diff --git a/assemblies/assembly-configuring-authorization-in-rhdh.adoc b/assemblies/assembly-configuring-authorization-in-rhdh.adoc index 9779347b93..476178fe3a 100644 --- a/assemblies/assembly-configuring-authorization-in-rhdh.adoc +++ b/assemblies/assembly-configuring-authorization-in-rhdh.adoc @@ -27,13 +27,13 @@ To apply RBAC in {product-short}: .. Assign the roles to users and groups -include::modules/authorization/ref-rbac-permission-policies.adoc[leveloffset=+1] +include::modules/authorization/proc-enabling-the-rbac-plugin.adoc[leveloffset=+1] -include::modules/authorization/con-rbac-config-permission-policies.adoc[leveloffset=+2] +include::modules/authorization/ref-rbac-permission-policies.adoc[leveloffset=+1] -include::modules/authorization/con-rbac-config-permission-policies-admin.adoc[leveloffset=+3] +include::modules/authorization/con-rbac-config-permission-policies.adoc[leveloffset=+2] include::modules/authorization/con-rbac-config-permission-policies-external-file.adoc[leveloffset=+3] diff --git a/modules/authorization/con-rbac-config-permission-policies-admin.adoc b/modules/authorization/con-rbac-config-permission-policies-admin.adoc deleted file mode 100644 index 15e8f74adb..0000000000 --- a/modules/authorization/con-rbac-config-permission-policies-admin.adoc +++ /dev/null 
@@ -1,36 +0,0 @@ -[id='con-rbac-config-permission-policies-admin_{context}'] -= Configuration of permission policies administrators - -The permission policies for users and groups in the {product-short} are managed by permission policy administrators. Only permission policy administrators can access the Role-Based Access Control REST API. - -The purpose of configuring policy administrators is to enable a specific, restricted number of authenticated users to access the RBAC REST API. The permission policies are defined in a `policy.csv` file, which is referenced in the `app-config-rhdh` ConfigMap. OpenShift platform administrators or cluster administrators can perform this task with access to the namespace where {product} is deployed. - -You can enable a permission policy administrator by configuring the `app-config.yaml` file as follows: - -[source,yaml] ----- -permission: - enabled: true - rbac: - admin: - users: - - name: user:default/joeuser ----- - -The permission policy role (`role:default/rbac_admin`) is a default role in {product-short} and includes some permissions upon creation, such as creating, reading, updating, and deleting permission policies/roles, as well as reading from the catalog. - -If the default permissions are not adequate for your requirements, you can define a new administrator role tailored to your requirements using relevant permission policies. Alternatively, you can use the optional `superUsers` configuration value, which grants unrestricted permissions across {product-short}. - -You can set the `superUsers` in the `app-config.yaml` file as follows: - -[source,yaml] ----- -# ... -permission: - enabled: true - rbac: - admin: - superUsers: - - name: user:default/joeuser - # ... ----- diff --git a/modules/authorization/proc-enabling-the-rbac-plugin.adoc b/modules/authorization/proc-enabling-the-rbac-plugin.adoc new file mode 100644 index 0000000000..fce9db1e76 --- /dev/null +++ b/modules/authorization/proc-enabling-the-rbac-plugin.adoc 
@@ -0,0 +1,53 @@ +[id='enabling-and-giving-access-to-rbac'] += Enabling and giving access to the Role-Based Access Control (RBAC) feature + +The Role-Based Access Control (RBAC) feature is disabled by default. +Enable the RBAC plugin and declare policy administrators to start using RBAC features. + +The permission policies for users and groups in the {product-short} are managed by permission policy administrators. Only permission policy administrators can access the Role-Based Access Control REST API. + +.Prerequisites +* You have link:{linkadminguide}#assembly-add-custom-app-file-openshift_admin-rhdh[added a custom {product-short} application configuration], and have sufficient permissions to modify it. +* You have link:{authentication-book-title}[enabled an authentication provider]. + +.Procedure +. The RBAC plugin is installed but disabled by default. +To enable the `./dynamic-plugins/dist/janus-idp-backstage-plugin-rbac` plugin, edit your `dynamic-plugins.yaml` with the following content. ++ +.`dynamic-plugins.yaml` fragment +[source,yaml] +---- +plugins: + - package: ./dynamic-plugins/dist/janus-idp-backstage-plugin-rbac + disabled: false +---- ++ +See link:{installing-and-viewing-dynamic-plugins-url}[{installing-and-viewing-dynamic-plugins-title}]. + +. Declare policy administrators to enable a select number of authenticated users to configure RBAC policies through the REST API or Web UI, instead of modifying the CSV file directly. +The permissions can be specified in a separate CSV file referenced in the `app-config-rhdh` ConfigMap, or permissions can be created using the REST API or Web UI. ++ +To declare users such as __ as policy administrators, edit your custom {product-short} ConfigMap, such as `app-config-rhdh`, and add following code to the `app-config-rhdh.yaml` content: ++ +.`app-config.yaml` fragment +[source,yaml,subs=+quotes] +---- +permission: + enabled: true + rbac: + admin: + users: + - name: user:default/____ +---- + +.Verification +. 
Sign out from the existing {product} session and log in again using the declared policy administrator account. +. With RBAC enabled, most features are disabled by default. +.. Navigate to the *Catalog* page in {product-very-short}. +The *Create* button is not visible. +You cannot create new components. +.. Navigate to the API page. +The *Register* button is not visible. + +.Next steps +* Explicitly enable permissions to resources in {product-short}.
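Review bot: In the assembly hunk, the new `proc-enabling-the-rbac-plugin.adoc` is included at `leveloffset=+1` immediately before `ref-rbac-permission-policies.adoc`, also at `+1`, so the procedure becomes a sibling section of the reference rather than the entry point above it; confirm that this ordering is intended and that the `..` list item "Assign the roles to users and groups" in the unchanged context still reads as the last step before the new enabling procedure, since the procedure now also covers declaring policy administrators. The remaining include of `con-rbac-config-permission-policies-external-file.adoc` at `leveloffset=+3` still nests correctly under `con-rbac-config-permission-policies.adoc` at `+2`, so no change is needed there.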
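Review bot: Deleting `con-rbac-config-permission-policies-admin.adoc` drops two pieces of documentation that the new module does not carry over: the description of the default `role:default/rbac_admin` role (that it is granted on creation and includes creating, reading, updating and deleting permission policies and roles, plus reading from the catalog) and the `superUsers` configuration value, including its `app-config.yaml` example and the statement that it grants unrestricted permissions across the product. Unless these are documented elsewhere in the book, move both paragraphs and the `superUsers` YAML fragment into `proc-enabling-the-rbac-plugin.adoc` (for example as a note after the policy-administrator step), since an administrator reading the new procedure would otherwise have no way to learn what permissions `rbac_admin` conveys or that `superUsers` bypasses policy checks entirely.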
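Review bot: The placeholder in the new procedure is empty: the prose reads "To declare users such as __ as policy administrators" and the YAML reads `- name: user:default/____`, so with `subs=+quotes` the rendered text shows no example user name at all. Fill in the intended placeholder, for example `__<your_policy_administrator_name>__` in both places, so the quotes substitution has something to italicize. Two smaller points in the same hunk: the new anchor `[id='enabling-and-giving-access-to-rbac']` lacks the `_{context}` suffix that the deleted module used (`con-rbac-config-permission-policies-admin_{context}`), which will produce duplicate-ID warnings if the assembly is ever included under more than one context; and the step tells the reader to edit `app-config-rhdh.yaml` while the example block is titled `.\`app-config.yaml\` fragment`, so pick one file name for both. Also "add following code" should read "add the following code".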