fix(rbac): implement conditional aliases #1847

Merged
40 changes: 38 additions & 2 deletions plugins/rbac-backend/docs/conditions.md
Expand Up @@ -274,13 +274,49 @@ To utilize this condition to the RBAC REST api you need to wrap it with more inf
}
```

## Conditional Policy Aliases

The RBAC-backend plugin allows for the use of aliases in the conditional policy rule parameters. These aliases are dynamically replaced with corresponding values during the policy evaluation process. Each alias is prefixed with a `$` sign to denote its special function.

### Supported Aliases

1. **`$currentUser`**:

- **Description**: This alias is replaced with the user entity reference for the user currently requesting access to the resource.
- **Example**: If the user "Tom" from the "default" namespace is requesting access, `$currentUser` will be replaced with `user:default/tom`.

2. **`$ownerRefs`**:
- **Description**: This alias is replaced with ownership references, typically in the form of an array. The array usually contains the user entity reference and the user's parent group entity reference.
- **Example**: For a user "Tom" who belongs to "team-a", `$ownerRefs` will be replaced with `['user:default/tom', 'group:default/team-a']`.

### Example of a Conditional Policy Object with Alias

This condition should allow members of the `role:default/developer` to delete only their own catalogs and no others:

```json
{
"result": "CONDITIONAL",
"roleEntityRef": "role:default/developer",
"pluginId": "catalog",
"resourceType": "catalog-entity",
"permissionMapping": ["delete"],
"conditions": {
"rule": "IS_ENTITY_OWNER",
"resourceType": "catalog-entity",
"params": {
"claims": ["$currentUser"]
}
}
}
```

## Examples of Conditional Policies

Below are a few examples that can be used on some of the Janus IDP plugins. These can help in determining how based to define conditional policies

### Keycloak plugin

```JSON
```json
{
"result": "CONDITIONAL",
"roleEntityRef": "role:default/developer",
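Review bot: the `$ownerRefs` description hedges with "typically" and "usually"; the docs should state exactly what the alias expands to at evaluation time (the requesting user's entity ref plus which group refs, i.e. direct memberships only or transitive parent groups) and that both aliases are resolved from the authenticated caller's identity rather than from anything supplied in the request, since that is what makes an `IS_ENTITY_OWNER` condition built on them trustworthy. The example under "Example of a Conditional Policy Object with Alias" says the role can "delete only their own catalogs", but `"claims": ["$currentUser"]` matches only entities owned directly by the user; say "catalog entities they own directly" and point readers to `$ownerRefs` for entities owned through one of their groups. It would also help to document what happens when a parameter value starts with `$` but is not a supported alias (passed through literally or rejected). Minor: the ` ```JSON ` to ` ```json ` fence fix is welcome, and the unchanged context line "These can help in determining how based to define conditional policies" has a typo ("how best") worth fixing while in this file.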
Expand All @@ -303,7 +339,7 @@ Notice the use of the annotation `keycloak.org/realm` requires the value of `<YO

### Quay Actions

```JSON
```json
{
"result": "CONDITIONAL",
"roleEntityRef": "role:default/developer",
5 changes: 3 additions & 2 deletions plugins/rbac-backend/package.json
Expand Up @@ -42,10 +42,11 @@
"@backstage/plugin-permission-backend": "^0.5.46",
"@backstage/plugin-permission-common": "^0.8.0",
"@backstage/plugin-permission-node": "^0.8.0",
"@backstage/types": "^1.1.1",
"@dagrejs/graphlib": "^2.1.13",
"@janus-idp/backstage-plugin-audit-log-node": "1.4.0",
"@janus-idp/backstage-plugin-rbac-common": "1.8.1",
"@janus-idp/backstage-plugin-rbac-node": "1.4.0",
"@janus-idp/backstage-plugin-audit-log-node": "1.4.0",
"casbin": "^5.27.1",
"chokidar": "^3.6.0",
"csv-parse": "^5.5.5",
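Review bot: `@backstage/types` is added as a new runtime dependency, but nothing visible in this PR view imports it; confirm the alias-substitution code has a direct import of it so this is not an unused dependency, and make sure the lockfile is updated in the same change. The `@janus-idp/backstage-plugin-audit-log-node` move is a pure alphabetical reorder at the same pinned version `1.4.0`, so no functional change there.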
Expand All @@ -58,8 +59,8 @@
"yn": "^4.0.0"
},
"devDependencies": {
"@backstage/cli": "0.26.11",
"@backstage/backend-test-utils": "0.4.4",
"@backstage/cli": "0.26.11",
"@types/express": "4.17.21",
"@types/node": "18.19.34",
"@types/supertest": "2.0.16",