Skip to content

docs(augment): add OpenSpec proposal for fine-grained Backstage permissions#3331

Open
gabemontero wants to merge 4 commits into
redhat-developer:mainfrom
gabemontero:finer-grained-permissions-proposal
Open

docs(augment): add OpenSpec proposal for fine-grained Backstage permissions#3331
gabemontero wants to merge 4 commits into
redhat-developer:mainfrom
gabemontero:finer-grained-permissions-proposal

Conversation

@gabemontero

Copy link
Copy Markdown
Contributor

Hey, I just made a Pull Request!

Add OpenSpec artifacts for the fine-grained-backstage-permissions change, which replaces 12+ inline route-level authorization guards with proper Backstage fine-grained permissions, enabling deployers to configure RBAC policies for agent and tool lifecycle governance.

Artifacts created:

  • proposal.md: motivation, 3 capabilities (permission-definitions, authorization-middleware, route-authorization), impact across 12 files
  • design.md: 5 architectural decisions covering resource types, two-tier fallback, self-approval defense-in-depth, visibility filtering, and rule patterns
  • specs/permission-definitions/spec.md: 11 requirements (2 resource types, 16 permissions, 3 permission rules with ownership/stage/self-approval)
  • specs/authorization-middleware/spec.md: 5 requirements (two-tier auth, conditional evaluation, RouteContext integration)
  • specs/route-authorization/spec.md: 14 requirements covering all agent, tool, and Kagenti route authorization replacements with backward compat
  • tasks.md: 7 task groups, 30 implementation tasks ordered by dependency

Includes the preliminary implementation plan used as source material.

✔️ Checklist

  • [n/a] A changeset describing the change and affected packages. (more info)
  • [/] Added or Updated documentation
  • [/] Tests for new functionality and regression tests for bug fixes
  • [/] Screenshots attached (for UI changes)

@codecov

codecov Bot commented Jun 8, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 50.28%. Comparing base (2903d71) to head (46344d2).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3331   +/-   ##
=======================================
  Coverage   50.28%   50.28%           
=======================================
  Files        2260     2260           
  Lines       85603    85603           
  Branches    24211    24211           
=======================================
  Hits        43044    43044           
  Misses      42058    42058           
  Partials      501      501           
Flag Coverage Δ *Carryforward flag
adoption-insights 83.70% <ø> (ø) Carriedforward from 2903d71
ai-integrations 67.95% <ø> (ø) Carriedforward from 2903d71
app-defaults 69.79% <ø> (ø) Carriedforward from 2903d71
augment 46.39% <ø> (ø)
boost 74.64% <ø> (ø) Carriedforward from 2903d71
bulk-import 72.46% <ø> (ø) Carriedforward from 2903d71
cost-management 14.10% <ø> (ø) Carriedforward from 2903d71
dcm 61.79% <ø> (ø) Carriedforward from 2903d71
extensions 61.53% <ø> (ø) Carriedforward from 2903d71
global-floating-action-button 71.18% <ø> (ø) Carriedforward from 2903d71
global-header 59.71% <ø> (ø) Carriedforward from 2903d71
homepage 49.84% <ø> (ø) Carriedforward from 2903d71
install-dynamic-plugins 56.23% <ø> (ø) Carriedforward from 2903d71
konflux 91.49% <ø> (ø) Carriedforward from 2903d71
lightspeed 68.57% <ø> (ø) Carriedforward from 2903d71
mcp-integrations 85.46% <ø> (ø) Carriedforward from 2903d71
orchestrator 37.79% <ø> (ø) Carriedforward from 2903d71
quickstart 63.76% <ø> (ø) Carriedforward from 2903d71
sandbox 79.56% <ø> (ø) Carriedforward from 2903d71
scorecard 83.96% <ø> (ø) Carriedforward from 2903d71
theme 61.26% <ø> (ø) Carriedforward from 2903d71
translations 7.25% <ø> (ø) Carriedforward from 2903d71
x2a 13.78% <ø> (ø) Carriedforward from 2903d71

*This pull request uses carry forward flags. Click here to find out more.


Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2903d71...46344d2. Read the comment docs.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Comment thread workspaces/augment/openspec/changes/fine-grained-backstage-permissions/design.md Outdated
@gabemontero

Copy link
Copy Markdown
Contributor Author

thanks again for the thorough review @pkliczewski

I've pushed a new commit with my updates ... and left the comment threads unresolved

@pkliczewski

Copy link
Copy Markdown

@gabemontero thanks, resolved most of the comments

@gabemontero

Copy link
Copy Markdown
Contributor Author

@gabemontero thanks, resolved most of the comments

likewise thanks @pkliczewski

I've posted replies to the remaining review threads and pushed a new commit with updates for those remaining threads

@gabemontero gabemontero force-pushed the finer-grained-permissions-proposal branch from 21529ea to 013d0ce Compare June 10, 2026 19:18
@pkliczewski

Copy link
Copy Markdown

/lgtm

@gabemontero

Copy link
Copy Markdown
Contributor Author

fyi @pkliczewski I've gotten agreement from @PatAKnight to review this proposal as well

@gabemontero gabemontero marked this pull request as ready for review June 12, 2026 15:32
@gabemontero gabemontero requested review from a team and durandom as code owners June 12, 2026 15:32
@rhdh-qodo-merge

rhdh-qodo-merge Bot commented Jun 12, 2026

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0) 🎨 UX issues (0) 🔗 Cross-repo conflicts (0)

Grey Divider


Action required

1. Permission specs inconsistent 🐞 Bug ≡ Correctness
Description
The proposal/tasks/implementation plan repeatedly state there are 16 new permissions, but the
behavioral specs require 21 (including 5 infrastructure permissions like
augment.vectorstore.manage). This mismatch can cause an implementation that follows the task list
to omit required permissions/registration and leave infra routes incorrectly authorized.
Code

workspaces/augment/openspec/changes/fine-grained-backstage-permissions/proposal.md[R7-14]

+## What Changes
+
+- 16 new fine-grained permissions across agent, tool, and Kagenti infrastructure domains — each mapping to a specific authorization decision currently handled by inline code
+- 2 new resource types (`augment-agent`, `augment-tool`) enabling conditional permission rules scoped to individual resources
+- 3 permission rules (`IS_OWNER`, `IS_NOT_CREATOR`, `HAS_LIFECYCLE_STAGE`) for ownership, self-approval prevention, and stage-gated operations
+- New authorization abstraction (`authorizeLifecycleAction`) implementing a two-tier check: fine-grained permission first, fallback to `augment.admin` for backward compatibility
+- Refactoring of all 12+ inline authorization decisions in route handlers to use the permission framework
+- Permission integration router registered with both resource types and all rules
Relevance

⭐⭐⭐ High

Team has accepted fixing internal doc/spec inconsistencies in OpenSpec artifacts (e.g., PR #3292).

PR-#3292

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The proposal/tasks/plan state "16 new permissions", while the permission-definitions and
route-authorization specs define additional infrastructure permissions and explicitly require
registering "All 21 new permissions"; these cannot both be true and will lead to an incomplete
implementation if the tasks are followed as-written.

workspaces/augment/openspec/changes/fine-grained-backstage-permissions/proposal.md[7-14]
workspaces/augment/openspec/changes/fine-grained-backstage-permissions/proposal.md[26-40]
workspaces/augment/openspec/changes/fine-grained-backstage-permissions/tasks.md[3-11]
workspaces/augment/openspec/changes/fine-grained-backstage-permissions/tasks.md[47-52]
workspaces/augment/openspec/changes/fine-grained-backstage-permissions/fine-grained-permissions-prelim-implementation-plan.md[78-114]
workspaces/augment/openspec/changes/fine-grained-backstage-permissions/specs/permission-definitions/spec.md[87-114]
workspaces/augment/openspec/changes/fine-grained-backstage-permissions/specs/route-authorization/spec.md[173-231]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Multiple OpenSpec artifacts disagree on how many new permissions are part of this change (16 vs 21) and which ones must be defined/registered. This will cause implementers to follow the tasks/impact section and accidentally skip the 5 infrastructure permissions that the specs require.

## Issue Context
- Proposal/tasks/plan talk about “16 new permissions”, but the specs define and require 5 additional infrastructure permissions (`augment.vectorstore.manage`, `augment.document.manage`, `augment.mcp.manage`, `augment.prompt.manage`, `augment.model.manage`) and explicitly say “All 21 new permissions” must be registered.

## Fix Focus Areas
Update the docs so all artifacts agree on the same set and count of new permissions, and ensure the task list includes implementation steps for the infrastructure permissions if they are in-scope.

- workspaces/augment/openspec/changes/fine-grained-backstage-permissions/proposal.md[7-14]
- workspaces/augment/openspec/changes/fine-grained-backstage-permissions/proposal.md[26-40]
- workspaces/augment/openspec/changes/fine-grained-backstage-permissions/tasks.md[3-11]
- workspaces/augment/openspec/changes/fine-grained-backstage-permissions/tasks.md[47-52]
- workspaces/augment/openspec/changes/fine-grained-backstage-permissions/fine-grained-permissions-prelim-implementation-plan.md[78-114]
- workspaces/augment/openspec/changes/fine-grained-backstage-permissions/specs/permission-definitions/spec.md[87-114]
- workspaces/augment/openspec/changes/fine-grained-backstage-permissions/specs/route-authorization/spec.md[173-231]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Remediation recommended

2. Unpublish permission ambiguous 🐞 Bug ⚙ Maintainability
Description
The route-authorization spec gates PUT unpublish with augment.agent.publish while separately
defining augment.agent.unpublish for request-unpublish, creating a confusing/ambiguous permission
model for deployers and implementers. This ambiguity increases the risk of wiring the wrong
permission to the unpublish operation or writing RBAC policies that don’t match runtime behavior.
Code

workspaces/augment/openspec/changes/fine-grained-backstage-permissions/specs/route-authorization/spec.md[R72-75]

+### Requirement: Agent publish and unpublish authorization
+
+The PUT publish, PUT unpublish, and PUT bulk-publish routes SHALL use `augment.agent.publish`, replacing `requireAdminAccess`. When `permissions.legacyAdminFallback` is enabled, DENY falls back to checking `augment.admin`.
+
Relevance

⭐⭐⭐ High

Repo reviewers often fix ambiguous/incorrect permission mappings/naming for clarity/security (PRs
#2581, #2620).

PR-#2581
PR-#2620

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The route-authorization spec explicitly assigns PUT unpublish to augment.agent.publish, while both
the permission-definition spec and the tasks/plan define augment.agent.unpublish and use it for
request-unpublish; this creates a non-intuitive split and ambiguous semantics for the unpublish
permission ID.

workspaces/augment/openspec/changes/fine-grained-backstage-permissions/specs/route-authorization/spec.md[72-89]
workspaces/augment/openspec/changes/fine-grained-backstage-permissions/specs/permission-definitions/spec.md[32-48]
workspaces/augment/openspec/changes/fine-grained-backstage-permissions/tasks.md[31-38]
workspaces/augment/openspec/changes/fine-grained-backstage-permissions/fine-grained-permissions-prelim-implementation-plan.md[159-172]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The docs currently say the admin-only PUT unpublish route uses `augment.agent.publish`, while `augment.agent.unpublish` is defined and used for PUT request-unpublish. This makes the meaning of `augment.agent.unpublish` non-obvious and encourages policy mistakes.

## Issue Context
- If the intent is “publish-permission controls publication state changes (publish + unpublish)”, the permission ID/name should reflect that (or the docs should explicitly call it out in the permission definitions table).
- If the intent is “unpublish is its own operation”, then PUT unpublish should use `augment.agent.unpublish`, and PUT request-unpublish should use a different permission (e.g., `augment.agent.requestUnpublish`).

## Fix Focus Areas
Pick one consistent model and update all places that mention these permissions.

- workspaces/augment/openspec/changes/fine-grained-backstage-permissions/specs/route-authorization/spec.md[72-89]
- workspaces/augment/openspec/changes/fine-grained-backstage-permissions/specs/permission-definitions/spec.md[32-48]
- workspaces/augment/openspec/changes/fine-grained-backstage-permissions/fine-grained-permissions-prelim-implementation-plan.md[159-172]
- workspaces/augment/openspec/changes/fine-grained-backstage-permissions/tasks.md[31-38]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Qodo Logo

@gabemontero

Copy link
Copy Markdown
Contributor Author

/assign @PatAKnight

@rhdh-qodo-merge

Copy link
Copy Markdown

PR Summary by Qodo

docs(augment): add OpenSpec proposal for fine-grained Backstage permissions
📝 Documentation ⚙️ Configuration changes 🕐 20-40 Minutes

Grey Divider

Walkthroughs

Description
• Add OpenSpec proposal/design/specs for fine-grained Augment RBAC over agents and tools.
• Specify two-tier authorization with opt-in augment.admin fallback and audit logging
  requirements.
• Provide route-to-permission mapping and an ordered implementation task plan for migration.
Diagram
graph TD
  A["OpenSpec change set"] --> B["proposal.md"] --> G["Augment implementation"]
  A --> C["design.md"] --> G
  A --> D["specs/*.md"] --> G
  A --> E["tasks.md"] --> G
  G --> H["Backstage permissions"]
Loading
High-Level Assessment

The PR’s approach is appropriate for a docs/spec-first change: it cleanly separates proposal, design decisions, normative specs, and an execution plan. Alternatives like collapsing the prelim plan into tasks/specs or using ADR-only documentation were considered but would reduce traceability or actionable sequencing; keeping the artifacts distinct improves review and implementation clarity.

Grey Divider

File Changes

Documentation (7)
design.md Document architectural decisions and trade-offs +69/-0

Document architectural decisions and trade-offs

• Defines goals/non-goals and five key decisions (resource types, opt-in legacy fallback, self-approval defense-in-depth, list visibility strategy, and rule patterns). Captures risks such as migration complexity and conditional-evaluation overhead.

workspaces/augment/openspec/changes/fine-grained-backstage-permissions/design.md


fine-grained-permissions-prelim-implementation-plan.md Add preliminary implementation plan and mapping tables +243/-0

Add preliminary implementation plan and mapping tables

• Provides a detailed plan covering the motivation, permission inventory, rule definitions, affected files, and a per-route authorization mapping. Includes backward-compatibility examples and an implementation order checklist used as source material.

workspaces/augment/openspec/changes/fine-grained-backstage-permissions/fine-grained-permissions-prelim-implementation-plan.md


proposal.md Add high-level proposal for fine-grained permissions +40/-0

Add high-level proposal for fine-grained permissions

• Summarizes why the change is needed and what capabilities will be added (permission definitions, authorization middleware, route authorization). Lists impacted code areas and clarifies separation from provider-level authorization.

workspaces/augment/openspec/changes/fine-grained-backstage-permissions/proposal.md


spec.md Specify two-tier authorization middleware and audit logging +120/-0

Specify two-tier authorization middleware and audit logging

• Defines requirements for 'authorizeLifecycleAction' and 'authorizeBasicWithFallback', including opt-in 'augment.admin' fallback semantics and conditional evaluation behavior. Adds RouteContext integration requirements and mandates structured audit logs for all authorization outcomes.

workspaces/augment/openspec/changes/fine-grained-backstage-permissions/specs/authorization-middleware/spec.md


spec.md Define resource types, permissions, and rule requirements +169/-0

Define resource types, permissions, and rule requirements

• Specifies two resource types ('augment-agent', 'augment-tool'), the agent/tool permission sets, and basic permissions for infrastructure domains (vector stores, documents, MCP, prompts, models). Defines requirements for the 'IS_OWNER', 'IS_NOT_CREATOR', and 'HAS_LIFECYCLE_STAGE' rules and preserves existing 'augment.access'/'augment.admin' semantics.

workspaces/augment/openspec/changes/fine-grained-backstage-permissions/specs/permission-definitions/spec.md


spec.md Map Augment routes to permissions and fallback behavior +249/-0

Map Augment routes to permissions and fallback behavior

• Provides a route-by-route mapping from current inline guards to fine-grained permissions and conditions (ownership, stage gating, self-approval). Specifies behavior for list visibility filtering, bulk operations, and opt-in fallback via 'permissions.legacyAdminFallback'.

workspaces/augment/openspec/changes/fine-grained-backstage-permissions/specs/route-authorization/spec.md


tasks.md Add ordered implementation task breakdown +59/-0

Add ordered implementation task breakdown

• Introduces a phased task list spanning permission definitions, new backend permission rules/utilities, middleware abstraction, route refactors, plugin wiring, and verification steps. Organizes tasks by dependency order to guide implementation.

workspaces/augment/openspec/changes/fine-grained-backstage-permissions/tasks.md


Other (1)
.openspec.yaml Register OpenSpec change metadata +2/-0

Register OpenSpec change metadata

• Adds OpenSpec metadata indicating a spec-driven change set and its creation date. This file anchors the new OpenSpec artifact folder.

workspaces/augment/openspec/changes/fine-grained-backstage-permissions/.openspec.yaml


Grey Divider

Qodo Logo

@rhdh-qodo-merge rhdh-qodo-merge Bot added the documentation Improvements or additions to documentation label Jun 12, 2026
Comment thread workspaces/augment/openspec/changes/fine-grained-backstage-permissions/design.md Outdated
gabemontero added a commit to gabemontero/rhdh-plugins that referenced this pull request Jun 15, 2026
…posal

Address all 7 review comments from PatAKnight on PR redhat-developer#3331:

- Namespace config under augment.permissions.legacyAdminFallback
- Reword conditional evaluation to filter semantics (conditions are
  filters not boolean checks), with catalog plugin reference
- Remove audit logging requirement (RBAC plugin handles this)
- Make augment.agent.register a basic permission (no resource type,
  since the resource doesn't exist yet at create time)
- Redesign augment.agent.list as resource-based with 3-tier evaluation
  (ALLOW/DENY/CONDITIONAL) for deployer-configurable visibility rules,
  aligning with orchestrator's CONDITIONAL policy patterns
- Replace deprecated createPermissionIntegrationRouter with
  PermissionsRegistryService and permissionsRegistry.addResourceType
- Add addResourceType to plugin wiring tasks

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: gabemontero <gmontero@redhat.com>
@openshift-ci openshift-ci Bot removed the lgtm label Jun 15, 2026
@openshift-ci

openshift-ci Bot commented Jun 15, 2026

Copy link
Copy Markdown

New changes are detected. LGTM label has been removed.

@gabemontero

Copy link
Copy Markdown
Contributor Author

thanks for the expert review @PatAKnight

claude and I have attempted to make updates around all your comments .... pushed as a separate commit ... PTAL when you have the chance

thanks again

@PatAKnight PatAKnight left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@gabemontero

Copy link
Copy Markdown
Contributor Author

LGTM

awesome / thanks @PatAKnight

gabemontero and others added 4 commits June 22, 2026 11:19
…ssions

Add OpenSpec artifacts for the fine-grained-backstage-permissions change,
which replaces 12+ inline route-level authorization guards with proper
Backstage fine-grained permissions, enabling deployers to configure RBAC
policies for agent and tool lifecycle governance.

Artifacts created:
- proposal.md: motivation, 3 capabilities (permission-definitions,
  authorization-middleware, route-authorization), impact across 12 files
- design.md: 5 architectural decisions covering resource types, two-tier
  fallback, self-approval defense-in-depth, visibility filtering, and
  rule patterns
- specs/permission-definitions/spec.md: 11 requirements (2 resource types,
  16 permissions, 3 permission rules with ownership/stage/self-approval)
- specs/authorization-middleware/spec.md: 5 requirements (two-tier auth,
  conditional evaluation, RouteContext integration)
- specs/route-authorization/spec.md: 14 requirements covering all agent,
  tool, and Kagenti route authorization replacements with backward compat
- tasks.md: 7 task groups, 30 implementation tasks ordered by dependency

Includes the preliminary implementation plan used as source material.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: gabemontero <gmontero@redhat.com>
… proposal

- Clarify authorization-middleware is augment-specific integration layer,
  not RBAC reimplementation; document relationship to existing
  augment.access and augment.admin permissions
- Scope permission-definitions to agents/tools first with rationale;
  other admin operations remain under augment.admin for now
- Clarify route-authorization spec maps augment routes to permissions,
  not RBAC policy evaluation
- Add audit logging as a goal and spec requirement, recording user,
  action, resource, outcome, and whether fallback was used
- Document backward compatibility rationale for two-tier fallback:
  external consumers already use augment.access + augment.admin policies

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: gabemontero <gmontero@redhat.com>
Address second round of PR review feedback on fine-grained permissions proposal:

- Add 5 infrastructure resource permissions (vectorstore, document, mcp, prompt,
  model) as basic permissions, expanding total from 16 to 21. These enable
  deployers to grant targeted access instead of all-or-nothing augment.admin.

- Add corresponding route authorization requirements for all 5 infrastructure
  categories, including closing the gap where MCP tool creation was ungated.

- Change augment.admin fallback from default-on to opt-in via
  permissions.legacyAdminFallback config flag. Dev preview means no backward
  compatibility guarantees — opt-in avoids the "temporary becomes permanent"
  problem where removing the fallback later becomes the breaking change it was
  meant to prevent. Existing deployments can enable the flag during migration.

- Update authorization-middleware spec with fallback-disabled scenarios and
  config-gated fallback behavior in authorizeLifecycleAction and
  authorizeBasicWithFallback.

- Update design.md context, goals, Decision 2, and risk mitigations to reflect
  broader scope and opt-in fallback rationale.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: gabemontero <gmontero@redhat.com>
…posal

Address all 7 review comments from PatAKnight on PR redhat-developer#3331:

- Namespace config under augment.permissions.legacyAdminFallback
- Reword conditional evaluation to filter semantics (conditions are
  filters not boolean checks), with catalog plugin reference
- Remove audit logging requirement (RBAC plugin handles this)
- Make augment.agent.register a basic permission (no resource type,
  since the resource doesn't exist yet at create time)
- Redesign augment.agent.list as resource-based with 3-tier evaluation
  (ALLOW/DENY/CONDITIONAL) for deployer-configurable visibility rules,
  aligning with orchestrator's CONDITIONAL policy patterns
- Replace deprecated createPermissionIntegrationRouter with
  PermissionsRegistryService and permissionsRegistry.addResourceType
- Add addResourceType to plugin wiring tasks

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: gabemontero <gmontero@redhat.com>
@gabemontero gabemontero force-pushed the finer-grained-permissions-proposal branch from 6f6b88c to 46344d2 Compare June 22, 2026 15:19
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation workspace/augment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants