RBAC: Group-Based Permissions Not Applied Correctly in File-Based Permissions Configuration
Closed this issue · 3 comments
Plugin Name
@janus-idp/backstage-plugin-rbac-backend
Description
Issue Description:
When roles are assigned to a group in a file-based permissions setup, the expected permissions are not being applied correctly to users within the group.
Expected behavior
Permissions assigned to a group in the file-based configuration should apply to all users in that group when they log in, without requiring additional manual intervention through the UI.
Actual Behavior with Screenshots
When roles are assigned to a group in a file-based permissions setup, the expected permissions are not being applied correctly to users within the group. Here is an example configuration:
p, role:default/base-role, catalog-entity, read, allow
g, group:default/A-Team, role:default/base-role
In this example, the user default/davor.milutinovic is assigned to the group:default/A-Team in backstage catalog. However, after logging in, the user has no permissions applied.
If the user is added to the list of admin users, the default/base-role can be seen in the RBAC UI. However, when inspecting the details of the role, the group is listed but shows zero members, despite the group having 15 members.
Screenshots:
If a new role (not with same name) is created through the UI and assigned to the same group, the permissions are applied automatically. When reviewing the role details, the group correctly reflects the 15 members.
Additional Information:
If the file-based configuration is modified to assign the role directly to the user rather than the group, the permissions are applied correctly:
p, role:default/base-role, catalog-entity, read, allow
g, user:default/davor.milutinovic, role:default/base-role
Plugin version: "@janus-idp/backstage-plugin-rbac-backend": "^4.10.3",
Backstage version: 1.30.4
Reproduction steps
- Configure the file-based permissions as shown above, assigning a role to a group.
- Assign the user default/davor.milutinovic to the group group:default/A-Team.
- Log in as the user and observe that no permissions are applied.
Provide the context for the Bug.
No response
Have you spent some time to check if this bug has been raised before?
- I checked and didn't find similar issue
Have you read the Code of Conduct?
- I have read the Code of Conduct
Are you willing to submit PR?
None
The issue was caused by the use of uppercase letters in the group name. It seems that group names should only contain lowercase letters to function correctly.
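A check for the cause reported in the comment above, as an added example that is not part of the original thread or of the plugin's code: it scans a file-based policy for `g` rules whose group reference contains uppercase letters and reports the lowercase form. The function name, the `kinds` parameter and the sample policy are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample policy, built from the two rules quoted in the issue.
SAMPLE_POLICY = """\
p, role:default/base-role, catalog-entity, read, allow
g, group:default/A-Team, role:default/base-role
g, user:default/davor.milutinovic, role:default/base-role
# a comment line, ignored by the check
g, group:default/a-team, role:default/base-role
"""


def find_mixed_case_members(policy_text, kinds=("group",)):
    """Return (line_no, ref, lowercase_ref) for every `g` rule whose member
    reference is one of `kinds` and contains uppercase characters.

    `kinds` is a hypothetical parameter: the issue only reports the problem
    for group names, so only group references are checked by default.
    """
    findings = []
    reader = csv.reader(io.StringIO(policy_text), skipinitialspace=True)
    for row in reader:
        fields = [field.strip() for field in row]
        # Only role-assignment rules ("g, <member>, <role>") are relevant.
        if len(fields) < 3 or fields[0] != "g":
            continue
        member = fields[1]
        kind, sep, _ = member.partition(":")
        if not sep or kind.lower() not in kinds:
            continue
        if member != member.lower():
            findings.append((reader.line_num, member, member.lower()))
    return findings


if __name__ == "__main__":
    for line_no, ref, fixed in find_mixed_case_members(SAMPLE_POLICY):
        print(f"line {line_no}: {ref} contains uppercase, use {fixed}")
```

Run against the policy file before deploying it, so a role bound to a mixed-case group name is caught before users end up with no permissions.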
Hi @davormilutinovic, just for reference this plugin doesn't actually exist in this repo.