Chapter 3. Permission policies in Red Hat Developer Hub
Permission policies in Red Hat Developer Hub are a set of rules to govern access to resources or functionalities. These policies state the authorization level that is granted to users based on their roles. The permission policies are implemented to maintain security and confidentiality within a given environment.
You can define the following types of permissions in Developer Hub:
- resource type
- basic
The distinction between the two permission types depends on whether a permission includes a defined resource type.
You can define the resource type permission using either the associated resource type or the permission name as shown in the following example:
Example resource type permission definition
```
p, role:default/myrole, catalog.entity.read, read, allow
g, user:default/myuser, role:default/myrole
p, role:default/another-role, catalog-entity, read, allow
g, user:default/another-user, role:default/another-role
```
You can define the basic permission in Developer Hub using the permission name as shown in the following example:
Example basic permission definition
```
p, role:default/myrole, catalog.entity.create, create, allow
g, user:default/myuser, role:default/myrole
```
The following permission policies are supported in the Developer Hub:
- Catalog permissions

| Name | Resource type | Policy | Description |
|---|---|---|---|
| catalog.entity.read | catalog-entity | read | Allows user or role to read from the catalog |
| catalog.entity.create | | create | Allows user or role to create catalog entities, including registering an existing component in the catalog |
| | | update | Allows user or role to refresh a single or multiple entities from the catalog |
| | | delete | Allows user or role to delete a single or multiple entities from the catalog |
| | | read | Allows user or role to read a single or multiple locations from the catalog |
| | | create | Allows user or role to create locations within the catalog |
| | | delete | Allows user or role to delete locations from the catalog |

- Bulk import permissions

| Name | Resource type | Policy | Description |
|---|---|---|---|
| | | | Allows the user to access the bulk import endpoints, such as listing all repositories and organizations accessible by all GitHub integrations and managing the import requests. |

- Scaffolder permissions

| Name | Resource type | Policy | Description |
|---|---|---|---|
| | | | Allows the execution of an action from a template |
| | | read | Allows user or role to read a single or multiple parameters from a template |
| | | read | Allows user or role to read a single or multiple steps from a template |
| | | create | Allows the user or role to trigger software templates which create new scaffolder tasks |
| | | | Allows the user or role to cancel currently running scaffolder tasks |
| | | read | Allows user or role to read all scaffolder tasks and their associated events and logs |

- RBAC permissions

| Name | Resource type | Policy | Description |
|---|---|---|---|
| | | read | Allows user or role to read permission policies and roles |
| | | create | Allows user or role to create a single or multiple permission policies and roles |
| | | update | Allows user or role to update a single or multiple permission policies and roles |
| | | delete | Allows user or role to delete a single or multiple permission policies and roles |

- Kubernetes permissions

| Name | Resource type | Policy | Description |
|---|---|---|---|
| kubernetes.proxy | | use | Allows user or role to access the proxy endpoint |

- OCM permissions

| Name | Resource type | Policy | Description |
|---|---|---|---|
| | | read | Allows user or role to read from the OCM plugin |
| | | read | Allows user or role to read the cluster information in the OCM plugin |

- Topology permissions

| Name | Resource type | Policy | Description |
|---|---|---|---|
| | | read | Allows user or role to view the topology plugin |
| kubernetes.proxy | | use | Allows user or role to access the proxy endpoint, allowing them to read pod logs and events within RHDH |
3.1. Permission policies configuration
There are two approaches to configuring the permission policies in Red Hat Developer Hub:
- Configuration of permission policies administrators
- Configuration of permission policies defined in an external file
3.1.1. Configuration of permission policies defined in an external file
You can configure the permission policies before starting the Red Hat Developer Hub. If permission policies are defined in an external file, then you can import the same file in the Developer Hub. You must define the permission policies using the following Casbin rules format:
```
p, <ROLE>, <PERMISSION_NAME or PERMISSION_RESOURCE_TYPE>, <PERMISSION_POLICY_ACTION>, <ALLOW or DENY>
```
You can define roles using the following Casbin rules format:
```
g, <USER or GROUP>, <ROLE>
```
For information about the Casbin rules format, see Basics of Casbin rules.
The following is an example of permission policies configuration:
```
p, role:default/guests, catalog-entity, read, allow
p, role:default/guests, catalog.entity.create, create, allow
g, user:default/<USER_TO_ROLE>, role:default/guests
g, group:default/<GROUP_TO_ROLE>, role:default/guests
```
If a defined permission does not have an action associated with it, use `use` as the policy action. See the following example:
```
p, role:default/guests, kubernetes.proxy, use, allow
```
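The following script is an added example, not code from the Red Hat documentation or from the RBAC plugin. It parses a policy file in the Casbin CSV format described above, reports rows that do not match the `p`/`g` shapes or use an unknown action or effect, and then evaluates whether a user holds a permission through the roles assigned directly or via a group. The sample policy and the users and groups in it are constructed for this example, and the evaluation rule is an assumption: a simplified reconstruction of Casbin's RBAC model in which a request is allowed only when a matching `p` rule says `allow` and no matching rule says `deny`, with a rule matching a permission by either its name or its resource type.

```python
"""Parse and evaluate a Developer Hub RBAC policy file in Casbin CSV format.

Added example; not the Red Hat documentation's code and not the RBAC plugin's
code. ASSUMPTION: the evaluation below is a simplified reconstruction of the
Casbin RBAC model the plugin uses: a request is allowed when at least one
matching `p` rule says allow and no matching rule says deny, and a `p` rule
matches a permission by either its name or its resource type.
"""
import csv
import io
from dataclasses import dataclass

VALID_ACTIONS = {"create", "read", "update", "delete", "use"}
VALID_EFFECTS = {"allow", "deny"}

# Constructed sample policy in the format shown above (hypothetical users/groups).
SAMPLE_POLICY = """\
p, role:default/guests, catalog-entity, read, allow
p, role:default/guests, catalog.entity.create, create, allow
p, role:default/guests, kubernetes.proxy, use, allow
p, role:default/restricted, catalog.entity.create, create, deny
g, user:default/alice, role:default/guests
g, group:default/contractors, role:default/guests
g, group:default/contractors, role:default/restricted
"""


@dataclass(frozen=True)
class PolicyRule:
    role: str
    permission: str  # permission name or resource type
    action: str
    effect: str


@dataclass(frozen=True)
class GroupingRule:
    member: str  # user:... or group:...
    role: str


def parse_policy(text):
    """Return (policy_rules, grouping_rules, errors) for a Casbin CSV string."""
    policies, groupings, errors = [], [], []
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for lineno, row in enumerate(reader, start=1):
        row = [cell.strip() for cell in row]
        if not row or row == [""] or row[0].startswith("#"):
            continue  # blank line or comment
        kind = row[0]
        if kind == "p":
            if len(row) != 5:
                errors.append(f"line {lineno}: p rule needs 5 fields, got {len(row)}")
                continue
            _, role, permission, action, effect = row
            if not role.startswith("role:"):
                errors.append(f"line {lineno}: subject {role!r} is not a role")
            if action not in VALID_ACTIONS:
                errors.append(f"line {lineno}: unknown action {action!r}")
            if effect not in VALID_EFFECTS:
                errors.append(f"line {lineno}: effect must be allow or deny, got {effect!r}")
            policies.append(PolicyRule(role, permission, action, effect))
        elif kind == "g":
            if len(row) != 3:
                errors.append(f"line {lineno}: g rule needs 3 fields, got {len(row)}")
                continue
            _, member, role = row
            if not member.startswith(("user:", "group:")):
                errors.append(f"line {lineno}: member {member!r} is not a user or group")
            groupings.append(GroupingRule(member, role))
        else:
            errors.append(f"line {lineno}: unknown rule type {kind!r}")
    return policies, groupings, errors


def roles_for(user, groups, groupings):
    """Roles held by a user directly or through any of the user's groups."""
    members = {user, *groups}
    return {g.role for g in groupings if g.member in members}


def enforce(user, groups, permission_name, resource_type, action, policies, groupings):
    """Allow only if some matching rule allows and no matching rule denies."""
    roles = roles_for(user, groups, groupings)
    matched = [
        p for p in policies
        if p.role in roles
        and p.permission in (permission_name, resource_type)
        and p.action == action
    ]
    effects = {p.effect for p in matched}
    return "allow" in effects and "deny" not in effects


if __name__ == "__main__":
    policies, groupings, errors = parse_policy(SAMPLE_POLICY)
    print("validation errors:", errors or "none")
    checks = [
        ("user:default/alice", [], "catalog.entity.read", "catalog-entity", "read"),
        ("user:default/bob", ["group:default/contractors"], "catalog.entity.create", None, "create"),
        ("user:default/alice", [], "kubernetes.proxy", None, "use"),
    ]
    for user, groups, name, rtype, action in checks:
        print(f"{user} {name}:{action} ->", enforce(user, groups, name, rtype, action, policies, groupings))
```

Running the script shows the point of the deny row: a member of `contractors` gets `catalog.entity.create` through `guests` but loses it again through `restricted`, because a matching deny overrides any allow. Run `parse_policy` over a real `rbac-policy.csv` before mounting it; a malformed row is easier to catch here than after a restart of the instance.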
You can define the policy.csv file path in the app-config.yaml file:
```yaml
permission:
  enabled: true
  rbac:
    policies-csv-file: /some/path/rbac-policy.csv
```
You can use an optional configuration value that enables reloading the CSV file without restarting the Developer Hub instance.
Set the value of the policyFileReload option in the app-config.yaml file:
```yaml
# ...
permission:
  enabled: true
  rbac:
    policies-csv-file: /some/path/rbac-policy.csv
    policyFileReload: true
# ...
```
3.1.1.1. Mounting policy.csv file using the Developer Hub Operator
When the Red Hat Developer Hub is deployed with the Operator, you can add your policy.csv file using the Developer Hub Operator by creating a ConfigMap and mounting it through your Custom Resource (CR).
Prerequisites
- You are logged in to your OpenShift Container Platform account using the OpenShift Container Platform web console.
- Red Hat Developer Hub is installed and deployed using the Operator. For more information, see Installing Red Hat Developer Hub on OpenShift Container Platform with the Operator.
- You have added a custom configuration file to OpenShift Container Platform. For more information, see Adding a custom configuration file to OpenShift Container Platform.
Procedure
- In OpenShift Container Platform, create a ConfigMap to hold the policies as shown in the following example:
Example ConfigMap
```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: rbac-policy
data:
  rbac-policy.csv: |
    p, role:default/guests, catalog-entity, read, allow
    p, role:default/guests, catalog.entity.create, create, allow
    g, user:default/<YOUR_USER>, role:default/guests
```
- Update the policy path in your custom app-config.yaml ConfigMap as follows:
Example app-config.yaml file
```yaml
permission:
  enabled: true
  rbac:
    policies-csv-file: ./rbac-policy.csv
```
- From the Developer perspective in the OpenShift Container Platform web console, select the Topology view.
- Click the overflow menu for the Red Hat Developer Hub instance that you want to use and select Edit Backstage to load the YAML view of the Red Hat Developer Hub instance.
- In the CR, enter the name of the custom rbac-policy ConfigMap as the value for the spec.application.extraFiles.configMaps field. For example:
Example custom resource
```yaml
apiVersion: rhdh.redhat.com/v1alpha1
kind: Backstage
metadata:
  name: example
spec:
  application:
    appConfig:
      mountPath: /opt/app-root/src
      configMaps:
        - name: app-config-rhdh
    extraEnvs:
      secrets:
        - name: secrets-rhdh
    extraFiles:
      mountPath: /opt/app-root/src
      configMaps:
        - name: rbac-policy
    replicas: 1
    route:
      enabled: true
  database:
    enableLocalDb: true
```
- Click Save.
Verification
- Navigate back to the Topology view and wait for the Red Hat Developer Hub pod to start.
- Click the Open URL icon to access the Red Hat Developer Hub platform with the updated configuration settings.
3.1.1.2. Mounting policy.csv file to the Developer Hub Helm chart
When the Red Hat Developer Hub is deployed with the Helm chart, you must define the policy.csv file by mounting it to the Developer Hub Helm chart.
You can add your policy.csv file to the Developer Hub Helm Chart by creating a configMap and mounting it.
Prerequisites
- You are logged in to your OpenShift Container Platform account using the OpenShift Container Platform web console.
- Red Hat Developer Hub is installed and deployed using Helm Chart. For more information, see Installing Red Hat Developer Hub on OpenShift Container Platform with the Helm chart.
Procedure
- In OpenShift Container Platform, create a ConfigMap to hold the policies as shown in the following example:
Example ConfigMap
```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: rbac-policy
  namespace: rhdh
data:
  rbac-policy.csv: |
    p, role:default/guests, catalog-entity, read, allow
    p, role:default/guests, catalog.entity.create, create, allow
    g, user:default/<YOUR_USER>, role:default/guests
```
- In the Developer Hub Helm Chart, go to Root Schema > Backstage chart schema > Backstage parameters > Backstage container additional volume mounts. Select Add Backstage container additional volume mounts and add the following values:
  - mountPath: /opt/app-root/src/rbac
  - name: rbac-policy
- Add the RBAC policy to the Backstage container additional volumes in the Developer Hub Helm Chart:
  - name: rbac-policy
  - configMap:
    - defaultMode: 420
    - name: rbac-policy
- Update the policy path in the app-config.yaml file as follows:
Example app-config.yaml file
```yaml
permission:
  enabled: true
  rbac:
    policies-csv-file: ./rbac/rbac-policy.csv
```