Welcome to the OPA Plugins Repository for Backstage
This repository contains a collection of plugins for Backstage that integrate with Open Policy Agent.
Blogs
Talks
Plugins
- backstage-opa-backend - A Backend Plugin that the backstage-opa-entity-checker consumes to evaluate policies.
- plugin-permission-backend-module-opa-wrapper - An isolated OPA client and a policy evaluator that integrates with the Backstage permissions framework and uses OPA to evaluate policies, making it possible to use OPA for permissions (like RBAC). Does not require the `backstage-opa-backend` plugin!
- backstage-opa-entity-checker - A frontend plugin that provides a component card that displays whether an entity has the expected entity metadata according to an OPA policy.
- backstage-opa-policies - A frontend component designed to be added to entity pages to fetch and display the OPA policy that entity uses, based on a URL provided in an annotation in the `catalog-info.yaml` file.
Beta Plugins
Authz
- backstage-opa-authz-react - A frontend plugin that allows you to control the visibility of components based on the result of an OPA policy evaluation.
- backstage-opa-authz - A node library that includes an OPA client and middleware to evaluate policies, allowing you to control authorization in your backstage backend plugins using OPA.
Entity Checker Processor
- catalog-backend-module-opa-entity-checker-processor - A Backstage catalog processor that validates entities at ingestion time using the `backstage-opa-backend` plugin and adds an annotation based on the OPA policy evaluation result, which can be `error`, `warning` or `info`.
Policies
- backstage-opa-policies-templates - A collection of policies that can be used with the plugins in this repository. (WIP)
Additional Documentation
Each plugin has its own documentation in the Plugins folder. I am, however, slowly moving things to GitHub Pages. Feel free to help out!
Local Development
Step by step guide to developing locally:
- Clone this repository.
- Create an `app-config.local.yaml` file in the root of the repository, copying the contents from `app-config.yaml`.
- Create a PAT (Personal Access Token) for your GitHub account with these scopes: `read:org`, `read:user`, `user:email`. This token should be placed under `integrations.github.token` in the `app-config.local.yaml` file.
- Run `yarn install --immutable` in the root of the repository.
- Use `docker-compose up -d` to start the OPA server and Postgres database (this will also load the two policies in the `example-opa-policies` folder automatically).
- Update the OPA RBAC policy in rbac_policy.rego, or use your own! If you want to use the default policy, you'll have to update `is_admin if "group:twocodersbrewing/maintainers" in claims` to whatever your user entity claims are.
- Run `yarn dev` or `yarn debug` in the root of the repository to start the Backstage app (use debug if you want to see what is happening in the OPA plugin).
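
Before starting the app, the `is_admin` change from the step above can be checked with `opa test`. The following is an added example, not the repository's own `rbac_policy.rego`: the package name, the `input.identity.claims` input shape, the `{"result": ...}` decision shape and the group refs are assumptions or constructed values.

```rego
# Added example, not the project's policy. Save as a .rego file and run: opa test .
package rbac_policy_example # hypothetical package name

import rego.v1

# Default deny: a request is refused unless a rule below allows it.
default decision := {"result": "DENY"}

# Assumption: the caller's ownership claims arrive as a list of entity refs.
claims := input.identity.claims

# Replace the constructed group ref with one your own user entities carry.
is_admin if "group:default/platform-admins" in claims

decision := {"result": "ALLOW"} if is_admin

# --- Tests over constructed inputs ---

test_admin_is_allowed if {
	decision.result == "ALLOW" with input as {"identity": {"claims": [
		"user:default/alice",
		"group:default/platform-admins",
	]}}
}

test_non_admin_is_denied if {
	decision.result == "DENY" with input as {"identity": {"claims": [
		"user:default/bob",
		"group:default/guests",
	]}}
}

# Membership is an exact string match: a different namespace or case does not count.
test_near_miss_is_denied if {
	decision.result == "DENY" with input as {"identity": {"claims": [
		"group:other/platform-admins",
		"group:default/Platform-Admins",
	]}}
}

# A request with no identity at all falls through to the default.
test_missing_claims_is_denied if {
	decision.result == "DENY" with input as {}
}
```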
Ecosystem
- PlaTT Policy Template contains policy templates that will work with the plugin-permission-backend-module-opa-wrapper plugin!
Contributing
Contributions are welcome! However, I am still figuring out the best approach, as this does require user and group entities to be in the system.
Please open an issue or a pull request. You can also contact me on Mastodon at @parcifal.
Please remember to sign your commits with `git commit -s` so that your commits are signed!