Simplify Permissions with OPA in Backstage
Does NOT require the backstage-opa-backend plugin!
Integrate dynamic policy management into your Backstage instance with the OPA Permissions Wrapper Module. This tool leverages Open Policy Agent (OPA) for flexible, easy-to-update permissions management within the Backstage Permission Framework.
- Dynamic Policy Management: Use OPA's Rego language for creating and managing policies without hardcoding them.
- Instant Updates: Modify your OPA policies on the fly without needing to redeploy your Backstage instance.
- Empower Teams: Allow teams to manage their own policies easily, without deep knowledge of TypeScript or Backstage internals.
For more details, check out:
How It Works
This plugin allows you to do two things. The first and foremost is to use it as a way to "wrap" around the Backstage Permission Framework and use the OPA client to evaluate policies. It sends a request to OPA with the permission and identity information; OPA evaluates the policy and returns a decision, which is then passed back to the Permission Framework. In this scenario you don't need to do anything fancy: just install it and follow the configuration steps.
- Permissions are created in the plugin in which they need to be enforced.
- The plugin will send a request to the Permission Framework backend with the permission and identity information.
- The Permission Framework backend will then forward the request to OPA with the permission and identity information.
- OPA will evaluate the information against the policy and return a decision.
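The last two steps, as an added TypeScript sketch (not code from this plugin): it builds the OPA Data API request from the permission and identity, and maps the response to a decision that fails closed. The input shape, the decision shape (`{"result": "ALLOW"}`), the `rbac_policy/decision` policy path, the `Post` transport and all function names are assumptions made for illustration.

```typescript
// Added example. The shapes and names below are assumptions, not the plugin's API.
type Decision = 'ALLOW' | 'DENY';

interface PolicyInput {
  permission: { name: string };
  identity: { user: string; claims: string[] };
}

// Hypothetical transport, injected so the sketch runs without a live OPA.
type Post = (url: string, body: string) => Promise<{ status: number; body: string }>;

// Constructed sample input for illustration.
const SAMPLE_INPUT: PolicyInput = {
  permission: { name: 'catalog.entity.read' },
  identity: { user: 'user:default/alice', claims: ['user:default/alice', 'group:default/dev'] },
};

// OPA's Data API evaluates POST /v1/data/<path> with the document under "input".
function buildOpaRequest(baseUrl: string, entrypoint: string, input: PolicyInput) {
  const path = entrypoint.split('/').map(encodeURIComponent).join('/');
  return {
    url: `${baseUrl.replace(/\/+$/, '')}/v1/data/${path}`,
    body: JSON.stringify({ input }),
  };
}

// Fail closed: only an explicit, well-formed ALLOW grants access.
function toDecision(status: number, responseBody: string): Decision {
  if (status !== 200) return 'DENY';
  try {
    const parsed = JSON.parse(responseBody);
    // When the rule is undefined, OPA answers 200 with no "result" key at all.
    return parsed?.result?.result === 'ALLOW' ? 'ALLOW' : 'DENY';
  } catch {
    return 'DENY'; // body was not JSON
  }
}

// Sends the request and treats a transport failure (OPA unreachable) as DENY.
function evaluate(post: Post, baseUrl: string, entrypoint: string, input: PolicyInput): Promise<Decision> {
  const req = buildOpaRequest(baseUrl, entrypoint, input);
  return post(req.url, req.body).then(
    (res): Decision => toDecision(res.status, res.body),
    (): Decision => 'DENY',
  );
}
```

The case worth checking in any integration like this is the empty `{}` response: a typo in the policy path yields HTTP 200 with no result, which must not be read as an allow.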
Join The Community
This project is a part of the broader Backstage and Open Policy Agent ecosystems. Explore more about these communities:
Learn More
Get Involved
Your contributions can make this plugin even better. Fork the repository, make your changes, and submit a PR! If you have questions or ideas, reach out on Mastodon.
Ecosystem
- PlaTT Policy Template contains policy templates that will work with this plugin!
License
Licensed under the Apache 2.0 License.