janus-idp / backstage-plugins

Plugins for Backstage
https://janus-idp.io
Apache License 2.0

RBAC: Could not fetch catalog entities. Request failed with 403 Forbidden. #1538

Closed c4rth closed 6 months ago

c4rth commented 6 months ago

Describe the bug

I'm using Backstage 1.26.0 with the new backend system. The authentication is done with '@backstage/plugin-auth-backend-module-microsoft-provider'. The organization data ingestion is done with '@backstage/plugin-catalog-backend-module-msgraph/alpha'. So far no problem: I can log in, the users/groups are present and I have access to everything.

I enabled '@backstage/plugin-permission-backend/alpha' and added a simple policy without problem. For convenience and because it offers great features, I installed the janus-idp rbac plugins in the front end and the back end as mentioned in the documentation. I can still log in, but I cannot access anything (e.g. the catalog), even if my user is defined as admin. I think I have everything configured correctly (front, backend, service-to-service secret keys, rbac, ...).

By accessing the catalog, I get an error: 'Error: Could not fetch catalog entities.' 'ResponseError: Request failed with 403 Forbidden'. In the logging, some 403 errors with 'POST /api/permission/authorize':

[1] 2024-04-22T15:55:36.302Z permission info Policy check for user:default/xyz for permission catalog.entity.create 
[1] 2024-04-22T15:55:36.302Z permission info user:default/xyz is ALLOW for permission 'catalog.entity.create' and action create 
[1] 2024-04-22T15:55:36.303Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 200 74 "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0" type=incomingRequest
[1] 2024-04-22T15:55:36.308Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 403 676 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
[1] 2024-04-22T15:55:36.309Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entity-facets?facet=kind HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0" type=incomingRequest
[1] 2024-04-22T15:55:36.310Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 403 676 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
[1] 2024-04-22T15:55:36.311Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 403 676 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
[1] 2024-04-22T15:55:36.312Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 403 676 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
[1] 2024-04-22T15:55:36.312Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entity-facets?facet=spec.lifecycle HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0" type=incomingRequest
[1] 2024-04-22T15:55:36.313Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entity-facets?facet=metadata.tags HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0" type=incomingRequest
[1] 2024-04-22T15:55:36.313Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entity-facets?facet=metadata.namespace HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0" type=incomingRequest
[1] 2024-04-22T15:55:36.338Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 403 676 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest
[1] 2024-04-22T15:55:36.339Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entities?filter=kind%3Dcomponent HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0" type=incomingRequest

Expected Behavior

The logged-in user can access the catalog.

What are the steps to reproduce this bug?

  1. Create a backstage app v1.26.x
  2. Add @backstage/plugin-auth-backend-module-microsoft-provider and @backstage/plugin-catalog-backend-module-msgraph/alpha
  3. Authenticate
  4. Access the catalog

Repository available: https://github.com/c4rth/backstage-playground (remark: some values are in app-config.local.yaml and are therefore not pushed).

Versions of software used and environment

organization:
  name: Acme

backend:
  baseUrl: http://localhost:7007
  auth:
    externalAccess:
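As an added example (not code from the issue report or the plugin), a small TypeScript triage script for rootHttpRouter access-log lines of the shape quoted above: it groups requests by method, path, caller type and status so the pattern in the excerpt is explicit. The sample lines are constructed from that excerpt with shortened user agents, and classifying callers by user agent (node-fetch = backend-to-backend, Mozilla = browser) is an assumption made for the example.

```typescript
// Added example (not from the issue report): triage of the Backstage rootHttpRouter access-log
// lines quoted above, grouped by method, path, caller type and status. It makes the pattern in
// the excerpt explicit: the browser's POST /api/permission/authorize gets 200, the same endpoint
// called backend-to-backend (node-fetch user agent) gets 403, and the catalog requests fail 403.
interface AccessLogEntry {
  method: string;
  path: string; // request path with the query string removed
  status: number;
  caller: 'browser' | 'service' | 'other';
}
// Combined-log-format part of a rootHttpRouter line: "<METHOD> <path> HTTP/x" <status> <size> "<referer>" "<ua>"
const ACCESS_RE = /"(GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS) ([^ ]+) HTTP\/[\d.]+" (\d{3}) \S+ "[^"]*" "([^"]*)"/;

function parseAccessLine(line: string): AccessLogEntry | null {
  if (line.indexOf('rootHttpRouter') < 0) return null; // policy-decision lines are not access logs
  const m = ACCESS_RE.exec(line);
  if (!m) return null;
  const ua = m[4];
  // Assumption: Backstage backend-to-backend calls go through node-fetch; browsers send Mozilla/5.0.
  const caller: AccessLogEntry['caller'] = /^node-fetch/.test(ua) ? 'service' : /^Mozilla/.test(ua) ? 'browser' : 'other';
  return { method: m[1], path: m[2].split('?')[0], status: Number(m[3]), caller };
}

// Counts keyed "<METHOD> <path> <caller> <status>".
function summarize(lines: string[]): Record<string, number> {
  const counts: Record<string, number> = {};
  for (const line of lines) {
    const e = parseAccessLine(line);
    if (!e) continue;
    const key = `${e.method} ${e.path} ${e.caller} ${e.status}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// True when authorize accepts the browser but rejects service callers: the user's own session is
// fine, so the place to look is the backend-to-backend path rather than the login.
function serviceAuthorizeRejected(counts: Record<string, number>): boolean {
  return (counts['POST /api/permission/authorize browser 200'] || 0) > 0 &&
    (counts['POST /api/permission/authorize service 403'] || 0) > 0;
}

// Constructed sample, abbreviated from the report's excerpt (same paths, statuses and agents).
const SAMPLE_LOG: string[] = [
  "[1] 2024-04-22T15:55:36.302Z permission info user:default/xyz is ALLOW for permission 'catalog.entity.create' and action create",
  '[1] 2024-04-22T15:55:36.303Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 200 74 "http://localhost:3000/" "Mozilla/5.0 (Macintosh) Chrome/124.0.0.0" type=incomingRequest',
  '[1] 2024-04-22T15:55:36.308Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "POST /api/permission/authorize HTTP/1.1" 403 676 "-" "node-fetch/1.0 (+https://github.com/bitinn/node-fetch)" type=incomingRequest',
  '[1] 2024-04-22T15:55:36.309Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entity-facets?facet=kind HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh) Chrome/124.0.0.0" type=incomingRequest',
  '[1] 2024-04-22T15:55:36.339Z rootHttpRouter info ::1 - - [22/Apr/2024:15:55:36 +0000] "GET /api/catalog/entities?filter=kind%3Dcomponent HTTP/1.1" 403 - "http://localhost:3000/" "Mozilla/5.0 (Macintosh) Chrome/124.0.0.0" type=incomingRequest',
];
```

Running `summarize(SAMPLE_LOG)` over a full log export shows at a glance which endpoint and which class of caller is being refused, before any policy or key is touched.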

MarkPorohnja commented 6 months ago

Why didn't you add the permission.ts plugin to the plugins folder? As per the new backend migration docs, legacy plugins should be added like this:

import { legacyPlugin } from '@backstage/backend-common';
backend.add(legacyPlugin('todo', import('./plugins/todo')));

Anyway, it doesn't work for me... [image]

c4rth commented 6 months ago

@MarkPorohnja Because there is already a createPlugin in https://github.com/janus-idp/backstage-plugins/blob/main/plugins/rbac-backend/src/plugin.ts, this should be sufficient:

backend.add(import('@janus-idp/backstage-plugin-rbac-backend'));

c4rth commented 6 months ago

Thanks for the fix!

c4rth commented 6 months ago

Hi Mark,

It works fine for me. You receive the error because in the index.ts you add 2 permission plugins: plugin-permission-backend and backstage-plugin-rbac-backend. Commenting out the 1st one should do the trick.

// permission plugin
// backend.add(import('@backstage/plugin-permission-backend/alpha'));
// backend.add(
//   import('@backstage/plugin-permission-backend-module-allow-all-policy'),
// );
backend.add(import('@janus-idp/backstage-plugin-rbac-backend'));

Best Regards,

Thierry

On Tue, 7 May 2024 at 14:06, Mark Porohnja @.***> wrote:

@c4rth https://github.com/c4rth could you please verify that the recent plugin update works for you? I am using version 2.7.1 of backstage-plugin-rbac-backend and it gives the following error:

Error: Plugin 'permission' is already registered
    at BackendInitializer.doStart_fn @./backend-app-api/dist/index.cjs.js:1739:17)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async BackendInitializer.start @./backend-app-api/dist/index.cjs.js:1626:5)
    at async BackstageBackend.start @.***/backend-app-api/dist/index.cjs.js:1894:5)

My index.ts:

import { createBackend } from @./backend-defaults';
const backend = createBackend();
@*.**@*.**@*.**@*./plugin-techdocs-backend/alpha'));
// auth
@*.**@*./plugin-auth-backend-module-microsoft-provider'));
// See https://backstage.io/docs/backend-system/building-backends/migrating#the-auth-plugin
// catalog
@./plugin-catalog-backend/alpha'));
backend.add( @.**@./plugin-catalog-backend-module-msgraph/alpha'));
// permission
@./plugin-permission-backend/alpha'));
// backend.add(
// @./plugin-permission-backend-module-allow-all-policy'),
// @./backstage-plugin-rbac-backend'));
// search
@*.**@*.**@./plugin-search-backend-module-techdocs/alpha'));
backend.start();


MarkPorohnja commented 6 months ago

Yep, figured it out already. Everything works. Thanks guys <3