
createPermissionIntegrationRouter()


Create an express Router which provides an authorization route to allow integration between the permission backend and other Backstage backend plugins. Plugin owners that wish to support conditional authorization for their resources should add the router created by this function to their express app inside their createRouter implementation.

If the permissions option is provided, the router also provides a route that exposes the permissions and routes of a plugin.

If resources is provided, the routes can handle permissions for multiple resource types.

Signature:

```typescript
function createPermissionIntegrationRouter<
  TResourceType1 extends string,
  TResource1,
  TResourceType2 extends string,
  TResource2,
  TResourceType3 extends string,
  TResource3
>(
  options:
    | {
        permissions: Array<Permission>;
      }
    | CreatePermissionIntegrationRouterResourceOptions<TResourceType1, TResource1>
    | PermissionIntegrationRouterOptions<TResourceType1, TResource1, TResourceType2, TResource2, TResourceType3, TResource3>
): express.Router;
```

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| options | `{ permissions: Array<Permission>; } \| CreatePermissionIntegrationRouterResourceOptions<TResourceType1, TResource1> \| PermissionIntegrationRouterOptions<TResourceType1, TResource1, TResourceType2, TResource2, TResourceType3, TResource3>` | |

Returns:

express.Router

Remarks

To make this concrete, we can use the Backstage software catalog as an example. The catalog has conditional rules around access to specific _entities_ in the catalog. The _type_ of resource is captured here as resourceType, a string identifier (catalog-entity in this example) that can be provided with permission definitions. This is merely a _type_ to verify that conditions in an authorization policy are constructed correctly, not a reference to a specific resource.

The rules parameter is an array of PermissionRules that introduce conditional filtering logic for resources; for the catalog, these are things like isEntityOwner or hasAnnotation. Rules describe how to filter a list of resources, and the conditions returned allow these rules to be applied with specific parameters (such as 'group:default/team-a', or 'backstage.io/edit-url').

The getResources argument should load resources based on a reference identifier. For the catalog, this is an . For other plugins, this can be any serialized format. This is used to construct the createPermissionIntegrationRouter, a function to add an authorization route to your backend plugin. This function will be called by the permission-backend when authorization conditions relating to this plugin need to be evaluated.
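The flow described in these remarks (load each referenced resource with getResources, then apply the rules named in the conditions) can be modelled as below. This is an added, simplified example, not Backstage's implementation or API: the item and decision shapes, the rule parameter names, the synchronous in-memory getResources and the sample entities are all assumptions constructed for illustration.

```typescript
// Simplified model of conditional authorization; not Backstage source code.
type CatalogEntity = { owner: string; annotations: Record<string, string> };
type Params = { owner?: string; annotation?: string }; // assumed parameter names
type Rule = { name: string; apply: (e: CatalogEntity, p: Params) => boolean };
type Criteria = { rule: string; params: Params } | { allOf: Criteria[] }
  | { anyOf: Criteria[] } | { not: Criteria };
type ApplyItem = { id: string; resourceRef: string; conditions: Criteria };
type Decision = { id: string; result: 'ALLOW' | 'DENY' };

// Rule names come from the page; these bodies are illustrative.
const rules: Rule[] = [
  { name: 'isEntityOwner', apply: (e, p) => e.owner === p.owner },
  { name: 'hasAnnotation',
    apply: (e, p) => Object.keys(e.annotations).some(k => k === p.annotation) },
];

// Constructed sample data, keyed by resource reference.
const store: Record<string, CatalogEntity> = {
  'component:default/website': { owner: 'group:default/team-a',
    annotations: { 'backstage.io/edit-url': 'https://example.invalid/edit' } },
  'component:default/billing': { owner: 'group:default/team-b', annotations: {} },
};

// Returns one entry per ref, undefined when the ref does not resolve.
function getResources(refs: string[]): Array<CatalogEntity | undefined> {
  return refs.map(r =>
    Object.prototype.hasOwnProperty.call(store, r) ? store[r] : undefined);
}

function evaluate(c: Criteria, resource: CatalogEntity): boolean {
  if ('allOf' in c) return c.allOf.every(x => evaluate(x, resource));
  if ('anyOf' in c) return c.anyOf.some(x => evaluate(x, resource));
  if ('not' in c) return !evaluate(c.not, resource);
  const name = c.rule;
  const rule = rules.filter(r => r.name === name)[0];
  // Throw instead of returning false: under `not`, false would become an allow.
  if (!rule) throw new Error(`unknown rule: ${name}`);
  return rule.apply(resource, c.params);
}

function applyConditions(items: ApplyItem[]): Decision[] {
  const resources = getResources(items.map(i => i.resourceRef));
  return items.map((item, idx): Decision => {
    const resource = resources[idx];
    // An unresolved ref is denied before any rule runs, so `not` cannot allow it.
    const ok = resource !== undefined && evaluate(item.conditions, resource);
    return { id: item.id, result: ok ? 'ALLOW' : 'DENY' };
  });
}
```

Two fail-closed choices matter in this model: a reference that does not resolve is denied without evaluating any rule, and an unknown rule name raises an error rather than evaluating to false.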