backstage/community-plugins

๐Ÿš€ RBAC: Evaluation without users in catalog

Opened this issue ยท 1 comments

bcorijn commented

Plugin Name

rbac-backend

๐Ÿ”– Feature description

I am using a proxy auth provider (oauth2-proxy to be specific), where I don't have my users loaded into the catalog and use a custom signInResolver. However, I can validate their identity and their ownerships resolution of any groups deemed relevant through my OIDC client's response and custom signInResolver code. I had hoped I would be able to use RBAC and specify policies that used these ownership references and evaluated them "at-runtime".
However, it looks like RBAC does not really take into account any ownership reference that my user object has.

๐ŸŽค Context

It is not feasible for me in my organization to populate the org-data in the catalog, however I can build the ownerships at sign-in (as suggested in the docs). This does not seem compatible with the RBAC plugin?

โœŒ๏ธ Possible Implementation

From what I understand, currently the plugin always builds a graph from the catalog and relies on that. Would it be doable to look at the current user's ownership references and base decisions off of that too?
Is there any way I can do with conditional policies or does the plugin always rely on the catalog-based graph?

๐Ÿ‘€ Have you spent some time to check if this feature request has been raised before?

  • I checked and didn't find similar issue

๐Ÿข Have you read the Code of Conduct?

Are you willing to submit PR?

No, I don't have time to work on this right now

PatAKnight commented

Hello! and thank you for opening up a feature request for the RBAC backend plugin

This is interesting, I never thought of a scenario where it wouldn't be feasible to populate the catalog with org information.

I need to double check but it does look doable. In handle, whenever we are evaluating for a permission policy, a PolicyQueryUser is passed. This PolicyQueryUser has information on the user and ownership refs through BackstageUserIdentity.

export type PolicyQueryUser = {
    token: string;
    expiresInSeconds?: number;
    identity: BackstageUserIdentity;
    credentials: BackstageCredentials;
    info: BackstageUserInfo;
};

export type BackstageUserIdentity = {
    type: 'user';
    userEntityRef: string;
    ownershipEntityRefs: string[];
};

At this time, I will pass this feature request on over to our PM for review.