@infosys_ltd/openfga-plugin-backstage v1.2.2

Published 1 year ago · License: Apache-2.0 · Repository: github · Last release: 1 year ago

openfga

This plugin wraps around the Backstage Permission Framework and uses the OpenFGA client to evaluate policies. For each authorization request it sends the permission and the identity information to OpenFGA; OpenFGA evaluates the request against the authorization model and the stored relationship tuples and returns a decision, which the plugin passes back to the Permission Framework as the result.
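As an added example (not the plugin's own code), this is the request and decision mapping that flow implies, written against OpenFGA's Check API (`POST /stores/{store_id}/check`). The permission-to-relation table, the `catalog_entity:<id>` object encoding and the fail-closed handling are assumptions for illustration; the endpoint and the request/response shapes are OpenFGA's documented Check API.

```typescript
// Added example, not the plugin's own code: delegating a Backstage permission
// decision to OpenFGA's Check API. The permission-to-relation table and the
// "catalog_entity:<id>" object encoding are assumptions for illustration.

type AuthorizeResult = 'ALLOW' | 'DENY';

interface OpenFgaConfig {
  baseUrl: string; // e.g. http://localhost:8080
  storeId: string;
  authorizationModelId: string;
}

interface CheckRequest {
  url: string;
  body: {
    tuple_key: { user: string; relation: string; object: string };
    authorization_model_id: string;
  };
}

// fetch-shaped so the example can run against a stub; Node's global fetch
// satisfies this type as well.
type FetchFn = (
  url: string,
  init: { method: string; headers: Record<string, string>; body: string },
) => Promise<{ ok: boolean; status: number; json: () => Promise<unknown> }>;

// Assumed mapping from Backstage permission names to relations in the model.
// Anything not listed is denied rather than guessed.
const PERMISSION_TO_RELATION: Record<string, string> = {
  'catalog.entity.read': 'catalog_entity_read',
  'catalog.entity.delete': 'catalog_entity_delete',
};

function buildCheckRequest(
  cfg: OpenFgaConfig,
  permissionName: string,
  userRef: string,  // OpenFGA user, e.g. "user:alice"
  entityId: string, // id part of the OpenFGA object, e.g. "petstore"
): CheckRequest | undefined {
  const relation = PERMISSION_TO_RELATION[permissionName];
  if (!relation) return undefined;
  return {
    url: `${cfg.baseUrl}/stores/${cfg.storeId}/check`,
    body: {
      tuple_key: { user: userRef, relation, object: `catalog_entity:${entityId}` },
      // Pinning the model id keeps decisions stable if a newer model is
      // written to the store later.
      authorization_model_id: cfg.authorizationModelId,
    },
  };
}

// Only an explicit {"allowed": true} in a 200 response is an ALLOW.
function decisionFromResponse(status: number, data: unknown): AuthorizeResult {
  if (status !== 200 || typeof data !== 'object' || data === null) return 'DENY';
  return (data as { allowed?: unknown }).allowed === true ? 'ALLOW' : 'DENY';
}

async function checkPermission(
  cfg: OpenFgaConfig,
  permissionName: string,
  userRef: string,
  entityId: string,
  fetchFn: FetchFn,
): Promise<AuthorizeResult> {
  const req = buildCheckRequest(cfg, permissionName, userRef, entityId);
  if (!req) return 'DENY'; // fail closed: permission not mapped to a relation
  try {
    const res = await fetchFn(req.url, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(req.body),
    });
    return decisionFromResponse(res.status, await res.json());
  } catch {
    return 'DENY'; // fail closed: OpenFGA unreachable or returned a non-JSON body
  }
}
```

Passing Node's global `fetch` as `fetchFn` sends the request to a real server; a stubbed transport keeps the example offline. Anything that is not an explicit `allowed: true` in a 200 response, including an unmapped permission, a transport error or a malformed body, is a DENY, so an outage of the authorization server fails closed rather than open.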

Installation

```sh
yarn --cwd packages/app add @infosys_ltd/openfga-plugin-backstage
yarn --cwd packages/backend add @infosys_ltd/backstage-plugin-permission-backend-module-openfga-policy
```

Make the following changes to `packages/app/src/App.tsx`:
```diff
// packages/app/src/App.tsx
+import { OpenfgaPage } from '@infosys_ltd/openfga-plugin-backstage';


<FlatRoutes>
  <Route path="/catalog" element={<CatalogIndexPage />} />
  <Route path="/catalog/:namespace/:kind/:name" element={<CatalogEntityPage />}>
    {entityPage}
  </Route>
+  <Route path="/openfga" element={<OpenfgaPage/>} />
  ...
</FlatRoutes>
```

Make the following changes to the `packages/backend/src/index.ts` file in your Backstage project.

```diff
import { createBackend } from '@backstage/backend-defaults';

const backend = createBackend();
backend.add(import('@backstage/plugin-app-backend/alpha'));
backend.add(import('@backstage/plugin-auth-backend'));
// ..... other plugins

// permission plugin
backend.add(import('@backstage/plugin-permission-backend/alpha'));
-backend.add(
-  import('@backstage/plugin-permission-backend-module-allow-all-policy'),
-);
+backend.add(import('@infosys_ltd/backstage-plugin-permission-backend-module-openfga-policy'));
```

Remove (or comment out) the allow-all policy module as shown: it is a development-only policy that grants every request, and the OpenFGA policy module takes its place as the permission policy.

Configuration

The OpenFGA client requires configuration to connect to the OpenFGA server. Provide the `baseUrl`, `storeId` and `authorizationModelId` of the OpenFGA server in your Backstage `app-config.yaml` file (a proxy entry and an openfga section, shown in the two screenshots below):

[screenshot: proxy configuration in app-config.yaml]

[screenshot: openfga configuration in app-config.yaml]

Example Catalog Permission policy using OpenFGA

Let's take a scenario: role-based access for deleting (unregistering) an entity in the Backstage catalog.

Rules:

  • A user who has OWNER access can read and delete the entity
  • A user who has VIEWER access can only read the entity, not delete it

CREATE A MODEL IN OPENFGA PLAYGROUND

[screenshot: the model above entered in the OpenFGA Playground]

RUNNING OPENFGA SERVER AND SETUP

To run OpenFGA locally, follow the steps below.

OpenFGA is available on Docker Hub, so you can quickly start it using the in-memory datastore by running the following commands:

```sh
docker pull openfga/openfga
docker run -p 8080:8080 -p 4000:4000 openfga/openfga run
```

Note that the in-memory datastore is discarded when the container stops, and a server started this way accepts unauthenticated API requests, so keep it bound to localhost and use a persistent datastore and an authentication method for anything beyond local testing.

ACCESSING OPENFGA FEATURES

The OpenFGA model and features can be accessed in several ways; please see the OpenFGA documentation.

In the following example the OpenFGA HTTP API is used.

STEP 1: CREATE A STORE

REQUEST TYPE : POST

URL : http://localhost:8080/stores

REQUEST BODY:

```json
{
  "name": "backstage"
}
```

EXAMPLE RESPONSE BODY:

```json
{
  "id": "01J289TDYQ1WH9RTMQD46K7ANC",
  "name": "backstage",
  "created_at": "2024-07-08T04:32:20.951446991Z",
  "updated_at": "2024-07-08T04:32:20.951446991Z"
}
```

Note the `id`: it is the `storeId` for `app-config.yaml` and the `{store_id}` in the URLs below.

STEP 2 : LIST STORES (to look up a store id later)

REQUEST TYPE : GET

URL : http://localhost:8080/stores

EXAMPLE RESPONSE BODY:

```json
{
  "stores": [
    {
      "id": "01J289TDYQ1WH9RTMQD46K7ANC",
      "name": "backstage",
      "created_at": "2024-07-08T04:32:20.951446991Z",
      "updated_at": "2024-07-08T04:32:20.951446991Z",
      "deleted_at": null
    }
  ],
  "continuation_token": ""
}
```

STEP 3 : ADDING AUTHORIZATION MODEL FOR CATALOG DELETE

REQUEST TYPE : POST

URL: http://localhost:8080/stores/{store_id}/authorization-models

REQUEST BODY (the model for the two rules above: `owner` and `viewer` are assigned directly to users, `catalog_entity_read` is the union of the two, and `catalog_entity_delete` is `owner` only):

```json
{
  "schema_version": "1.1",
  "type_definitions": [
    {
      "type": "user",
      "relations": {},
      "metadata": null
    },
    {
      "type": "catalog_entity",
      "relations": {
        "owner": {
          "this": {}
        },
        "viewer": {
          "this": {}
        },
        "catalog_entity_read": {
          "union": {
            "child": [
              {
                "computedUserset": {
                  "relation": "viewer"
                }
              },
              {
                "computedUserset": {
                  "relation": "owner"
                }
              }
            ]
          }
        },
        "catalog_entity_delete": {
          "computedUserset": {
            "relation": "owner"
          }
        }
      },
      "metadata": {
        "relations": {
          "owner": {
            "directly_related_user_types": [
              {
                "type": "user"
              }
            ]
          },
          "viewer": {
            "directly_related_user_types": [
              {
                "type": "user"
              }
            ]
          },
          "catalog_entity_read": {
            "directly_related_user_types": []
          },
          "catalog_entity_delete": {
            "directly_related_user_types": []
          }
        }
      }
    }
  ]
}
```

EXAMPLE RESPONSE BODY:

```json
{
  "authorization_model_id": "01J289WKKTE286M800HJBGYX5K"
}
```

The returned `authorization_model_id` is the value to configure as `authorizationModelId` in `app-config.yaml`.
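To see how the model above resolves the two rules, here is an added example (not OpenFGA's or the plugin's code): a small resolver for the three userset constructs the model uses (`this`, `computedUserset`, `union`), run against constructed tuples for a made-up `catalog_entity:petstore` object. Real checks go to OpenFGA's Check API; this only mirrors the semantics for this model so the owner/viewer rules can be exercised offline.

```typescript
// Added example, not OpenFGA's or the plugin's code: a minimal resolver for
// the subset of OpenFGA's authorization model used above. The same model in
// OpenFGA's DSL reads:
//   type user
//   type catalog_entity
//     relations
//       define owner: [user]
//       define viewer: [user]
//       define catalog_entity_read: viewer or owner
//       define catalog_entity_delete: owner

type Userset =
  | { this: object }                          // directly assigned via tuples
  | { computedUserset: { relation: string } } // alias of another relation
  | { union: { child: Userset[] } };          // any child grants

interface TypeDefinition {
  type: string;
  relations: Record<string, Userset>;
  metadata?: unknown; // directly_related_user_types; not needed to resolve here
}

interface AuthorizationModel {
  schema_version: string;
  type_definitions: TypeDefinition[];
}

interface Tuple { user: string; relation: string; object: string }

// Same model as the request body above, minus the metadata block.
const catalogModel: AuthorizationModel = {
  schema_version: '1.1',
  type_definitions: [
    { type: 'user', relations: {} },
    {
      type: 'catalog_entity',
      relations: {
        owner: { this: {} },
        viewer: { this: {} },
        catalog_entity_read: {
          union: {
            child: [
              { computedUserset: { relation: 'viewer' } },
              { computedUserset: { relation: 'owner' } },
            ],
          },
        },
        catalog_entity_delete: { computedUserset: { relation: 'owner' } },
      },
    },
  ],
};

// Constructed tuples: alice owns the entity, bob may only view it.
const sampleTuples: Tuple[] = [
  { user: 'user:alice', relation: 'owner', object: 'catalog_entity:petstore' },
  { user: 'user:bob', relation: 'viewer', object: 'catalog_entity:petstore' },
];

// Does `user` have `relation` on `object` under `model` and `tuples`?
function check(model: AuthorizationModel, tuples: Tuple[], user: string, relation: string, object: string): boolean {
  const objectType = object.split(':', 1)[0];
  let found: TypeDefinition | undefined;
  for (const td of model.type_definitions) {
    if (td.type === objectType) found = td;
  }
  if (!found) return false;
  const typeDef = found;
  const inProgress: string[] = []; // relations on the current resolution path (cycle guard)

  const resolve = (rel: string): boolean => {
    const userset = typeDef.relations[rel];
    if (!userset || inProgress.indexOf(rel) !== -1) return false; // unknown or cyclic: deny
    inProgress.push(rel);
    try {
      return evaluate(userset, rel);
    } finally {
      inProgress.pop();
    }
  };

  const evaluate = (us: Userset, rel: string): boolean => {
    if ('this' in us) {
      // Direct assignment: a stored tuple must match user, relation and object exactly.
      return tuples.some(t => t.user === user && t.relation === rel && t.object === object);
    }
    if ('computedUserset' in us) return resolve(us.computedUserset.relation);
    return us.union.child.some(child => evaluate(child, rel));
  };

  return resolve(relation);
}
```

With these tuples, `user:alice` satisfies both `catalog_entity_read` and `catalog_entity_delete`, while `user:bob` satisfies only `catalog_entity_read`; a user with no tuple, an object that was never assigned, or an unknown relation or type all resolve to false, which is the deny-by-default behaviour the rules above expect.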

USING OPENFGA FRONT END PLUGIN

HOME SCREEN:

[screenshot: home page of the OpenFGA plugin]

BEFORE APPLYING POLICY:

A guest user is not able to unregister an entity.

[screenshot: unregister entity blocked for the guest user]

ADD POLICY:

[screenshot: add policy]

APPLY POLICY:

[screenshot: apply policy]

AFTER APPLYING POLICY:

A guest user is able to unregister an entity.

[screenshot: unregister entity allowed for the guest user]

REVOKE POLICY:

[screenshot: revoke policy]