backstage / community-plugins

Community plugins for Backstage


🚀 Vault: Add support for Permissions framework

jrtaylorJH opened this issue · comments

Plugin Name

Vault

🔖 Feature description

I would like to be able to control who is able to view the Vault entity card associated with relevant components in the service catalog by adding support for the permissions framework to the Vault plugin.

🎤 Context

As a Backstage administrator, I would like to be able to show Vault secrets for items in the Service Catalog only to the owners of the component. It is generally considered best practice that this potentially sensitive information would be shown on a need-to-know basis and in line with security recommendations.

โœŒ๏ธ Possible Implementation

https://backstage.io/docs/permissions/plugin-authors/02-adding-a-basic-permission-check

I believe this is a relatively well-trodden path with a clear implementation guide courtesy of Backstage.

I hope to find time to explore adding the framework integration myself, but in the meantime I hope for this issue to serve as a spot to track and discuss.

👀 Have you spent some time to check if this feature request has been raised before?

  • I checked and didn't find a similar issue

๐Ÿข Have you read the Code of Conduct?

Are you willing to submit PR?

Yes I am willing to submit a PR!

@ivangonzalezacuna Just wanted to bring you in on this as the plugin author to see if you have any thoughts!

Hey @jrtaylorJH. Yes, the permissions topic was something we have thought about when designing this plugin, but we decided not to do it at that time because it would make it much more complicated, and honestly, my experience with the permissions was a bit limited by then 😄
Having, at least, a tiny conditional permission to allow getting the data whether you're the owner or not sounds like a nice thing to have, honestly. Feel free to give it a try if you like, I'm not sure if I'll have the time to work on it at the moment, but I'm happy to review it afterwards.
If it helps as inspiration, we've also implemented a more complex permission framework in another plugin we own in the company: https://github.com/spreadshirt/backstage-plugin-s3, might be helpful to see a real example apart from the docs

@ivangonzalezacuna I'll definitely see what I can do about contributing to it in the coming weeks. I'm a complete novice to the permissions framework, so based on it sounding like it may have been a complex implementation when designing the plugin I'll be curious to see if I can make it work. Thank you for the response!

It isn't that hard @jrtaylorJH if you want to try and we are happy to support you. There is also a possibility to reuse all the conditional rules exposed by catalog, so that you don't have to re-implement them. Essentially this is all you have to do 😅

https://github.com/backstage/community-plugins/blob/main/workspaces/azure-sites/plugins/azure-sites-common/src/permissions.ts#L22-L26

https://github.com/backstage/community-plugins/blob/main/workspaces/azure-sites/plugins/azure-sites-backend/src/service/router.ts#L106-L121

@vinzscam Started taking a look, not having a lot of luck given the permission system docs are out of date for the new backend system, but I'm trying to grok your code there all the way bottom to top and see if I can get it in there
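The owner-only check proposed in the "Possible Implementation" section and sketched in the two linked files above (a permission declared in a common package, then enforced in the backend router), written out as an added, self-contained TypeScript model. It is not the Vault plugin's code and does not use the real @backstage/plugin-permission-* packages; the permission name `vault.secrets.read`, the `IS_ENTITY_OWNER` rule and the sample component are assumptions chosen to illustrate the flow.

```typescript
// Plain-TypeScript model of the Backstage permission flow for the Vault card.
// Assumed names: the real framework's createPermission / authorizeConditional
// and the catalog's ownership rule are modelled, not imported.
type Entity = { kind: string; metadata: { name: string; namespace?: string }; spec?: { owner?: string } };
type Condition = { rule: 'IS_ENTITY_OWNER'; claims: string[] };
type PolicyDecision =
  | { result: 'ALLOW' | 'DENY' }
  | { result: 'CONDITIONAL'; conditions: Condition };

// Permission the Vault backend would declare in its common package (assumed name).
const vaultSecretsReadPermission = {
  name: 'vault.secrets.read',
  attributes: { action: 'read' },
  resourceType: 'catalog-entity',
} as const;

// Normalize a catalog `spec.owner` value to a full entity ref,
// e.g. "team-a" -> "group:default/team-a", "User:Default/Alice" -> "user:default/alice".
function toOwnerRef(owner: string): string {
  const [kind, rest] = owner.includes(':') ? owner.split(':', 2) : ['group', owner];
  const [ns, name] = rest.includes('/') ? rest.split('/', 2) : ['default', rest];
  return `${kind}:${ns}/${name}`.toLowerCase();
}

// Policy side: for the Vault read permission, answer CONDITIONAL on ownership.
// `ownershipRefs` are the caller's user and group refs, as the identity service supplies them.
function vaultPolicy(permissionName: string, ownershipRefs: string[]): PolicyDecision {
  if (permissionName !== vaultSecretsReadPermission.name) return { result: 'DENY' };
  return { result: 'CONDITIONAL', conditions: { rule: 'IS_ENTITY_OWNER', claims: ownershipRefs } };
}

// Backend (router) side: resolve the decision against the entity the Vault card belongs to.
function authorizeVaultRead(decision: PolicyDecision, entity: Entity): 'ALLOW' | 'DENY' {
  if (decision.result !== 'CONDITIONAL') return decision.result;
  const owner = entity.spec?.owner;
  if (!owner) return 'DENY'; // entity without an owner: fail closed rather than leak secrets
  const claims = decision.conditions.claims.map(toOwnerRef);
  return claims.includes(toOwnerRef(owner)) ? 'ALLOW' : 'DENY';
}

// Constructed sample component owned by team-a (not from any real catalog).
const sampleComponent: Entity = {
  kind: 'Component',
  metadata: { name: 'payments-api' },
  spec: { owner: 'team-a' },
};
```

With this in place the router would call the policy before reading from Vault and return 403 on DENY, so members of the owning group see the card and everyone else does not.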