Warning! Breaking Change in GCE API


#1

The GCE API team is making a change that will break Spinnaker’s API usage within a week. Spinnaker was patched to handle this in versions 1.9.2, 1.8.6, and 1.7.8. We recommend you update as soon as possible, and reach out to the Spinnaker Google team with any questions.


#2

We upgraded spinnaker to 1.9.2 on GCE in order to avoid possible breaking changes that were highlighted earlier. Somehow Fiat is not working properly in this version. We have enabled google group permissions in clouddriver along with requiredmembership and we are using google groups under fiat authorisation. But somehow its very flaky in this version. Sometime it works and most of the time it doesn’t. Its allowing anonymous user to delete components even when we are logged-in as valid gmail user it still gets anonymous from nowhere. We are using IAP authentication on Gate and currently everything is setup on GCE. The READ and WRITE permissions doesn’t seems to work. Let us know if you need logs for this issue, we are not able to upgrade our production spinnaker setup due to this potential security risk


#3

Which version did you upgrade from?

@dibyom is it possible your fiat fixes are related?


#4

Not sure where exactly it started breaking we were on 1.8.4 . We upgraded to 1.9.0 yesterday then we got to know that better to go with 1.9.2 after reading the above warning so last working and validated version was 1.8.4 for us


#5

Release 1.9.2 has a fix for the LDAP fiat provider. I am not aware of any issues affecting the Google group provider.

@sweetib if you get us the logs, I can to take a look!


#6

I guess we found the issue as discussed here Setting up Authorization with Google Groups