How To Enable External Sources Authorization in Spinnaker

Before Spinnaker 1.17.1, there were no restrictions on which users could create applications. Enterprises now need to restrict application creation in order to enforce their policies for onboarding applications.

From 1.17.x, users can restrict application creation by setting the flag 'fiat.restrictApplicationCreation' to true. With this flag set, permissions provided in the application are ignored and the permissions provided in the external source are applied.

Fiat now accepts permissions from external sources for creating applications. By default, application permissions are stored in Front50. This article will help you create applications from external sources.

The fields that help in creating applications from external sources are explained in detail below.

 

Field: fiat.restrictApplicationCreation
Values: true/false
Explanation:
  false: Default legacy application permissions are applied.
  true: User can restrict application creation. This field value (true) is mandatory for creating applications through external sources.

Field: auth.permissions.provider.application
Values: default/aggregate
Explanation:
  default: Default legacy application permissions are applied.
  aggregate: Adds permissions from external sources.

Field: auth.permissions.source.application.prefix.resolutionStrategy
Values: AGGREGATE/MOST_SPECIFIC
Explanation:
  AGGREGATE: Permissions will be aggregated from all matching prefixes.
  MOST_SPECIFIC: Permissions will be applied from the most specific prefix.

 

User        Roles
opsmxemp1   dev, qa, emp, mgr

Sample Configuration:

.hal/default/profiles/fiat-local.yml

fiat.restrictApplicationCreation: true
auth.permissions.provider.application: aggregate
auth.permissions.source.application.prefix.resolutionStrategy: AGGREGATE
auth.permissions.source.application.prefix:
  enabled: true
  prefixes:
    - prefix: "fooapp"
      permissions:
        READ:
          - "dev"
        WRITE:
          - "qa"
        EXECUTE:
          - "emp"
    - prefix: "fooapp12"
      permissions:
        CREATE:
          - "dev"
    - prefix: "testapp"
      permissions:
        CREATE:
          - "finance"
    - prefix: "bar*"
      permissions:
        CREATE:
          - "mgr"
    - prefix: "barapp*"
      permissions:
        READ:
          - "dev"

Test cases:

*fiat.restrictApplicationCreation: true
*auth.permissions.provider.application: aggregate

auth.permissions.source.application.prefix.resolutionStrategy: AGGREGATE

Application name   Comments
bar                Application created successfully.
barapp             Application created successfully.
barap              Application created successfully.
barapp001          Application created successfully.
fooapp12           Application created successfully.
fooapp             Could not create application
testapp            Could not create application

auth.permissions.source.application.prefix.resolutionStrategy: MOST_SPECIFIC

Application name   Comments
bar                Application created successfully.
barapp             Could not create application
barap              Application created successfully.
barapp001          Could not create application
fooapp12           Application created successfully.
fooapp             Could not create application
testapp            Could not create application

* mandatory configuration fields
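
The test cases above can be reproduced with a small model of the prefix resolution. The Python below is an added example, not Fiat's own code; the prefix list and roles are copied from the sample configuration and user table. It assumes that an entry ending in "*" matches by prefix, that any other entry matches the full application name only, and that MOST_SPECIFIC prefers a full name and then the longest prefix.

```python
# Constructed model of the prefix entries in the sample fiat-local.yml above.
PREFIXES = [
    ("fooapp",   {"READ": ["dev"], "WRITE": ["qa"], "EXECUTE": ["emp"]}),
    ("fooapp12", {"CREATE": ["dev"]}),
    ("testapp",  {"CREATE": ["finance"]}),
    ("bar*",     {"CREATE": ["mgr"]}),
    ("barapp*",  {"READ": ["dev"]}),
]
USER_ROLES = {"dev", "qa", "emp", "mgr"}  # roles of user opsmxemp1


def matches(prefix, app):
    # Assumption: a trailing "*" means "starts with"; otherwise the entry
    # is a full application name and must match exactly.
    if prefix.endswith("*"):
        return app.startswith(prefix[:-1])
    return app == prefix


def resolve(app, strategy, prefixes=PREFIXES):
    """Return the permissions map this model yields for `app`."""
    hits = [(p, perms) for p, perms in prefixes if matches(p, app)]
    if not hits:
        return {}  # no entry matches; the page does not cover this case
    if strategy == "MOST_SPECIFIC":
        # Assumption: a full name beats any wildcard, then the longest prefix wins.
        hits = [max(hits, key=lambda h: (not h[0].endswith("*"), len(h[0])))]
    merged = {}
    for _, perms in hits:  # AGGREGATE: union of roles per permission type
        for kind, roles in perms.items():
            merged.setdefault(kind, set()).update(roles)
    return merged


def can_create(app, strategy, roles=USER_ROLES):
    # Creation is allowed only if the user holds a role listed under CREATE.
    return bool(resolve(app, strategy).get("CREATE", set()) & set(roles))


def results(strategy):
    apps = ["bar", "barapp", "barap", "barapp001", "fooapp12", "fooapp", "testapp"]
    return {app: can_create(app, strategy) for app in apps}


if __name__ == "__main__":
    for strategy in ("AGGREGATE", "MOST_SPECIFIC"):
        for app, ok in results(strategy).items():
            print(f"{strategy:14} {app:10} {'created' if ok else 'could not create'}")
```

Under MOST_SPECIFIC the "barapp*" entry carries no CREATE role, so it overrides the CREATE grant from "bar*" for barapp and barapp001, which is why those two rows differ between the strategies.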

 
