Can't see accounts when trying to "Deploy (Manifest)" -- Authorization


#1

I used this guide https://www.spinnaker.io/setup/security/authorization/#accounts to attempt to get our authorization working so that we can limit our spinnaker accounts access to certain google groups.

When I run hal config I can see the requiredGroupMemberships being correctly listed. On the spinnaker applications screen (http://localhost:9000/#/applications) I can see all the Accounts listed out that were previously there. When I go in to create a pipeline and attempt to choose “Deploy (Manifest)”, the dropdown list for Accounts is empty.

Maybe I don’t really understand how Authorization should work (there isn’t a lot of documentation), but I would guess that 1. there is a bug that won’t allow me to choose an account… or 2. somehow fiat doesn’t recognize that I am a part of the group, in which case… why am I able to see AND even create a pipeline for an application I “don’t have access to”?

Any help would be greatly appreciated


#2

Hey Brian,

Can you clarify whether you see the “Accounts” or the “Applications” on the home page?

Applications and Accounts are two separate resources with their own AuthZ so you’d have to configure both to be locked to the group.


#3

Is it normal to see an account that I “don’t have access to”?

I went into halyard and disabled authz (hal config security authz disable and hal deploy apply) and now the accounts show up… It seems like it’s not recognizing that I am a part of the group for those accounts.

What exactly is authorization stopping me from doing? I’d think that if I didn’t have access to an account I wouldn’t be able to run a pipeline that that account is associated with… is that not the case?

Any reference documentation you can provide on how to limit applications by group?


#4

I’ve verified that this does seem to be related to the latter case where it doesn’t recognize that I have access to these groups.

I’ve checked the Fiat logs, in which I do see the following message: Fiat:UserRoleSyncer completed in 30s, which indicates to me that the service account should have the access needed to verify the group permissions (I could be completely off in this assumption).

Another tidbit is I’ve seen this message: Deprecated requiredGroupMembership found on ACCOUNT xxxxxxxx. Please update to permissions. But given that it’s a deprecation, I’ve chosen to ignore this for now (happy if someone could link to updated documentation for this…).

Not sure where to check next if anyone has ideas.


#5

Brian, have you also locked down the applications themselves to specific groups? https://www.spinnaker.io/setup/security/authorization/#applications
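The behaviour discussed in #2 and #4 (accounts and applications carry separate READ/WRITE permissions, and the deprecated requiredGroupMembership maps onto those permissions) can be modelled in a few lines. The following is an added example, not Spinnaker or Fiat code; it assumes a simplified rule set: a resource with no permissions is unrestricted and visible to everyone, READ on an account is what makes it appear in a dropdown, WRITE is what a deploy needs, and requiredGroupMembership is treated as READ+WRITE for the listed groups. The account and application names, group names and roles are constructed for illustration. It shows how an unrestricted application can stay visible and editable while the account dropdown is empty, which is exactly what happens when the user's group memberships are not resolved.

```python
# Added example (not Spinnaker/Fiat code): a simplified model of per-resource
# READ/WRITE authorization, to show why an application can remain visible
# while every restricted account disappears from the account dropdown.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Resource:
    """An account or application with optional READ/WRITE role lists."""
    name: str
    kind: str                      # "account" or "application"
    read: FrozenSet[str] = frozenset()
    write: FrozenSet[str] = frozenset()

    @property
    def restricted(self) -> bool:
        # Assumption of this model: a resource with no permissions at all is
        # unrestricted, i.e. every authenticated user can see and use it.
        return bool(self.read or self.write)


def from_required_group_membership(name: str, kind: str, groups: List[str]) -> Resource:
    """Model the deprecated requiredGroupMembership as READ+WRITE for the same
    groups (assumption of this model; check the docs for your version)."""
    roles = frozenset(groups)
    return Resource(name, kind, read=roles, write=roles)


def can_read(user_roles: FrozenSet[str], res: Resource) -> bool:
    return (not res.restricted) or bool(user_roles & res.read)


def can_write(user_roles: FrozenSet[str], res: Resource) -> bool:
    return (not res.restricted) or bool(user_roles & res.write)


def visible_accounts(user_roles: FrozenSet[str], resources: Iterable[Resource]) -> List[str]:
    """Accounts a dropdown would offer: READ on the account."""
    return sorted(r.name for r in resources if r.kind == "account" and can_read(user_roles, r))


def deployable_accounts(user_roles: FrozenSet[str], resources: Iterable[Resource]) -> List[str]:
    """Accounts a deploy stage could actually use: WRITE on the account."""
    return sorted(r.name for r in resources if r.kind == "account" and can_write(user_roles, r))


def evaluate(user_roles: FrozenSet[str], app: Resource, accounts: List[Resource]) -> Dict[str, object]:
    """Summarise what a user with these resolved roles can do."""
    return {
        "sees_application": can_read(user_roles, app),
        "can_edit_pipelines": can_write(user_roles, app),
        "account_dropdown": visible_accounts(user_roles, accounts),
        "deployable_accounts": deployable_accounts(user_roles, accounts),
    }


# Constructed sample configuration (not from the thread): every account is
# restricted to some group, the "payments" application has no permissions set.
ACCOUNTS = [
    from_required_group_membership("gce-prod", "account", ["gg-sre"]),
    Resource("gce-dev", "account",
             read=frozenset({"gg-dev", "gg-sre"}), write=frozenset({"gg-dev"})),
]
PAYMENTS_APP = Resource("payments", "application")   # unrestricted
BILLING_APP = Resource("billing", "application",
                       read=frozenset({"gg-sre"}), write=frozenset({"gg-sre"}))

if __name__ == "__main__":
    # Roles as the role syncer resolved them; an empty set means the user was
    # not mapped to any group, which empties the dropdown without hiding the app.
    for roles in (frozenset(), frozenset({"gg-dev"}), frozenset({"gg-sre"})):
        print(sorted(roles) or "<no roles resolved>", evaluate(roles, PAYMENTS_APP, ACCOUNTS))
```

Run as a script it prints one summary per role set. With no roles resolved the unrestricted application is still visible and its pipelines editable, but both the visible and the deployable account lists are empty; restricting the application as well (as #5 suggests) hides it from the same user.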