Setting up Authorization with Google Groups


#1

The documentation here (https://www.spinnaker.io/setup/security/authorization/) could really use some updates to explain more about how authorization works. First of all, I have read in many places that the requiredGroupMemberships property is deprecated (I’ve even heard that it straight up doesn’t work in Spinnaker 1.7.5+). Despite this, I’ve seen some really weird behavior while trying to figure out how exactly Authorization should work.

I am able to see Google Groups that I belong to in the “Edit Application Properties > Permissions” dropdown, which to me indicates that the service account that has the GSuite Group Read access appears to be working.

  1. There is no information I can find that explains how these groups should be specified when using Google OAuth and trying to specify Google Groups… My guess is that they should look exactly like the names in the Permissions dropdown… but that doesn’t seem to work. I’ve also tried including the domain but have not had luck finding the solution here…

For example: I added READ and WRITE permissions for our “dev” group to our account (cluster, using k8s v2) and the application ceases to exist in the UI when this is done.

  2. My application exists across multiple accounts (which according to the documentation above is fine), but when enabling permissions on one account… the entire application becomes completely inaccessible, even for the “accounts” that don’t have any permissions enabled… not exactly sure how this should work.

  3. I currently have our authorization disabled (due to the issues called out above) but didn’t remove the “permissions” I had defined on our account. Even with authorization disabled I still get the following message when trying to trigger our pipeline for this account:

Exception ( Deploy Manifest )
my@email.com is not authorized (account: my-authorized-spinnaker-account, description: KubernetesDeployManifestDescription)

The same thing happens when this is triggered via our pubsub trigger, but with “anonymous” instead of “my@email.com”.

It is possible that I just don’t understand enough about how to configure Fiat, but some of these items seem quite strange to me and have made enabling authorization somewhat of a headache, especially in an environment where we are now actively using our Spinnaker instance for our day-to-day development work. Any help would be greatly appreciated!


#2

@Stephen_Chen is cleaning up the requiredGroupMembership -> permissions object and can comment.

Yeah, security is something we’ve struggled to really clean up, but all feedback helps. There’s enough at play here that perhaps it’s worth @ezimanyi or me doing a working session together with you, either via Slack or even a Hangouts, to work through this. Please reach out to me with what works for you.


#3

@stevenkim that would be great. I am available on either Hangouts or Slack. I do idle in the Spinnaker slack if that’s easier. My username should be @banderson, otherwise my hangouts is just my username on the forums @gmail.com.


#4

Yeah, the docs have been somewhat out of date since the addition of Permissions a while back. I am currently working on adding permissions support in Halyard and updating the docs to encourage people to move to it. There have also been some posts mentioning that requiredGroupMembership is no longer working, although I tried reproducing it this morning and my config does restrict access properly, so I’m not sure what the actual state of that is yet.

If it helps, here is the docs update PR I have currently: https://github.com/spinnaker/spinnaker.github.io/pull/813, which will go in after Halyard releases with the new commands (https://github.com/spinnaker/halyard/pull/954). For now, you can add the permissions in your clouddriver-local.yml, or in Halyard with requiredGroupMembership.
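For readers landing on this thread later, the following is an added example of the clouddriver-local.yml shape that the reply above refers to; it is not configuration posted by anyone in the thread or taken from the Spinnaker docs PR. The account name is the one from the error message in the first post; the group identifiers (`dev-group-placeholder`, `ops-group-placeholder`) and the kubeconfig path are constructed placeholders, and the exact string Fiat expects for a Google Group (the name shown in the Permissions dropdown versus the group’s full address) is the open question in this thread, so substitute whatever your Fiat instance reports for your groups.

```yaml
# clouddriver-local.yml (added example fragment; not from this thread or the Spinnaker docs).
# Group identifiers and the kubeconfig path below are constructed placeholders.
kubernetes:
  enabled: true
  accounts:
    - name: my-authorized-spinnaker-account
      providerVersion: v2
      kubeconfigFile: /home/spinnaker/.kube/config   # placeholder path
      # Current mechanism: explicit per-account role lists.
      # READ lets a member see the account's resources in Deck;
      # WRITE is what a mutating operation such as Deploy (Manifest) is
      # checked against. The "is not authorized (account: ...,
      # description: KubernetesDeployManifestDescription)" message in the
      # first post is Clouddriver refusing such an operation for the
      # calling identity; pipelines started by a pubsub trigger arrive
      # as "anonymous" rather than as a named user, as noted above.
      permissions:
        READ:
          - dev-group-placeholder
          - ops-group-placeholder
        WRITE:
          - dev-group-placeholder

    - name: my-legacy-account
      providerVersion: v2
      kubeconfigFile: /home/spinnaker/.kube/config   # placeholder path
      # Deprecated mechanism (the one the first post calls
      # requiredGroupMemberships): membership in any listed group grants
      # the member both READ and WRITE on the account, with no way to
      # express read-only access. Prefer the permissions block above.
      requiredGroupMembership:
        - dev-group-placeholder
```

Two practical points when using either block: an account with no `permissions` and no `requiredGroupMembership` stays visible to every authenticated user, so adding a restrictive block to one account is what removes that account (and, as reported above, possibly the whole application) from users outside the listed groups; and because the check is made against the caller, a pipeline that is triggered without a named user will be evaluated as "anonymous" and cannot satisfy a group-based grant. Halyard exposes the same READ and WRITE lists as the `--read-permissions` and `--write-permissions` options of `hal config provider kubernetes account edit`, which is the Halyard-side support the reply above says is being added.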