permission-policy.ts
Expand Up @@ -19,28 +19,48 @@ import { Logger } from 'winston';

import { MODEL } from './permission-model';

const useAdmins = (admins: Config[], enf: Enforcer) => {
const useAdmins = async (admins: Config[], enf: Enforcer) => {
const adminRoleName = 'role:default/rbac_admin';
admins.flatMap(async localConfig => {
const name = localConfig.getString('name');
const adminReadPermission = [name, 'policy-entity', 'read', 'allow'];
if (!(await enf.hasPolicy(...adminReadPermission))) {
await enf.addPolicy(...adminReadPermission);
}
const adminCreatePermission = [name, 'policy-entity', 'create', 'allow'];
if (!(await enf.hasPolicy(...adminCreatePermission))) {
await enf.addPolicy(...adminCreatePermission);
const adminRole = [name, adminRoleName];
if (!(await enf.hasGroupingPolicy(...adminRole))) {
await enf.addGroupingPolicy(...adminRole);
}
});
const adminReadPermission = [adminRoleName, 'policy-entity', 'read', 'allow'];
if (!(await enf.hasPolicy(...adminReadPermission))) {
await enf.addPolicy(...adminReadPermission);
}
const adminCreatePermission = [
adminRoleName,
'policy-entity',
'create',
'allow',
];
if (!(await enf.hasPolicy(...adminCreatePermission))) {
await enf.addPolicy(...adminCreatePermission);
}

const adminDeletePermission = [name, 'policy-entity', 'delete', 'allow'];
if (!(await enf.hasPolicy(...adminDeletePermission))) {
await enf.addPolicy(...adminDeletePermission);
}
const adminDeletePermission = [
adminRoleName,
'policy-entity',
'delete',
'allow',
];
if (!(await enf.hasPolicy(...adminDeletePermission))) {
await enf.addPolicy(...adminDeletePermission);
}

const adminUpdatePermission = [name, 'policy-entity', 'update', 'allow'];
if (!(await enf.hasPolicy(...adminUpdatePermission))) {
await enf.addPolicy(...adminUpdatePermission);
}
});
const adminUpdatePermission = [
adminRoleName,
'policy-entity',
'update',
'allow',
];
if (!(await enf.hasPolicy(...adminUpdatePermission))) {
await enf.addPolicy(...adminUpdatePermission);
}
};

const addPredefinedPolicies = async (
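Review bot: the `admins.flatMap(async localConfig => {` block still discards the promises it creates: `flatMap` returns an array of pending promises that is never awaited, so `useAdmins` can resolve, and the role-level `policy-entity` rules below it can be written, before any admin has actually been bound to `role:default/rbac_admin` via `addGroupingPolicy`, and a failure inside the callback surfaces only as an unhandled rejection. Replace it with `for (const localConfig of admins) { ... }` using `await` inside the loop, or `await Promise.all(admins.map(async localConfig => { ... }))`. Making `useAdmins` `async` only helps if the caller in `addPredefinedPolicies` awaits it as well; worth checking that call site in the same change.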

0 comments on commit 4d878a2