Using the Open Policy Agent with Backstage!

Hello! 👋

I'm Peter, a software engineer who's spent the last few years working with OPA (Open Policy Agent) and Backstage in my spare time (and now at work!).

Bringing the two together felt natural, as I have a deep appreciation for OPA—it was my first open-source project contribution, and the support from the maintainers was invaluable in building my confidence to continue contributing and building in Open Source.

The Need For Authorization

While many organizations treat everything within their Backstage application as 'public'—meaning accessible to anyone internally—the reality, especially in regulated industries, is that we may need to control visibility more selectively across the organization.

Backstage comes with an in-built permissions framework for cases like the above, for rarely changing, static authorization policy the built-in permissions framework might be enough.

So Why Use OPA With Backstage?

A key motivation for developing the plugins to integrate OPA with Backstage was to avoid the need to rebuild and redeploy the application for each permission change.

For instance, if a user needed to be added or removed, or a group updated, I wanted to eliminate those urgent "drop everything and edit this permission" moments.

And so, the OPA Permissions Wrapper Plugin was born! With the recent updates to the Backstage backend, this is technically an "extension" of the permissions framework. It forwards all authorization requests to OPA, where decisions are made based on defined policies—allowing for more dynamic control!

What Does This Solve?

• Instead of coding policies directly into your Backstage instance with TypeScript, create, edit and manage your policies with OPA!
• Manage your policies in a more flexible way, you can use OPA's Rego language to write your policies.
• No need to redeploy your Backstage instance to update your permission policies, simply update your OPA policies and you are good to go!
• Enable teams to manage their own policies, without needing to know TypeScript or the Backstage codebase!

Other Reading Material

• Going Backstage With OPA
• Can It Be Done? Building Fine-Grained Access Control for Backstage with OPA

To Be Continued?

This is an introduction to spread the word. If you're interested in a deeper, technical write-up of these plugins, let me know and I’ll continue!

I’m also working on an implementation that fully uses OPA, bypassing the permissions framework for custom Backstage plugins—and I am more than happy to write about it!

Thanks for reading!

Peter