From bb645ab399bf712c1535f2ac92d447d074fda7ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Thu, 30 Apr 2026 10:29:56 +0200 Subject: [PATCH 1/4] [RHIDP-8584]: Document Extensions RBAC permissions for CSV file Add Extensions permissions reference table and CSV procedure to the authorization title, with HAS_NAME and HAS_ANNOTATION conditional policy examples. Cross-reference from existing Web UI procedure. Co-Authored-By: Claude Opus 4.6 --- ...uthorizations-by-using-external-files.adoc | 2 + ...ssembly-permission-policies-reference.adoc | 4 +- ...extensions-by-using-the-rbac-csv-file.adoc | 77 +++++++++++++++++++ ...c-configure-rbac-to-manage-extensions.adoc | 4 + ...ef-conditional-policy-plugin-examples.adoc | 22 +++++- .../shared/ref-extensions-permissions.adoc | 25 ++++++ 6 files changed, 132 insertions(+), 2 deletions(-) create mode 100644 modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc create mode 100644 modules/shared/ref-extensions-permissions.adoc diff --git a/assemblies/shared/assembly-manage-authorizations-by-using-external-files.adoc b/assemblies/shared/assembly-manage-authorizations-by-using-external-files.adoc index f990ed8670e..be604303e39 100644 --- a/assemblies/shared/assembly-manage-authorizations-by-using-external-files.adoc +++ b/assemblies/shared/assembly-manage-authorizations-by-using-external-files.adoc @@ -16,5 +16,7 @@ include::../modules/shared/proc-define-authorizations-in-external-files-by-using include::../modules/shared/proc-define-authorizations-in-external-files-by-using-helm.adoc[leveloffset=+1] +include::../modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc[leveloffset=+1] + ifdef::parent-context[:context: {parent-context}] ifndef::parent-context[:!context:] diff --git a/assemblies/shared/assembly-permission-policies-reference.adoc b/assemblies/shared/assembly-permission-policies-reference.adoc index cc41a421987..fa8fd878118 100644 
--- a/assemblies/shared/assembly-permission-policies-reference.adoc +++ b/assemblies/shared/assembly-permission-policies-reference.adoc @@ -7,7 +7,7 @@ ifdef::context[:parent-context: {context}] :context: permission-policies-reference [role="_abstract"] -Reference information about permission policy types and available permissions for catalog, scaffolder, RBAC, Kubernetes, and plugin resources. +Reference information about permission policy types and available permissions for catalog, scaffolder, RBAC, Kubernetes, Extensions, and plugin resources. {product-short} supports permission policies for controlling access to resources and functionalities. The following reference modules describe the available permission types and permissions for each plugin category. @@ -34,5 +34,7 @@ include::../modules/shared/ref-argocd-permissions.adoc[leveloffset=+1] include::../modules/shared/ref-quay-permissions.adoc[leveloffset=+1] +include::../modules/shared/ref-extensions-permissions.adoc[leveloffset=+1] + ifdef::parent-context[:context: {parent-context}] ifndef::parent-context[:!context:] diff --git a/modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc b/modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc new file mode 100644 index 00000000000..c211a2a883f --- /dev/null +++ b/modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc 
@@ -0,0 +1,77 @@ +:_mod-docs-content-type: PROCEDURE + +[id="configure-rbac-for-extensions-by-using-the-rbac-csv-file_{context}"] += Configure RBAC for Extensions by using the RBAC CSV file + +[role="_abstract"] +You can grant access to Extensions plugin management by adding permission policies to your RBAC CSV file. + +.Prerequisites + +* You have {authorization-book-link}#enabling-and-giving-access-to-rbac_title-authorization[enabled RBAC and assigned a policy administrator role]. +* You have added `extensions` to the list of authorized plugins under your `permission.rbac.pluginsWithPermission` configuration. + +.Procedure + +. Add the following policies to your CSV file to allow users to view and manage plugins in Extensions: ++ +[source,csv,subs="+quotes"] +---- +g, user:default/__, role:default/extensions-admin +p, role:default/extensions-admin, extensions.plugin.configuration.read, read, allow +p, role:default/extensions-admin, extensions.plugin.configuration.write, create, allow +p, role:default/extensions-admin, catalog.entity.read, read, allow +---- ++ +See xref:extensions-permissions_permission-policies-reference[Extensions permissions]. + +. Optional: Restrict access to specific plugins by defining a conditional policy in the `rbac-conditional-policies.yaml` file as described in {authorization-book-link}#managing-authorizations-by-using-external-files[Defining conditional policies]: ++ +[source,yaml,subs="+attributes,+quotes"] +---- +result: CONDITIONAL +roleEntityRef: "role:default/extensions-admin" +pluginId: extensions +resourceType: extensions-plugin +permissionMapping: + - create +conditions: + rule: HAS_NAME + resourceType: extensions-plugin + params: + pluginNames: [__] +---- ++ +where: + +`pluginNames`:: Enter the plugin name or title for user access. ++ +This policy allows users to install or update only the specified plugins and restricts access to all other plugins. + +. 
Optional: Restrict access by annotation by defining a conditional policy: ++ +[source,yaml,subs="+attributes,+quotes"] +---- +result: CONDITIONAL +roleEntityRef: "role:default/extensions-admin" +pluginId: extensions +resourceType: extensions-plugin +permissionMapping: + - create +conditions: + rule: HAS_ANNOTATION + resourceType: extensions-plugin + params: + annotation: "extensions.backstage.io/certified-by" + value: "Red Hat" +---- ++ +This policy allows users to install or update only the plugins that have the specified annotation. + +.Verification + +* Verify that the user can view and manage plugins in Extensions. + +.Additional resources +* xref:extensions-permissions_permission-policies-reference[Extensions permissions] +* {installing-and-viewing-plugins-book-link}#configure-rbac-to-manage-extensions_extensions-in-rhdh[Configure RBAC to manage Extensions] diff --git a/modules/shared/proc-configure-rbac-to-manage-extensions.adoc b/modules/shared/proc-configure-rbac-to-manage-extensions.adoc index 2b57b005314..4ece3f09a2a 100644 --- a/modules/shared/proc-configure-rbac-to-manage-extensions.adoc +++ b/modules/shared/proc-configure-rbac-to-manage-extensions.adoc @@ -25,3 +25,7 @@ image::extend_installing-and-viewing-plugins-in-rhdh/extensions-rbac-role-create .Verification After you refresh the {product-very-short} application, when you select a plugin, the *Actions* drop-down is active. When you click the *Actions* drop-down, you can edit the plugin configuration, and enable or disable the plugin. + +.Additional resources +* {authorization-book-link}#configure-rbac-for-extensions-by-using-the-rbac-csv-file_manage-authorizations-by-using-external-files[Configure RBAC for Extensions by using the RBAC CSV file] +* {authorization-book-link}#extensions-permissions_permission-policies-reference[Extensions permissions] 
diff --git a/modules/shared/ref-conditional-policy-plugin-examples.adoc b/modules/shared/ref-conditional-policy-plugin-examples.adoc index 252e10d86d3..39425ee555d 100644 --- a/modules/shared/ref-conditional-policy-plugin-examples.adoc +++ b/modules/shared/ref-conditional-policy-plugin-examples.adoc @@ -4,7 +4,7 @@ = Conditional policy plugin examples [role="_abstract"] -Reference information about conditional policy examples for Keycloak and Quay plugins demonstrating access control patterns. +Reference information about conditional policy examples for Keycloak, Quay, and Extensions plugins demonstrating access control patterns. The following examples can be used with {product-short} plugins. These examples can help you determine how to define conditional policies: @@ -59,5 +59,25 @@ Conditional policy defined for Quay plugin: The previous example of Quay plugin prevents the role `role:default/developer` from using the Quay scaffolder action. Note that `permissionMapping` contains `use`, signifying that `scaffolder-action` resource type permission does not have a permission policy. +Conditional policy defined for Extensions plugin: + +[source,json] +---- +{ + "result": "CONDITIONAL", + "roleEntityRef": "role:default/extensions-admin", + "pluginId": "extensions", + "resourceType": "extensions-plugin", + "permissionMapping": ["create"], + "conditions": { + "rule": "HAS_NAME", + "resourceType": "extensions-plugin", + "params": { "pluginNames": [""] } + } +} +---- + +The previous example of Extensions plugin restricts users in the `role:default/extensions-admin` to only installing or updating the specified plugin. + .Additional resources * xref:permission-policies-reference_authorization-in-rhdh[] diff --git a/modules/shared/ref-extensions-permissions.adoc b/modules/shared/ref-extensions-permissions.adoc new file mode 100644 index 00000000000..b3623c4c978 --- /dev/null +++ b/modules/shared/ref-extensions-permissions.adoc 
@@ -0,0 +1,25 @@ +:_mod-docs-content-type: REFERENCE + +[id="extensions-permissions_{context}"] += Extensions permissions + +[role="_abstract"] +Reference information about available Extensions permissions for reading and writing plugin configurations. + +[cols="15%,25%,15%,45%", frame="all", options="header"] +|=== +|Name +|Resource type +|Policy +|Description + +|`extensions.plugin.configuration.read` +|`extensions-plugin` +|`read` +|Enables a user or role to view plugin configurations in Extensions + +|`extensions.plugin.configuration.write` +|`extensions-plugin` +|`create` +|Enables a user or role to install, update, enable, or disable plugins by using Extensions +|=== From 50ee605ef51759dba29fd746db31d4a41f47a799 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Mon, 11 May 2026 09:47:45 +0200 Subject: [PATCH 2/4] Apply suggestion from @PatAKnight Co-authored-by: Patrick Knight --- ...configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc b/modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc index c211a2a883f..f5c27fa2f45 100644 --- a/modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc +++ b/modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc @@ -20,6 +20,7 @@ You can grant access to Extensions plugin management by adding permission polici g, user:default/__, role:default/extensions-admin p, role:default/extensions-admin, extensions.plugin.configuration.read, read, allow p, role:default/extensions-admin, extensions.plugin.configuration.write, create, allow +p, role:default/extensions-admin, extensions.plugin.configuration.delete, delete, allow p, role:default/extensions-admin, catalog.entity.read, read, allow ---- + From dabf06eb93ef966a12bcfe2f44541527d9402d28 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Mon, 11 May 2026 09:58:13 +0200 Subject: [PATCH 3/4] Apply suggestion from @themr0c --- ...configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc b/modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc index f5c27fa2f45..38455e1b019 100644 --- a/modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc +++ b/modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc @@ -9,6 +9,7 @@ You can grant access to Extensions plugin management by adding permission polici .Prerequisites * You have {authorization-book-link}#enabling-and-giving-access-to-rbac_title-authorization[enabled RBAC and assigned a policy administrator role]. +* You {authorization-book-link}#manage-authorizations-by-using-external-files_authorization-in-rhdh[manage authorizations by using external files]. * You have added `extensions` to the list of authorized plugins under your `permission.rbac.pluginsWithPermission` configuration. .Procedure From 5f3b3eff4e3e563273ea19bf63c1a4243cfcb45b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabrice=20Flore-Th=C3=A9bault?= Date: Mon, 11 May 2026 10:02:07 +0200 Subject: [PATCH 4/4] Update modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc --- ...configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc b/modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc index 38455e1b019..12f1f7742c3 100644 --- a/modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc +++ b/modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc 
@@ -21,7 +21,6 @@ You can grant access to Extensions plugin management by adding permission polici g, user:default/__, role:default/extensions-admin p, role:default/extensions-admin, extensions.plugin.configuration.read, read, allow p, role:default/extensions-admin, extensions.plugin.configuration.write, create, allow -p, role:default/extensions-admin, extensions.plugin.configuration.delete, delete, allow p, role:default/extensions-admin, catalog.entity.read, read, allow ---- +
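Review bot: In the new `proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc`, the sentence after the HAS_NAME policy ("restricts access to all other plugins") overstates what the example does: `permissionMapping` lists only `create`, and the CSV in step 1 grants `extensions.plugin.configuration.read, read, allow` unconditionally, so the role can still view every plugin and is only blocked from installing or updating plugins outside `pluginNames`. Suggest "restricts installing or updating any other plugin" (the HAS_ANNOTATION sentence already uses the accurate "install or update only" wording), and if viewing should also be limited, add `- read` under `permissionMapping`. In the same file, the step 2 link `{authorization-book-link}#managing-authorizations-by-using-external-files` does not match the anchor form used elsewhere in this series (`#manage-authorizations-by-using-external-files_authorization-in-rhdh`, matching the assembly file name `assembly-manage-authorizations-by-using-external-files.adoc`); verify it resolves. Finally, the CSV includes `catalog.entity.read` without saying why it is needed, and the Verification bullet ("Verify that the user can view and manage plugins") is vaguer than the Web UI procedure's check in `proc-configure-rbac-to-manage-extensions.adoc` ("when you select a plugin, the *Actions* drop-down is active"); reuse that concrete check here.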
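Review bot: In the `ref-conditional-policy-plugin-examples.adoc` hunk, the Extensions example sets `"pluginNames": [""]`, which reads as a literal empty string rather than a placeholder, unlike the `__` marker used in the YAML version of the same policy in the procedure module; use an explicit placeholder so readers do not copy an empty list element. The following sentence is also missing a noun: "restricts users in the `role:default/extensions-admin` to only installing" should read "users in the `role:default/extensions-admin` role", and, as with the procedure text, it only restricts `create` (install or update), not viewing.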
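Review bot: Patch 2 adds `p, role:default/extensions-admin, extensions.plugin.configuration.delete, delete, allow`, a permission name that does not appear in the `ref-extensions-permissions.adoc` table introduced in patch 1 (which lists only `extensions.plugin.configuration.read` and `extensions.plugin.configuration.write`). If that permission exists, the table needs a matching row with its resource type and policy; if it does not, the line should not be introduced at all. Patch 4 removes the line again, so as it stands the series carries a permission name that is added and then reverted.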
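Review bot: Patch 3's new prerequisite "You {authorization-book-link}#manage-authorizations-by-using-external-files_authorization-in-rhdh[manage authorizations by using external files]." breaks the pattern of the surrounding bullets, which state a completed condition ("You have enabled RBAC...", "You have added `extensions`..."). Suggest "You have configured the RBAC CSV file as described in ...[Managing authorizations by using external files]." so the bullet reads as a prerequisite rather than an instruction.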
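Review bot: Patch 4 is a pure revert of patch 2 (it deletes the `extensions.plugin.configuration.delete` line that patch 2 added) and its subject "Update modules/shared/proc-configure-rbac-for-extensions-by-using-the-rbac-csv-file.adoc" does not say why. Squash patches 2 and 4 before merge so the history does not record a permission policy that was never meant to ship, or state in the message why the delete permission was dropped.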