
🚀 RBAC: Evaluation without users in catalog #2077

Open
2 tasks done
bcorijn opened this issue Nov 26, 2024 · 1 comment
Assignees
Labels
enhancement New feature or request

Comments

@bcorijn

bcorijn commented Nov 26, 2024

Plugin Name

rbac-backend

🔖 Feature description

I am using a proxy auth provider (oauth2-proxy to be specific), where I don't have my users loaded into the catalog and use a custom signInResolver. However, I can validate their identity and their ownerships resolution of any groups deemed relevant through my OIDC client's response and custom signInResolver code. I had hoped I would be able to use RBAC and specify policies that used these ownership references and evaluated them "at-runtime".
However, it looks like RBAC does not really take into account any ownership reference that my user object has.

🎤 Context

It is not feasible for me in my organization to populate the org-data in the catalog, however I can build the ownerships at sign-in (as suggested in the docs). This does not seem compatible with the RBAC plugin?

✌️ Possible Implementation

From what I understand, currently the plugin always builds a graph from the catalog and relies on that. Would it be doable to look at the current user's ownership references and base decisions off of that too?
Is there any way I can do this with conditional policies, or does the plugin always rely on the catalog-based graph?

👀 Have you spent some time to check if this feature request has been raised before?

  • I checked and didn't find a similar issue

🏢 Have you read the Code of Conduct?

Are you willing to submit PR?

No, I don't have time to work on this right now

@bcorijn bcorijn added the enhancement New feature or request label Nov 26, 2024
@PatAKnight
Contributor

Hello, and thank you for opening a feature request for the RBAC backend plugin.

This is interesting, I never thought of a scenario where it wouldn't be feasible to populate the catalog with org information.

I need to double check, but it does look doable. In `handle`, whenever we are evaluating a permission policy, a `PolicyQueryUser` is passed. This `PolicyQueryUser` has information on the user and ownership refs through `BackstageUserIdentity`.

```ts
export type PolicyQueryUser = {
    token: string;
    expiresInSeconds?: number;
    identity: BackstageUserIdentity;
    credentials: BackstageCredentials;
    info: BackstageUserInfo;
};
export type BackstageUserIdentity = {
    type: 'user';
    userEntityRef: string;
    ownershipEntityRefs: string[];
};
```

At this time, I will pass this feature request on over to our PM for review.
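As an added example (not code from this thread or from the RBAC plugin), here is a minimal permission policy that decides from the `ownershipEntityRefs` carried on `PolicyQueryUser` at sign-in, with no catalog group graph involved. The types are trimmed stand-ins for the Backstage ones, the `handle` signature is assumed to match `PermissionPolicy.handle(request, user?)`, and the permission-to-group table is a constructed sample.

```typescript
// Added example: decide from sign-in-time ownership refs on PolicyQueryUser
// instead of a catalog-derived group graph. Types below are minimal stand-ins
// for the Backstage ones (assumption), kept to the fields this example reads.

type BackstageUserIdentity = {
  type: 'user';
  userEntityRef: string;
  ownershipEntityRefs: string[];
};

type PolicyQueryUser = {
  token: string;
  identity: BackstageUserIdentity;
};

type PolicyQuery = { permission: { name: string } };

enum AuthorizeResult { ALLOW = 'ALLOW', DENY = 'DENY' }

// Constructed sample policy table: which ownership refs may use which permission.
const allowedRefsByPermission: Record<string, string[]> = {
  'catalog.entity.read': ['group:default/team-a', 'group:default/team-b'],
  'catalog.entity.delete': ['group:default/platform-admins'],
};

// Entity refs are compared case-insensitively so that a resolver emitting
// 'group:default/Team-A' still matches the policy entry 'group:default/team-a'.
function normalizeRef(ref: string): string {
  return ref.trim().toLowerCase();
}

// Deny by default: an unknown permission, a missing user (anonymous request),
// or a user whose refs overlap nothing in the table all yield DENY.
function decideFromOwnership(
  request: PolicyQuery,
  user: PolicyQueryUser | undefined,
): AuthorizeResult {
  if (!user) return AuthorizeResult.DENY;
  const allowed = new Set((allowedRefsByPermission[request.permission.name] ?? []).map(normalizeRef));
  const hasMatch = user.identity.ownershipEntityRefs.map(normalizeRef).some(ref => allowed.has(ref));
  return hasMatch ? AuthorizeResult.ALLOW : AuthorizeResult.DENY;
}

// Shape of a PermissionPolicy.handle implementation (assumption) wrapping the decision.
class OwnershipRefPolicy {
  async handle(request: PolicyQuery, user?: PolicyQueryUser): Promise<{ result: AuthorizeResult }> {
    return { result: decideFromOwnership(request, user) };
  }
}
```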

3 participants