
Comments (3)

freben commented on May 31, 2024

@kuangp

router.get('/v1/userinfo', async (req, res) => {

This implementation would change, to read the user info out of a new database table instead, keyed by the userEntityRef. The auth backend token issuance code should be updated to store all important user info upon each sign in (or rather, each token issuance?). At least the ownership refs, but in the future maybe more than that. And leave them out of the token itself.

Regarding the number of refs though: Even if you got rid of the token size issue, you'd still be paying a hefty cost for making these lists massive. In permissions checks etc these get translated to increasingly complex queries that affect the catalog etc.

While building this user info feature, would it instead be useful to return those "special" permissions strings as auxiliary data that the user info service retrieves, and which isn't mingled with the ownership claims themselves and their semantics? The vehicle for that could be custom token claims that just get stripped out and stored in the db, but perhaps the data types could instead be changed around the interaction surfaces here (the ctx methods and the sign in resolver etc) to make explicit room for the new user info mechanism?

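The storage change described in the comment above, sketched as an added example that is not part of the thread or of Backstage's code: ownership refs are written to a store keyed by userEntityRef at issuance and read back by the userinfo lookup, with an in-memory map standing in for the database table. All class and function names, and the `sub`/`ent` claim names, are assumptions made for the sketch.

```javascript
// Added illustration: UserInfoStore, encodeClaims, issueClaimsInToken, issueClaimsInStore
// and getUserInfo are hypothetical names, not Backstage APIs. Signing is omitted because
// only the payload size and the lookup path matter here.

// In-memory stand-in for the database table keyed by userEntityRef.
class UserInfoStore {
  constructor() {
    this.rows = new Map();
  }
  // Upsert on every token issuance so the row always reflects the latest sign-in.
  save(userEntityRef, ownershipEntityRefs) {
    this.rows.set(userEntityRef, { userEntityRef, ownershipEntityRefs: [...ownershipEntityRefs] });
  }
  get(userEntityRef) {
    return this.rows.get(userEntityRef) ?? null;
  }
}

// Base64url-encode a claims object the way a JWT payload segment is encoded.
const encodeClaims = claims => Buffer.from(JSON.stringify(claims)).toString('base64url');
const decodeClaims = segment => JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));

// Before: ownership refs travel inside the token, so its size grows with every ref.
// The claim names `sub` and `ent` are assumptions for this sketch.
function issueClaimsInToken(userEntityRef, ownershipEntityRefs) {
  return encodeClaims({ sub: userEntityRef, ent: ownershipEntityRefs });
}

// After: persist the refs at issuance and keep only the subject in the token.
function issueClaimsInStore(store, userEntityRef, ownershipEntityRefs) {
  store.save(userEntityRef, ownershipEntityRefs);
  return encodeClaims({ sub: userEntityRef });
}

// What a userinfo handler would do after verifying the token: look the subject up.
// Returns null when no row exists (for example, a token issued before the table did),
// so the caller can answer with an error instead of an empty ownership list.
function getUserInfo(store, payloadSegment) {
  const { sub } = decodeClaims(payloadSegment);
  return typeof sub === 'string' ? store.get(sub) : null;
}

// Constructed sample data: one user with 500 ownership refs.
const sampleUser = 'user:default/jane';
const sampleRefs = Array.from({ length: 500 }, (_, i) => `group:default/team-${i}`);
const sampleStore = new UserInfoStore();
const fat = issueClaimsInToken(sampleUser, sampleRefs);
const slim = issueClaimsInStore(sampleStore, sampleUser, sampleRefs);
console.log({ fatBytes: fat.length, slimBytes: slim.length,
  refsFromStore: getUserInfo(sampleStore, slim).ownershipEntityRefs.length });
```

The slim payload stays the same size however many refs the user has; the cost of large ref lists in permission checks, raised in the same comment, is unaffected by this change.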

Rugvip commented on May 31, 2024

We've implemented the starting point for fixing this more permanently through the new UserInfoService which moves this information out of the user token, https://github.com/backstage/backstage/tree/master/beps/0003-auth-architecture-evolution#userinfoservice-interface. It needs more implementation in the auth backend though, which isn't on our immediate roadmap.

Short term I'd recommend that you limit the number of ownership entity refs, although I'd also recommend this as a long-term goal too. The ownership entity refs are intended to point to groups that exist in your org that are able to own entities in the catalog, which entities then point to using the owner field and relation.


kuangp commented on May 31, 2024

> It needs more implementation in the auth backend though, which isn't on our immediate roadmap.

Kind of bummed to hear that this is not going to be finished being fleshed out as part of the original BEP 😞
This is significantly affecting us as well and I was really looking forward to being able to re-enable auth for techdocs ...

> The ownership entity refs are intended to point to groups that exist in your org that are able to own entities in the catalog, which entities then point to using the owner field and relation.

This wasn't viable for us and probably for some other adopters too since we rely on these ownership claims to drive permissions for various plugins even if these groups themselves aren't owners of any entities in the catalog

@Rugvip do you mind laying out what's left to be implemented to get this fully working? I might take a stab at this when I have some spare time

