How To Enable External Sources Authorization in Spinnaker
Before Spinnaker 1.17.1, there were no restrictions on application creation by users. Enterprises now need to restrict application creation in order to enforce their policies for onboarding applications.
From 1.17.x, users can restrict application creation by setting the flag 'fiat.restrictApplicationCreation' to true. With the flag set, permissions provided in the application are ignored and the permissions provided in the external source are applied.
Fiat now accepts permissions from external sources for creating applications. By default, application permissions are stored in Front50. This article will help you create applications from external sources.
The fields used for creating applications from external sources are explained in detail below.
Field | Values | Explanation |
fiat.restrictApplicationCreation | true/false | false: Default legacy application permissions are applied. true: User can restrict application creation. This field value (true) is mandatory for creating applications through external sources. |
auth.permissions.provider.application | default/aggregate | default: Default legacy application permissions are applied. aggregate: Adds permissions from external sources. |
auth.permissions.source.application.prefix.resolutionStrategy | AGGREGATE/MOST_SPECIFIC | AGGREGATE: Permissions will be aggregated from all matching prefixes. MOST_SPECIFIC: Permissions will be applied from the most specific prefix. |
User | Roles |
opsmxemp1 | dev,qa,emp,mgr |
Sample Configuration:
File: .hal/default/profiles/fiat-local.yml

```yaml
fiat.restrictApplicationCreation: true
auth.permissions.provider.application: aggregate
auth.permissions.source.application.prefix.resolutionStrategy: AGGREGATE
auth.permissions.source.application.prefix:
  enabled: true
  prefixes:
    - prefix: "fooapp"
      permissions:
        READ:
          - "dev"
        WRITE:
          - "qa"
        EXECUTE:
          - "emp"
    - prefix: "fooapp12"
      permissions:
        CREATE:
          - "dev"
    - prefix: "testapp"
      permissions:
        CREATE:
          - "finance"
    - prefix: "bar*"
      permissions:
        CREATE:
          - "mgr"
    - prefix: "barapp*"
      permissions:
        READ:
          - "dev"
```
Test cases:
*fiat.restrictApplicationCreation: true
*auth.permissions.provider.application: aggregate
Field | Application name | Comments |
auth.permissions.source.application.prefix.resolutionStrategy: AGGREGATE | bar | Application created successfully. |
 | barapp | Application created successfully. |
 | barap | Application created successfully. |
 | barapp001 | Application created successfully. |
 | fooapp12 | Application created successfully. |
 | fooapp | Could not create application |
 | testapp | Could not create application |
auth.permissions.source.application.prefix.resolutionStrategy: MOST_SPECIFIC | bar | Application created successfully. |
 | barapp | Could not create application |
 | barap | Application created successfully. |
 | barapp001 | Could not create application |
 | fooapp12 | Application created successfully. |
 | fooapp | Could not create application |
 | testapp | Could not create application |
* mandatory configuration fields
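
The following added example (not Fiat's own code and not part of the original article) models the sample configuration in Python and reproduces the test-case table for user opsmxemp1 under both resolution strategies. It assumes that an entry ending in `*` matches by prefix, that any other entry matches only the exact application name, and that MOST_SPECIFIC selects the longest matching entry; the function names are hypothetical.

```python
# Model of the prefix permission source (added example, not Fiat's code).
# Entries mirror the sample fiat-local.yml above.
PREFIXES = {
    "fooapp":   {"READ": {"dev"}, "WRITE": {"qa"}, "EXECUTE": {"emp"}},
    "fooapp12": {"CREATE": {"dev"}},
    "testapp":  {"CREATE": {"finance"}},
    "bar*":     {"CREATE": {"mgr"}},
    "barapp*":  {"READ": {"dev"}},
}
USER_ROLES = {"dev", "qa", "emp", "mgr"}  # opsmxemp1 from the article


def matches(entry, app):
    # Assumption: trailing "*" means prefix match, otherwise exact name.
    if entry.endswith("*"):
        return app.startswith(entry[:-1])
    return app == entry


def resolve(app, strategy):
    """Return {authorization: roles} that apply to app under the strategy."""
    hits = [e for e in PREFIXES if matches(e, app)]
    if not hits:
        return None  # no entry applies; the article's table does not cover this
    if strategy == "MOST_SPECIFIC":
        # Assumption: exact names outrank wildcards, then the longest entry wins.
        hits = [max(hits, key=lambda e: (not e.endswith("*"), len(e)))]
    merged = {}
    for entry in hits:  # AGGREGATE: union over every matching entry
        for auth, roles in PREFIXES[entry].items():
            merged.setdefault(auth, set()).update(roles)
    return merged


def can_create(app, roles, strategy):
    perms = resolve(app, strategy)
    if perms is None:
        return None  # not modelled
    return bool(perms.get("CREATE", set()) & set(roles))


def table(strategy, roles=USER_ROLES):
    apps = ["bar", "barapp", "barap", "barapp001", "fooapp12", "fooapp", "testapp"]
    return {app: can_create(app, roles, strategy) for app in apps}


if __name__ == "__main__":
    for strategy in ("AGGREGATE", "MOST_SPECIFIC"):
        print(strategy, table(strategy))
```

The difference between the two strategies shows up at barapp and barapp001: under AGGREGATE the broad "bar*" entry still grants CREATE to mgr, while under MOST_SPECIFIC the narrower "barapp*" entry, which lists no CREATE roles, is the only one applied.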