Red Hat SummitThis documentation is for a release that is no longer maintained
See documentation for the latest supported version.Chapter 4. Role-Based Access Control (RBAC) in Red Hat Developer Hub
Role-Based Access Control is a security paradigm that restricts access to authorized users. This feature includes defining roles with specific permissions and then assigning those roles to the users.
The Red Hat Developer Hub uses RBAC to improve the permission system within the platform. The RBAC feature in Developer Hub introduces an administrator role and leverages the organizational structure including teams, groups, and users by facilitating efficient access control.
4.1. Permission policies configuration
There are two approaches to configure the permission policies in Red Hat Developer Hub, including:
- Configuration of permission policies administrators
- Configuration of permission policies defined in an external file
4.1.1. Configuration of permission policies administrators
The permission policies for users and groups in the Developer Hub are managed by permission policy administrators. Only permission policy administrators can access the Role-Based Access Control REST API.
The purpose of configuring policy administrators is to enable a specific, restricted number of authenticated users to access the RBAC REST API. The permission policies are defined in a policy.csv file, which is referenced in the app-config-rhdh ConfigMap. OpenShift platform administrators or cluster administrators can perform this task with access to the namespace where Red Hat Developer Hub is deployed.
You can set the credentials of a permission policy administrator in the app-config.yaml file as follows:
4.1.2. Configuration of permission policies defined in an external file
You can follow this approach of configuring the permission policies before starting the Red Hat Developer Hub. If permission policies are defined in an external file, then you can import the same file in the Developer Hub. The permission policies need to be defined in Casbin rules format. For information about the Casbin rules format, see Basics of Casbin rules.
The following is an example of permission policies configuration:
p, role:default/guests, catalog-entity, read, deny
p, role:default/guests, catalog.entity.create, create, deny
g, user:default/<USER_TO_ROLE>, role:default/guests
If a defined permission does not contain an action associated with it, then add use as a policy. See the following example:
p, role:default/guests, kubernetes.proxy, use, deny
You can define the policy.csv file path in the app-config.yaml file:
permission:
enabled: true
rbac:
policies-csv-file: /some/path/rbac-policy.csv
permission:
enabled: true
rbac:
policies-csv-file: /some/path/rbac-policy.csv4.1.2.1. Mounting policy.csv file to the Developer Hub Helm Chart
When the Red Hat Developer Hub is deployed with the Helm Chart, then you must define the policy.csv file by mounting it to the Developer Hub Helm Chart.
You can add your policy.csv file to the Developer Hub Helm Chart by creating a configMap and mounting it.
Prerequisites
- You are logged in to the OCP using the OpenShift web console.
Red Hat Developer Hub is installed and deployed using Helm Chart.
For more information about installing the Red Hat Developer Hub using Helm Chart, see Chapter 2, Installing Red Hat Developer Hub using Helm Chart.
Procedure
In Red Hat OpenShift, create a ConfigMap to hold the policies as shown in the following example:
Example
ConfigMapCopy to Clipboard Copied! Toggle word wrap Toggle overflow -
In the Developer Hub Helm Chart, go to Root Schema
Backstage chart schema Backstage parameters Backstage container additional volume mounts. Select Add Backstage container additional volume mounts and add the following values:
-
mountPath:
opt/app-root/src/rbac -
Name:
rbac-policy
-
mountPath:
Add the RBAC policy to the Backstage container additional volumes in the Developer Hub Helm Chart:
-
name:
rbac-policy configMap
-
defaultMode:
420 -
name:
rbac-policy
-
defaultMode:
-
name:
Update the policy path in the
app-config.yamlfile as follows:Example
app-config.yamlfilepermission: enabled: true rbac: policies-csv-file: ./rbac/rbac-policy.csvpermission: enabled: true rbac: policies-csv-file: ./rbac/rbac-policy.csvCopy to Clipboard Copied! Toggle word wrap Toggle overflow
4.1.3. Permission policies in Red Hat Developer Hub
Permission policies in Red Hat Developer Hub are a set of rules to govern access to resources or functionalities. These policies state the authorization level that is granted to users based on their roles. The permission policies are implemented to maintain security and confidentiality within a given environment.
The following permission policies are supported in the Developer Hub:
- Catalog permissions
| Name | Resource type | Policy | Description |
|---|---|---|---|
|
|
| read | Allows user or role to read from the catalog |
|
| create | Allows user or role to create catalog entities, including registering an existing component in the catalog | |
|
|
| update | Allows user or role to refresh a single or multiple entities from the catalog |
|
|
| delete | Allows user or role to delete a single or multiple entities from the catalog |
|
| read | Allows user or role to read a single or multiple locations from the catalog | |
|
| create | Allows user or role to create locations within the catalog | |
|
| delete | Allows user or role to delete locations from the catalog |
- Scaffolder permissions
| Name | Resource type | Policy | Description |
|---|---|---|---|
|
|
| Allows the execution of an action from a template | |
|
|
| read | Allows user or role to read a single or multiple one parameters from a template |
|
|
| read | Allows user or role to read a single or multiple steps from a template |
- RBAC permissions
| Name | Resource type | Policy | Description |
|---|---|---|---|
|
|
| read | Allows user or role to read permission policies and roles |
|
|
| create | Allows user or role to create a single or multiple permission policies and roles |
|
|
| update | Allows user or role to update a single or multiple permission policies and roles |
|
|
| delete | Allows user or role to delete a single or multiple permission policies and roles |
- Kubernetes permissions
| Name | Resource type | Policy | Description |
|---|---|---|---|
|
| Allows user or role to access the proxy endpoint |
4.2. Role-based Access Control (RBAC) REST API
Red Hat Developer Hub provides RBAC REST API that you can use to manage the permissions and roles in the Developer Hub. This API supports you to facilitate and automate the maintenance of Developer Hub permission policies and roles.
Using the RBAC REST API, you can perform the following actions:
- Retrieve information about all permission policies or specific permission policies, or roles
- Create, update, or delete a permission policy or a role
- Retrieve permission policy information about static plugins
The RBAC REST API requires the following components:
Authorization
The RBAC REST API requires Bearer token authorization for the permitted user role. For development purposes, you can access a web console in a browser. When you refresh a token request in the list of network requests, you find the token in the response JSON.
Authorization: Bearer $token
For example, on the Homepage of the Developer Hub, you can navigate to the Network tab and search for the query?term= network call. Alternatively, you can go to the Catalog page and select any network call with entity-facets to acquire the Bearer token.
HTTP methods
The RBAC REST API supports the following HTTP methods for API requests:
-
GET: Retrieves specified information from a specified resource endpoint -
POST: Creates or updates a resource -
PUT: Updates a resource -
DELETE: Deletes a resource
Base URL
The base URL for RBAC REST API requests is http://SERVER:PORT/api/permission/policies, such as http://localhost:7007/api/permission/policies.
Endpoints
RBAC REST API endpoints, such as /api/permission/policies/[kind]/[namespace]/[name] for specified kind, namespace, and username, are the URI that you append to the base URL to access the corresponding resource.
Example request URL for /api/permission/policies/[kind]/[namespace]/[name] endpoint is:
http://localhost:7007/api/permission/policies/user/default/johndoe
If at least one permission is assigned to user:default/johndoe, then the example request URL mentioned previously returns a result if sent in a GET response with a valid authorization token. However, if permission is only assigned to roles, then the example request URL does not return an output.
Request data
HTTP POST requests in the RBAC REST API may require a JSON request body with data to accompany the request.
Example POST request URL and JSON request body data for http://localhost:7007/api/permission/policies:
HTTP status codes
The RBAC REST API supports the following HTTP status codes to return as responses:
-
200OK: The request was successful. -
201Created: The request resulted in a new resource being successfully created. -
204No Content: The request was successful, but there is no additional content to send in the response payload. -
400Bad Request: input error with the request -
401Unauthorized: lacks valid authentication for the requested resource -
403Forbidden: refusal to authorize request -
404Not Found: could not find requested resource -
409Conflict: request conflict with the current state and the target resource
4.2.1. Sending requests with the RBAC REST API using a REST client or curl utility
The RBAC REST API enables you to interact with the permission policies and roles in Developer Hub without using the user interface. You can send RBAC REST API requests using any REST client or curl utility.
Prerequisites
- Red Hat Developer Hub is installed and running. For more information about installing Red Hat Developer Hub, see Chapter 2, Installing Red Hat Developer Hub using Helm Chart. .
- You have access to the Developer Hub.
Procedure
Identify a relevant API endpoint to which you want to send a request, such as
POST /api/permission/policies. Adjust any request details according to your use case.For REST client:
- Authorization: Enter the generated token from the web console.
-
HTTP method: Set to
POST. -
URL: Enter the RBAC REST API base URL and endpoint such as
http://localhost:7007/api/permission/policies.
For curl utility:
-
-X: Set toPOST -H: Set the following header:Content-type: application/jsonAuthorization: Bearer $token$tokenis the requested token from the web console in a browser.-
URL: Enter the following RBAC REST API base URL endpoint, such as
http://localhost:7007/api/permission/policies -
-d: Add a request JSON body
Example request:
curl -X POST "http://localhost:7007/api/permission/policies" -d '{"entityReference":"role:default/test", "permission": "catalog-entity", "policy": "read", "effect":"allow"}' -H "Content-Type: application/json" -H "Authorization: Bearer $token" -v- Execute the request and review the response.
4.2.2. Supported RBAC REST API endpoints
The RBAC REST API provides the following endpoints for managing permission policies and roles in the Developer Hub and for retrieving information about the policies and roles.
4.2.2.1. Permission policies
The RBAC REST API supports the following endpoints for managing permission policies in the Red Hat Developer Hub.
- [GET] /api/permission/policies
Returns permission policies list for all users.
Example response (JSON)
Copy to Clipboard Copied! Toggle word wrap Toggle overflow - [GET] /api/permission/policies/{kind}/{namespace}/{name}
Returns permission policies related to the specified entity reference.
Expand Table 4.1. Request parameters Name Description Type Requirement kindKind of the entity
String
Required
namespaceNamespace of the entity
String
Required
nameUsername related to the entity
String
Required
Example response (JSON)
Copy to Clipboard Copied! Toggle word wrap Toggle overflow - [POST] /api/permission/policies
Creates a permission policy for a specified entity.
Expand Table 4.2. Request parameters Name Description Type Requirement entityReferenceReference values of an entity including namespace and name
String
Required
permissionType of the permission
String
Required
policyRead or write policy to the permission
String
Required
effectIndication of allowing or not allowing the policy
String
Required
Example request body (JSON)
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Example response
201 Created
201 CreatedCopy to Clipboard Copied! Toggle word wrap Toggle overflow - [PUT] /api/permission/policies/{kind}/{namespace}/{name}
Updates a permission policy for a specified entity.
Request parameters
The request body contains the
oldPolicyandnewPolicyobjects:Expand Name Description Type Requirement permissionType of the permission
String
Required
policyRead or write policy to the permission
String
Required
effectIndication of allowing or not allowing the policy
String
Required
Example request body (JSON)
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Example response
200
200Copy to Clipboard Copied! Toggle word wrap Toggle overflow - [DELETE] /api/permission/policies/{kind}/{namespace}/{name}?permission={value1}&policy={value2}&effect={value3}
Deletes a permission policy added to the specified entity.
Expand Table 4.3. Request parameters Name Description Type Requirement kindKind of the entity
String
Required
namespaceNamespace of the entity
String
Required
nameUsername related to the entity
String
Required
permissionType of the permission
String
Required
policyRead or write policy to the permission
String
Required
effectIndication of allowing or not allowing the policy
String
Required
Example response
204 No Content
204 No ContentCopy to Clipboard Copied! Toggle word wrap Toggle overflow - [GET] /api/permission/plugins/policies
Returns permission policies for all static plugins.
Example response (JSON)
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
4.2.2.2. Roles
The RBAC REST API supports the following endpoints for managing roles in the Red Hat Developer Hub.
- [GET] /api/permission/roles
Returns all roles in Developer Hub.
Example response (JSON)
Copy to Clipboard Copied! Toggle word wrap Toggle overflow - [GET] /api/permission/roles/{kind}/{namespace}/{name}
Creates a role in Developer Hub.
Expand Table 4.4. Request parameters Name Description Type Requirement bodyThe
memberReferences,group,namespace, andnamethe new role to be created.Request body
Required
Example request body (JSON)
{ "memberReferences": ["group:default/test"], "name": "role:default/test_admin" }{ "memberReferences": ["group:default/test"], "name": "role:default/test_admin" }Copy to Clipboard Copied! Toggle word wrap Toggle overflow Example response
201 Created
201 CreatedCopy to Clipboard Copied! Toggle word wrap Toggle overflow - [PUT] /api/permission/roles/{kind}/{namespace}/{name}
Updates
memberReferences,kind,namespace, ornamefor a role in Developer Hub.Request parameters
The request body contains the
oldRoleandnewRoleobjects:Expand Name Description Type Requirement bodyThe
memberReferences,group,namespace, andnamethe new role to be created.Request body
Required
Example request body (JSON)
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Example response
200 OK
200 OKCopy to Clipboard Copied! Toggle word wrap Toggle overflow - [DELETE] /api/permission/roles/{kind}/{namespace}/{name}?memberReferences=<VALUE>
Deletes the specified user or group from a role in Developer Hub.
Expand Table 4.5. Request parameters Name Description Type Requirement kindKind of the entity
String
Required
namespaceNamespace of the entity
String
Required
nameUsername related to the entity
String
Required
memberReferencesAssociated group information
String
Required
Example response
204
204Copy to Clipboard Copied! Toggle word wrap Toggle overflow - [DELETE] /api/permission/roles/{kind}/{namespace}/{name}
Deletes a specified role from Developer Hub.
Expand Table 4.6. Request parameters Name Description Type Requirement kindKind of the entity
String
Required
namespaceNamespace of the entity
String
Required
nameUsername related to the entity
String
Required
Example response
204
204Copy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}