Description
Workspace
rbac
📜 Description
When enabling RBAC, is there any way to have a policy for non-signed-in users? I am trying to use the catalog API and 'ALLOW' guest users to read the API.
I also tried using a legacy-secret, but that did not work as I was not providing a user.
Previously non-signed-in users were able to READ the catalog - trying to work out if this is a policy I need to add or a likely decision that RBAC means all API calls will need an identity+token?
👍 Expected behavior
Trying to clarify how to use Backstage APIs with RBAC, as I don't have a user entity for tooling using the API and just providing a legacy-secret did not appear to work.
👎 Actual Behavior with Screenshots
The log reports this:
permission info user without entity is DENY for permission 'catalog.entity.read', resource type 'catalog-entity' and action 'read' actor={"actorId":"user without entity"} meta={"userEntityRef":"user without entity","permissionName":"catalog.entity.read","action":"read","resourceType":"catalog-entity","decision":{"result":"DENY"}} request=undefined isAuditLog=true response=undefined eventName="PermissionEvaluationCompleted" stage="evaluatePermissionAccess" status="succeeded"
When queried like this:
curl -v -X GET http://localhost:7007/api/catalog/entities/by-name/component/default/test-component -H "Authorization: Bearer <legacy-token-from config>"
👟 Reproduction steps
curl -v -X GET http://localhost:7007/api/catalog/entities/by-name/component/default/test-component -H "Authorization: Bearer <legacy-token-from config>"
📃 Provide the context for the Bug.
Trying to allow internal machine users to use the API without converting to use user identity + token.
👀 Have you spent some time to check if this bug has been raised before?
- I checked and didn't find a similar issue
🏢 Have you read the Code of Conduct?
- I have read the Code of Conduct
Are you willing to submit PR?
None