[release-1.7] RHIDP-7572 - RBAC: Ability to add plugin(s) with permissions to the plugins configuration for the rbac-backend via the UI or API (#1386)

* RHIDP-7572 - RBAC: Ability to add plugin(s) with permissions to the plugins configuration for the rbac-backend via the UI or API

* Update modules/authorization/proc-enabling-the-rbac-plugin.adoc

Co-authored-by: Oleksandr Andriienko <[email protected]>

---------

Co-authored-by: Gerry-Forde <[email protected]>
Co-authored-by: Oleksandr Andriienko <[email protected]>

Author: 3 people

modules/authorization/proc-enabling-the-rbac-plugin.adoc

@@ -39,9 +39,11 @@ permission:
       users:
         - name: user:default/__<your_policy_administrator_name>__
 ----
-. In order for the {product-short} Web UI to display available permissions provided by installed plugins, add the corresponding plugin IDs to {configuring-book-link}[your custom `{my-app-config-file}` {product-short} configuration file].
+
+. In order to display the available permissions provided by installed plugins in the {product-short} UI, you must supply the corresponding list of plugin IDs. There are two ways to do this, by updating your application configuration or by using the RBAC REST API permissions endpoint.
 +
-To display available permissions in RBAC UI, edit your custom {product-short} ConfigMap, such as `app-config-rhdh`, and add following code to the `{my-app-config-file}` content:
+
+.. To provide plugins by updating your application configuration, you can specify the plugins with permissions in your `{my-app-config-file}` file as follows:
 +
 .`{my-app-config-file}` fragment
 [source,yaml,subs=+quotes]
@@ -58,6 +60,8 @@ permission:
       - permission
 ----
 
+.. To specify the plugins with permissions by using the RBAC REST API permissions endpoint, see the xref:rbac-rest-api-permission-endpoints_{context}[RBAC REST API permissions endpoint].
+
 .Verification
 . Sign out from the existing {product} session and log in again using the declared policy administrator account.
 . With RBAC enabled, most features are disabled by default.

modules/authorization/ref-rbac-rest-api-endpoints.adoc

@@ -559,6 +559,86 @@ Returns permission policies for all static plugins.
 ----
 --
 
+[id='rbac-rest-api-permission-endpoints_{context}']
+[GET] /api/permission/plugins/id::
++
+--
+Returns object with list plugin IDs:
+
+.Example response (JSON)
+[source,json]
+----
+[
+  {
+    "ids": ["catalog", "permission"]
+  }
+]
+----
+--
+
+[POST] /api/permission/plugins/id::
++
+--
+Add more plugins IDs defined in the request object.
+
+Request Parameters: object in JSON format.
+
+.Example request body (JSON)
+[source,json]
+----
+[
+  {
+    "ids": ["scaffolder"]
+  }
+]
+----
+
+Returns a status code of 200 and JSON with actual object stored in the server:
+
+.Example response (JSON)
+[source,json]
+----
+[
+  {
+    "ids": ["catalog", "permission", "scaffolder"]
+  }
+]
+----
+--
+
+[DELETE] /api/permission/plugins/id::
++
+--
+Delete plugins IDs defined in the request object.
+
+Request Parameters: object in JSON format.
+
+.Example request body (JSON)
+[source,json]
+----
+[
+  {
+    "ids": ["scaffolder"]
+  }
+]
+----
+
+Returns a status code of 200 and JSON with actual object stored in the server:
+
+.Example response (JSON)
+[source,json]
+----
+[
+  {
+    "ids": ["catalog", "permission"]
+  }
+]
+----
+--
+
+[NOTE]
+In order to prevent an inconsistent state after a deployment restart, the REST API does not allow deletion of plugin IDs that were provided by using the application configuration. These ID values can only be removed through the configuration file. 
+
 == Conditional policies
 
 The RBAC REST API supports the following endpoints for managing conditional policies in the {product}.