From 119ac1f8ca2633be6869146b133df703ae2da186 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Wed, 16 Oct 2024 16:11:05 +0200 Subject: [PATCH 01/10] RHIDP-3972 enabling the rbac plugin MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Fabrice Flore-Thébault --- ...bly-configuring-authorization-in-rhdh.adoc | 3 +++ .../proc-enabling-the-rbac-plugin.adoc | 22 +++++++++++++++++++ 2 files changed, 25 insertions(+) create mode 100644 modules/authorization/proc-enabling-the-rbac-plugin.adoc diff --git a/assemblies/assembly-configuring-authorization-in-rhdh.adoc b/assemblies/assembly-configuring-authorization-in-rhdh.adoc index 6089d3cc52..5ed8719f6d 100644 --- a/assemblies/assembly-configuring-authorization-in-rhdh.adoc +++ b/assemblies/assembly-configuring-authorization-in-rhdh.adoc @@ -4,6 +4,9 @@ include::modules/authorization/con-rbac-overview.adoc[leveloffset=+1] +include::modules/authorization/proc-enabling-the-rbac-plugin.adoc[leveloffset=+1] + + include::modules/authorization/ref-rbac-permission-policies.adoc[leveloffset=+1] diff --git a/modules/authorization/proc-enabling-the-rbac-plugin.adoc b/modules/authorization/proc-enabling-the-rbac-plugin.adoc new file mode 100644 index 0000000000..3a1909789f --- /dev/null +++ b/modules/authorization/proc-enabling-the-rbac-plugin.adoc 
@@ -0,0 +1,22 @@ +[id='proc-enabling-rbac_{context}'] += Enabling Role-Based Access Control (RBAC) + +The Role-Based Access Control (RBAC) feature is disabled by default. +Enable the RBAC plugin to start using RBAC features. + +.Prerequisites +* You have link:{linkadminguide}#assembly-add-custom-app-file-openshift_admin-rhdh[added a custom {product-short} application configuration], and have sufficient permissions to modify it. + +.Procedure +* The RBAC plugin is installed but disabled by default. +To enable the `./dynamic-plugins/dist/janus-idp-backstage-plugin-rbac` plugin, edit your `dynamic-plugins.yaml` with following content. ++ +.`dynamic-plugins.yaml` fragment +[source,yaml] +---- +plugins: + - package: ./dynamic-plugins/dist/janus-idp-backstage-plugin-rbac + disabled: false +---- ++ +See link:{installing-and-viewing-dynamic-plugins-url}[{installing-and-viewing-dynamic-plugins-title}]. From 364984eb30a046a329dd0ca9d1f2d3e0cef1d398 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Wed, 16 Oct 2024 16:57:10 +0200 Subject: [PATCH 02/10] RHIDP-3973 configuring policy administrators MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Fabrice Flore-Thébault --- .../proc-enabling-the-rbac-plugin.adoc | 33 +++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/modules/authorization/proc-enabling-the-rbac-plugin.adoc b/modules/authorization/proc-enabling-the-rbac-plugin.adoc index 3a1909789f..d8d9e264d2 100644 --- a/modules/authorization/proc-enabling-the-rbac-plugin.adoc +++ b/modules/authorization/proc-enabling-the-rbac-plugin.adoc 
@@ -1,14 +1,15 @@ [id='proc-enabling-rbac_{context}'] -= Enabling Role-Based Access Control (RBAC) += Enabling and giving access to the Role-Based Access Control (RBAC) feature The Role-Based Access Control (RBAC) feature is disabled by default. Enable the RBAC plugin to start using RBAC features. .Prerequisites * You have link:{linkadminguide}#assembly-add-custom-app-file-openshift_admin-rhdh[added a custom {product-short} application configuration], and have sufficient permissions to modify it. +* You have link:{authentication-book-title}[enabled an authentication provider]. .Procedure -* The RBAC plugin is installed but disabled by default. +. The RBAC plugin is installed but disabled by default. To enable the `./dynamic-plugins/dist/janus-idp-backstage-plugin-rbac` plugin, edit your `dynamic-plugins.yaml` with following content. + .`dynamic-plugins.yaml` fragment 
@@ -20,3 +21,31 @@ plugins: ---- + See link:{installing-and-viewing-dynamic-plugins-url}[{installing-and-viewing-dynamic-plugins-title}]. + +. Declare policy administrators to allow a certain limited number of authenticated users to configure RBAC policies by using the REST API or the Web UI, rather than editing the CSV file. +The actual policies are defined in a separate CSV file and referenced in the app-config-rhdh ConfigMap. ++ +To declare users such as ___ as policy administrators, edit your custom {product-short} ConfigMap, such as `app-config-rhdh`, and add following lines to the `app-config-rhdh.yaml` content: ++ +.`app-config.yaml` fragment +[source,yaml,subs=+quotes] +---- +permission: + enabled: true + rbac: + admin: + users: + - name: user:default/____ +---- + +.Verification +. Sign out from the existing {product} session and log in again using the declared policy administrator account. +. Navigate to the Catalog page in RHDH. +The Create button is not visible. +You are not allowed to create new components. +. Navigate to the API page. +The Register button is not visible. + +.Next steps +* With RBAC enabled, most features are disabled by default. +Explicitly enable permissions to resources in {product-short}. From 586fa6f17b12c32a2d74d2948a06bc868b3fc415 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Wed, 16 Oct 2024 17:03:00 +0200 Subject: [PATCH 03/10] RHIDP-3973 configuring policy administrators MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Fabrice Flore-Thébault --- .../authorization/proc-enabling-the-rbac-plugin.adoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/authorization/proc-enabling-the-rbac-plugin.adoc b/modules/authorization/proc-enabling-the-rbac-plugin.adoc index d8d9e264d2..14f7599977 100644 --- a/modules/authorization/proc-enabling-the-rbac-plugin.adoc 
+++ b/modules/authorization/proc-enabling-the-rbac-plugin.adoc @@ -2,7 +2,7 @@ = Enabling and giving access to the Role-Based Access Control (RBAC) feature The Role-Based Access Control (RBAC) feature is disabled by default. -Enable the RBAC plugin to start using RBAC features. +Enable the RBAC plugin and declare policy administrators to start using RBAC features. .Prerequisites * You have link:{linkadminguide}#assembly-add-custom-app-file-openshift_admin-rhdh[added a custom {product-short} application configuration], and have sufficient permissions to modify it. @@ -40,12 +40,12 @@ permission: .Verification . Sign out from the existing {product} session and log in again using the declared policy administrator account. -. Navigate to the Catalog page in RHDH. +. With RBAC enabled, most features are disabled by default. +.. Navigate to the Catalog page in RHDH. The Create button is not visible. You are not allowed to create new components. -. Navigate to the API page. +.. Navigate to the API page. The Register button is not visible. .Next steps -* With RBAC enabled, most features are disabled by default. -Explicitly enable permissions to resources in {product-short}. +* Explicitly enable permissions to resources in {product-short}. From cc6177e006557c573eb4e4739cb62eaccc745914 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Wed, 16 Oct 2024 17:09:33 +0200 Subject: [PATCH 04/10] RHIDP-3973 configuring policy administrators MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Fabrice Flore-Thébault --- ...rbac-config-permission-policies-admin.adoc | 36 ------------------- .../proc-enabling-the-rbac-plugin.adoc | 2 ++ 2 files changed, 2 insertions(+), 36 deletions(-) delete mode 100644 modules/authorization/con-rbac-config-permission-policies-admin.adoc 
diff --git a/modules/authorization/con-rbac-config-permission-policies-admin.adoc b/modules/authorization/con-rbac-config-permission-policies-admin.adoc deleted file mode 100644 index 15e8f74adb..0000000000 --- a/modules/authorization/con-rbac-config-permission-policies-admin.adoc +++ /dev/null 
@@ -1,36 +0,0 @@ -[id='con-rbac-config-permission-policies-admin_{context}'] -= Configuration of permission policies administrators - -The permission policies for users and groups in the {product-short} are managed by permission policy administrators. Only permission policy administrators can access the Role-Based Access Control REST API. - -The purpose of configuring policy administrators is to enable a specific, restricted number of authenticated users to access the RBAC REST API. The permission policies are defined in a `policy.csv` file, which is referenced in the `app-config-rhdh` ConfigMap. OpenShift platform administrators or cluster administrators can perform this task with access to the namespace where {product} is deployed. - -You can enable a permission policy administrator by configuring the `app-config.yaml` file as follows: - -[source,yaml] ----- -permission: - enabled: true - rbac: - admin: - users: - - name: user:default/joeuser ----- - -The permission policy role (`role:default/rbac_admin`) is a default role in {product-short} and includes some permissions upon creation, such as creating, reading, updating, and deleting permission policies/roles, as well as reading from the catalog. - -If the default permissions are not adequate for your requirements, you can define a new administrator role tailored to your requirements using relevant permission policies. Alternatively, you can use the optional `superUsers` configuration value, which grants unrestricted permissions across {product-short}. - -You can set the `superUsers` in the `app-config.yaml` file as follows: - -[source,yaml] ----- -# ... -permission: - enabled: true - rbac: - admin: - superUsers: - - name: user:default/joeuser - # ... ----- diff --git a/modules/authorization/proc-enabling-the-rbac-plugin.adoc b/modules/authorization/proc-enabling-the-rbac-plugin.adoc index 14f7599977..663ae96a26 100644 --- a/modules/authorization/proc-enabling-the-rbac-plugin.adoc 
+++ b/modules/authorization/proc-enabling-the-rbac-plugin.adoc @@ -4,6 +4,8 @@ The Role-Based Access Control (RBAC) feature is disabled by default. Enable the RBAC plugin and declare policy administrators to start using RBAC features. +The permission policies for users and groups in the {product-short} are managed by permission policy administrators. Only permission policy administrators can access the Role-Based Access Control REST API. + .Prerequisites * You have link:{linkadminguide}#assembly-add-custom-app-file-openshift_admin-rhdh[added a custom {product-short} application configuration], and have sufficient permissions to modify it. * You have link:{authentication-book-title}[enabled an authentication provider]. From 5e261860d50ca17a57b02c41fb8f35b4c8242a7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Wed, 16 Oct 2024 17:09:43 +0200 Subject: [PATCH 05/10] RHIDP-3973 configuring policy administrators MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Fabrice Flore-Thébault --- assemblies/assembly-configuring-authorization-in-rhdh.adoc | 3 --- 1 file changed, 3 deletions(-) diff --git a/assemblies/assembly-configuring-authorization-in-rhdh.adoc b/assemblies/assembly-configuring-authorization-in-rhdh.adoc index 5ed8719f6d..62f8dcde54 100644 --- a/assemblies/assembly-configuring-authorization-in-rhdh.adoc +++ b/assemblies/assembly-configuring-authorization-in-rhdh.adoc @@ -13,9 +13,6 @@ include::modules/authorization/ref-rbac-permission-policies.adoc[leveloffset=+1] include::modules/authorization/con-rbac-config-permission-policies.adoc[leveloffset=+2] -include::modules/authorization/con-rbac-config-permission-policies-admin.adoc[leveloffset=+3] - - include::modules/authorization/con-rbac-config-permission-policies-external-file.adoc[leveloffset=+3] include::modules/authorization/proc-mounting-the-policy-csv-file-using-the-operator.adoc[leveloffset=+4] 
From d1da68a0a474adaae53199a5e7fd31267da9437a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Wed, 16 Oct 2024 17:27:14 +0200 Subject: [PATCH 06/10] Update modules/authorization/proc-enabling-the-rbac-plugin.adoc --- modules/authorization/proc-enabling-the-rbac-plugin.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/authorization/proc-enabling-the-rbac-plugin.adoc b/modules/authorization/proc-enabling-the-rbac-plugin.adoc index 663ae96a26..79884779a9 100644 --- a/modules/authorization/proc-enabling-the-rbac-plugin.adoc +++ b/modules/authorization/proc-enabling-the-rbac-plugin.adoc @@ -1,4 +1,4 @@ -[id='proc-enabling-rbac_{context}'] +[id='enabling-and-giving-access-to-rbac'] = Enabling and giving access to the Role-Based Access Control (RBAC) feature The Role-Based Access Control (RBAC) feature is disabled by default. From a77defcf538a0c1aff583529366132500153cd13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Thu, 17 Oct 2024 13:58:56 +0200 Subject: [PATCH 07/10] Update modules/authorization/proc-enabling-the-rbac-plugin.adoc Co-authored-by: Dominika Zemanovicova <36102317+dzemanov@users.noreply.github.com> --- modules/authorization/proc-enabling-the-rbac-plugin.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/authorization/proc-enabling-the-rbac-plugin.adoc b/modules/authorization/proc-enabling-the-rbac-plugin.adoc index 79884779a9..ccb31f9010 100644 --- a/modules/authorization/proc-enabling-the-rbac-plugin.adoc +++ b/modules/authorization/proc-enabling-the-rbac-plugin.adoc 
@@ -25,7 +25,7 @@ plugins: See link:{installing-and-viewing-dynamic-plugins-url}[{installing-and-viewing-dynamic-plugins-title}]. . Declare policy administrators to allow a certain limited number of authenticated users to configure RBAC policies by using the REST API or the Web UI, rather than editing the CSV file. -The actual policies are defined in a separate CSV file and referenced in the app-config-rhdh ConfigMap. +The permissions can be defined in a separate CSV file that is referenced in the app-config-rhdh ConfigMap, or they can be created via REST API or Web UI. + To declare users such as ___ as policy administrators, edit your custom {product-short} ConfigMap, such as `app-config-rhdh`, and add following lines to the `app-config-rhdh.yaml` content: + From 74fb39c420b95493348a216b603fd1fb44e1f072 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Tue, 22 Oct 2024 14:27:44 +0200 Subject: [PATCH 08/10] Apply suggestions from code review Co-authored-by: jmagak <124673476+jmagak@users.noreply.github.com> --- modules/authorization/proc-enabling-the-rbac-plugin.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/authorization/proc-enabling-the-rbac-plugin.adoc b/modules/authorization/proc-enabling-the-rbac-plugin.adoc index ccb31f9010..ee0148fc22 100644 --- a/modules/authorization/proc-enabling-the-rbac-plugin.adoc +++ b/modules/authorization/proc-enabling-the-rbac-plugin.adoc 
@@ -27,7 +27,7 @@ See link:{installing-and-viewing-dynamic-plugins-url}[{installing-and-viewing-dy . Declare policy administrators to allow a certain limited number of authenticated users to configure RBAC policies by using the REST API or the Web UI, rather than editing the CSV file. The permissions can be defined in a separate CSV file that is referenced in the app-config-rhdh ConfigMap, or they can be created via REST API or Web UI. + -To declare users such as ___ as policy administrators, edit your custom {product-short} ConfigMap, such as `app-config-rhdh`, and add following lines to the `app-config-rhdh.yaml` content: +To declare users such as __ as policy administrators, edit your custom {product-short} ConfigMap, such as `app-config-rhdh`, and add following lines to the `app-config-rhdh.yaml` content: + .`app-config.yaml` fragment [source,yaml,subs=+quotes] @@ -43,7 +43,7 @@ permission: .Verification . Sign out from the existing {product} session and log in again using the declared policy administrator account. . With RBAC enabled, most features are disabled by default. -.. Navigate to the Catalog page in RHDH. +.. Navigate to the Catalog page in {product-very-short}. The Create button is not visible. You are not allowed to create new components. .. Navigate to the API page. From 7044b7202cfd426b246b2e6b36bde577301ab58b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Tue, 22 Oct 2024 14:28:33 +0200 Subject: [PATCH 09/10] Update modules/authorization/proc-enabling-the-rbac-plugin.adoc --- modules/authorization/proc-enabling-the-rbac-plugin.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/authorization/proc-enabling-the-rbac-plugin.adoc b/modules/authorization/proc-enabling-the-rbac-plugin.adoc index ee0148fc22..350be3573e 100644 --- a/modules/authorization/proc-enabling-the-rbac-plugin.adoc +++ b/modules/authorization/proc-enabling-the-rbac-plugin.adoc 
@@ -45,7 +45,7 @@ permission: . With RBAC enabled, most features are disabled by default. .. Navigate to the Catalog page in {product-very-short}. The Create button is not visible. -You are not allowed to create new components. +You cannot create new components. .. Navigate to the API page. The Register button is not visible. From 63ba4ce4e6521d9ecef6b1e521f359ba0ccc3ba6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Thu, 24 Oct 2024 04:58:37 +0200 Subject: [PATCH 10/10] Apply suggestions from code review Co-authored-by: Heena Manwani <59050394+hmanwani-rh@users.noreply.github.com> --- .../proc-enabling-the-rbac-plugin.adoc | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/modules/authorization/proc-enabling-the-rbac-plugin.adoc b/modules/authorization/proc-enabling-the-rbac-plugin.adoc index 350be3573e..fce9db1e76 100644 --- a/modules/authorization/proc-enabling-the-rbac-plugin.adoc +++ b/modules/authorization/proc-enabling-the-rbac-plugin.adoc @@ -12,7 +12,7 @@ The permission policies for users and groups in the {product-short} are managed .Procedure . The RBAC plugin is installed but disabled by default. -To enable the `./dynamic-plugins/dist/janus-idp-backstage-plugin-rbac` plugin, edit your `dynamic-plugins.yaml` with following content. +To enable the `./dynamic-plugins/dist/janus-idp-backstage-plugin-rbac` plugin, edit your `dynamic-plugins.yaml` with the following content. + .`dynamic-plugins.yaml` fragment [source,yaml] 
@@ -24,10 +24,10 @@ plugins: + See link:{installing-and-viewing-dynamic-plugins-url}[{installing-and-viewing-dynamic-plugins-title}]. -. Declare policy administrators to allow a certain limited number of authenticated users to configure RBAC policies by using the REST API or the Web UI, rather than editing the CSV file. -The permissions can be defined in a separate CSV file that is referenced in the app-config-rhdh ConfigMap, or they can be created via REST API or Web UI. +. Declare policy administrators to enable a select number of authenticated users to configure RBAC policies through the REST API or Web UI, instead of modifying the CSV file directly. +The permissions can be specified in a separate CSV file referenced in the `app-config-rhdh` ConfigMap, or permissions can be created using the REST API or Web UI. + -To declare users such as __ as policy administrators, edit your custom {product-short} ConfigMap, such as `app-config-rhdh`, and add following lines to the `app-config-rhdh.yaml` content: +To declare users such as __ as policy administrators, edit your custom {product-short} ConfigMap, such as `app-config-rhdh`, and add following code to the `app-config-rhdh.yaml` content: + .`app-config.yaml` fragment [source,yaml,subs=+quotes] @@ -43,11 +43,11 @@ permission: .Verification . Sign out from the existing {product} session and log in again using the declared policy administrator account. . With RBAC enabled, most features are disabled by default. -.. Navigate to the Catalog page in {product-very-short}. -The Create button is not visible. +.. Navigate to the *Catalog* page in {product-very-short}. +The *Create* button is not visible. You cannot create new components. .. Navigate to the API page. -The Register button is not visible. +The *Register* button is not visible. .Next steps * Explicitly enable permissions to resources in {product-short}.
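Review bot: In the new-file hunk of PATCH 01 (`proc-enabling-the-rbac-plugin.adoc`), the single step under `.Procedure` is written as an unordered `*` bullet, while procedure modules in this series use ordered `.` steps (PATCH 02 later has to rewrite the same line as `. The RBAC plugin is installed but disabled by default.`); start with the ordered form so the follow-up churn is avoided. The same hunk has "edit your `dynamic-plugins.yaml` with following content", which only gets its missing "the" in PATCH 10; fix the wording in the commit that introduces it.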
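Review bot: In the `@@ -20,3 +21,31 @@` hunk of PATCH 02, the step text describes only declaring administrators, but the fragment also sets `permission: enabled: true`, which is the switch that turns the permission framework on for the whole instance and is what makes the Verification steps (hidden Create and Register buttons) deny-by-default for everyone, administrators included. State explicitly that `enabled: true` is required and that, once set, every permission not granted by a policy is denied, otherwise a reader who copies only the `admin.users` part will not get the described behaviour. The placeholders `users such as ___` and `- name: user:default/____` are unfinished; the module deleted in PATCH 04 used a concrete `user:default/joeuser`, and with `subs=+quotes` an underscore run risks being rendered as emphasis rather than as a blank. Also, the block title says `.app-config.yaml fragment` while the sentence above it names `app-config-rhdh.yaml`; use one name.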
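Review bot: The deletion hunk of PATCH 04 (`con-rbac-config-permission-policies-admin.adoc`, `@@ -1,36 +0,0 @@`) removes the only description of what the default `role:default/rbac_admin` role grants (creating, reading, updating and deleting permission policies and roles, plus reading from the catalog) and the entire `superUsers` configuration, which the deleted text says "grants unrestricted permissions across {product-short}". Only the first sentence ("The permission policies for users and groups ... are managed by permission policy administrators. Only permission policy administrators can access the Role-Based Access Control REST API.") is carried over into `proc-enabling-the-rbac-plugin.adoc`. Before deleting the module, move the `rbac_admin` scope and the `superUsers` option into a retained module, and keep the distinction visible to readers: `admin.users` gets a bounded policy-administration role, whereas `superUsers` bypasses the policy set entirely and should be documented as the exception, not the default.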
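Review bot: PATCH 04 deletes `modules/authorization/con-rbac-config-permission-policies-admin.adoc`, but the assembly hunk that drops `include::modules/authorization/con-rbac-config-permission-policies-admin.adoc[leveloffset=+3]` is in PATCH 05, so the documentation build is broken at the intermediate commit (the include points at a file that no longer exists). Squash PATCH 05 into PATCH 04 so every commit in the series builds.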
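Review bot: In the `@@ -1,4 +1,4 @@` hunk of PATCH 06, `-[id='proc-enabling-rbac_{context}']` / `+[id='enabling-and-giving-access-to-rbac']` drops the `_{context}` suffix that the other module ids in this series keep (for example `con-rbac-config-permission-policies-admin_{context}`). Without the context attribute the module produces the same id wherever it is included, so including it from a second assembly yields a duplicate anchor. Keep the suffix unless a fixed id is needed for an external cross-reference, and if so, say that in the commit message, which currently only reads "Update modules/authorization/proc-enabling-the-rbac-plugin.adoc".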
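Review bot: In the `.Verification` hunk of PATCH 10 (`@@ -43,11 +43,11 @@`), both checks are negative (`The *Create* button is not visible.`, `The *Register* button is not visible.`), and both also hold for an account that was never declared as a policy administrator, since RBAC denies everything by default once enabled. The verification therefore cannot distinguish a misspelt `user:default/...` entry from a working configuration. Add a positive check for the declared account, such as confirming it can reach the RBAC administration UI or call the RBAC REST API that the module says only policy administrators can access, and note that any non-administrator account should be refused the same access.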