OP-16464: integrate pipeline trigger to verify fiat permissions #66

Merged
merged 1 commit into from
Jul 11, 2024

@sudhakaropsmx sudhakaropsmx commented Jul 10, 2024

https://devopsmx.atlassian.net/browse/OP-16464

The Pipeline RBAC implementation commits cover Orca, Front50, and Fiat; the Gate implementation is missing.
As part of the Pipeline RBAC implementation, these changes are required to verify the permissions against Fiat before triggering a pipeline.

OpsMx#279

@@ -272,7 +272,7 @@ class PipelineController {
}

@Operation(summary = "Trigger a pipeline execution")
@PreAuthorize("hasPermission(#application, 'APPLICATION', 'EXECUTE')")
@PreAuthorize("hasPermission(#application, 'APPLICATION', 'EXECUTE') && hasPermission(#pipelineNameOrId, 'PIPELINE', 'EXECUTE')")
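
Review bot: the added `hasPermission(#pipelineNameOrId, 'PIPELINE', 'EXECUTE')` clause in the `@PreAuthorize` on the trigger endpoint is unconditional and is keyed on a value that, going by the parameter name, may be either a pipeline name or an id. Nothing in this hunk shows how the permission evaluator treats the 'PIPELINE' resource type when pipeline RBAC is not enabled, or whether a name and an id for the same pipeline resolve to the same permission entry within `#application`. Please document that behaviour next to the annotation, and add tests for both identifier forms and for a caller who has EXECUTE on the application but not on the pipeline.
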
Collaborator

Can you please explain why we made this change?

Collaborator Author

If we enable Pipeline RBAC, the permissions are verified against Fiat before the pipeline is triggered.

Collaborator

  1. OSS doesn't have pipeline-level RBAC, only OES has it?
  2. If yes, then why only selected controller, not other controllers as well?
  3. If someone gave execute access for some pipeline but not to application, is this scenario possible?

Collaborator Author

@sudhakaropsmx sudhakaropsmx Jul 11, 2024

Only OES will have this pipeline RBAC customization.
The pipeline trigger goes from Gate to Echo and on to Orca. The remaining verification is in Orca and Front50.
First priority is the Application level and then Pipeline.
This feature was requested by customer WU, who is currently using it.

Collaborator

In a call, @sudhakaropsmx mentioned that other checks are implemented in other services like Orca.
Still, I have one doubt: for a few controllers we are allowing access from Gate to Orca and checking in Orca for RBAC,
but for some controllers we are checking RBAC in Gate itself. Any particular reason?
-> But as this is not a blocker, approving the PR.

@sudhakaropsmx sudhakaropsmx changed the title OP-18094: integrate pipeline trigger to verify fiat permissions OP-16464: integrate pipeline trigger to verify fiat permissions Jul 11, 2024
@sudhakaropsmx sudhakaropsmx force-pushed the Bugfix/OP-18094_Pipeline_permissions branch from 8a9f715 to 63491bf Compare July 11, 2024 06:09
@sudhakaropsmx sudhakaropsmx merged commit 94a16ab into OES-1.33.x Jul 11, 2024
1 check passed
@sudhakaropsmx sudhakaropsmx deleted the Bugfix/OP-18094_Pipeline_permissions branch July 11, 2024 06:17