@janus-idp/backstage-plugin-rbac-backend

v4.2.1

Published

This plugin seamlessly integrates with the [Backstage permission framework](https://backstage.io/docs/permissions/overview/) to empower you with robust role-based access control capabilities within your Backstage environment.

Downloads

8,240

Readme

RBAC backend plugin for Backstage

This plugin seamlessly integrates with the Backstage permission framework to empower you with robust role-based access control capabilities within your Backstage environment.

The Backstage permission framework is a core component of the Backstage project, designed to provide meticulous control over resource and action access. Our RBAC plugin harnesses the power of this framework, allowing you to tailor access permissions without the need for coding. Instead, you can manage your access policies through the user interface embedded within Backstage or via the configuration files.

With the RBAC plugin, you'll have the means to efficiently administer permissions within your Backstage instance by assigning them to users and groups.

Prerequisites

Before you dive into utilizing the RBAC plugin for Backstage, there are a few essential prerequisites to ensure a seamless experience. Please review the following requirements to make sure your environment is properly set up.

Setup Permission Framework

To effectively utilize the RBAC plugin, you must have the Backstage permission framework in place. If you're using the Red Hat Developer Hub, some of these steps may have already been completed for you. However, for other Backstage application instances, please verify that the following prerequisites are satisfied:

You need to set up the permission framework in Backstage. Since this plugin provides a dynamic policy that replaces the traditional one, there's no need to create a policy manually. Please note that one of the requirements for the permission framework is enabling service-to-service authentication. Ensure that you complete these authentication setup steps as well.

Identity resolver

The permission framework, and consequently, this RBAC plugin, rely on the concept of group membership. To ensure smooth operation, please follow the Sign-in identities and resolvers documentation. It's crucial that when populating groups, you include any groups that you plan to assign permissions to.

Installation

To integrate the RBAC plugin into your Backstage instance, follow these steps.

Installing the plugin

Add the RBAC plugin packages as dependencies by running the following command.

yarn workspace backend add @janus-idp/backstage-plugin-rbac-backend

NOTE: If you are using Red Hat Developer Hub, the backend plugin is pre-installed and you do not need this step.

Configuring the Backend

Old Backend System

To connect the RBAC framework to your backend use the PolicyBuilder class in your backend permissions plugin (typically packages/backend/src/plugins/permissions.ts) as follows:

/* highlight-add-start */
import { Router } from 'express';

import {
  PluginIdProvider,
  PolicyBuilder,
} from '@janus-idp/backstage-plugin-rbac-backend';

import { PluginEnvironment } from '../types';

export default async function createPlugin(
  env: PluginEnvironment,
  pluginIdProvider: PluginIdProvider,
): Promise<Router> {
  return PolicyBuilder.build(
    {
      config: env.config,
      logger: env.logger,
      discovery: env.discovery,
      identity: env.identity,
      permissions: env.permissions,
    },
    pluginIdProvider,
  );
}
/* highlight-add-end */

Secondly, in your backend router (typically packages/backend/src/index.ts), add a route for /permission specifying the list of plugin IDs that support permissions:

// ...
/* highlight-add-next-line */
import permission from './plugins/permissions';

async function main() {
  // ...
  /* highlight-add-next-line */
  const permissionEnv = useHotMemoize(module, () => createEnv('permission'));

  // ...
  /* highlight-add-start */
  apiRouter.use(
    '/permission',
    await permission(permissionEnv, {
      // Return the static list of plugin IDs that support Backstage permissions.
      getPluginIds: () => ['catalog', 'scaffolder', 'permission'],
    }),
  );
  /* highlight-add-end */
}

New Backend System

The RBAC plugin supports the integration with the new backend system.

Add the RBAC plugin to the packages/backend/src/index.ts file.

backend.add(import('@janus-idp/backstage-plugin-rbac-backend'));

Configure policy admins

The RBAC plugin empowers you to manage permission policies for users and groups with a designated group of individuals known as policy administrators. These administrators are granted access to the RBAC plugin's REST API and user interface as well as the ability to read from the catalog.

You can specify the policy administrators in your application configuration as follows:

permission:
  enabled: true
  rbac:
    admin:
      users:
        - name: user:default/alice
        - name: group:default/admins

The RBAC plugin also enables you to grant users the title of 'super user,' which provides them with unrestricted access throughout the Backstage instance.

You can specify the super users in your application configuration as follows:

permission:
  enabled: true
  rbac:
    admin:
      superUsers:
        - name: user:default/alice
        - name: user:default/mike

For more information on the available API endpoints accessible to the policy administrators, refer to the API documentation.

Configuring policies via file

The RBAC plugin also allows you to import policies from an external file. These policies are defined in the Casbin rules format, known for its simplicity and clarity. For a quick start, please refer to the format details in the provided link.

Here's an example of an external permission policies configuration file named rbac-policy.csv:

p, role:default/team_a, catalog-entity, read, deny
p, role:default/team_b, catalog.entity.create, create, deny

g, user:default/bob, role:default/team_a

g, group:default/team_b, role:default/team_b

NOTE: When you add a role in the permission policies configuration file, ensure that the role is associated with at least one permission policy with the allow effect.
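
A check for the NOTE above, written as an added example (not part of the plugin or its README): it parses a policy file in the p/g layout shown in rbac-policy.csv and reports roles that have no policy with the allow effect, along with malformed lines. The names lintRbacPolicy, Finding and SAMPLE_POLICY are constructed for illustration, and the accepted line shapes are assumed from the example file above.

```typescript
// Added example: pre-deployment lint for an RBAC policy CSV.
// Assumed line shapes, taken from the rbac-policy.csv example:
//   p, <role>, <permission>, <action>, <allow|deny>
//   g, <user:... | group:...>, <role>
interface Finding { line: number; message: string }

// Constructed sample: team_b has only a deny policy, team_c has a bad effect.
const SAMPLE_POLICY: string = [
  'p, role:default/team_a, catalog-entity, read, allow',
  'p, role:default/team_b, catalog.entity.create, create, deny',
  'g, user:default/bob, role:default/team_a',
  'g, group:default/team_b, role:default/team_b',
  'p, role:default/team_c, catalog-entity, read, permit',
].join('\n');

function lintRbacPolicy(csv: string): Finding[] {
  const findings: Finding[] = [];
  const rolesWithAllow: string[] = [];
  const rolesSeen: { role: string; line: number }[] = [];
  // Remember the first line on which each role is named.
  const noteRole = (role: string, line: number): void => {
    if (!rolesSeen.some(seen => seen.role === role)) rolesSeen.push({ role, line });
  };

  csv.split(/\r?\n/).forEach((raw, index) => {
    const line = index + 1;
    if (raw.trim() === '') return; // blank separator lines are fine
    const fields = raw.split(',').map(field => field.trim());
    if (fields[0] === 'p' && fields.length === 5) {
      const role = fields[1] ?? '';
      const effect = fields[4] ?? '';
      noteRole(role, line);
      if (effect === 'allow') rolesWithAllow.push(role);
      else if (effect !== 'deny') findings.push({ line, message: `unknown effect "${effect}"` });
    } else if (fields[0] === 'g' && fields.length === 3) {
      const member = fields[1] ?? '';
      if (!/^(user|group):/.test(member)) {
        findings.push({ line, message: `member "${member}" is not a user or group` });
      }
      noteRole(fields[2] ?? '', line);
    } else {
      findings.push({ line, message: 'malformed policy line' });
    }
  });

  // The README's NOTE: every role needs at least one policy with the allow effect.
  rolesSeen.forEach(({ role, line }) => {
    if (rolesWithAllow.indexOf(role) === -1) {
      findings.push({ line, message: `${role} has no policy with the allow effect` });
    }
  });
  return findings.sort((a, b) => a.line - b.line);
}
```

Running lintRbacPolicy over the file before pointing policies-csv-file at it catches these cases at review time rather than after a reload.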


You can specify the path to this configuration file in your application configuration:

permission:
  enabled: true
  rbac:
    policies-csv-file: /some/path/rbac-policy.csv

Also, there is an additional configuration value that allows for the reloading of the CSV file without the need to restart.

permission:
  enabled: true
  rbac:
    policies-csv-file: /some/path/rbac-policy.csv
    policyFileReload: true

For more information on the available permissions within Showcase and RHDH, refer to the permissions documentation.

We also apply fairly strict validation to permission policies and roles based on the originating role's source information. For details, refer to the API documentation.

Configuring Database Storage for policies

The RBAC plugin offers the option to store policies in a database. It supports two database storage options:

  • sqlite3: Suitable for development environments.
  • postgres: Recommended for production environments.

Ensure that you have already configured the database backend for your Backstage instance, as the RBAC plugin utilizes the same database configuration.

Optional maximum depth

The RBAC plugin also includes an optional maximum depth feature for organizations with potentially complex group hierarchies. This configuration value ensures that the RBAC plugin stops at a certain depth when building user graphs.

permission:
  enabled: true
  rbac:
    maxDepth: 1

The maxDepth must be greater than 0 to ensure that the graphs are built correctly. Also, the graph will be built with a hierarchy of 1 + maxDepth.