diff --git a/assemblies/assembly-configuring-authorization-in-rhdh.adoc b/assemblies/assembly-configuring-authorization-in-rhdh.adoc
index 73e4daada3..217a146e57 100644
--- a/assemblies/assembly-configuring-authorization-in-rhdh.adoc
+++ b/assemblies/assembly-configuring-authorization-in-rhdh.adoc
@@ -41,6 +41,9 @@ include::assembly-managing-authorizations-by-using-the-rest-api.adoc[leveloffset
 include::assembly-managing-authorizations-by-using-external-files.adoc[leveloffset=+1]
+include::assembly-configuring-guest-access-with-rbac-ui.adoc[leveloffset=+1]
+
+
 include::modules/authorization/ref-rbac-permission-policies.adoc[leveloffset=+1]
diff --git a/assemblies/assembly-configuring-guest-access-with-rbac-ui.adoc b/assemblies/assembly-configuring-guest-access-with-rbac-ui.adoc
new file mode 100644
index 0000000000..ed01bbe3b0
--- /dev/null
+++ b/assemblies/assembly-configuring-guest-access-with-rbac-ui.adoc
@@ -0,0 +1,13 @@
+[id="configuring-guest-access-with-rbac-ui_{context}"]
+= Configuring guest access with RBAC UI
+
+Use guest access with the role-based access control (RBAC) front-end plugin to allow a user to test role and policy creation without the need to set up and configure an authentication provider.
+
+[NOTE]
+====
+Guest access is not recommended for production.
+====
+
+include::modules/authorization/proc-configuring-the-RBAC-backend-plugin.adoc[leveloffset=+1]
+
+include::modules/authorization/proc-setting-up-the-guest-authentication-provider.adoc[leveloffset=+1]
diff --git a/modules/authorization/proc-configuring-the-RBAC-backend-plugin.adoc b/modules/authorization/proc-configuring-the-RBAC-backend-plugin.adoc
new file mode 100644
index 0000000000..c30f2701ee
--- /dev/null
+++ b/modules/authorization/proc-configuring-the-RBAC-backend-plugin.adoc
@@ -0,0 +1,29 @@
+[id="configuring-the-rbac-backend-plugin_{context}"]
+= Configuring the RBAC backend plugin
+
+You can configure the RBAC backend plugin by updating the `app-config.yaml` file to enable the permission framework.
+
+.Prerequisites
+* You have installed the `@janus-idp/backstage-plugin-rbac` plugin in {product-short}. For more information, see link:{plugins-configure-book-url}[{plugins-configure-book-title}].
+
+.Procedure
+* Update the `app-config.yaml` file to enable the permission framework as shown:
+
+[source,yaml,subs=+quotes]
+----
+permission
+ enabled: true
+ rbac:
+ admin:
+ users:
+ - name: user:default/guest
+ pluginsWithPermission:
+ - catalog
+ - permission
+ - scaffolder
+----
+
+[NOTE]
+====
+The `pluginsWithPermission` section of the `app-config.yaml` section includes only three plugins by default. Update the section as needed to include any additional plugins that also incorporate permissions.
+====
diff --git a/modules/authorization/proc-setting-up-the-guest-authentication-provider.adoc b/modules/authorization/proc-setting-up-the-guest-authentication-provider.adoc
new file mode 100644
index 0000000000..19b5de4092
--- /dev/null
+++ b/modules/authorization/proc-setting-up-the-guest-authentication-provider.adoc
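Review bot: The YAML example in proc-configuring-the-RBAC-backend-plugin.adoc opens with `permission` without a trailing colon, so the snippet will not load as the `permission` mapping the procedure describes; the first line of the listing should read `permission:`. The same example makes `user:default/guest` an RBAC administrator, and this module carries no warning of its own, so a reader who reaches it outside the guest-access assembly does not see that the setup is for testing only. I would add a sentence before the listing such as `This example grants RBAC administrator rights to the shared guest user; use it only in a test instance.` In the closing NOTE, "section of the `app-config.yaml` section" presumably should read "section of the `app-config.yaml` file".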
@@ -0,0 +1,26 @@
+[id="setting-up-the-guest-authentication-provider_{context}"]
+= Setting up the guest authentication provider
+
+You can enable guest authentication and use it alongside the RBAC frontend plugin.
+
+.Prerequisites
+* You have installed the `@janus-idp/backstage-plugin-rbac` plugin in {product-short}. For more information, see link:{plugins-configure-book-url}[{plugins-configure-book-title}].
+
+.Procedure
+
+* In the `app-config.yaml` file, add the user entity reference to resolve and enable the `dangerouslyAllowOutsideDevelopment` option, as shown in the following example:
+
+[source,yaml,subs="+attributes,+quotes"]
+----
+auth:
+ environment: development
+ providers:
+ guest:
+ userEntityRef: user:default/guest
+ dangerouslyAllowOutsideDevelopment: true
+----
+
+[NOTE]
+====
+You can use `user:default/guest` as the user entity reference to match the added user under the `permission.rbac.admin.users` section of the `app-config.yaml` file.
+====
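Review bot: The procedure has the reader set `dangerouslyAllowOutsideDevelopment: true` without saying what it permits: guest sign-in stays available when the instance is not running in development mode, and no credentials are checked. Combined with the `permission.rbac.admin.users` entry that the closing NOTE refers to, every visitor who can reach the instance then acts as an RBAC administrator. The "not recommended for production" note lives only in the parent assembly, so I would repeat it in this module as a `[WARNING]` block after the listing, stating that this option and the guest admin entry must be removed before the instance is exposed to other users. The example also sets `environment: development` under `auth`; a sentence on whether both settings are required would help readers avoid enabling more than they need.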