This repository contains a collection of plugins for Backstage that integrate with Open Policy Agent.

- `backstage-opa-backend` - A backend plugin that the `backstage-opa-entity-checker` consumes to evaluate policies.
- `plugin-permission-backend-module-opa-wrapper` - An isolated OPA client and a policy evaluator that integrates with the Backstage permissions framework and uses OPA to evaluate policies, making it possible to use OPA for permissions (like RBAC). Does not require the `backstage-opa-backend` plugin!
- `backstage-opa-entity-checker` - A frontend plugin that provides a component card that displays whether an entity has the expected entity metadata according to an OPA policy.
- `backstage-opa-policies` - A frontend component designed to be added to entity pages to fetch and display the OPA policy that entity uses, based on a URL provided in an annotation in the `catalog-info.yaml` file.
- `backstage-opa-authz-react` - A frontend plugin that allows you to control the visibility of components based on the result of an OPA policy evaluation.
- `backstage-opa-authz` - A Node library that includes an OPA client and middleware to evaluate policies, allowing you to control authorization in your Backstage backend plugins using OPA.
- `catalog-backend-module-opa-entity-checker-processor` - A Backstage catalog processor that validates entities at ingestion time using the `backstage-opa-backend` plugin and adds an annotation based on the OPA policy evaluation result, which can be `error`, `warning` or `info`.
- `backstage-opa-policies-templates` - A collection of policies that can be used with the plugins in this repository. (WIP)
Each plugin has its own documentation in the plugins folder; however, I am slowly moving things to GitHub Pages. Feel free to help out!
Step-by-step guide to developing locally:

- Clone this repository.
- Create an `app-config.local.yaml` file in the root of the repository, copying the contents from `app-config.yaml`.
- Create a PAT (Personal Access Token) for your GitHub account with these scopes: `read:org`, `read:user`, `user:email`. This token should be placed under `integrations.github.token` in the `app-config.local.yaml` file.
- Run `yarn install --immutable` in the root of the repository.
- Use `docker-compose up -d` to start the OPA server and Postgres database (this will also load the two policies in the `example-opa-policies` folder automatically).
- Update the OPA RBAC policy in `rbac_policy.rego`, or use your own! If you want to use the default policy, you'll have to update `is_admin if "group:twocodersbrewing/maintainers" in claims` to whatever your user entity claims are.
- Run `yarn dev` or `yarn debug` in the root of the repository to start the Backstage app (use `debug` if you want to see what is happening in the OPA plugin).
- PlaTT Policy Template contains policy templates that will work with the `plugin-permission-backend-module-opa-wrapper` plugin!
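The `is_admin` line above is the one place the default policy ties a decision to a specific group claim. As an added illustration (not the repository's own `rbac_policy.rego`), the following shows a minimal default-deny RBAC policy built around that rule. The input shape (`input.identity.claims` and `input.permission.name`), the placeholder group `group:default/your-team` and the permission name are assumptions for the example; check the wrapper plugin's documentation for the actual input it sends to OPA.

```rego
package backstage_policy

import rego.v1

# Default deny: any request not explicitly allowed by a rule below is rejected.
default decision := {"result": "DENY"}

# Claims attached to the requesting user's Backstage entity.
# Assumed input shape for this example; replace "group:default/your-team"
# with a group claim that exists in your catalog.
claims := input.identity.claims

is_admin if "group:default/your-team" in claims

# Admins are allowed to do anything.
decision := {"result": "ALLOW"} if is_admin

# Everyone else is limited to reading catalog entities
# ("catalog.entity.read" is assumed here as the permission name).
decision := {"result": "ALLOW"} if {
	not is_admin
	input.permission.name == "catalog.entity.read"
}
```

Keeping `default decision` set to `DENY` means that a typo in a group name, or a claim that is missing from the user entity, fails closed rather than silently granting access, which is the behaviour you want when the policy is the only thing standing between a request and a privileged action.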
Contributions are welcome! However, I am still figuring out the best approach, as this does require user and group entities to be in the system.
Please open an issue or a pull request. You can also contact me on Mastodon at @parcifal.
Please remember to sign your commits with `git commit -s` so that your commits are signed!