Simplify Permissions with OPA in Backstage

[!ATTENTION|style:flat] Does NOT require the backstage-opa-backend plugin!

Integrate dynamic policy management into your Backstage instance with the OPA Permissions Wrapper Module. This tool leverages Open Policy Agent (OPA) for flexible, easy-to-update permissions management within the Backstage Permission Framework.

• Dynamic Policy Management: Use OPA's Rego language for creating and managing policies without hardcoding them.
• Instant Updates: Modify your OPA policies on the fly without needing to redeploy your Backstage instance.
• Empower Teams: Allow teams to manage their own policies easily, without deep knowledge of TypeScript or Backstage internals.

For more details, check out:

• Quick-start Guide
• Local Development Guide

How It Works

This plugin allows you to do two things, the first and foremost is to use it as a way to "wrap" around the Backstage Permission Framework and use the OPA client to evaluate policies. It will send a request to OPA with the permission and identity information, OPA will then evaluate the policy and return a decision, which is then passed back to the Permission Framework, in this scenario you don't need to do anything fancy, just install it and follow the configuration steps.

• Permissions are created in the plugin in which they need to be enforced.
• The plugin will send a request to the Permission Framework backend with the permission and identity information.
• The Permission Framework backend will then forward the request to OPA with the permission and identity information.
• OPA will evaluate the the information against the policy and return a decision.

You can also use the evaluatePolicy (see here) function in your backend plugins to evaluate policies. This is useful if you want a bit more flexibility in how you pass the information to OPA and evaluate the policy. You can see an example of this in the backend demo plugin.

Join The Community

This project is a part of the broader Backstage and Open Policy Agent ecosystems. Explore more about these communities:

• Backstage Community
• Open Policy Agent Community
• Styra
• Join OPA on Slack
• Backstage Discord

Learn More

• Blog: Going Backstage with OPA
• Talk: Building Fine-Grained Access Control for Backstage with OPA

Get Involved

Your contributions can make this plugin even better. Fork the repository, make your changes, and submit a PR! If you have questions or ideas, reach out on Mastodon.

Ecosystem

• PlaTT Policy Template contains policy templates that will work with the this plugin!

License

Licensed under the Apache 2.0 License.