Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add permission #53

Draft
wants to merge 8 commits into
base: main
Choose a base branch
from

Conversation

holiiveira
Copy link
Contributor

@holiiveira holiiveira commented Aug 20, 2024

A new plugin (infrawallet-common) has been created with the aim of adding common features, types and permissions to the infrawallet plugin.

Initially, 5 permissions were created:

export const permissions = {
  infraWalletReportRead,
  infraWalletMetricSettingsRead,
  infraWalletMetricSettingsCreate,
  infraWalletMetricSettingsUpdate,
  infraWalletMetricSettingsDelete,
};

To use these permissions, you need to configure permissions in the backend. (ex: packages/srd/permissonPolicy.ts):

import { createBackendModule } from '@backstage/backend-plugin-api';
import { BackstageIdentityResponse } from '@backstage/plugin-auth-node';
import { AuthorizeResult, isPermission, PolicyDecision } from '@backstage/plugin-permission-common';
import { PermissionPolicy, PolicyQuery } from '@backstage/plugin-permission-node';
import { policyExtensionPoint } from '@backstage/plugin-permission-node/alpha';
import { infraWalletReportRead, infraWalletMetricSettingsDelete } from '@electrolux-oss/plugin-infrawallet-common';

class DefaultPermissionPolicy implements PermissionPolicy {
  async handle(request: PolicyQuery, _user?: BackstageIdentityResponse): Promise<PolicyDecision> {

    // Example deny read report
    if (isPermission(request.permission, infraWalletReportRead)) {
      return { result: AuthorizeResult.DENY };
    }
    ...

The default behavior if you do not configure any permissions is to allow all access.

BREAKING: This update may break Backstage in cases where the legacy Backstage backend system plugin is used.

What needs to be updated in this case:
Editing a file called infrawallet.ts in folder packages/backend/src/plugins/ with the following content:

import { createRouter } from '@electrolux-oss/plugin-infrawallet-backend';
import { Router } from 'express';
import { PluginEnvironment } from './types';

export default async function createPlugin(env: PluginEnvironment): Promise<Router> {
  return await createRouter({
    logger: env.logger,
    config: env.config,
    cache: env.cache.getClient(),
    database: env.database,
+   discovery: env.discovery,
+   permissions: env.permissions
  });
}

TODO:

  • Add documentation
  • Custom error page

fix: #42

@holiiveira
Copy link
Contributor Author

Hi @gluckzhang, I believe you can do some evaluation with this PR. By default permissions evaluation is disabled, consider adding the following to your app-config.local.yaml:

...
permission:
  enabled: true
...

To evaluate the permission possibilities, consider the file: packages/backend/src/permissionPolicyModule.ts.

@gluckzhang
Copy link
Member

Hi @holiiveira, got it, thank you for the PR. I will give it a try later this week. Due to my current workload, I might come back with some questions and comments next week :)

Just a quick question first, both the legacy backend and the new Backstage backend can have this permission backend enabled, right?

@holiiveira
Copy link
Contributor Author

Just a quick question first, both the legacy backend and the new Backstage backend can have this permission backend enabled, right?

Yes, for those who use a new backend, there is nothing to be done, but for those who use a legacy backend, this change will break the plugin, as it is necessary to change the infrawallet.ts file in the packages/backend/src/plugins/ folder, as I mentioned in the PR.

@gluckzhang
Copy link
Member

Just a quick question first, both the legacy backend and the new Backstage backend can have this permission backend enabled, right?

Yes, for those who use a new backend, there is nothing to be done, but for those who use a legacy backend, this change will break the plugin, as it is necessary to change the infrawallet.ts file in the packages/backend/src/plugins/ folder, as I mentioned in the PR.

I see, thanks!

@gluckzhang
Copy link
Member

Hi @holiiveira, I have gone through the code and tried your PR branch locally. Overall I think it looks pretty good. The code follows Backstage's official tutorial and the permissions cover all the existing APIs. I have a question for now:

Do you think we should add resourceType for the permissions? In this way, it becomes easier to grant a set of permissions to some users or groups: https://backstage.io/docs/permissions/plugin-authors/03-adding-a-resource-permission-check#creating-the-update-permission

After hearing your comments on the question above, and also getting the documentation done, I think we are good to go. It is fine to skip the custom error page for now, as Backstage default alerts work well already.

Soon we will enable users to create their own wallets in the plugin (each wallet contains configurable pre-defined filters and maybe some other settings), and then the owner of a wallet should have all the permissions to this wallet. I think after having this feature, we will need to improve the permission setup and have conditional permissions by that time. What do you think?

@gluckzhang
Copy link
Member

As this PR contains some breaking changes, and the documentation is not ready yet, we decided to merge some other PRs first and release a new version. I think we can have this feature after that new release. It is just possible that you may need to pull/rebase the main branch, though there should be no messy conflicts.

Thanks and looking forward to your thoughts :)

@holiiveira
Copy link
Contributor Author

Hi @gluckzhang, I think it's interesting to add this, especially because you mentioned that users can create their own wallets. I think it's better to wait for this functionality to be added before we proceed with permissioning, what do you think?

@gluckzhang
Copy link
Member

Hi @gluckzhang, I think it's interesting to add this, especially because you mentioned that users can create their own wallets. I think it's better to wait for this functionality to be added before we proceed with permissioning, what do you think?

Yes, it makes lots of sense. I think we can pause this PR and get back to it later when we have the wallet feature.

@nia-potato
Copy link
Contributor

hi @gluckzhang @holiiveira thanks for working on this,

i think permissions is a pretty important feature, since not everyone is supposed to see orgwide cost data.

I understand that this is currently paused right now, but what wallet feature are we waiting for? do we have a estimate of when the wallet feature will be out?

@gluckzhang
Copy link
Member

Hi @nia-potato, yeah, I fully understand. Unfortunately, we don't have an ETA for the wallet feature for now.

Quick questions: the permissions defined in this PR are at the plugin level, so a user will either access all the cost reports in InfraWallet, or will have zero access to the data. Does this meet your requirements? Then speaking of the EntityInfraWalletCard in #85, how would you like to control the access?

@nia-potato
Copy link
Contributor

hi @gluckzhang no worries on the ETA, i think once the basic permissions are implemented, il see if i can incorporate permissions to the entityCard as well.

for now i can just make the infrawallet just show entity cards, but still leave the route to infrawallet main plugin, just dont add it to the sidebar for everyone to see.

Copy link

sonarqubecloud bot commented Oct 1, 2024

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add permissions for plugin
3 participants