授权参数、步骤和行动
Scaffolder 插件与Backstage集成许可框架,它允许您根据执行模板的用户来控制对模板中某些参数和步骤的访问。
授权参数和步骤
要将特定参数或步骤标记为需要权限,可添加backstage:permissions例如,将一个或多个标记作为参数或步骤的属性:
apiVersion: scaffolder.backstage.io/v1beta3
kind: Template
metadata:
name: my_custom_template
parameters:
- title: Provide some simple information
properties:
title:
title: Title
type: string
- title: Extra information
properties:
description:
title: Description
type: string
backstage:permissions:
tags:
- secret
steps:
- id: step1
name: First log
action: debug:log
input:
message: hello
- id: step2
name: Log message
action: debug:log
input:
message: hello
backstage:permissions:
tags:
- secret
在这个例子中,description参数和step2步骤标有secret标签
根据用户执行模板的情况,有条件地授权参数和步骤、编辑您的许可政策通过针对templateParameterReadPermission和templateStepReadPermission例如
packages/backend/src/plugins/permission.ts
import {
templateParameterReadPermission,
templateStepReadPermission,
} from '@backstage/plugin-scaffolder-common/alpha';
import {
createScaffolderActionConditionalDecision,
scaffolderTemplateConditions,
} from '@backstage/plugin-scaffolder-backend/alpha';
class ExamplePermissionPolicy implements PermissionPolicy {
async handle(
request: PolicyQuery,
user?: BackstageIdentityResponse,
): Promise<PolicyDecision> {
if (
isPermission(request.permission, templateParameterReadPermission) ||
isPermission(request.permission, templateStepReadPermission)
) {
if (user?.identity.userEntityRef === 'user:default/spiderman')
return createScaffolderTemplateConditionalDecision(request.permission, {
not: scaffolderTemplateConditions.hasTag({ tag: 'secret' }),
});
}
return {
result: AuthorizeResult.ALLOW,
};
}
}
在本例中,用户spiderman的参数或步骤。secret标签
通过将此功能与我们的威胁模型中建议的限制目录中模板的摄取相结合,您可以创建一个可靠的系统来限制某些操作。
授权行动
与参数和步骤类似,脚手架插件也提供权限,以限制对某些操作的访问。 如果您想确保模板的安全,这一点非常有用。
要限制对特定操作的访问,可以按如下方式修改权限策略:
packages/backend/src/plugins/permission.ts
import { actionExecutePermission } from '@backstage/plugin-scaffolder-common/alpha';
import {
createScaffolderActionConditionalDecision,
scaffolderActionConditions,
} from '@backstage/plugin-scaffolder-backend/alpha';
class ExamplePermissionPolicy implements PermissionPolicy {
async handle(
request: PolicyQuery,
user?: BackstageIdentityResponse,
): Promise<PolicyDecision> {
if (isPermission(request.permission, actionExecutePermission)) {
if (user?.identity.userEntityRef === 'user:default/spiderman') {
return createScaffolderActionConditionalDecision(request.permission, {
not: scaffolderActionConditions.hasActionId({
actionId: 'debug:log',
}),
});
}
}
return {
result: AuthorizeResult.ALLOW,
};
}
}
有了这种权限策略,用户spiderman将无法执行debug:log行动。
您还可以通过组合多个规则来限制提供给操作的输入。 在下面的示例中、spiderman将无法执行debug:log当通过{ "message": "not-this!" }作为行动输入:
packages/backend/src/plugins/permission.ts
import { actionExecutePermission } from '@backstage/plugin-scaffolder-common/alpha';
import {
createScaffolderActionConditionalDecision,
scaffolderActionConditions,
} from '@backstage/plugin-scaffolder-backend/alpha';
class ExamplePermissionPolicy implements PermissionPolicy {
async handle(
request: PolicyQuery,
user?: BackstageIdentityResponse,
): Promise<PolicyDecision> {
if (isPermission(request.permission, actionExecutePermission)) {
if (user?.identity.userEntityRef === 'user:default/spiderman') {
return createScaffolderActionConditionalDecision(request.permission, {
not: {
allOf: [
scaffolderActionConditions.hasActionId({ actionId: 'debug:log' }),
scaffolderActionConditions.hasProperty({
key: 'message',
value: 'not-this!',
}),
],
},
});
}
}
return {
result: AuthorizeResult.ALLOW,
};
}
}
虽然脚手架输出的规则很简单,但将它们组合起来可以帮助你实现更复杂的情况。