Commit a77bd7f

[1.3.x] RHIDP-3425 3426: RBAC conditional policies in 1.3 (#504)
* RHIDP-3425 3426: RBAC conditional policies in 1.3
* File added in assembly
* fix minor typo
* QE review incorporated
* Incorporated review suggestions
* Incorporated review suggestions
* Review comments
* Review comments incorporated

---------

Co-authored-by: Heena Manwani <[email protected]>
1 parent e2f6419 commit a77bd7f


3 files changed

+225
-0
lines changed


assemblies/assembly-configuring-authorization-in-rhdh.adoc

Lines changed: 3 additions & 0 deletions
@@ -22,6 +22,9 @@ include::modules/admin/con-rbac-conditional-policies-rhdh.adoc[leveloffset=+1]
2222
include::modules/admin/ref-rbac-conditional-policy-definition.adoc[leveloffset=+2]
2323

2424

25+
include::modules/admin/proc-rbac-config-conditional-policy-file.adoc[leveloffset=+2]
26+
27+
2528
include::modules/admin/proc-rbac-ui-manage-roles.adoc[leveloffset=+1]
2629

2730

modules/admin/con-rbac-conditional-policies-rhdh.adoc

Lines changed: 56 additions & 0 deletions
@@ -58,4 +58,60 @@ A conditional object contains the following parameters:
5858
|===
5959
--
6060

61+
Conditional policy aliases::
62+
+
63+
--
64+
The RBAC backend plugin (`backstage-plugin-rbac-backend`) supports the use of aliases in conditional policy rule parameters. The conditional policy aliases are dynamically replaced with the corresponding values during policy evaluation. Each alias in conditional policy is prefixed with a `$` sign indicating its special function.
65+
66+
The supported conditional aliases include:
67+
68+
* `$currentUser`: This alias is replaced with the user entity reference for the user who requests access to the resource. For example, if user Tom from the default namespace requests access, `$currentUser` becomes `user:default/tom`.
69+
+
70+
--
71+
72+
.Example conditional policy object with `$currentUser` alias
73+
[source,json]
74+
----
75+
{
76+
"result": "CONDITIONAL",
77+
"roleEntityRef": "role:default/developer",
78+
"pluginId": "catalog",
79+
"resourceType": "catalog-entity",
80+
"permissionMapping": ["delete"],
81+
"conditions": {
82+
"rule": "IS_ENTITY_OWNER",
83+
"resourceType": "catalog-entity",
84+
"params": {
85+
"claims": ["$currentUser"]
86+
}
87+
}
88+
}
89+
----
90+
--
91+
92+
* `$ownerRefs`: This alias is replaced with ownership references, usually as an array that includes the user entity reference and the user's parent group entity reference. For example, for user Tom from team-a, `$ownerRefs` becomes `['user:default/tom', 'group:default/team-a']`.
93+
+
94+
--
95+
.Example conditional policy object with `$ownerRefs` alias
96+
[source,json]
97+
----
98+
{
99+
"result": "CONDITIONAL",
100+
"roleEntityRef": "role:default/developer",
101+
"pluginId": "catalog",
102+
"resourceType": "catalog-entity",
103+
"permissionMapping": ["delete"],
104+
"conditions": {
105+
"rule": "IS_ENTITY_OWNER",
106+
"resourceType": "catalog-entity",
107+
"params": {
108+
"claims": ["$ownerRefs"]
109+
}
110+
}
111+
}
112+
----
113+
--
114+
--
115+
116+
61117
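Review bot: the `$ownerRefs` description (line 92) is vaguer than the `$currentUser` one and leaves the behaviour of a bad alias unstated. "usually as an array that includes the user entity reference and the user's parent group entity reference" should say what the non-usual case is and whether every group the user belongs to is included when there is more than one, because an `IS_ENTITY_OWNER` check with `$ownerRefs` is exactly as wide as that list. The section should also say what happens when a `claims` value starts with `$` but is not one of the two supported aliases (rejected when the policy is loaded, or passed through as a literal claim that never matches an owner), since the two behaviours give very different effective permissions and an operator needs to know which to expect. Minor: "Each alias in conditional policy" should read "Each alias in a conditional policy", and the inline `['user:default/tom', 'group:default/team-a']` uses single quotes while the surrounding examples are JSON, so writing it as `["user:default/tom", "group:default/team-a"]` would be consistent.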

Lines changed: 166 additions & 0 deletions
@@ -0,0 +1,166 @@
1+
[id='proc-rbac-config-conditional-policy-file_{context}']
2+
= Configuring conditional policies defined in an external file
3+
4+
You can configure and manage conditional policies that are defined in an external file. To define conditional policies, you can directly edit the configuration files and pass them to {product-short}, instead of using the {product-short} web UI or API. You can configure {product-short} to use these files instead of the default files.
5+
6+
.Prerequisites
7+
* You are logged in to your {ocp-short} account using the {ocp-short} web console.
8+
* You have defined roles and associated policies in a CSV file that serves as a basis for creating roles and permissions. Ensure that you mount the CSV file to {product-short}.
9+
+
10+
For more information, see xref:ref-rbac-conditional-policy-definition_title-authorization[] and xref:con-rbac-config-permission-policies-external-file_title-authorization[].
11+
12+
.Procedure
13+
14+
. Define conditional policies in a YAML file, which includes role references, permission mappings, and conditions.
15+
+
16+
--
17+
The following is an example of a YAML file defining conditional policies:
18+
19+
.Example YAML file defining conditional policies
20+
[source,yaml]
21+
----
22+
---
23+
result: CONDITIONAL
24+
roleEntityRef: 'role:default/test'
25+
pluginId: catalog
26+
resourceType: catalog-entity
27+
permissionMapping:
28+
- read
29+
- update
30+
conditions:
31+
rule: IS_ENTITY_OWNER
32+
resourceType: catalog-entity
33+
params:
34+
claims:
35+
- 'group:default/team-a'
36+
- 'group:default/team-b'
37+
---
38+
result: CONDITIONAL
39+
roleEntityRef: 'role:default/test'
40+
pluginId: catalog
41+
resourceType: catalog-entity
42+
permissionMapping:
43+
- delete
44+
conditions:
45+
rule: IS_ENTITY_OWNER
46+
resourceType: catalog-entity
47+
params:
48+
claims:
49+
- 'group:default/team-a'
50+
----
51+
--
52+
. In {ocp-short}, create a ConfigMap to hold the policies as shown in the following example:
53+
+
54+
--
55+
.Example ConfigMap
56+
[source, yaml]
57+
----
58+
kind: ConfigMap
59+
apiVersion: v1
60+
metadata:
61+
name: rbac-conditional-policy
62+
namespace: rhdh
63+
data:
64+
rbac-policy.yaml: |
65+
p, role:default/guests, catalog-entity, read, allow
66+
67+
result: CONDITIONAL
68+
roleEntityRef: 'role:default/test'
69+
pluginId: catalog
70+
resourceType: catalog-entity
71+
permissionMapping:
72+
- read
73+
- update
74+
conditions:
75+
rule: IS_ENTITY_OWNER
76+
resourceType: catalog-entity
77+
params:
78+
claims:
79+
- 'group:default/team-a'
80+
- 'group:default/team-b'
81+
----
82+
--
83+
84+
. Open `app-config.yaml` file and specify the path to `conditionalPoliciesFile` as shown in the following example:
85+
+
86+
--
87+
.Example `app-config.yaml` file
88+
[source,yaml]
89+
----
90+
permission:
91+
enabled: true
92+
rbac:
93+
conditionalPoliciesFile: /some/path/conditional-policies.yaml
94+
----
95+
--
96+
97+
. To enable automatic reloading of the policy file without restarting the application, add the `policyFileReload` option and set it to `true`:
98+
+
99+
--
100+
.Example `app-config.yaml` file
101+
[source,yaml]
102+
----
103+
permission:
104+
enabled: true
105+
rbac:
106+
conditionalPoliciesFile: /some/path/conditional-policies.yaml
107+
policies-csv-file: /some/path/rbac-policy.csv
108+
policyFileReload: true
109+
----
110+
--
111+
112+
. Optional: Define nested conditional policies in the YAML file as needed.
113+
+
114+
--
115+
.Example for nested conditional policies
116+
[source,yaml]
117+
----
118+
{
119+
"result": "CONDITIONAL",
120+
"roleEntityRef": "role:default/developer",
121+
"pluginId": "catalog",
122+
"resourceType": "catalog-entity",
123+
"permissionMapping": ["delete"],
124+
"conditions": {
125+
"allOf": [
126+
{
127+
"anyOf": [
128+
{
129+
"rule": "IS_ENTITY_KIND",
130+
"resourceType": "catalog-entity",
131+
"params": {
132+
"kinds": [
133+
"group"
134+
]
135+
}
136+
},
137+
{
138+
"rule": "IS_ENTITY_OWNER",
139+
"resourceType": "catalog-entity",
140+
"params": {
141+
"claims": [
142+
"$ownerRefs"
143+
]
144+
}
145+
}
146+
]
147+
},
148+
{
149+
"not": {
150+
"rule": "IS_ENTITY_KIND",
151+
"resourceType": "catalog-entity",
152+
"params": {
153+
"kinds": [
154+
"api"
155+
]
156+
}
157+
}
158+
}
159+
]
160+
}
161+
}
162+
----
163+
164+
In the previous example, the `role:default/developer` is granted the condition to delete catalog entities only if they are the entity owner or if the catalog entity belongs to a group. However, this condition does not apply if the catalog entity is an API.
165+
--
166+
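Review bot: the ConfigMap in step 2 puts a CSV policy row and the YAML conditional policy into the same `rbac-policy.yaml` key, which will not load as either format: `p, role:default/guests, catalog-entity, read, allow` is a CSV policy line, and a YAML loader rejects a document that opens with that bare scalar and then continues with `result: CONDITIONAL`. Step 4 itself shows `policies-csv-file` and `conditionalPoliciesFile` as two separate settings, so the example should hold only the conditional policies (or use two data keys), and the key name should match the file name referenced in step 3 (`/some/path/conditional-policies.yaml`); there is also no step that mounts the ConfigMap into the pod at that path, so a reader who follows the procedure as written ends up with a file that {product-short} never reads. Two smaller points: the explanation after the nested example (line 164) says the developer may delete "if the catalog entity belongs to a group", but `IS_ENTITY_KIND` with `"kinds": ["group"]` matches entities whose kind is Group, not entities owned by a group, so it should read "or if the entity is itself a Group"; and that example is labelled as a YAML file but written as JSON, unlike step 1, so either convert it to block YAML or state that JSON flow syntax is accepted. Since step 4 turns on `policyFileReload`, a sentence noting that anyone with write access to this ConfigMap can change authorization decisions live, without a restart, would tell the reader to restrict access to it as tightly as to `app-config.yaml`.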
