Enabling Fiat [solved]


#1

I’m trying to enable authorization in Spinnaker via G Suite and I’m following the guide: https://www.spinnaker.io/setup/security/authorization/google-groups/.

However, after I execute the hal commands from this section: https://www.spinnaker.io/setup/security/authorization/google-groups/#configure-with-halyard and then do hal deploy apply, I see that the Fiat pod is launched but I don’t see any authz-related fields in the UI (for example, permissions for applications).

Also, according to the logs, Clouddriver does make calls to Fiat to authorize users.

What am I doing wrong? I see that deck expects environment variable FIAT_ENABLED but I don’t see how it’s set by halyard. Do I need to set it myself? If so, how?

I’m using Spinnaker 1.5.4 and Halyard 0.40.0


Error setting up authorization using G Suite [solved]
#2

@Stephen_Chen


#3

That was a misconfiguration on my side. I have a custom config for Deck called ‘settings.js’ and it had fiat disabled. After I enabled it via var fiatEnabled = true; I was able to see the fields in the UI.


#4

It will be nice if they update halyard config features edit to enable fiat through there rather than have to manually edit files.


#5

For some reason after this is enabled I still do not have the fiat yaml file generated and fiat installed in kubernetes


#6

Which version of Spinnaker and Halyard do you use?

Are you sure that you followed these instructions: https://www.spinnaker.io/setup/security/authorization/google-groups/#configure-with-halyard and have all the necessary values in the config file generated by Halyard?


#7

Alright, it was an issue with gate setup. The version 1.5.4

Question, by default fiat will not be installed in kubernetes. I enabled fiat but hal did not install fiat as a service?


#8

I also use Spinnaker version 1.5.4 and that’s not what I observe. After I enabled authorization in the main halyard configuration files, spin-fiat pod got deployed


#9

OK, the enable authorization needs to happen to halyard. Now it works

hal config security authz enable, did the trick


#10

According to the guide it should also support SAML for authz:

hal config security authz enable

hal config security authz file edit --file-path security.authz.config
hal config security authz edit --type file

What is the format of the authz ‘file’?

  • --file-path : A path to a file describing the roles of each user.

I don’t think we need the ‘file’ option set for SAML:

hal config provider kubernetes account edit devkube \
  --add-read-permission spinnaker-ops \
  --add-write-permission spinnaker-ops

I had to edit config manually to enable fiat:

deploymentConfigurations->features->fiat: true

I see fiat pod is running however I don’t have any permission options when I edit the app: