🐛 rbac: Inconsistent API responses from /roles and /policies

[mcintoac-aws]

Plugin Name

rbac

📜 Description

Using the rbac plugin UI, viewing the RbacPage component is supposed to list the roles available to view, edit, etc. View the "Network" tab, I can see the front-end is continuously calling the following api endpoints:

• api/permission/roles
• api/permission/policies

and if roles does not return empty

• api/permission/conditions?entityRef=...

About 50% of the time, the response from the roles and policies API does not include my custom role. The other times it does. Resulting in the role appearing and disappearing from the UI. If viewing the role page itself, this causes a display error in place of the role info when not found, and the list of members and relations to appear and disappear as well.

👍 Expected behavior

The /roles and /policies endpoints should always return all roles and policies consistently.

👎 Actual Behavior with Screenshots

The roles and policies calls are fluctuating between returning and not returning custom roles and policies.

1. roles api returns nothing (note left side of screen for 5 API calls observed in sequence)

   

2. policies api returns default admin policies

   

3. roles api now returns my role

   

4. policies api now returns the two custom policies attached to the role

   

5. conditions call is now triggers since role was returned

   

👟 Reproduction steps

Deploy a Backstage instance with the rbac and rbac-backend plugin enabled following the README provided by each plugin.

Notes:

• Use the RbacPage and Administration components for the frontend
• Assign a superuser you will login with. Use the superuser to view the RBAC page.
• Inspect the Network tab

📃 Provide the context for the Bug.

I am attempting to integrate RBAC for a Backstage use-case through AWS by utilizing the rbac plugin.

👀 Have you spent some time to check if this bug has been raised before?

• [X] I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

• [X] I have read the Code of Conduct

Are you willing to submit PR?

Yes I am willing to submit a PR!

[BethGriggs]

cc: @AndrienkoAleksandr @divyanshiGupta @PatAKnight as plugin owners

[AndrienkoAleksandr]

Hi @mcintoac-aws, How many deployment replicas do you use? Two? If so, you've encountered a known issue:: https://issues.redhat.com/browse/RHIDP-4734. We landed a fix for it today: https://github.com/backstage/community-plugins/pull/2040

[mcintoac-aws]

@BethGriggs , thanks for pointing this ticket in the right direction. And @AndrienkoAleksandr thank you for the quick response.

For some more context, our deployment is using ECS with Fargate to host and run a Backstage image. We have a central storage for the catalog configured through Amazon Aurora Serverless v2 w/ Postgres. We don't have any form of caching manually implemented for our deployment model, but perhaps this is being handled automatically for us, I would have to dive a little deeper to be sure.

That being said, we have 2 Fargate tasks with the same task-definition, container, and image, with load split between them round-robin style. I am assuming that this is equivalent enough to the described use case in the ticket, with the 3 pod + redis cache deployment model using RHDH, to experience the same issue.

I pulled the latest rbac-backend and rbac versions with the fix from this morning and did a new deploy and that seems to have fixed the issue.

Thanks again for your help, and let me know if you'd like any more information from me on this. Otherwise, feel free to close.