feat(RHIDP-9864): add real world RBAC config and new POLICY (realistic) (#297)

* feat(RHIDP-9864): add real world RBAC config and new POLICY(realistic)

Signed-off-by: skestwal <skestwal@redhat.com>

* feat(RHIDP-9864): add new file for orchestrator RBAC for realistic policy

Signed-off-by: skestwal <skestwal@redhat.com>

---------

Signed-off-by: skestwal <skestwal@redhat.com>

Author: skestwal

ci-scripts/rhdh-setup/create_resource.sh

@@ -338,6 +338,7 @@ export RBAC_POLICY_ALL_GROUPS_ADMIN="all_groups_admin" #default
 export RBAC_POLICY_STATIC="static"
 export RBAC_POLICY_USER_IN_MULTIPLE_GROUPS="user_in_multiple_groups"
 export RBAC_POLICY_NESTED_GROUPS="nested_groups"
+export RBAC_POLICY_REALISTIC="realistic"
 
 create_rbac_policy() {
   policy="${1:-$RBAC_POLICY_ALL_GROUPS_ADMIN}"
@@ -382,6 +383,13 @@ create_rbac_policy() {
       fi
     done
     ;;
+  "$RBAC_POLICY_REALISTIC")
+    ROLES=("platform_admin" "engineering_lead" "senior_engineer" "backend_engineer" "frontend_engineer" "product_manager" "QA_engineer" "external_contractor" "compliance_security" "on_call_team")
+    ROLES_LEN=${#ROLES[@]}
+    for i in $(seq 1 "$GROUP_COUNT"); do
+      echo "    g, group:default/g${i}, role:default/${ROLES[$(((i - 1) % ROLES_LEN))]}" >>"$TMP_DIR/group-rbac.yaml"
+    done
+    ;;
   \?)
     log_error "Invalid RBAC policy: ${policy}"
     exit 1
@@ -412,7 +420,7 @@ create_user() {
   [[ $grp -eq 0 ]] && grp=${GROUP_COUNT}
   groups="["
   case $RBAC_POLICY in
-  "$RBAC_POLICY_ALL_GROUPS_ADMIN" | "$RBAC_POLICY_STATIC")
+  "$RBAC_POLICY_ALL_GROUPS_ADMIN" | "$RBAC_POLICY_STATIC" | "$RBAC_POLICY_REALISTIC")
     groups="$groups\"g${grp}\""
     ;;
   "$RBAC_POLICY_NESTED_GROUPS")

ci-scripts/rhdh-setup/deploy.sh

@@ -342,10 +342,16 @@ backstage_install() {
     until $clin create configmap app-config-rhdh --from-file "app-config.rhdh.yaml=$TMP_DIR/app-config.yaml"; do $clin delete configmap app-config-rhdh --ignore-not-found=true; done
     if ${ENABLE_RBAC}; then
         cp template/backstage/rbac-config.yaml "${TMP_DIR}/rbac-config.yaml"
+        if [[ $RBAC_POLICY == "$RBAC_POLICY_REALISTIC" ]]; then
+            cat template/backstage/realistic-rbac-config.yaml >> "${TMP_DIR}/rbac-config.yaml"
+        fi
         create_rbac_policy "$RBAC_POLICY"
         cat "$TMP_DIR/group-rbac.yaml" >>"$TMP_DIR/rbac-config.yaml"
         if [[ "$INSTALL_METHOD" == "helm" ]] && ${ENABLE_ORCHESTRATOR}; then
             cat template/backstage/helm/orchestrator-rbac-patch.yaml >>"$TMP_DIR/rbac-config.yaml"
+            if [[ $RBAC_POLICY == "$RBAC_POLICY_REALISTIC" ]]; then
+                cat template/backstage/helm/realistic-orchestrator-rbac-patch.yaml>>"${TMP_DIR}/rbac-config.yaml"
+            fi
         fi
         until $clin create -f "$TMP_DIR/rbac-config.yaml"; do $clin delete configmap rbac-policy --ignore-not-found=true; done
     fi
@@ -363,7 +369,8 @@ backstage_install() {
     fi
     date -u -Ins >"${TMP_DIR}/populate-before"
     # shellcheck disable=SC2064
-    trap "date -u -Ins >'${TMP_DIR}/populate-after'" EXIT
+    trap "date -u -Ins >'${TMP_DIR}/populate-after'" RETURN EXIT
+
     if ${RHDH_METRIC}; then
         log_info "Setting up RHDH metrics"
         if [ "${AUTH_PROVIDER}" == "keycloak" ]; then

ci-scripts/rhdh-setup/template/backstage/helm/realistic-orchestrator-rbac-patch.yaml

@@ -0,0 +1,7 @@
+    p, role:default/platform_admin, orchestrator.workflow, read, allow
+    p, role:default/platform_admin, orchestrator.workflow.use, update, allow
+    p, role:default/platform_admin, orchestrator.workflowAdminView, read, allow
+    p, role:default/engineering_lead, orchestrator.workflow, read, allow
+    p, role:default/engineering_lead, orchestrator.workflow.use, update, allow
+    p, role:default/senior_engineer, orchestrator.workflow, read, allow
+    p, role:default/senior_engineer, orchestrator.workflow.use, update, allow

ci-scripts/rhdh-setup/template/backstage/realistic-rbac-config.yaml

@@ -0,0 +1,80 @@
+    p, role:default/platform_admin, catalog-entity, read, allow
+    p, role:default/platform_admin, catalog.entity.create, create, allow
+    p, role:default/platform_admin, catalog.entity.update, update, allow
+    p, role:default/platform_admin, catalog.entity.delete, delete, allow
+    p, role:default/platform_admin, catalog.location.create, create, allow
+    p, role:default/platform_admin, catalog.location.read, read, allow
+    p, role:default/platform_admin, catalog.location.update, update, allow
+    p, role:default/platform_admin, catalog.location.delete, delete, allow
+    p, role:default/platform_admin, scaffolder.action.execute, use, allow
+    p, role:default/platform_admin, scaffolder.task.create, create, allow
+    p, role:default/platform_admin, scaffolder.task.read, read, allow
+    p, role:default/platform_admin, kubernetes.proxy, use, allow
+    p, role:default/platform_admin, techdocs.entity.read, read, allow
+    p, role:default/platform_admin, techdocs.entity.create, create, allow
+    p, role:default/platform_admin, rbac.policy.entity.read, read, allow
+    p, role:default/platform_admin, rbac.policy.entity.create, create, allow
+    p, role:default/platform_admin, rbac.policy.entity.update, update, allow
+    p, role:default/platform_admin, rbac.policy.entity.delete, delete, allow
+    p, role:default/engineering_lead, catalog-entity, read, allow
+    p, role:default/engineering_lead, catalog.entity.create, create, allow
+    p, role:default/engineering_lead, catalog.entity.update, update, allow
+    p, role:default/engineering_lead, catalog.entity.delete, delete, allow
+    p, role:default/engineering_lead, catalog.location.create, create, allow
+    p, role:default/engineering_lead, catalog.location.read, read, allow
+    p, role:default/engineering_lead, catalog.location.update, update, allow
+    p, role:default/engineering_lead, catalog.location.delete, delete, allow
+    p, role:default/engineering_lead, scaffolder.action.execute, use, allow
+    p, role:default/engineering_lead, scaffolder.task.create, create, allow
+    p, role:default/engineering_lead, scaffolder.task.read, read, allow
+    p, role:default/engineering_lead, kubernetes.proxy, use, allow
+    p, role:default/engineering_lead, techdocs.entity.read, read, allow
+    p, role:default/engineering_lead, techdocs.entity.create, create, allow
+    p, role:default/senior_engineer, catalog-entity, read, allow
+    p, role:default/senior_engineer, catalog.entity.create, create, allow
+    p, role:default/senior_engineer, catalog.entity.update, update, allow
+    p, role:default/senior_engineer, catalog.entity.delete, delete, allow
+    p, role:default/senior_engineer, catalog.location.create, create, allow
+    p, role:default/senior_engineer, catalog.location.read, read, allow
+    p, role:default/senior_engineer, scaffolder.action.execute, use, allow
+    p, role:default/senior_engineer, scaffolder.task.create, create, allow
+    p, role:default/senior_engineer, scaffolder.task.read, read, allow
+    p, role:default/senior_engineer, kubernetes.proxy, use, allow
+    p, role:default/senior_engineer, techdocs.entity.read, read, allow
+    p, role:default/backend_engineer, catalog-entity, read, allow
+    p, role:default/backend_engineer, catalog.entity.create, create, allow
+    p, role:default/backend_engineer, catalog.entity.update, update, allow
+    p, role:default/backend_engineer, catalog.location.create, create, allow
+    p, role:default/backend_engineer, catalog.location.read, read, allow
+    p, role:default/backend_engineer, scaffolder.action.execute, use, allow
+    p, role:default/backend_engineer, scaffolder.task.create, create, allow
+    p, role:default/backend_engineer, scaffolder.task.read, read, allow
+    p, role:default/backend_engineer, kubernetes.proxy, use, allow
+    p, role:default/backend_engineer, techdocs.entity.read, read, allow
+    p, role:default/frontend_engineer, catalog-entity, read, allow
+    p, role:default/frontend_engineer, catalog.entity.create, create, allow
+    p, role:default/frontend_engineer, catalog.entity.update, update, allow
+    p, role:default/frontend_engineer, catalog.location.create, create, allow
+    p, role:default/frontend_engineer, catalog.location.read, read, allow
+    p, role:default/frontend_engineer, scaffolder.action.execute, use, allow
+    p, role:default/frontend_engineer, scaffolder.task.create, create, allow
+    p, role:default/frontend_engineer, scaffolder.task.read, read, allow
+    p, role:default/frontend_engineer, kubernetes.proxy, use, allow
+    p, role:default/frontend_engineer, techdocs.entity.read, read, allow
+    p, role:default/product_manager, catalog-entity, read, allow
+    p, role:default/product_manager, catalog.location.read, read, allow
+    p, role:default/product_manager, techdocs.entity.read, read, allow
+    p, role:default/QA_engineer, catalog-entity, read, allow
+    p, role:default/QA_engineer, catalog.location.read, read, allow
+    p, role:default/QA_engineer, kubernetes.proxy, use, allow
+    p, role:default/QA_engineer, techdocs.entity.read, read, allow
+    p, role:default/external_contractor, catalog-entity, read, allow
+    p, role:default/external_contractor, techdocs.entity.read, read, allow
+    p, role:default/compliance_security, catalog-entity, read, allow
+    p, role:default/compliance_security, catalog.location.read, read, allow
+    p, role:default/compliance_security, rbac.policy.entity.read, read, allow
+    p, role:default/on_call_team, catalog-entity, read, allow
+    p, role:default/on_call_team, catalog.entity.update, update, allow
+    p, role:default/on_call_team, catalog.location.read, read, allow
+    p, role:default/on_call_team, kubernetes.proxy, use, allow
+    p, role:default/on_call_team, techdocs.entity.read, read, allow