RBAC
Security is a core responsibility of any internal developer portal (IDP). After GitLab users and teams appear in the catalog, you must control who can run self-service actions, view sensitive data, and administer the platform.
Role-based access control (RBAC) maps users and groups to permissions on Red Hat Developer Hub resources. RBAC rules let platform teams grant the right level of access per team—for example, allowing team-a to scaffold components while restricting team-b—without giving every user the same capabilities. In this module you enable the Permissions framework, load CSV policy files, and validate that different GitLab users see different self-service options.
Enable permissions by updating the app-config-rhdh ConfigMap:

```yaml
permission:
  enabled: true
  rbac:
    admin:
      users:
        - name: user:default/root
    policies-csv-file: /opt/app-root/src/rbac-policy.csv
    conditionalPoliciesFile: /opt/app-root/src/rbac/rbac-conditional-policies.yaml
    policyFileReload: true
```
Mount the new file in the Backstage manifests:

```yaml
extraFiles:
  mountPath: /opt/app-root/src/rbac
  configMaps:
    - name: rbac-policy
```
Create a new permission file named rbac-policy-configmap-5.yaml.
A dynamic plugin lets you manage the RBAC rules directly in the UI. This plugin is added to the list of dynamic plugins to load into Red Hat Developer Hub.

```shell
oc apply -f ./content/modules/ROOT/examples/exercises/dynamic-plugins-5.yaml -n rhdh-gitlab
oc apply -f ./content/modules/ROOT/examples/exercises/rbac-policy-configmap-5.yaml -n rhdh-gitlab
oc apply -f ./content/modules/ROOT/examples/exercises/rhdh-app-configmap-5.yaml -n rhdh-gitlab
oc apply -f ./content/modules/ROOT/examples/exercises/rhdh-instance-5.yaml -n rhdh-gitlab
```
Open an incognito window, or log out, and log in as user2 (password: @abc1cde2) to confirm that this user can't create anything: no Self-Service button is enabled for this user.
If you log in as the root user, you can edit the RBAC policies from the Administration page.
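To make the team-a / team-b outcome above concrete, here is an added Python illustration (not code from this workshop or from Red Hat Developer Hub, which delegates policy evaluation to Casbin). It parses a constructed rbac-policy.csv in the `p, <role>, <permission>, <action>, <effect>` / `g, <subject>, <role>` line format RHDH loads, resolves a user's roles through group membership, and applies default deny, which is why a user with no matching policy sees no Self-Service button. The role names, the exact set of scaffolder permissions checked, and the user-to-group mapping are assumptions for the example; in a real instance group membership comes from the GitLab entities in the catalog.

```python
"""Toy evaluator for RHDH-style RBAC CSV policies (added example, not RHDH code).

Mirrors the two CSV line kinds RHDH accepts:
  p, <role>, <permission>, <action>, <effect>
  g, <user-or-group>, <role>
and applies default deny, so a user with no allow rule gets nothing.
"""
import csv
import io
from collections import defaultdict

# Constructed policy content (assumed role names; not the workshop's file).
RBAC_POLICY_CSV = """\
p, role:default/team-a, scaffolder.action.execute, use, allow
p, role:default/team-a, scaffolder.template.parameter.read, read, allow
p, role:default/team-a, scaffolder.template.step.read, read, allow
p, role:default/team-a, catalog.entity.create, create, allow
p, role:default/everyone, catalog.entity.read, read, allow
g, group:default/team-a, role:default/team-a
g, user:default/user1, role:default/everyone
g, user:default/user2, role:default/everyone
"""

# Constructed stand-in for catalog membership: user1 is in team-a, user2 in team-b.
CATALOG_MEMBERSHIP = {
    "user:default/user1": ["group:default/team-a"],
    "user:default/user2": ["group:default/team-b"],
}


def load_policy(text):
    """Parse CSV text into (policies, grants).

    policies: list of (role, permission, action, effect) tuples
    grants:   dict mapping a user or group ref to the set of roles it holds
    """
    policies = []
    grants = defaultdict(set)
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or row[0].startswith("#"):
            continue
        kind, *fields = [f.strip() for f in row]
        if kind == "p" and len(fields) == 4:
            policies.append(tuple(fields))
        elif kind == "g" and len(fields) == 2:
            grants[fields[0]].add(fields[1])
        else:
            # Fail closed on malformed lines rather than silently skipping them.
            raise ValueError(f"malformed policy line: {row}")
    return policies, grants


def roles_for(user, grants, membership):
    """Roles reachable from the user directly or via any group it belongs to."""
    subjects = [user] + membership.get(user, [])
    roles = set()
    for subject in subjects:
        roles |= grants.get(subject, set())
    return roles


def is_allowed(user, permission, action, policies, grants, membership):
    """Default deny; an explicit deny rule wins over any allow rule."""
    roles = roles_for(user, grants, membership)
    decision = False
    for role, perm, act, effect in policies:
        if role in roles and perm == permission and act == action:
            if effect == "deny":
                return False
            if effect == "allow":
                decision = True
    return decision


def self_service_enabled(user, policies, grants, membership):
    """Approximate the Self-Service check: scaffolding needs all of these grants."""
    required = [
        ("scaffolder.action.execute", "use"),
        ("scaffolder.template.parameter.read", "read"),
        ("scaffolder.template.step.read", "read"),
        ("catalog.entity.create", "create"),
    ]
    return all(is_allowed(user, p, a, policies, grants, membership) for p, a in required)


if __name__ == "__main__":
    pols, grs = load_policy(RBAC_POLICY_CSV)
    for u in CATALOG_MEMBERSHIP:
        print(u, "self-service:", self_service_enabled(u, pols, grs, CATALOG_MEMBERSHIP))
```

Running it reports self-service enabled for user1 (reaching role:default/team-a through its group) and disabled for user2, whose only role grants catalog reads; a user mentioned in no `g` line at all is denied everything, which is the behaviour to expect once `permission.enabled` is true and the policy file does not name someone.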