createPermissionIntegrationRouter()
Create an express Router which provides an authorization route to allow integration between the permission backend and other Backstage backend plugins. Plugin owners that wish to support conditional authorization for their resources should add the router created by this function to their express app inside their `createRouter` implementation.
In case the `permissions` option is provided, the router also provides a route that exposes permissions and routes of a plugin.

In case `resources` is provided, the routes can handle permissions for multiple resource types.
Signature:

```typescript
function createPermissionIntegrationRouter<TResourceType1 extends string, TResource1, TResourceType2 extends string, TResource2, TResourceType3 extends string, TResource3>(options: {
    permissions: Array<Permission>;
} | CreatePermissionIntegrationRouterResourceOptions<TResourceType1, TResource1> | PermissionIntegrationRouterOptions<TResourceType1, TResource1, TResourceType2, TResource2, TResourceType3, TResource3>): express.Router;
```
Parameters

| Parameter | Type | Description |
|---|---|---|
| options | `{ permissions: Array<Permission>; } \| CreatePermissionIntegrationRouterResourceOptions<TResourceType1, TResource1> \| PermissionIntegrationRouterOptions<TResourceType1, TResource1, TResourceType2, TResource2, TResourceType3, TResource3>` | |

Returns:

`express.Router`

Remarks
To make this concrete, we can use the Backstage software catalog as an example. The catalog has conditional rules around access to specific _entities_ in the catalog. The _type_ of resource is captured here as `resourceType`, a string identifier (`catalog-entity` in this example) that can be provided with permission definitions. This is merely a _type_ to verify that conditions in an authorization policy are constructed correctly, not a reference to a specific resource.

The `rules` parameter is an array of `PermissionRule`s that introduce conditional filtering logic for resources; for the catalog, these are things like `isEntityOwner` or `hasAnnotation`. Rules describe how to filter a list of resources, and the `conditions` returned allow these rules to be applied with specific parameters (such as 'group:default/team-a', or 'backstage.io/edit-url').

The `getResources` argument should load resources based on a reference identifier. For the catalog, this is an . For other plugins, this can be any serialized format. This is used to construct the `createPermissionIntegrationRouter`, a function to add an authorization route to your backend plugin. This function will be called by the `permission-backend` when authorization conditions relating to this plugin need to be evaluated.
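
The evaluation flow described in the remarks, as an added example that is not Backstage's own code: a simplified, synchronous model of what a plugin's authorization route has to decide once it receives a resource reference and a set of conditions. The types, the `value` parameter, the `applyConditions` and `evaluate` helpers, the sample entities and the fail-closed choices are all assumptions of this sketch.

```typescript
// Simplified model of the checks behind an authorization route (names are assumptions).
type Entity = { ref: string; owners: string[]; annotations: Record<string, string> };
type Params = { value: string };
type Criteria =
  | { rule: string; params: Params }
  | { allOf: Criteria[] }
  | { anyOf: Criteria[] }
  | { not: Criteria };
type ApplyRequest = { resourceType: string; resourceRef: string; conditions: Criteria };

const RESOURCE_TYPE = 'catalog-entity';
const has = (obj: object, key: string): boolean =>
  Object.prototype.hasOwnProperty.call(obj, key);

// Rule names follow the catalog rules named above; the bodies are illustrative.
const rules: Record<string, (resource: Entity, params: Params) => boolean> = {
  isEntityOwner: (e, p) => e.owners.indexOf(p.value) !== -1,
  hasAnnotation: (e, p) => has(e.annotations, p.value),
};

// Constructed sample data standing in for the plugin's storage.
const store: Entity[] = [
  { ref: 'component:default/payments', owners: ['group:default/team-a'],
    annotations: { 'backstage.io/edit-url': 'https://example.invalid/edit' } },
  { ref: 'component:default/search', owners: ['group:default/team-b'], annotations: {} },
];

// Loads resources by reference; an unknown reference yields undefined.
function getResources(refs: string[]): Array<Entity | undefined> {
  return refs.map(ref => store.filter(e => e.ref === ref)[0]);
}

function evaluate(c: Criteria, resource: Entity): boolean {
  // every() is true for an empty list, so an empty allOf is treated as no match.
  if ('allOf' in c) return c.allOf.length > 0 && c.allOf.every(x => evaluate(x, resource));
  if ('anyOf' in c) return c.anyOf.some(x => evaluate(x, resource));
  if ('not' in c) return !evaluate(c.not, resource);
  // Own-property lookup: a rule name such as "constructor" must not resolve.
  const rule = has(rules, c.rule) ? rules[c.rule] : undefined;
  if (!rule) throw new Error(`Unknown rule: ${c.rule}`);
  return rule(resource, c.params);
}

function applyConditions(req: ApplyRequest): 'ALLOW' | 'DENY' {
  if (req.resourceType !== RESOURCE_TYPE) throw new Error('Unexpected resource type');
  const resource = getResources([req.resourceRef])[0];
  if (resource === undefined) return 'DENY'; // fail closed on a missing resource
  return evaluate(req.conditions, resource) ? 'ALLOW' : 'DENY';
}
```

The points to carry over to a real `getResources` and rule set are the same: a reference that cannot be loaded results in a denial, and a condition naming a rule the plugin does not define is rejected rather than ignored.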