Skip to main content

@backstage/plugin-permission-node

Home > @backstage/plugin-permission-node

Common permission and authorization utilities for backend plugins

Classes

Class

Description

ServerPermissionClient

A thin wrapper around PermissionClient that allows all service-to-service requests.

Functions

Function

Description

createConditionAuthorizer(rules)

Takes some permission conditions and returns a definitive authorization result on the resource to which they apply.

createConditionExports(options)

Creates the recommended condition-related exports for a given plugin based on the built-in PermissionRules it supports.

createConditionFactory(rule)

Creates a condition factory function for a given authorization rule and parameter types.

createConditionTransformer(permissionRules)

A higher-order helper function which accepts an array of PermissionRules, and returns a ConditionTransformer which transforms input conditions into equivalent plugin-specific query fragments using the supplied rules.

createPermissionIntegrationRouter(options)

Create an express Router which provides an authorization route to allow integration between the permission backend and other Backstage backend plugins. Plugin owners that wish to support conditional authorization for their resources should add the router created by this function to their express app inside their createRouter implementation.

In case the permissions option is provided, the router also provides a route that exposes permissions and routes of a plugin.

In case resources is provided, the routes can handle permissions for multiple resource types.

createPermissionRule(rule)

Helper function to ensure that PermissionRule definitions are typed correctly.

isAndCriteria(criteria)

Utility function used to parse a PermissionCriteria

isNotCriteria(criteria)

Utility function used to parse a PermissionCriteria

isOrCriteria(criteria)

Utility function used to parse a PermissionCriteria of type

makeCreatePermissionRule()

Helper for making plugin-specific createPermissionRule functions, that have the TResource and TQuery type parameters populated but infer the params from the supplied rule. This helps ensure that rules created for this plugin use consistent types for the resource and query.

Interfaces

Interface

Description

PermissionPolicy

A policy to evaluate authorization requests for any permissioned action performed in Backstage.

Type Aliases

Type Alias

Description

ApplyConditionsRequest

A batch of ApplyConditionsRequestEntry objects.

ApplyConditionsRequestEntry

A request to load the referenced resource and apply conditions in order to finalize a conditional authorization response.

ApplyConditionsResponse

A batch of ApplyConditionsResponseEntry objects.

ApplyConditionsResponseEntry

The result of applying the conditions, expressed as a definitive authorize result of ALLOW or DENY.

Condition

A utility type for mapping a single PermissionRule to its corresponding PermissionCondition.

Conditions

A utility type for mapping PermissionRules to their corresponding PermissionConditions.

ConditionTransformer

A function which accepts PermissionConditions logically grouped in a PermissionCriteria object, and transforms the PermissionConditions into plugin specific query fragments while retaining the enclosing criteria shape.

CreatePermissionIntegrationRouterResourceOptions

Options for creating a permission integration router specific for a particular resource type.

MetadataResponse

Response type for the .metadata endpoint.

MetadataResponseSerializedRule

Serialized permission rules, with the paramsSchema converted from a ZodSchema to a JsonSchema.

PermissionIntegrationRouterOptions

Options for creating a permission integration router exposing permissions and rules from multiple resource types.

PermissionRule

A conditional rule that can be provided in an response to an authorization request.

PolicyQuery

A query to be evaluated by the PermissionPolicy.

PolicyQueryUser

The context within which a policy query is evaluated.