Skip to content

feat: add DevTools plugin gated to cloud-engineering/admins#130

Merged
quiiver merged 7 commits into
mainfrom
feat/devtools-plugin-admin-permission
Jul 13, 2026
Merged

feat: add DevTools plugin gated to cloud-engineering/admins#130
quiiver merged 7 commits into
mainfrom
feat/devtools-plugin-admin-permission

Conversation

@quiiver

@quiiver quiiver commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

What

Adds the Backstage DevTools plugin (frontend page + backend) and restricts it
to members of the cloud-engineering/admins workgroup subgroup via a custom
permission policy.

  • Backend: @backstage/plugin-devtools-backend; a custom PermissionPolicy
    (permissionPolicyDevToolsAdmin) replacing the allow-all policy — returns ALLOW
    for everything except DevTools permissions, which require
    group:workgroups/cloud-engineering-admins in the caller's ownershipEntityRefs.
    Gates the stable devToolsPermissions aggregate plus the alpha
    Scheduled-Tasks permissions.
  • Frontend: @backstage/plugin-devtools (new frontend system) added to the
    features array; a RequirePermission-gated sidebar entry (hidden for non-admins).
  • Config: devTools.scheduledTasks.plugins: [catalog] to surface the catalog
    plugin's scheduled tasks.

Depends on

Account-linking (#129, merged) — that work is what makes a signed-in
cloud-engineering/admins member's ownershipEntityRefs actually contain the
group, so the gate can pass. Without it the gate is inert.

Notes

  • The Scheduled-Tasks tab's read/trigger/cancel hit the catalog plugin's core
    .backstage/scheduler/v1/tasks API, which isn't permission-integrated in the
    pinned versions — the gate there is frontend/defense-in-depth, not a hard lock.
  • Suggest squash-merge (history contains an intermediate wip: commit).

Verification

Backend policy unit tests (14) green; tsc, lint, prettier clean. Merged current
main (incl. account-linking) into the branch.

quiiver added 7 commits July 1, 2026 16:53
…n policy

Replaces the allow-all permission policy with DevToolsAdminPermissionPolicy,
which allows every permission except the four DevTools permissions, which
now require the caller's ownership refs to include
group:workgroups/cloud-engineering-admin. Removes the now-unused
@backstage/plugin-permission-backend-module-allow-all-policy dependency.
…admin-permission

# Conflicts:
#	packages/backend/package.json
#	yarn.lock
@quiiver
quiiver merged commit aebc258 into main Jul 13, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant