feat(orchestrator): add fine-grained RBAC (#82)

* feat(orchestrator): add fine-grained RBAC

The admin can limit access to specific workflows and instances by
workflow ID.

Signed-off-by: Marek Libra <mlibra@redhat.com>

* feat: reduce permissions to workflow and workflow.use

* fix GH IDP config

* add @backstage-community/plugin-rbac plugin

* run prettier

* add config for rbac administration

* Catch exceptions from internal routes

* Add auditLogger for generic router exception handler

* Update documentation

* Update getInstances() for authorization

* yarn.lock

* Let data index filter authorized instances

* rebuild api reports

---------

Signed-off-by: Marek Libra <mlibra@redhat.com>

Author: mareklibra

workspaces/orchestrator/.changeset/smooth-rockets-act.md

@@ -0,0 +1,7 @@
+---
+'@red-hat-developer-hub/backstage-plugin-orchestrator-backend': minor
+'@red-hat-developer-hub/backstage-plugin-orchestrator-common': minor
+'@red-hat-developer-hub/backstage-plugin-orchestrator': minor
+---
+
+Access can now be managed on a per-workflow basis.

workspaces/orchestrator/README.md

@@ -175,6 +175,13 @@ yarn dev
 
 The `orchestrator` plugin includes an extensible form for executing forms. For detailed guidance see the [Extensible Workflow Execution Form Documentation](https://github.com/redhat-developer/rhdh-plugins/blob/main/workspaces/orchestrator/plugins/orchestrator/docs/extensibleForm.md).
 
+### Setting up permissions
+
+The HTTP endpoints exposed by the `orchestrator-backend` can enforce authorization if the [RBAC plugin](https://github.com/backstage/community-plugins/tree/main/workspaces/rbac/plugins) is deployed.
+Please refer the RBAC plugin documentation for the setup steps (mind they rely on the [Backstage authentication and identity](https://backstage.io/docs/auth)).
+
+More detailed info about permissions can be found in [docs/Permissions.md](docs/Permissions.md).
+
 ## For users
 
 ### Using the Orchestrator plugin in Backstage

workspaces/orchestrator/app-config.yaml

@@ -76,14 +76,16 @@ auth:
         clientSecret: ${AUTH_GITHUB_CLIENT_SECRET}
         signIn:
           resolvers:
-            # See https://backstage.io/docs/auth/github/provider#resolvers for more resolvers
             - resolver: emailMatchingUserEntityProfileEmail
 
 # permission:
 #   enabled: true
 #   rbac:
-#     policies-csv-file: /full/path/to/the/rbac-policy.csv
+#     policies-csv-file: ../../plugins/orchestrator/docs/rbac-policy.csv
 #     policyFileReload: true
+#     admin:
+#       users:
+#         - name: user:default/mareklibra
 
 scaffolder:
   {}

workspaces/orchestrator/packages/app/package.json

@@ -19,6 +19,7 @@
     "lint": "backstage-cli package lint"
   },
   "dependencies": {
+    "@backstage-community/plugin-rbac": "^1.33.2",
     "@backstage/app-defaults": "^1.5.12",
     "@backstage/catalog-model": "^1.7.0",
     "@backstage/cli": "^0.28.0",

workspaces/orchestrator/packages/app/src/App.tsx

@@ -49,6 +49,7 @@ import { OrchestratorPage } from '@red-hat-developer-hub/backstage-plugin-orches
 import { getThemes } from '@redhat-developer/red-hat-developer-hub-theme';
 import { NotificationsPage } from '@backstage/plugin-notifications';
 import { SignalsDisplay } from '@backstage/plugin-signals';
+import { RbacPage } from '@backstage-community/plugin-rbac';
 import React from 'react';
 import { Navigate, Route } from 'react-router-dom';
 import { apis } from './apis';
@@ -131,6 +132,7 @@ const routes = (
     <Route path="/catalog-graph" element={<CatalogGraphPage />} />
     <Route path="/notifications" element={<NotificationsPage />} />
     <Route path="/orchestrator" element={<OrchestratorPage />} />
+    <Route path="/rbac" element={<RbacPage />} />
   </FlatRoutes>
 );
 

workspaces/orchestrator/packages/app/src/components/Root/Root.tsx

@@ -41,6 +41,7 @@ import SearchIcon from '@mui/icons-material/Search';
 import { makeStyles } from '@mui/styles';
 import { OrchestratorIcon } from '@red-hat-developer-hub/backstage-plugin-orchestrator';
 import { NotificationsSidebarItem } from '@backstage/plugin-notifications';
+import { Administration } from '@backstage-community/plugin-rbac';
 import React, { PropsWithChildren } from 'react';
 import LogoFull from './LogoFull';
 import LogoIcon from './LogoIcon';
@@ -111,6 +112,7 @@ export const Root = ({ children }: PropsWithChildren<{}>) => {
         </SidebarGroup>
         <SidebarSpace />
         <SidebarDivider />
+        <Administration />
         <SidebarGroup
           label="Settings"
           icon={<UserSettingsSignInAvatar />}

workspaces/orchestrator/packages/backend/package.json

@@ -21,6 +21,7 @@
     "build-image": "docker build ../.. -f Dockerfile --tag backstage"
   },
   "dependencies": {
+    "@backstage-community/plugin-rbac-backend": "^5.2.6",
     "@backstage/backend-defaults": "^0.5.2",
     "@backstage/config": "^1.2.0",
     "@backstage/plugin-app-backend": "^0.3.76",

workspaces/orchestrator/packages/backend/src/index.ts

@@ -38,14 +38,6 @@ backend.add(
 // See https://backstage.io/docs/features/software-catalog/configuration#subscribing-to-catalog-errors
 backend.add(import('@backstage/plugin-catalog-backend-module-logs'));
 
-// permission plugin
-backend.add(import('@backstage/plugin-permission-backend/alpha'));
-
-// See https://backstage.io/docs/permissions/getting-started for how to create your own permission policy
-backend.add(
-  import('@backstage/plugin-permission-backend-module-allow-all-policy'),
-);
-
 // search plugin
 backend.add(import('@backstage/plugin-search-backend/alpha'));
 
@@ -64,4 +56,7 @@ backend.add(
 backend.add(import('@backstage/plugin-notifications-backend'));
 backend.add(import('@backstage/plugin-signals-backend'));
 
+// permission plugin
+backend.add(import('@backstage-community/plugin-rbac-backend'));
+
 backend.start();

workspaces/orchestrator/plugins/orchestrator-backend/src/service/OrchestratorService.ts

@@ -36,6 +36,9 @@ export class OrchestratorService {
   ) {}
 
   // Data Index Service Wrapper
+  public getWorkflowIds(): string[] {
+    return this.workflowCacheService.definitionIds;
+  }
 
   public async abortWorkflowInstance(args: {
     instanceId: string;
@@ -70,10 +73,10 @@ export class OrchestratorService {
   public async fetchInstances(args: {
     pagination?: Pagination;
     filter?: Filter;
-    workflowId?: string;
+    workflowIds?: string[];
   }): Promise<ProcessInstance[]> {
-    const definitionIds = args.workflowId
-      ? [args.workflowId]
+    const definitionIds = args.workflowIds
+      ? args.workflowIds
       : this.workflowCacheService.definitionIds;
     return await this.dataIndexService.fetchInstances({
       definitionIds: definitionIds,
@@ -83,11 +86,11 @@ export class OrchestratorService {
   }
 
   public async fetchInstancesTotalCount(
-    workflowId?: string,
+    workflowIds?: string[],
     filter?: Filter,
   ): Promise<number> {
-    const definitionIds = workflowId
-      ? [workflowId]
+    const definitionIds = workflowIds
+      ? workflowIds
       : this.workflowCacheService.definitionIds;
     return await this.dataIndexService.fetchInstancesTotalCount(
       definitionIds,

workspaces/orchestrator/plugins/orchestrator-backend/src/service/api/v2.ts

@@ -70,6 +70,10 @@ export class V2 {
     return result;
   }
 
+  public getWorkflowIds(): string[] {
+    return this.orchestratorService.getWorkflowIds();
+  }
+
   public async getWorkflowOverviewById(
     workflowId: string,
   ): Promise<WorkflowOverviewDTO> {
@@ -105,15 +109,15 @@ export class V2 {
   public async getInstances(
     pagination?: Pagination,
     filter?: Filter,
-    workflowId?: string,
+    workflowIds?: string[],
   ): Promise<ProcessInstanceListResultDTO> {
     const instances = await this.orchestratorService.fetchInstances({
       pagination,
       filter,
-      workflowId,
+      workflowIds,
     });
     const totalCount = await this.orchestratorService.fetchInstancesTotalCount(
-      workflowId,
+      workflowIds,
       filter,
     );