Chapter 2. Permission policies in Red Hat Developer Hub

Permission policies in Red Hat Developer Hub are a set of rules to govern access to resources or functionalities. These policies state the authorization level that is granted to users based on their roles. The permission policies are implemented to maintain security and confidentiality within a given environment.

You can define the following types of permissions in Developer Hub:

  • resource type
  • basic

The distinction between the two permission types depends on whether a permission includes a defined resource type: a resource type permission (for example, catalog.entity.read with the resource type catalog-entity) can be granted either by its name or by its resource type, while a basic permission (for example, catalog.entity.create) has no resource type and can only be granted by name.

You can define the resource type permission using either the associated resource type or the permission name as shown in the following example:

Example resource type permission definition

p, role:default/myrole, catalog.entity.read, read, allow
g, user:default/myuser, role:default/myrole

p, role:default/another-role, catalog-entity, read, allow
g, user:default/another-user, role:default/another-role

You can define the basic permission in Developer Hub using the permission name as shown in the following example:

Example basic permission definition

p, role:default/myrole, catalog.entity.create, create, allow
g, user:default/myuser, role:default/myrole

The following permission policies are supported in Developer Hub. A permission with an empty Resource type column is a basic permission and must be referenced by name. A permission whose Policy column reads "none" has no action of its own; in policy.csv, grant it with the action "use" (see Section 2.1.2).

Catalog permissions

Name | Resource type | Policy | Description
--- | --- | --- | ---
catalog.entity.read | catalog-entity | read | Allows user or role to read from the catalog
catalog.entity.create | | create | Allows user or role to create catalog entities, including registering an existing component in the catalog
catalog.entity.refresh | catalog-entity | update | Allows user or role to refresh a single or multiple entities from the catalog
catalog.entity.delete | catalog-entity | delete | Allows user or role to delete a single or multiple entities from the catalog
catalog.location.read | | read | Allows user or role to read a single or multiple locations from the catalog
catalog.location.create | | create | Allows user or role to create locations within the catalog
catalog.location.delete | | delete | Allows user or role to delete locations from the catalog

Bulk import permissions

Name | Resource type | Policy | Description
--- | --- | --- | ---
bulk.import | bulk-import | none | Allows the user to access the bulk import endpoints, such as listing all repositories and organizations accessible by all GitHub integrations and managing the import requests

Scaffolder permissions

Name | Resource type | Policy | Description
--- | --- | --- | ---
scaffolder.action.execute | scaffolder-action | none | Allows the execution of an action from a template
scaffolder.template.parameter.read | scaffolder-template | read | Allows user or role to read a single parameter or multiple parameters from a template
scaffolder.template.step.read | scaffolder-template | read | Allows user or role to read a single or multiple steps from a template
scaffolder.task.create | | create | Allows the user or role to trigger software templates which create new scaffolder tasks
scaffolder.task.cancel | | none | Allows the user or role to cancel currently running scaffolder tasks
scaffolder.task.read | | read | Allows user or role to read all scaffolder tasks and their associated events and logs

RBAC permissions

Name | Resource type | Policy | Description
--- | --- | --- | ---
policy.entity.read | policy-entity | read | Allows user or role to read permission policies and roles
policy.entity.create | policy-entity | create | Allows user or role to create a single or multiple permission policies and roles
policy.entity.update | policy-entity | update | Allows user or role to update a single or multiple permission policies and roles
policy.entity.delete | policy-entity | delete | Allows user or role to delete a single or multiple permission policies and roles

Kubernetes permissions

Name | Resource type | Policy | Description
--- | --- | --- | ---
kubernetes.proxy | | none | Allows user or role to access the proxy endpoint

OCM permissions

Name | Resource type | Policy | Description
--- | --- | --- | ---
ocm.entity.read | | read | Allows user or role to read from the OCM plugin
ocm.cluster.read | | read | Allows user or role to read the cluster information in the OCM plugin

Topology permissions

Name | Resource type | Policy | Description
--- | --- | --- | ---
topology.view.read | | read | Allows user or role to view the topology plugin
kubernetes.proxy | | none | Allows user or role to access the proxy endpoint, allowing them to read pod logs and events within RHDH
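As an added example (not code from the Red Hat Developer Hub documentation or the RBAC plugin), the following Python script lints an rbac-policy.csv against the tables above. It catches the mistakes the two permission types invite: granting a basic permission through a resource type it does not have, using read or another action for a permission that has none (those take "use"), misspelled permission names, and roles that are assigned in g rules but never defined in p rules. The SUPPORTED table is transcribed from this chapter; the sample policy file is constructed for the example.

```python
"""Lint a Developer Hub rbac-policy.csv against the permission tables above.
Added example, not code from the RHDH docs or the RBAC plugin. SUPPORTED is
transcribed from this chapter; a None action means the permission has no
action and must be granted with the action "use"."""

# permission name -> (resource type or None, action or None)
SUPPORTED = {
    "catalog.entity.read": ("catalog-entity", "read"),
    "catalog.entity.create": (None, "create"),
    "catalog.entity.refresh": ("catalog-entity", "update"),
    "catalog.entity.delete": ("catalog-entity", "delete"),
    "catalog.location.read": (None, "read"),
    "catalog.location.create": (None, "create"),
    "catalog.location.delete": (None, "delete"),
    "bulk.import": ("bulk-import", None),
    "scaffolder.action.execute": ("scaffolder-action", None),
    "scaffolder.template.parameter.read": ("scaffolder-template", "read"),
    "scaffolder.template.step.read": ("scaffolder-template", "read"),
    "scaffolder.task.create": (None, "create"),
    "scaffolder.task.cancel": (None, None),
    "scaffolder.task.read": (None, "read"),
    "policy.entity.read": ("policy-entity", "read"),
    "policy.entity.create": ("policy-entity", "create"),
    "policy.entity.update": ("policy-entity", "update"),
    "policy.entity.delete": ("policy-entity", "delete"),
    "kubernetes.proxy": (None, None),
    "ocm.entity.read": (None, "read"),
    "ocm.cluster.read": (None, "read"),
    "topology.view.read": (None, "read"),
}

# resource type -> the actions some permission of that type supports
RESOURCE_ACTIONS = {}
for _rt, _act in SUPPORTED.values():
    if _rt is not None:
        RESOURCE_ACTIONS.setdefault(_rt, set()).add(_act or "use")


def parse(csv_text):
    """Yield (line_no, fields) for every non-blank line that is not a '#' comment."""
    for n, raw in enumerate(csv_text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield n, [f.strip() for f in line.split(",")]


def lint(csv_text):
    """Return 'line N: ...' findings; an empty list means the file is clean."""
    findings, defined, assigned = [], set(), {}
    for n, f in parse(csv_text):
        if f[0] == "p" and len(f) == 5:
            _, role, obj, act, eft = f
            if not role.startswith("role:"):
                findings.append(f"line {n}: p subject must be a role, got {role!r}")
            if eft not in ("allow", "deny"):
                findings.append(f"line {n}: effect must be allow or deny, got {eft!r}")
            if obj in SUPPORTED:  # granted by permission name
                want = SUPPORTED[obj][1] or "use"
                if act != want:
                    findings.append(f"line {n}: {obj} takes action {want!r}, not {act!r}")
            elif obj in RESOURCE_ACTIONS:  # granted by resource type
                if act not in RESOURCE_ACTIONS[obj]:
                    findings.append(f"line {n}: no {obj} permission has action {act!r}")
            else:
                findings.append(f"line {n}: unknown permission or resource type {obj!r}")
            defined.add(role)
        elif f[0] == "g" and len(f) == 3:
            _, member, role = f
            if not member.startswith(("user:", "group:")):
                findings.append(f"line {n}: g member must be a user or group, got {member!r}")
            if not role.startswith("role:"):
                findings.append(f"line {n}: g target must be a role, got {role!r}")
            assigned.setdefault(role, n)
        else:
            findings.append(f"line {n}: expected 'p' with 5 fields or 'g' with 3, got {f!r}")
    for role, n in assigned.items():
        if role not in defined:
            findings.append(f"line {n}: {role} is assigned but has no p rule, so it grants nothing")
    return findings


# Constructed sample: the guests role from this chapter plus four deliberate mistakes.
SAMPLE = """\
p, role:default/guests, catalog-entity, read, allow
p, role:default/guests, catalog.entity.create, create, allow
# wrong: kubernetes.proxy has no action, so the action must be "use"
p, role:default/guests, kubernetes.proxy, read, allow
# wrong: create is not an action of any catalog-entity permission
p, role:default/guests, catalog-entity, create, allow
# wrong: misspelled permission name
p, role:default/guests, catalog.entitiy.read, read, allow
g, user:default/alice, role:default/guests
# wrong: role:default/ops is never defined by a p rule
g, group:default/team-a, role:default/ops
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run it against the file before mounting it; a non-empty finding list is a reason not to deploy. The linter validates names and actions only, so it will not tell you whether a grant such as catalog-entity delete for guests is wider than you intended.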

2.1. Permission policies configuration

There are two approaches to configuring permission policies in Red Hat Developer Hub:

  • Configuration of permission policies administrators
  • Configuration of permission policies defined in an external file

2.1.1. Configuration of permission policies administrators

The permission policies for users and groups in the Developer Hub are managed by permission policy administrators. Only permission policy administrators can access the Role-Based Access Control REST API.

The purpose of configuring policy administrators is to enable a specific, restricted number of authenticated users to access the RBAC REST API. The permission policies are defined in a policy.csv file, which is referenced in the app-config-rhdh ConfigMap. OpenShift platform administrators or cluster administrators can perform this task with access to the namespace where Red Hat Developer Hub is deployed.

You can enable a permission policy administrator by configuring the app-config.yaml file as follows:

permission:
  enabled: true
  rbac:
    admin:
      users:
        - name: user:default/joeuser

Users listed under admin.users are assigned the default permission policy administrator role, role:default/rbac_admin. On creation, this role includes permissions to create, read, update, and delete permission policies and roles, and to read from the catalog.

If the default permissions are not adequate for your requirements, define a new administrator role with the relevant permission policies. Alternatively, you can use the optional superUsers configuration value, which grants unrestricted permissions across Developer Hub. Because a superuser bypasses every permission check, keep this list short and limit it to accounts that genuinely need break-glass access.

You can set the superUsers in the app-config.yaml file as follows:

# ...
permission:
  enabled: true
  rbac:
    admin:
      superUsers:
        - name: user:default/joeuser
        # ...

2.1.2. Configuration of permission policies defined in an external file

You can configure the permission policies before starting Red Hat Developer Hub. If the permission policies are defined in an external file, you can import that file into Developer Hub. You must define each permission policy in the following Casbin rule format:

p, <ROLE>, <PERMISSION_NAME or PERMISSION_RESOURCE_TYPE>, <PERMISSION_POLICY_ACTION>, <ALLOW or DENY>

You assign users and groups to roles in the following Casbin rule format:

g, <USER or GROUP>, <ROLE>

Note

For information about the Casbin rules format, see Basics of Casbin rules.

The following is an example of a permission policies configuration:

p, role:default/guests, catalog-entity, read, allow
p, role:default/guests, catalog.entity.create, create, allow
g, user:default/<USER_TO_ROLE>, role:default/guests
g, group:default/<GROUP_TO_ROLE>, role:default/guests

If a permission has no action associated with it (its Policy column in the tables above is "none"), use "use" as the policy action. See the following example:

p, role:default/guests, kubernetes.proxy, use, allow
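To see how the p and g rules combine into a decision, here is an added example (not the RBAC plugin's own evaluator) that decides a single request the way a Casbin-style engine with an allow-and-deny effect would: a p rule matches when its object is either the permission name or the permission's resource type, a user's roles come from g rules for the user and for the groups the catalog places the user in, and one matching deny outranks any number of allows. The policy file and the group memberships are constructed for the example; the deny-overrides behaviour is an assumption about the engine's model, so confirm it against your own deployment before relying on it.

```python
"""Evaluate one Developer Hub RBAC decision from Casbin-style p and g rules.

Added example, not the RBAC plugin's code. Assumptions: a request carries the
permission name, its resource type (or None) and its action; a p rule matches
when its object equals either the name or the resource type; g rules map users
and groups to roles; a user's group membership comes from the catalog and is
passed in here as a constructed list; and the effect is Casbin's allow-and-deny
rule (allowed if some matching rule allows and no matching rule denies).
"""
from collections import defaultdict


def load(csv_text):
    """Split the CSV into p rules (sub, obj, act, eft) and g rules (member -> roles)."""
    policies, groupings = [], defaultdict(set)
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = [x.strip() for x in line.split(",")]
        if f[0] == "p" and len(f) == 5:
            policies.append(tuple(f[1:]))
        elif f[0] == "g" and len(f) == 3:
            groupings[f[1]].add(f[2])
    return policies, groupings


def roles_of(user, groups, groupings):
    """Roles granted to the user directly or through any of the user's catalog groups."""
    roles = set()
    for member in [user, *groups]:
        roles |= groupings.get(member, set())
    return roles


def decide(csv_text, user, groups, permission, resource_type, action):
    """True if the request matches at least one allow rule and no deny rule."""
    policies, groupings = load(csv_text)
    roles = roles_of(user, groups, groupings)
    objects = {permission, resource_type} - {None}
    effects = {eft for sub, obj, act, eft in policies
               if sub in roles and obj in objects and act == action}
    return "allow" in effects and "deny" not in effects


# Constructed policy file: guests may read and create but are explicitly denied
# delete; maintainers get delete and update on every catalog-entity permission.
POLICY = """\
p, role:default/guests, catalog-entity, read, allow
p, role:default/guests, catalog.entity.create, create, allow
p, role:default/guests, kubernetes.proxy, use, allow
p, role:default/guests, catalog.entity.delete, delete, deny
p, role:default/maintainers, catalog-entity, delete, allow
p, role:default/maintainers, catalog-entity, update, allow
g, user:default/alice, role:default/guests
g, user:default/bob, role:default/guests
g, group:default/platform, role:default/maintainers
"""

# Constructed catalog group membership (in Developer Hub this comes from the catalog).
GROUPS = {"user:default/alice": [], "user:default/bob": ["group:default/platform"]}


def check(user, permission, resource_type, action):
    """Decide a request for a user against POLICY using that user's catalog groups."""
    return decide(POLICY, user, GROUPS.get(user, []), permission, resource_type, action)


if __name__ == "__main__":
    for args in [
        ("user:default/alice", "catalog.entity.read", "catalog-entity", "read"),
        ("user:default/alice", "kubernetes.proxy", None, "use"),
        ("user:default/alice", "catalog.entity.delete", "catalog-entity", "delete"),
        ("user:default/bob", "catalog.entity.delete", "catalog-entity", "delete"),
        ("user:default/bob", "catalog.entity.refresh", "catalog-entity", "update"),
    ]:
        print(args, "->", "allow" if check(*args) else "deny")
```

The bob case is the one to notice: bob is a maintainer through group:default/platform, which allows delete on every catalog-entity permission, but bob is also a guest, and the guests deny on catalog.entity.delete wins. Deny rules therefore propagate to everyone who holds the role, not only to the users you had in mind when writing them.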

You can define the policy.csv file path in the app-config.yaml file:

permission:
  enabled: true
  rbac:
    policies-csv-file: /some/path/rbac-policy.csv

You can use an optional configuration value that enables reloading the CSV file without restarting the Developer Hub instance.

Set the value of the policyFileReload option in the app-config.yaml file:

# ...
permission:
  enabled: true
  rbac:
    policies-csv-file: /some/path/rbac-policy.csv
    policyFileReload: true
    # ...

2.1.2.1. Mounting policy.csv file using the Developer Hub Operator

When the Red Hat Developer Hub is deployed with the Operator, you can add your policy.csv file using the Developer Hub Operator by creating a ConfigMap and mounting it through your Custom Resource (CR).

Prerequisites

  • You are logged in to your OpenShift Container Platform account using the OpenShift Container Platform web console.
  • Red Hat Developer Hub is installed and deployed using the Operator.
  • You have added a custom configuration file to OpenShift Container Platform. For more information, see Adding a custom configuration file to OpenShift Container Platform.

Procedure

  1. In OpenShift Container Platform, create a ConfigMap to hold the policies as shown in the following example:

    Example ConfigMap

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: rbac-policy
    data:
      rbac-policy.csv: |
        p, role:default/guests, catalog-entity, read, allow
        p, role:default/guests, catalog.entity.create, create, allow
    
        g, user:default/<YOUR_USER>, role:default/guests

  2. Update the policy path in your custom app-config.yaml ConfigMap as follows:

    Example app-config.yaml file

    permission:
      enabled: true
      rbac:
        policies-csv-file: ./rbac-policy.csv

  3. From the Developer perspective in the OpenShift Container Platform web console, select the Topology view.
  4. Click the overflow menu for the Red Hat Developer Hub instance that you want to use and select Edit Backstage to load the YAML view of the Red Hat Developer Hub instance.
  5. In the CR, enter the name of the custom rbac-policy ConfigMap as the value for the spec.application.extraFiles.configMaps field. For example:

    Example custom resource

    apiVersion: rhdh.redhat.com/v1alpha1
    kind: Backstage
    metadata:
      name: example
    spec:
      application:
        appConfig:
          mountPath: /opt/app-root/src
          configMaps:
            - name: app-config-rhdh
        extraEnvs:
          secrets:
            - name: secrets-rhdh
        extraFiles:
          mountPath: /opt/app-root/src
          configMaps:
            - name: rbac-policy
        replicas: 1
        route:
          enabled: true
      database:
        enableLocalDb: true

  6. Click Save.

Verification

  1. Navigate back to the Topology view and wait for the Red Hat Developer Hub pod to start.
  2. Click the Open URL icon to access the Red Hat Developer Hub platform with the updated configuration settings.

2.1.2.2. Mounting policy.csv file to the Developer Hub Helm chart

When Red Hat Developer Hub is deployed with the Helm chart, you must mount the policy.csv file into the Developer Hub container. You do so by creating a ConfigMap that holds the file and adding it to the Helm chart as an additional volume and volume mount.

Prerequisites

  • You are logged in to your OpenShift Container Platform account using the OpenShift Container Platform web console.
  • Red Hat Developer Hub is installed and deployed using Helm Chart.

Procedure

  1. In OpenShift Container Platform, create a ConfigMap to hold the policies as shown in the following example:

    Example ConfigMap

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: rbac-policy
      namespace: rhdh
    data:
      rbac-policy.csv: |
        p, role:default/guests, catalog-entity, read, allow
        p, role:default/guests, catalog.entity.create, create, allow
    
        g, user:default/<YOUR_USER>, role:default/guests

  2. In the Developer Hub Helm Chart, go to Root Schema > Backstage chart schema > Backstage parameters > Backstage container additional volume mounts.
  3. Select Add Backstage container additional volume mounts and add the following values (the mountPath must be an absolute path):

    • mountPath: /opt/app-root/src/rbac
    • name: rbac-policy
  4. Add the RBAC policy to the Backstage container additional volumes in the Developer Hub Helm Chart:

    • name: rbac-policy
    • configMap

      • defaultMode: 420
      • name: rbac-policy
  5. Update the policy path in the app-config.yaml file as follows:

    Example app-config.yaml file

    permission:
      enabled: true
      rbac:
        policies-csv-file: ./rbac/rbac-policy.csv
