The documentation here (https://www.spinnaker.io/setup/security/authorization/) could really use some updates to explain more about how authorization works. First of all, I have read in many places that the requiredGroupMemberships property is deprecated (I've even heard that it straight up doesn't work in Spinnaker 1.7.5+). Despite this, I've seen some really weird behavior while trying to figure out how exactly authorization should work.
I am able to see Google Groups that I belong to in the “Edit Application Properties>Permissions” dropdown which to me indicates that the service account that has the GSuite Group Read access appears to be working.
- There is no information I can find that explains how these groups should be specified when using Google OAuth and trying to specify Google Groups… My guess is that they should look exactly like the names in the Permissions dropdown… but that doesn’t seem to work. I’ve also tried including the domain but have not had luck finding the solution here…
For example: I added READ and WRITE permissions for our "dev" group to our account (a cluster, using the Kubernetes v2 provider), and the application ceases to exist in the UI when this is done.
My application exists across multiple accounts (which according to the documentation above is fine), but when enabling permissions on one account… the entire application becomes completely inaccessible even for the “accounts” that don’t have any permissions enabled… not exactly sure how this should work.
I currently have our authorization disabled (due to the issues called out above) but didn’t remove the “permissions” I had defined on our account. Even with authorization disabled I still get the following message when trying to trigger our pipeline for this account:
    Exception ( Deploy Manifest )
    firstname.lastname@example.org is not authorized (account: my-authorized-spinnaker-account, description: KubernetesDeployManifestDescription)

The same thing happens when this is triggered via our pubsub trigger, but with "anonymous" instead of "email@example.com".
It is possible that I just don't understand enough about how to configure Fiat, but some of these items seem quite strange to me and have made enabling authorization somewhat of a headache, especially in an environment where we are now actively using our Spinnaker instance for our day-to-day development work. Any help would be greatly appreciated!