feat: add permission

[holiiveira]

A new plugin (infrawallet-common) has been created with the aim of adding common features, types and permissions to the infrawallet plugin.

Initially, 5 permissions were created:

export const permissions = {
  infraWalletReportRead,
  infraWalletMetricSettingsRead,
  infraWalletMetricSettingsCreate,
  infraWalletMetricSettingsUpdate,
  infraWalletMetricSettingsDelete,
};

To use these permissions, you need to configure permissions in the backend. (ex: packages/srd/permissonPolicy.ts):

import { createBackendModule } from '@backstage/backend-plugin-api';
import { BackstageIdentityResponse } from '@backstage/plugin-auth-node';
import { AuthorizeResult, isPermission, PolicyDecision } from '@backstage/plugin-permission-common';
import { PermissionPolicy, PolicyQuery } from '@backstage/plugin-permission-node';
import { policyExtensionPoint } from '@backstage/plugin-permission-node/alpha';
import { infraWalletReportRead, infraWalletMetricSettingsDelete } from '@electrolux-oss/plugin-infrawallet-common';

class DefaultPermissionPolicy implements PermissionPolicy {
  async handle(request: PolicyQuery, _user?: BackstageIdentityResponse): Promise<PolicyDecision> {

    // Example deny read report
    if (isPermission(request.permission, infraWalletReportRead)) {
      return { result: AuthorizeResult.DENY };
    }
    ...

The default behavior if you do not configure any permissions is to allow all access.

BREAKING: This update may break Backstage in cases where the legacy Backstage backend system plugin is used.

What needs to be updated in this case:
Editing a file called infrawallet.ts in folder packages/backend/src/plugins/ with the following content:

import { createRouter } from '@electrolux-oss/plugin-infrawallet-backend';
import { Router } from 'express';
import { PluginEnvironment } from './types';

export default async function createPlugin(env: PluginEnvironment): Promise<Router> {
  return await createRouter({
    logger: env.logger,
    config: env.config,
    cache: env.cache.getClient(),
    database: env.database,
+   discovery: env.discovery,
+   permissions: env.permissions
  });
}

TODO:

• Add documentation
• Custom error page

fix: #42

[holiiveira]

Hi @gluckzhang, I believe you can do some evaluation with this PR. By default permissions evaluation is disabled, consider adding the following to your app-config.local.yaml:

...
permission:
  enabled: true
...

To evaluate the permission possibilities, consider the file: packages/backend/src/permissionPolicyModule.ts.

[gluckzhang]

Hi @holiiveira, got it, thank you for the PR. I will give it a try later this week. Due to my current workload, I might come back with some questions and comments next week :)

Just a quick question first, both the legacy backend and the new Backstage backend can have this permission backend enabled, right?

[holiiveira]

Just a quick question first, both the legacy backend and the new Backstage backend can have this permission backend enabled, right?

Yes, for those who use a new backend, there is nothing to be done, but for those who use a legacy backend, this change will break the plugin, as it is necessary to change the infrawallet.ts file in the packages/backend/src/plugins/ folder, as I mentioned in the PR.

[gluckzhang]

Just a quick question first, both the legacy backend and the new Backstage backend can have this permission backend enabled, right?

Yes, for those who use a new backend, there is nothing to be done, but for those who use a legacy backend, this change will break the plugin, as it is necessary to change the infrawallet.ts file in the packages/backend/src/plugins/ folder, as I mentioned in the PR.

I see, thanks!

[gluckzhang]

Hi @holiiveira, I have gone through the code and tried your PR branch locally. Overall I think it looks pretty good. The code follows Backstage's official tutorial and the permissions cover all the existing APIs. I have a question for now:

Do you think we should add resourceType for the permissions? In this way, it becomes easier to grant a set of permissions to some users or groups: https://backstage.io/docs/permissions/plugin-authors/03-adding-a-resource-permission-check#creating-the-update-permission

After hearing your comments on the question above, and also getting the documentation done, I think we are good to go. It is fine to skip the custom error page for now, as Backstage default alerts work well already.

Soon we will enable users to create their own wallets in the plugin (each wallet contains configurable pre-defined filters and maybe some other settings), and then the owner of a wallet should have all the permissions to this wallet. I think after having this feature, we will need to improve the permission setup and have conditional permissions by that time. What do you think?

[gluckzhang]

As this PR contains some breaking changes, and the documentation is not ready yet, we decided to merge some other PRs first and release a new version. I think we can have this feature after that new release. It is just possible that you may need to pull/rebase the main branch, though there should be no messy conflicts.

Thanks and looking forward to your thoughts :)

[holiiveira]

Hi @gluckzhang, I think it's interesting to add this, especially because you mentioned that users can create their own wallets. I think it's better to wait for this functionality to be added before we proceed with permissioning, what do you think?

[gluckzhang]

Hi @gluckzhang, I think it's interesting to add this, especially because you mentioned that users can create their own wallets. I think it's better to wait for this functionality to be added before we proceed with permissioning, what do you think?

Yes, it makes lots of sense. I think we can pause this PR and get back to it later when we have the wallet feature.

[nia-potato]

hi @gluckzhang @holiiveira thanks for working on this,

i think permissions is a pretty important feature, since not everyone is supposed to see orgwide cost data.

I understand that this is currently paused right now, but what wallet feature are we waiting for? do we have a estimate of when the wallet feature will be out?

[gluckzhang]

Hi @nia-potato, yeah, I fully understand. Unfortunately, we don't have an ETA for the wallet feature for now.

Quick questions: the permissions defined in this PR are at the plugin level, so a user will either access all the cost reports in InfraWallet, or will have zero access to the data. Does this meet your requirements? Then speaking of the EntityInfraWalletCard in #85, how would you like to control the access?

[nia-potato]

hi @gluckzhang no worries on the ETA, i think once the basic permissions are implemented, il see if i can incorporate permissions to the entityCard as well.

for now i can just make the infrawallet just show entity cards, but still leave the route to infrawallet main plugin, just dont add it to the sidebar for everyone to see.

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud