From 2a05ee8453f4d3f8985ee5c1c758e5cce80386f8 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Tue, 4 Feb 2025 19:59:58 +0100 Subject: [PATCH 1/5] Updates the setting up RBAC permission --- ...bly-configuring-authorization-in-rhdh.adoc | 3 ++ ...guest-access-for-rbac-frontend-plugin.adoc | 46 +++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc diff --git a/assemblies/assembly-configuring-authorization-in-rhdh.adoc b/assemblies/assembly-configuring-authorization-in-rhdh.adoc index 73e4daada3..c157b2b700 100644 --- a/assemblies/assembly-configuring-authorization-in-rhdh.adoc +++ b/assemblies/assembly-configuring-authorization-in-rhdh.adoc @@ -29,6 +29,9 @@ To define authorizations in {product-short}: include::modules/authorization/proc-enabling-the-rbac-plugin.adoc[leveloffset=+1] +include::modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc[leveloffset=+2] + + include::modules/authorization/proc-determining-permission-policy-and-role-configuration-source.adoc[leveloffset=+1] diff --git a/modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc b/modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc new file mode 100644 index 0000000000..4f976f0923 --- /dev/null +++ b/modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc 
@@ -0,0 +1,46 @@
+[id="enabling-guest-access-for-the-rbac-frontend-plugin_{context}"]
+= Enabling guest access for the RBAC frontend plugin
+
+Use guest access for the Role-Based Access Control (RBAC) frontend plugin to test and develop, except in production. To enable the guest access for the RBAC frontend, configure the backend plugin and set up the guest authentication provider.
+
+.Prerequisites
+* You have installed the `@janus-idp/backstage-plugin-rbac` plugin in {product-short}. For more information, see link:{plugins-configure-book-url}[{plugins-configure-book-title}].
+
+== Configuring the RBAC backend plugin
+
+Update the `app-config.yaml` to enable the permission framework, include the user `user:default/guest` in the admin users section, and ensure that the plugins with permissions appear in the UI as shown:
+
+[source,yaml,subs=+quotes]
+----
+permission
+ enabled: true
+ rbac:
+ admin:
+ users:
+ - name: user:default/guest
+ pluginsWithPermission:
+ - catalog
+ - permission
+ - scaffolder
+----
+
+[NOTE]
+====
+The `pluginsWithPermission` section includes only three plugins. Update the section as needed to include any additional plugins that also incorporate permissions.
+====
+
+== Setting up the guest authentication provider
+
+To enable guest authentication and to use it alongside the RBAC frontend plugin, update the `app-config.yaml`. Add the user entity reference to resolve and enable the `dangerouslyAllowOutsideDevelopment` option, as shown in the following example:
+
+[source,yaml,subs="+attributes,+quotes"]
+----
+auth:
+ environment: development
+ providers:
+ guest:
+ userEntityRef: user:default/guest
+ dangerouslyAllowOutsideDevelopment: true
+----
+
+You can use `user:default/guest` as the user entity reference to match the added user under the `permission.rbac.admin.users` section of the `app-config.yaml`.
From b77d5c8e225b76de00768aa093af876657357f1e Mon Sep 17 00:00:00 2001
From: GitHub Actions Date: Wed, 5 Feb 2025 23:53:07 +0100 Subject: [PATCH 2/5] Update the setting up RBAC permission --- ...bly-configuring-authorization-in-rhdh.adoc | 2 -- ...guest-access-for-rbac-frontend-plugin.adoc | 22 ++++++++++++++----- 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/assemblies/assembly-configuring-authorization-in-rhdh.adoc b/assemblies/assembly-configuring-authorization-in-rhdh.adoc index c157b2b700..521a2d0aab 100644 --- a/assemblies/assembly-configuring-authorization-in-rhdh.adoc +++ b/assemblies/assembly-configuring-authorization-in-rhdh.adoc @@ -28,10 +28,8 @@ To define authorizations in {product-short}: include::modules/authorization/proc-enabling-the-rbac-plugin.adoc[leveloffset=+1] - include::modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc[leveloffset=+2] - include::modules/authorization/proc-determining-permission-policy-and-role-configuration-source.adoc[leveloffset=+1] diff --git a/modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc b/modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc index 4f976f0923..24c930d4c3 100644 --- a/modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc +++ b/modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc 
@@ -6,9 +6,11 @@ Use guest access for the Role-Based Access Control (RBAC) frontend plugin to tes .Prerequisites * You have installed the `@janus-idp/backstage-plugin-rbac` plugin in {product-short}. For more information, see link:{plugins-configure-book-url}[{plugins-configure-book-title}]. -== Configuring the RBAC backend plugin +.Procedure -Update the `app-config.yaml` to enable the permission framework, include the user `user:default/guest` in the admin users section, and ensure that the plugins with permissions appear in the UI as shown: +To configure the RBAC backend plugin, complete the following steps: + +Update the `app-config.yaml` file to enable the permission framework as shown: [source,yaml,subs=+quotes] ---- @@ -26,12 +28,16 @@ permission [NOTE] ==== -The `pluginsWithPermission` section includes only three plugins. Update the section as needed to include any additional plugins that also incorporate permissions. +The `pluginsWithPermission` section of the `app-config.yaml` section includes only three plugins by default. Update the section as needed to include any additional plugins that also incorporate permissions. ==== == Setting up the guest authentication provider -To enable guest authentication and to use it alongside the RBAC frontend plugin, update the `app-config.yaml`. Add the user entity reference to resolve and enable the `dangerouslyAllowOutsideDevelopment` option, as shown in the following example: +.Procedure + +To enable guest authentication and to use it alongside the RBAC frontend plugin, complete the following step: + +* In the `app-config.yaml` file, add the user entity reference to resolve and enable the `dangerouslyAllowOutsideDevelopment` option, as shown in the following example: [source,yaml,subs="+attributes,+quotes"] ---- 
@@ -43,4 +49,10 @@ auth: dangerouslyAllowOutsideDevelopment: true ---- -You can use `user:default/guest` as the user entity reference to match the added user under the `permission.rbac.admin.users` section of the `app-config.yaml`. +[NOTE] +==== +You can use `user:default/guest` as the user entity reference to match the added user under the `permission.rbac.admin.users` section of the `app-config.yaml` file. +==== + + + From 3d2456552b7bedb7576506ef3710e183a256edf2 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Wed, 19 Feb 2025 18:57:38 +0100 Subject: [PATCH 3/5] Update the setting up RBAC permission --- ...bly-configuring-authorization-in-rhdh.adoc | 1 - ...configuring-guest-access-with-rbac-ui.adoc | 9 +++ ...c-configuring-the-RBAC-backend-plugin.adoc | 29 ++++++++++ ...guest-access-for-rbac-frontend-plugin.adoc | 58 ------------------- ...-up-the-guest-authentication-provider.adoc | 26 +++++++++ 5 files changed, 64 insertions(+), 59 deletions(-) create mode 100644 assemblies/assembly-configuring-guest-access-with-rbac-ui.adoc create mode 100644 modules/authorization/proc-configuring-the-RBAC-backend-plugin.adoc delete mode 100644 modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc create mode 100644 modules/authorization/proc-setting-up-the-guest-authentication-provider.adoc diff --git a/assemblies/assembly-configuring-authorization-in-rhdh.adoc b/assemblies/assembly-configuring-authorization-in-rhdh.adoc index 521a2d0aab..73e4daada3 100644 --- a/assemblies/assembly-configuring-authorization-in-rhdh.adoc +++ b/assemblies/assembly-configuring-authorization-in-rhdh.adoc @@ -28,7 +28,6 @@ To define authorizations in {product-short}: include::modules/authorization/proc-enabling-the-rbac-plugin.adoc[leveloffset=+1] -include::modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc[leveloffset=+2] include::modules/authorization/proc-determining-permission-policy-and-role-configuration-source.adoc[leveloffset=+1] 
diff --git a/assemblies/assembly-configuring-guest-access-with-rbac-ui.adoc b/assemblies/assembly-configuring-guest-access-with-rbac-ui.adoc
new file mode 100644
index 0000000000..1ce6094574
--- /dev/null
+++ b/assemblies/assembly-configuring-guest-access-with-rbac-ui.adoc
@@ -0,0 +1,9 @@
+[id="configuring-guest-access-with-rbac-ui_{context}"]
+= Configuring guest access with RBAC UI
+
+Use guest access for the Role-Based Access Control (RBAC) frontend plugin only during initial testing and development, and not for production. To enable the guest access for the RBAC frontend, configure the backend plugin and set up the guest authentication provider.
+
+
+include::modules/authorization/proc-configuring-the-RBAC-backend-plugin.adoc[leveloffset=+1]
+
+include::modules/authorization/proc-setting-up-the-guest-authentication-provider.adoc[leveloffset=+1]
diff --git a/modules/authorization/proc-configuring-the-RBAC-backend-plugin.adoc b/modules/authorization/proc-configuring-the-RBAC-backend-plugin.adoc
new file mode 100644
index 0000000000..c30f2701ee
--- /dev/null
+++ b/modules/authorization/proc-configuring-the-RBAC-backend-plugin.adoc
@@ -0,0 +1,29 @@
+[id="configuring-the-rbac-backend-plugin_{context}"]
+= Configuring the RBAC backend plugin
+
+You can configure the RBAC backend plugin by updating the `app-config.yaml` file to enable the permission framework.
+
+.Prerequisites
+* You have installed the `@janus-idp/backstage-plugin-rbac` plugin in {product-short}. For more information, see link:{plugins-configure-book-url}[{plugins-configure-book-title}].
+
+.Procedure
+* Update the `app-config.yaml` file to enable the permission framework as shown:
+
+[source,yaml,subs=+quotes]
+----
+permission
+ enabled: true
+ rbac:
+ admin:
+ users:
+ - name: user:default/guest
+ pluginsWithPermission:
+ - catalog
+ - permission
+ - scaffolder
+----
+
+[NOTE]
+====
+The `pluginsWithPermission` section of the `app-config.yaml` section includes only three plugins by default. Update the section as needed to include any additional plugins that also incorporate permissions.
+====
diff --git a/modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc b/modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc
deleted file mode 100644
index 24c930d4c3..0000000000
--- a/modules/authorization/proc-enabling-guest-access-for-rbac-frontend-plugin.adoc
+++ /dev/null
@@ -1,58 +0,0 @@
-[id="enabling-guest-access-for-the-rbac-frontend-plugin_{context}"]
-= Enabling guest access for the RBAC frontend plugin
-
-Use guest access for the Role-Based Access Control (RBAC) frontend plugin to test and develop, except in production. To enable the guest access for the RBAC frontend, configure the backend plugin and set up the guest authentication provider.
-
-.Prerequisites
-* You have installed the `@janus-idp/backstage-plugin-rbac` plugin in {product-short}. For more information, see link:{plugins-configure-book-url}[{plugins-configure-book-title}].
-
-.Procedure
-
-To configure the RBAC backend plugin, complete the following steps:
-
-Update the `app-config.yaml` file to enable the permission framework as shown:
-
-[source,yaml,subs=+quotes]
-----
-permission
- enabled: true
- rbac:
- admin:
- users:
- - name: user:default/guest
- pluginsWithPermission:
- - catalog
- - permission
- - scaffolder
-----
-
-[NOTE]
-====
-The `pluginsWithPermission` section of the `app-config.yaml` section includes only three plugins by default. Update the section as needed to include any additional plugins that also incorporate permissions.
-====
-
-== Setting up the guest authentication provider
-
-.Procedure
-
-To enable guest authentication and to use it alongside the RBAC frontend plugin, complete the following step:
-
-* In the `app-config.yaml` file, add the user entity reference to resolve and enable the `dangerouslyAllowOutsideDevelopment` option, as shown in the following example:
-
-[source,yaml,subs="+attributes,+quotes"]
-----
-auth:
- environment: development
- providers:
- guest:
- userEntityRef: user:default/guest
- dangerouslyAllowOutsideDevelopment: true
-----
-
-[NOTE]
-====
-You can use `user:default/guest` as the user entity reference to match the added user under the `permission.rbac.admin.users` section of the `app-config.yaml` file.
-====
-
-
-
diff --git a/modules/authorization/proc-setting-up-the-guest-authentication-provider.adoc b/modules/authorization/proc-setting-up-the-guest-authentication-provider.adoc
new file mode 100644
index 0000000000..19b5de4092
--- /dev/null
+++ b/modules/authorization/proc-setting-up-the-guest-authentication-provider.adoc
@@ -0,0 +1,26 @@
+[id="setting-up-the-guest-authentication-provider_{context}"]
+= Setting up the guest authentication provider
+
+You can enable guest authentication and use it alongside the RBAC frontend plugin.
+
+.Prerequisites
+* You have installed the `@janus-idp/backstage-plugin-rbac` plugin in {product-short}. For more information, see link:{plugins-configure-book-url}[{plugins-configure-book-title}].
+
+.Procedure
+
+* In the `app-config.yaml` file, add the user entity reference to resolve and enable the `dangerouslyAllowOutsideDevelopment` option, as shown in the following example:
+
+[source,yaml,subs="+attributes,+quotes"]
+----
+auth:
+ environment: development
+ providers:
+ guest:
+ userEntityRef: user:default/guest
+ dangerouslyAllowOutsideDevelopment: true
+----
+
+[NOTE]
+====
+You can use `user:default/guest` as the user entity reference to match the added user under the `permission.rbac.admin.users` section of the `app-config.yaml` file.
+====
From 99e8c1a76b4f2d9bf32a46b047663afc4d65402f Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Wed, 19 Feb 2025 19:28:53 +0100
Subject: [PATCH 4/5] Update the setting up RBAC permission
---
assemblies/assembly-configuring-authorization-in-rhdh.adoc | 3 +++
1 file changed, 3 insertions(+)
diff --git a/assemblies/assembly-configuring-authorization-in-rhdh.adoc b/assemblies/assembly-configuring-authorization-in-rhdh.adoc
index 73e4daada3..217a146e57 100644
--- a/assemblies/assembly-configuring-authorization-in-rhdh.adoc
+++ b/assemblies/assembly-configuring-authorization-in-rhdh.adoc
@@ -41,6 +41,9 @@ include::assembly-managing-authorizations-by-using-the-rest-api.adoc[leveloffset include::assembly-managing-authorizations-by-using-external-files.adoc[leveloffset=+1] +include::assembly-configuring-guest-access-with-rbac-ui.adoc[leveloffset=+1] + + include::modules/authorization/ref-rbac-permission-policies.adoc[leveloffset=+1] From 8bce77b8ad4436ba22be854fe007c30e9657d2e1 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Tue, 25 Feb 2025 17:48:18 +0100 Subject: [PATCH 5/5] Incorporate suggestions --- .../assembly-configuring-guest-access-with-rbac-ui.adoc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/assemblies/assembly-configuring-guest-access-with-rbac-ui.adoc b/assemblies/assembly-configuring-guest-access-with-rbac-ui.adoc index 1ce6094574..ed01bbe3b0 100644 --- a/assemblies/assembly-configuring-guest-access-with-rbac-ui.adoc +++ b/assemblies/assembly-configuring-guest-access-with-rbac-ui.adoc @@ -1,8 +1,12 @@ [id="configuring-guest-access-with-rbac-ui_{context}"] = Configuring guest access with RBAC UI -Use guest access for the Role-Based Access Control (RBAC) frontend plugin only during initial testing and development, and not for production. To enable the guest access for the RBAC frontend, configure the backend plugin and set up the guest authentication provider. +Use guest access with the role-based access control (RBAC) front-end plugin to allow a user to test role and policy creation without the need to set up and configure an authentication provider. +[NOTE] +==== +Guest access is not recommended for production. +==== include::modules/authorization/proc-configuring-the-RBAC-backend-plugin.adoc[leveloffset=+1]