This repository contains a collection of plugins for Backstage that integrate with Open Policy Agent.
Integrating Open Policy Agent (OPA) with Backstage allows you to decouple policy from your code. This brings several benefits:
- Fine-Grained Access Control: Define complex RBAC and ABAC policies that go beyond standard permission systems.
- Centralized Policy Management: Manage policies for Backstage alongside your other infrastructure policies.
- Dynamic Policy Updates: Update policies without redeploying your Backstage instance.
- Consistency: Ensure consistent policy enforcement across your entire platform.
The plugins integrate with Backstage and OPA in two main ways.
When using the permission-backend-module-opa-wrapper, the flow relies on the Backstage Permissions Framework:
graph LR
User([User]) --> Frontend[Backstage Frontend]
Frontend -->|Permission Request| PermBackend[Permission Backend]
PermBackend -->|Delegate| OPAWrapper[OPA Wrapper]
OPAWrapper <-->|Policy Decision| OPA[OPA Server]
style User fill:#f9f,stroke:#333,stroke-width:2px
style OPA fill:#ff9,stroke:#333,stroke-width:2px
Other plugins interact with OPA for specific functionality, either by proxying through the backend or checking policies directly from a backend service.
graph LR
User([User]) --> Frontend[Backstage Frontend]
%% Flow 1: Frontend Authz (opa-authz-react)
Frontend -- "Authz Request" --> OPABackend[OPA Backend Plugin]
OPABackend -- "Policy Eval" --> OPA[OPA Server]
%% Flow 2: Backend Node Service (opa-node)
AnyBackend[Any Backend Plugin] -- "opa-node" --> OPA
style User fill:#f9f,stroke:#333,stroke-width:2px
style OPA fill:#ff9,stroke:#333,stroke-width:2px
To use these plugins, you need:
- A running Backstage instance.
- A running Open Policy Agent (OPA) server.
You can deploy OPA in any way that suits your infrastructure (Docker, Kubernetes, Managed Service, etc.). Please refer to the official OPA deployment documentation.
backstage-opa-backend - A Backend Plugin that the
backstage-opa-entity-checkerandbackstage-opa-authz-reactplugins consume to evaluate policies.permission-backend-module-opa-wrapper - A Backstage backend module that integrates Open Policy Agent (OPA) with the Backstage Permission Framework for policy-based authorization.
backstage-plugin-opa-entity-checker-processor - A standalone Backstage catalog processor that automatically validates entity metadata during catalog ingestion using OPA policies and adds validation status annotations.
backstage-opa-entity-checker - A frontend plugin that provides a component card that displays if an entity has the expected entity metadata according to an opa policy.
backstage-opa-policies - A frontend component designed to be added to entity pages to fetch and display the OPA policy that entity uses based on a URL provided in an annotation in the
catalog-info.yamlfile.backstage-opa-authz-react - A frontend plugin that allows you to control the visibility of components based on the result of an OPA policy evaluation.
backstage-plugin-opa-common - Common types and functionality for the OPA plugins.
backstage-plugin-opa-node - Provides a Node.js service for integrating Open Policy Agent (OPA) with Backstage backend modules and plugins. It allows you to secure your backend routes using OPA by providing a simple API for sending policy inputs and receiving policy results.
The OPA plugins use two separate configuration sections in your app-config.yaml:
permission:
opa:
baseUrl: 'http://localhost:8181'
policies:
permissions:
policyEntryPoint: 'rbac_policy/decision'
policyFallback: 'allow' # 'allow' or 'deny' (optional)openPolicyAgent:
baseUrl: 'http://localhost:8181'
entityChecker:
enabled: true # Default: false
policyEntryPoint: 'entity_checker/violation'
entityCheckerProcessor:
enabled: true # Default: false
policyEntryPoint: 'entity_checker/violation'
policyViewer:
enabled: true # Default: falseImportant: All OPA backend features are disabled by default. You must explicitly set
enabled: truefor each feature you want to use. This allows selective loading of only the functionality you need.
Each Plugin has its own documentation in the Plugins Folder, I am however, slowly moving things to Github pages. Feel free to help out!
Step by step guide to developing locally:
- Clone this repository
- Create an
app-config.local.yamlfile in the root of the repository copying the contents fromapp-config.yaml - Create a PAT (Personal Access Token) for your GitHub account with these scopes:
read:org,read:user,user:email. This token should be placed underintegrations.github.tokenin theapp-config.local.yamlfile. - Run
yarn install --immutablein the root of the repository - Use
docker-compose up -dto start the OPA server and postgres database (this will also load the two policies in theexample-opa-policiesfolder automatically) - Update the OPA rbac policy in here rbac_policy.rego, or use your own! If you want to use the default policy, you'll have to update
is_admin if "group:twocodersbrewing/maintainers" in claimsto what ever your user entity claims are. - Run
yarn devoryarn debugin the root of the repository to start the Backstage app (use debug if you want to see what is happening in the OPA plugin)
- PlaTT Policy Template contains policy templates that will work with the plugin-permission-backend-module-opa-wrapper plugin!
Contributions are welcome! However, still figuring out the best approach as this does require user and group entities to be in the system.
Please open an issue or a pull request. You can also contact me on mastodon at @parcifal.
Please remember to sign your commits with git commit -s so that your commits are signed!