This topic gives you an overview of the Backstage permission framework and tells you how to enable it for Tanzu Developer Portal. For more information, see the Backstage documentation.
Caution The permission framework functions are in alpha. It is not recommended for use in production environment.
The permission framework enables Tanzu Application Platform operators to enforce policies that limit visibility of certain parts of Tanzu Developer Portal.
The current release features the alpha version of this function and only applies to the
Software Catalog entities. owner-of is the only policy available and it is embedded in the GUI.
owner-of enables the operator to define which admin groups and users have unrestricted visibility
of the Software Catalog entities. If a user is not listed as an admin or part of the admin group,
that user can see only the Software Catalog entities that are owned by their teams.
Important The permission framework is deactivated by default. The built-in
owner-ofpolicy is primarily applied to the component entities of the software catalog. Accelerators (templates) in Application Accelerator become invisible if the permission framework is enabled.
To enable the permission framework and limit Software Catalog entities' visibility to owners,
allowlist users, allowlist groups, and catalog admins, add the following parameters to the
tap_gui.app_config section:
permission:
enabled: true
adminRefs:
- user:NAMESPACE/NAME
- group:NAMESPACE/NAMEWhere:
NAMESPACEis usuallydefaultunless defined otherwise in the definition fileNAMEis the name of the group or user
The adminRefs section lists all users and groups to grant access to. Each user and group is defined
by the NAMESPACE and the NAME.
You can view your user entity in the Settings/General section in your Tanzu Application Platform
GUI, or in the YAML definition file of the user or group.
For example:
- user:default/admin
- group:test-namespace/operatorsAfter you have updated your configuration file, reinstall your Tanzu Developer Portal package by following the steps in Upgrade Tanzu Application Platform.
After the updated values configuration file is applied in Tanzu Developer Portal, the permission framework is enabled.
Important After the permission framework is enabled, all Software Catalog entities without proper annotations are invisible to all users except admins.
With the permission framework enabled, annotate entities in your Software Catalog to make the
relevant users or groups, who are not the owner of the entity, visible.
To do this, add annotations to the metadata.annotations section of the entity's definition file:
metadata:
annotations:
backstage.tanzu.vmware.com/GROUP-OR-USER.NAMESPACE.NAME: 'COMMA-SEPARATED-PERMISSIONS'Where:
GROUP-OR-USERis either agroupto describe a group or auserto describe an individual userNAMESPACEis the namespace that the group or user is attributed to. If this value is not specified, it isdefault.NAMEis the name of the user or groupCOMMA-SEPARATED-PERMISSIONSis the list of comma-delimited permissions for the specified user or group. Valid catalog entity permissions include:catalog.entity.readcatalog.entity.updatecatalog.entity.delete
Note
catalog.entity.createis another permission that is valid for the permission framework, but it is not meaningful for the Software Catalog entities that have already been created.
You can add several groups or users by adding new annotations with their respective comma-delimited permissions, for example:
metadata:
annotations:
backstage.tanzu.vmware.com/user.default.user-a: 'catalog.entities.read'
backstage.tanzu.vmware.com/user.default.user-b: 'catalog.entities.read,catalog.entities.update'For example, this annotation enables users that are part of group-a to read and delete
component-a:
apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
name: component-a
annotations:
backstage.tanzu.vmware.com/group.test-namespace.group-a: 'catalog.entity.read, catalog.entity.delete'If a group is granted ownership or access to an entity, all users within that group automatically inherit the same access. But it does not work for nested group ownerships, when a group is listed as a member of another group.
Caution When the permission plug-in is turned on with the default permission policy, API Auto Registration no longer works due to the lack of user identities. Requests against the Catalog API will no longer work as before. For more information, see the known issues in the release notes.