From b95b3f788e98812bc0a0491c3249e371aba10b12 Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Tue, 4 Feb 2025 19:59:58 +0100
Subject: [PATCH 1/5] Updates the setting up RBAC permission
---
 ...bly-configuring-authorization-in-rhdh.adoc | 3 ++
 ...guest-access-for-rbac-frontend-plugin.adoc | 46 +++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc
diff --git a/assemblies/assembly-configuring-authorization-in-rhdh.adoc b/assemblies/assembly-configuring-authorization-in-rhdh.adoc
index 73e4daada3..c157b2b700 100644
--- a/assemblies/assembly-configuring-authorization-in-rhdh.adoc
+++ b/assemblies/assembly-configuring-authorization-in-rhdh.adoc
@@ -29,6 +29,9 @@ To define authorizations in {product-short}: include::modules/authorization/proc-enabling-the-rbac-plugin.adoc[leveloffset=+1] +include::modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc[leveloffset=+2] + + include::modules/authorization/proc-determining-permission-policy-and-role-configuration-source.adoc[leveloffset=+1]
diff --git a/modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc b/modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc
new file mode 100644
index 0000000000..4f976f0923
--- /dev/null
+++ b/modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc
@@ -0,0 +1,46 @@
+[id="enabling-guest-access-for-the-rbac-frontend-plugin_{context}"]
+= Enabling guest access for the RBAC frontend plugin
+
+Use guest access for the Role-Based Access Control (RBAC) frontend plugin to test and develop, except in production. To enable the guest access for the RBAC frontend, configure the backend plugin and set up the guest authentication provider.
+
+.Prerequisites
+* You have installed the `@janus-idp/backstage-plugin-rbac` plugin in {product-short}. For more information, see link:{plugins-configure-book-url}[{plugins-configure-book-title}].
+
+== Configuring the RBAC backend plugin
+
+Update the `app-config.yaml` to enable the permission framework, include the user `user:default/guest` in the admin users section, and ensure that the plugins with permissions appear in the UI as shown:
+
+[source,yaml,subs=+quotes]
+----
+permission
+ enabled: true
+ rbac:
+ admin:
+ users:
+ - name: user:default/guest
+ pluginsWithPermission:
+ - catalog
+ - permission
+ - scaffolder
+----
+
+[NOTE]
+====
+The `pluginsWithPermission` section includes only three plugins. Update the section as needed to include any additional plugins that also incorporate permissions.
+====
+
+== Setting up the guest authentication provider
+
+To enable guest authentication and to use it alongside the RBAC frontend plugin, update the `app-config.yaml`. Add the user entity reference to resolve and enable the `dangerouslyAllowOutsideDevelopment` option, as shown in the following example:
+
+[source,yaml,subs="+attributes,+quotes"]
+----
+auth:
+ environment: development
+ providers:
+ guest:
+ userEntityRef: user:default/guest
+ dangerouslyAllowOutsideDevelopment: true
+----
+
+You can use `user:default/guest` as the user entity reference to match the added user under the `permission.rbac.admin.users` section of the `app-config.yaml`.
From ef6eac1b5af946b34d5a7f6f8fa87b67ad9cd9b4 Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Wed, 5 Feb 2025 23:53:07 +0100
Subject: [PATCH 2/5] Update the setting up RBAC permission
---
 ...bly-configuring-authorization-in-rhdh.adoc | 2 --
 ...guest-access-for-rbac-frontend-plugin.adoc | 22 ++++++++++++++-----
 2 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/assemblies/assembly-configuring-authorization-in-rhdh.adoc b/assemblies/assembly-configuring-authorization-in-rhdh.adoc
index c157b2b700..521a2d0aab 100644
--- a/assemblies/assembly-configuring-authorization-in-rhdh.adoc
+++ b/assemblies/assembly-configuring-authorization-in-rhdh.adoc
@@ -28,10 +28,8 @@ To define authorizations in {product-short}: include::modules/authorization/proc-enabling-the-rbac-plugin.adoc[leveloffset=+1] - include::modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc[leveloffset=+2] - include::modules/authorization/proc-determining-permission-policy-and-role-configuration-source.adoc[leveloffset=+1]
diff --git a/modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc b/modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc
index 4f976f0923..24c930d4c3 100644
--- a/modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc
+++ b/modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc
@@ -6,9 +6,11 @@ Use guest access for the Role-Based Access Control (RBAC) frontend plugin to tes
 .Prerequisites
 * You have installed the `@janus-idp/backstage-plugin-rbac` plugin in {product-short}. For more information, see link:{plugins-configure-book-url}[{plugins-configure-book-title}].
 
-== Configuring the RBAC backend plugin
+.Procedure
 
-Update the `app-config.yaml` to enable the permission framework, include the user `user:default/guest` in the admin users section, and ensure that the plugins with permissions appear in the UI as shown:
+To configure the RBAC backend plugin, complete the following steps:
+
+Update the `app-config.yaml` file to enable the permission framework as shown:
 
 [source,yaml,subs=+quotes]
 ----
@@ -26,12 +28,16 @@ permission
 
 [NOTE]
 ====
-The `pluginsWithPermission` section includes only three plugins. Update the section as needed to include any additional plugins that also incorporate permissions.
+The `pluginsWithPermission` section of the `app-config.yaml` section includes only three plugins by default. Update the section as needed to include any additional plugins that also incorporate permissions.
 ====
 
 == Setting up the guest authentication provider
 
-To enable guest authentication and to use it alongside the RBAC frontend plugin, update the `app-config.yaml`. Add the user entity reference to resolve and enable the `dangerouslyAllowOutsideDevelopment` option, as shown in the following example:
+.Procedure
+
+To enable guest authentication and to use it alongside the RBAC frontend plugin, complete the following step:
+
+* In the `app-config.yaml` file, add the user entity reference to resolve and enable the `dangerouslyAllowOutsideDevelopment` option, as shown in the following example:
 
 [source,yaml,subs="+attributes,+quotes"]
 ----
@@ -43,4 +49,10 @@ auth:
 dangerouslyAllowOutsideDevelopment: true
 ----
 
-You can use `user:default/guest` as the user entity reference to match the added user under the `permission.rbac.admin.users` section of the `app-config.yaml`.
+[NOTE]
+====
+You can use `user:default/guest` as the user entity reference to match the added user under the `permission.rbac.admin.users` section of the `app-config.yaml` file.
+====
+
+
+
From f3372d2c74e67393c14af501083b476ab1ea9e33 Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Wed, 19 Feb 2025 18:57:38 +0100
Subject: [PATCH 3/5] Update the setting up RBAC permission
---
 ...bly-configuring-authorization-in-rhdh.adoc | 1 -
 ...configuring-guest-access-with-rbac-ui.adoc | 9 +++
 ...c-configuring-the-RBAC-backend-plugin.adoc | 29 ++++++++++
 ...guest-access-for-rbac-frontend-plugin.adoc | 58 -------------------
 ...-up-the-guest-authentication-provider.adoc | 26 +++++++++
 5 files changed, 64 insertions(+), 59 deletions(-)
 create mode 100644 assemblies/assembly-configuring-guest-access-with-rbac-ui.adoc
 create mode 100644 modules/authorization/proc-configuring-the-RBAC-backend-plugin.adoc
 delete mode 100644 modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc
 create mode 100644 modules/authorization/proc-setting-up-the-guest-authentication-provider.adoc
diff --git a/assemblies/assembly-configuring-authorization-in-rhdh.adoc b/assemblies/assembly-configuring-authorization-in-rhdh.adoc
index 521a2d0aab..73e4daada3 100644
--- a/assemblies/assembly-configuring-authorization-in-rhdh.adoc
+++ b/assemblies/assembly-configuring-authorization-in-rhdh.adoc
@@ -28,7 +28,6 @@ To define authorizations in {product-short}: include::modules/authorization/proc-enabling-the-rbac-plugin.adoc[leveloffset=+1] -include::modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc[leveloffset=+2] include::modules/authorization/proc-determining-permission-policy-and-role-configuration-source.adoc[leveloffset=+1]
diff --git a/assemblies/assembly-configuring-guest-access-with-rbac-ui.adoc b/assemblies/assembly-configuring-guest-access-with-rbac-ui.adoc
new file mode 100644
index 0000000000..1ce6094574
--- /dev/null
+++ b/assemblies/assembly-configuring-guest-access-with-rbac-ui.adoc
@@ -0,0 +1,9 @@
+[id="configuring-guest-access-with-rbac-ui_{context}"]
+= Configuring guest access with RBAC UI
+
+Use guest access for the Role-Based Access Control (RBAC) frontend plugin only during initial testing and development, and not for production. To enable the guest access for the RBAC frontend, configure the backend plugin and set up the guest authentication provider.
+
+
+include::modules/authorization/proc-configuring-the-RBAC-backend-plugin.adoc[leveloffset=+1]
+
+include::modules/authorization/proc-setting-up-the-guest-authentication-provider.adoc[leveloffset=+1]
diff --git a/modules/authorization/proc-configuring-the-RBAC-backend-plugin.adoc b/modules/authorization/proc-configuring-the-RBAC-backend-plugin.adoc
new file mode 100644
index 0000000000..c30f2701ee
--- /dev/null
+++ b/modules/authorization/proc-configuring-the-RBAC-backend-plugin.adoc
@@ -0,0 +1,29 @@
+[id="configuring-the-rbac-backend-plugin_{context}"]
+= Configuring the RBAC backend plugin
+
+You can configure the RBAC backend plugin by updating the `app-config.yaml` file to enable the permission framework.
+
+.Prerequisites
+* You have installed the `@janus-idp/backstage-plugin-rbac` plugin in {product-short}. For more information, see link:{plugins-configure-book-url}[{plugins-configure-book-title}].
+
+.Procedure
+* Update the `app-config.yaml` file to enable the permission framework as shown:
+
+[source,yaml,subs=+quotes]
+----
+permission
+ enabled: true
+ rbac:
+ admin:
+ users:
+ - name: user:default/guest
+ pluginsWithPermission:
+ - catalog
+ - permission
+ - scaffolder
+----
+
+[NOTE]
+====
+The `pluginsWithPermission` section of the `app-config.yaml` section includes only three plugins by default. Update the section as needed to include any additional plugins that also incorporate permissions.
+====
diff --git a/modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc b/modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc
deleted file mode 100644
index 24c930d4c3..0000000000
--- a/modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc
+++ /dev/null
@@ -1,58 +0,0 @@
-[id="enabling-guest-access-for-the-rbac-frontend-plugin_{context}"]
-= Enabling guest access for the RBAC frontend plugin
-
-Use guest access for the Role-Based Access Control (RBAC) frontend plugin to test and develop, except in production. To enable the guest access for the RBAC frontend, configure the backend plugin and set up the guest authentication provider.
-
-.Prerequisites
-* You have installed the `@janus-idp/backstage-plugin-rbac` plugin in {product-short}. For more information, see link:{plugins-configure-book-url}[{plugins-configure-book-title}].
-
-.Procedure
-
-To configure the RBAC backend plugin, complete the following steps:
-
-Update the `app-config.yaml` file to enable the permission framework as shown:
-
-[source,yaml,subs=+quotes]
-----
-permission
- enabled: true
- rbac:
- admin:
- users:
- - name: user:default/guest
- pluginsWithPermission:
- - catalog
- - permission
- - scaffolder
-----
-
-[NOTE]
-====
-The `pluginsWithPermission` section of the `app-config.yaml` section includes only three plugins by default. Update the section as needed to include any additional plugins that also incorporate permissions.
-====
-
-== Setting up the guest authentication provider
-
-.Procedure
-
-To enable guest authentication and to use it alongside the RBAC frontend plugin, complete the following step:
-
-* In the `app-config.yaml` file, add the user entity reference to resolve and enable the `dangerouslyAllowOutsideDevelopment` option, as shown in the following example:
-
-[source,yaml,subs="+attributes,+quotes"]
-----
-auth:
- environment: development
- providers:
- guest:
- userEntityRef: user:default/guest
- dangerouslyAllowOutsideDevelopment: true
-----
-
-[NOTE]
-====
-You can use `user:default/guest` as the user entity reference to match the added user under the `permission.rbac.admin.users` section of the `app-config.yaml` file.
-====
-
-
-
diff --git a/modules/authorization/proc-setting-up-the-guest-authentication-provider.adoc b/modules/authorization/proc-setting-up-the-guest-authentication-provider.adoc
new file mode 100644
index 0000000000..19b5de4092
--- /dev/null
+++ b/modules/authorization/proc-setting-up-the-guest-authentication-provider.adoc
@@ -0,0 +1,26 @@
+[id="setting-up-the-guest-authentication-provider_{context}"]
+= Setting up the guest authentication provider
+
+You can enable guest authentication and use it alongside the RBAC frontend plugin.
+
+.Prerequisites
+* You have installed the `@janus-idp/backstage-plugin-rbac` plugin in {product-short}. For more information, see link:{plugins-configure-book-url}[{plugins-configure-book-title}].
+
+.Procedure
+
+* In the `app-config.yaml` file, add the user entity reference to resolve and enable the `dangerouslyAllowOutsideDevelopment` option, as shown in the following example:
+
+[source,yaml,subs="+attributes,+quotes"]
+----
+auth:
+ environment: development
+ providers:
+ guest:
+ userEntityRef: user:default/guest
+ dangerouslyAllowOutsideDevelopment: true
+----
+
+[NOTE]
+====
+You can use `user:default/guest` as the user entity reference to match the added user under the `permission.rbac.admin.users` section of the `app-config.yaml` file.
+====
From 5799bea7e526e559038643ee376a20a403b53cf6 Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Wed, 19 Feb 2025 19:28:53 +0100
Subject: [PATCH 4/5] Update the setting up RBAC permission
---
 assemblies/assembly-configuring-authorization-in-rhdh.adoc | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/assemblies/assembly-configuring-authorization-in-rhdh.adoc b/assemblies/assembly-configuring-authorization-in-rhdh.adoc
index 73e4daada3..217a146e57 100644
--- a/assemblies/assembly-configuring-authorization-in-rhdh.adoc
+++ b/assemblies/assembly-configuring-authorization-in-rhdh.adoc
@@ -41,6 +41,9 @@ include::assembly-managing-authorizations-by-using-the-rest-api.adoc[leveloffset include::assembly-managing-authorizations-by-using-external-files.adoc[leveloffset=+1] +include::assembly-configuring-guest-access-with-rbac-ui.adoc[leveloffset=+1] + + include::modules/authorization/ref-rbac-permission-policies.adoc[leveloffset=+1]
From 825e906e3dba76285255883045d6fcdc40bb4606 Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Tue, 25 Feb 2025 17:48:18 +0100
Subject: [PATCH 5/5] Incorporate suggestions
---
 .../assembly-configuring-guest-access-with-rbac-ui.adoc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/assemblies/assembly-configuring-guest-access-with-rbac-ui.adoc b/assemblies/assembly-configuring-guest-access-with-rbac-ui.adoc
index 1ce6094574..ed01bbe3b0 100644
--- a/assemblies/assembly-configuring-guest-access-with-rbac-ui.adoc
+++ b/assemblies/assembly-configuring-guest-access-with-rbac-ui.adoc
@@ -1,8 +1,12 @@ [id="configuring-guest-access-with-rbac-ui_{context}"] = Configuring guest access with RBAC UI -Use guest access for the Role-Based Access Control (RBAC) frontend plugin only during initial testing and development, and not for production. To enable the guest access for the RBAC frontend, configure the backend plugin and set up the guest authentication provider. +Use guest access with the role-based access control (RBAC) front-end plugin to allow a user to test role and policy creation without the need to set up and configure an authentication provider. +[NOTE] +==== +Guest access is not recommended for production. +==== include::modules/authorization/proc-configuring-the-RBAC-backend-plugin.adoc[leveloffset=+1]