Restrict Application Creation/Modification in Spinnaker
Before Spinnaker 1.17 there was no way to prevent users from creating applications. When configuring permissions, you must explicitly configure permissions for each user role; a role with no permissions configured cannot perform any action.
Explanation
Fiat is the authorization (authz) microservice of Spinnaker; it looks up permissions from different sources. Spinnaker 1.17 added new sources, giving more flexibility in how permissions are applied. This page focuses on the prefix source, which controls permissions for any application whose name starts with a given prefix. To use it, you enable the new sources in Fiat and configure the prefix source under auth.permissions.source.application.prefix.
Note: authz must be enabled before application-level restrictions can be used.
Perform the following steps:
1. In fiat-local.yml, add the following value:
auth.permissions.provider.application: aggregate
2. Application-level restriction is achieved with the prefix concept. Enable the prefix source by adding the following lines to ~/.hal/default/profiles/fiat-local.yml:
auth.permissions.source.application.prefix:
  enabled: true
3. Grant access per role: for each prefix, list the roles that receive each permission. Each prefix entry has the following shape:
- prefix: <<application_prefix>>
  permissions:
    READ:
      - <Role1>
      - <Role2>
    WRITE:
      - <Role3>
      - <Role4>
    EXECUTE:
      - <Role2>
      - <Role4>
Note: Currently, the prefix source is the only source that supports the CREATE permission.
A sample ~/.hal/default/profiles/fiat-local.yml file looks like this:
fiat.restrictApplicationCreation: true
auth.permissions.provider.application: aggregate
auth.permissions.source.application.prefix:
  enabled: true
  prefixes:
    - prefix: "*"
      permissions:
        CREATE:
          - "rwxgroup"
        READ:
          - "rogroup"
          - "spin-rxgroup"
        WRITE:
          - "rwxgroup"
        EXECUTE:
          - "rxgroup"
Because the prefix is "*", this entry applies to every application. It assigns CREATE permission only to users with the rwxgroup role, so users without that role cannot create any application in Spinnaker.
Finally, apply your configuration changes to Spinnaker by running the following command: hal deploy apply.
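As an added example (not code from the original post or from Spinnaker/Fiat), the following Python evaluates what a prefix-source configuration grants on a given application name and lints it for the mistakes that silently lock everyone out, so the file can be checked before hal deploy apply. The `prefixes` list is a constructed stand-in for the sample above with a second, narrower entry, and the matching rule ("*" matches everything, anything else is a plain name prefix) is an assumption; Fiat's own source is authoritative.

```python
ACTIONS = ("CREATE", "READ", "WRITE", "EXECUTE")

# Constructed stand-in for the `prefixes:` list of the sample fiat-local.yml above,
# with a second, narrower entry added to show how several prefixes combine.
SAMPLE_PREFIXES = [
    {"prefix": "*",
     "permissions": {"CREATE": ["rwxgroup"], "READ": ["rogroup", "spin-rxgroup"],
                     "WRITE": ["rwxgroup"], "EXECUTE": ["rxgroup"]}},
    {"prefix": "payments-",
     "permissions": {"READ": ["payments-team"], "WRITE": ["payments-team"]}},
]


def prefix_matches(prefix, app_name):
    # Assumed matching rule: "*" matches every application, anything else is a
    # plain name prefix. Fiat's own source is authoritative for the real rule.
    return prefix == "*" or app_name.startswith(prefix)


def roles_for(prefixes, app_name, action):
    # Union of the roles granted `action` on `app_name` by every matching prefix.
    granted = set()
    for entry in prefixes:
        if prefix_matches(entry["prefix"], app_name):
            granted.update(entry.get("permissions", {}).get(action, []))
    return granted


def is_allowed(prefixes, app_name, user_roles, action):
    # A user may perform `action` if any of their roles is in the granted set.
    return bool(roles_for(prefixes, app_name, action) & set(user_roles))


def lint_prefixes(prefixes, restrict_creation):
    # Catch the mistakes that turn into "nobody can do anything": a misspelled
    # `permissions` key, an action key Fiat does not know, and CREATE granted to
    # no role at all while fiat.restrictApplicationCreation is true.
    findings = []
    for entry in prefixes:
        if "permissions" not in entry:
            findings.append(f"{entry['prefix']}: no 'permissions' key (case matters)")
        unknown = set(entry.get("permissions", {})) - set(ACTIONS)
        if unknown:
            findings.append(f"{entry['prefix']}: unknown actions {sorted(unknown)}")
    creators = {r for e in prefixes for r in e.get("permissions", {}).get("CREATE", [])}
    if restrict_creation and not creators:
        findings.append("restrictApplicationCreation is true but no prefix grants CREATE")
    return findings
```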
Reference:
https://spinnaker.io/community/releases/versions/1-17-6-changelog#more-flexible-authorization-model
If you want to know more about OpsMx Enterprise for Spinnaker or request a demonstration, please book a meeting with us.
OpsMx is a leading provider of Continuous Delivery solutions that help enterprises safely deliver software at scale and without any human intervention. We help engineering teams take the risk and manual effort out of releasing innovations at the speed of modern business. For additional information, contact us.