11 software delivery problems solved by intelligence software delivery platform  Download
Select Page
Share

While deploying Spinnaker in the cloud, often we have a situation in the production environments where-in all the developers, QA, and DevOps team members belong to the same group in LDAP (Lightweight Directory Access Protocol). But ideally, every team member should not have the authorization to create/deploy applications. There is a way by which we can prevent people without proper authorization from creating/deploying applications. This can be achieved in two steps:

  1. Create groups from a file, instead of LDAP. We can continue using LDAP for authN.
  2. Use restrictions to prevent others, who are not in these groups from creating applications

In the following example, we will create two groups “baz” and “bar”. The baz group members can only read and execute the application, while the “bar” group members can create, read, write, and execute the application. Users may belong to any one of the groups or both.

In Spinnaker, Fiat is the microservice responsible for authorization. (Read more about Spinnaker architecture here.)

So we will need to modify the configurations in fiat files to achieve the scenario as described above. 

STEP-1:

Go to the Fiat-local.yml file in the .hal/defaults/profile folder and insert the configurations as given below:

				
					auth:
  groupMembership:
    service: file
    file:
      path: /opt/spinnaker/config/fiat-permissions.yml
				
			

In the same directory (.hal/default/profiles), create a file called fiat-permissions.yml, and insert the configurations as given below:

				
					users:
 - username: user1
   roles:
   - bar
   - baz
 - username: user2
   roles:
   - baz
				
			

Note: Here user1 has two groups bar and baz while user2 only has baz.

STEP-2:

Restricting application creation: (supported in Spinnaker 1.17 onwards)

Go to the fiat-local.yml file in (.hal/defaults/profile) folder and insert the configurations as given below:

				
					fiat.restrictApplicationCreation: true
auth.permissions.provider.application: aggregate
auth.permissions.source.application.prefix:
   enabled: true
   prefixes:
    - prefix: "*"   # “all” applications. it is possible to restrict application creation based on regex
      permissions:
        CREATE:
        - "bar"   #Only users who belong to “bar” can create an application
        READ:
        - "bar"
        - "baz"  #baz users can read and execute if allowed by the application  permissions
        WRITE:
        - "bar"
        EXECUTE:
        - "bar"
        - "baz"
				
			

Now we can generalize that:

  1. User1 can create an application, create a pipeline, edit and execute
  2. User2 cannot create an application but can view and execute the pipeline (as baz was given read-only access in the application)
  3. User3, who is not present anywhere, can log in but cannot see any application or create one.
  4. Any application, where roles are not set, cannot be changed without WRITE permission. 

If you want to know more about the Spinnaker application or request a demonstration, please book a meeting with us.

OpsMx is a leading provider of Continuous Delivery solutions that help enterprises safely deliver software at scale and without any human intervention. We help engineering teams take the risk and manual effort out of releasing innovations at the speed of modern business. For additional information, contact us


References:

  1. File-based user roles provider:
    https://github.com/ksrinimba/fiat/blob/master/fiat-file/src/main/java/com/netflix/spinnaker/fiat/roles/file/FileBasedUserRolesProvider.java
  2. Flexible authorization model:
    https://spinnaker.io/community/releases/versions/1-17-6-changelog#more-flexible-authorization-model
  3. Resource group permissions:
    https://github.com/spinnaker/fiat/blob/8beac88176c9910e4fa4dda2303fdbdc5ae44080/README.md#resource-group-permissions

0 Comments

Submit a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.