Enabling Fiat [solved]

I’m trying to enable authorization in Spinnaker via G Suite and I follow the guide: https://www.spinnaker.io/setup/security/authorization/google-groups/.

However, after I execute the hal commands from this section: https://www.spinnaker.io/setup/security/authorization/google-groups/#configure-with-halyard and then do hal deploy apply, I see that the Fiat pod is launched, but I don’t see any authz-related fields in the UI (for example, permissions for applications).

Also according to logs Clouddriver does make calls to Fiat to authorize users.

What am I doing wrong? I see that deck expects environment variable FIAT_ENABLED but I don’t see how it’s set by halyard. Do I need to set it myself? If so, how?

I’m using Spinnaker 1.5.4 and Halyard 0.40.0


That was a misconfiguration on my side. I have a custom config for Deck called ‘settings.js’ and it had fiat disabled. After I enabled it via var fiatEnabled = true; I was able to see the fields in the UI.

It will be nice if they update halyard config features edit to enable fiat through there rather than have to manually edit files.

For some reason after this is enabled I still do not have the fiat yaml file generated and fiat installed in kubernetes

Which version of Spinnaker and Halyard do you use?

Are you sure that you followed these instructions: https://www.spinnaker.io/setup/security/authorization/google-groups/#configure-with-halyard and have all the necessary values in the config file generated by Halyard?

Alright, it was an issue with gate setup. The version is 1.5.4.

Question, by default fiat will not be installed in kubernetes. I enabled fiat but hal did not install fiat as a service?

I also use Spinnaker version 1.5.4 and that’s not what I observe. After I enabled authorization in the main halyard configuration files, spin-fiat pod got deployed

OK, the enable authorization needs to happen to halyard. Now it works

hal config security authz enable, did the trick

According to the guide it should also support SAML for authz:

hal config security authz enable

hal config security authz file edit --file-path security.authz.config
hal config security authz edit --type file

What is the format of the authz ‘file’?

  • --file-path : A path to a file describing the roles of each user.

I don’t think we need the ‘file’ option set for SAML:

hal config provider kubernetes account edit devkube \
  --add-read-permission spinnaker-ops \
  --add-write-permission spinnaker-ops

I had to edit config manually to enable fiat:

deploymentConfigurations->features->fiat: true

I see fiat pod is running however I don’t have any permission options when I edit the app:

Hi, sorry for bumping this old thread but have you managed to find a solution to this in the end?