Configuring groups from a file in Spinnaker with restricted permissions for cloud services
While deploying Spinnaker in the cloud, production environments often have all the developers, QA engineers, and DevOps team members in the same LDAP (Lightweight Directory Access Protocol) group. Ideally, though, not every team member should be authorized to create or deploy applications. Spinnaker offers a way to prevent users without the proper authorization from creating or deploying applications. This takes two steps:
- Create the groups from a file instead of LDAP, while continuing to use LDAP for authentication (authN).
- Apply restrictions so that users who are not in these groups cannot create applications.
In the following example, we will create two groups, “baz” and “bar”. Members of the “baz” group can only read and execute an application, while members of the “bar” group can create, read, write, and execute it. A user may belong to either group or to both.
In Spinnaker, Fiat is the microservice responsible for authorization. (Read more about Spinnaker architecture here.)
So we will need to modify the Fiat configuration files to achieve the scenario described above.
STEP-1:
Go to the fiat-local.yml file in the .hal/default/profiles folder and insert the configuration below (indentation matters in YAML):
auth:
  groupMembership:
    service: file
    file:
      path: /opt/spinnaker/config/fiat-permissions.yml
In the same directory (.hal/default/profiles), create a file called fiat-permissions.yml with the following contents:
users:
  - username: user1
    roles:
      - bar
      - baz
  - username: user2
    roles:
      - baz
Note: here user1 holds two roles, bar and baz, while user2 holds only baz.
STEP-2:
Restricting application creation: (supported in Spinnaker 1.17 onwards)
Go to the fiat-local.yml file in the .hal/default/profiles folder and insert the configuration below:
fiat.restrictApplicationCreation: true
auth.permissions.provider.application: aggregate
auth.permissions.source.application.prefix:
  enabled: true
  prefixes:
    - prefix: "*"   # "all" applications; it is also possible to restrict application creation based on a regex
      permissions:
        CREATE:
          - "bar"   # only users who belong to "bar" can create an application
        READ:
          - "bar"
          - "baz"   # baz users can read and execute if allowed by the application permissions
        WRITE:
          - "bar"
        EXECUTE:
          - "bar"
          - "baz"
From this configuration it follows that:
- User1 can create an application, create a pipeline, and edit and execute it.
- User2 cannot create an application but can view and execute the pipeline (since baz was given only read and execute access to the application).
- User3, who appears in neither file, can log in but cannot see any application or create one.
- Any application whose roles are not set cannot be changed without WRITE permission.
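As an added illustration (not from the OpsMx post or from Fiat's own code), the following Python script models how Fiat combines the two files above into per-user permissions and reproduces the conclusions listed. Assumed semantics: roles are looked up by exact username, a prefix ending in "*" matches by string prefix, and the "aggregate" provider unions the prefix-source grants with an application's own permissions.

```python
# Constructed copy of fiat-permissions.yml (the file-based role provider).
USERS = {
    "user1": {"bar", "baz"},
    "user2": {"baz"},
}
# Constructed copy of auth.permissions.source.application.prefix.prefixes.
PREFIXES = [
    {
        "prefix": "*",
        "permissions": {
            "CREATE": {"bar"},
            "READ": {"bar", "baz"},
            "WRITE": {"bar"},
            "EXECUTE": {"bar", "baz"},
        },
    },
]
ACTIONS = ("CREATE", "READ", "WRITE", "EXECUTE")

def prefix_matches(prefix, app_name):
    """Assumed matching: '*' matches every application, 'abc*' matches names
    beginning with abc, anything else must equal the application name."""
    if prefix.endswith("*"):
        return app_name.startswith(prefix[:-1])
    return app_name == prefix

def source_permissions(app_name, app_permissions=None):
    """Union the prefix-source grants with the application's own permissions,
    which is what the 'aggregate' provider is assumed to do."""
    grants = {action: set() for action in ACTIONS}
    for entry in PREFIXES:
        if prefix_matches(entry["prefix"], app_name):
            for action, roles in entry["permissions"].items():
                grants[action] |= set(roles)
    for action, roles in (app_permissions or {}).items():
        grants[action] |= set(roles)
    return grants

def allowed_actions(username, app_name, app_permissions=None):
    """Actions the user may perform on app_name: an action is allowed when the
    user holds at least one role granted for it. Unknown users hold no roles."""
    roles = USERS.get(username, set())
    grants = source_permissions(app_name, app_permissions)
    return {action for action in ACTIONS if roles & grants[action]}

if __name__ == "__main__":
    for user in ("user1", "user2", "user3"):
        print(user, sorted(allowed_actions(user, "demoapp")))
```

Passing an application's own permissions as the third argument shows how a per-application WRITE grant to baz would extend user2's rights under the aggregate provider.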
If you want to know more about the Spinnaker application or request a demonstration, please book a meeting with us.
OpsMx is a leading provider of Continuous Delivery solutions that help enterprises safely deliver software at scale without human intervention. We help engineering teams take the risk and manual effort out of releasing innovations at the speed of modern business. For additional information, contact us.
References:
- File-based user roles provider: https://github.com/ksrinimba/fiat/blob/master/fiat-file/src/main/java/com/netflix/spinnaker/fiat/roles/file/FileBasedUserRolesProvider.java
- Flexible authorization model: https://spinnaker.io/community/releases/versions/1-17-6-changelog#more-flexible-authorization-model
- Resource group permissions: https://github.com/spinnaker/fiat/blob/8beac88176c9910e4fa4dda2303fdbdc5ae44080/README.md#resource-group-permissions