# Pipeline level RBAC

## **Introduction**

Role-based access control (RBAC) restricts access based on the roles of individual users within an organization.

The OpsMx **Pipeline level RBAC** feature restricts access at the pipeline level within an application.

{% hint style="info" %}
The Pipeline RBAC feature is disabled by default.
{% endhint %}

### **To Enable Pipeline RBAC**

* Connect to the Spinnaker halyard pod using the command below:

```bash
kubectl exec -it <NAME_OF_THE_HALYARD_POD> -n <YOUR_NAMESPACE> -- bash
```

* Make the following changes in the hal config file: search for **authz** and set `enabled: true`.

```yaml
authz:
  groupMembership:
    service: "EXTERNAL"
    google:
      roleProviderType: "GOOGLE"
    github:
      roleProviderType: "GITHUB"
    file:
      roleProviderType: "FILE"
    ldap:
      roleProviderType: "LDAP"
  enabled: true
```


1. Access the GitHub repository where Spinnaker is configured and locate the **Gate secret & fiat**, **front50** and **orca** yaml files under `~/.hal/default/profiles`.
2. Set `pipeline: rbac: true` in the orca.yml, fiat.yml and front50.yml files.
3. Run the following command to apply the changes: `hal deploy apply`.
4. Save the changes and exit.
5. Restart the gate service.
6. Wait for all three pods to restart successfully.

#### To verify whether Pipeline RBAC is enabled

Follow the steps below to verify whether pipeline RBAC is enabled:

1. Port-forward the fiat service by running the following command from your terminal:

```bash
kubectl port-forward service/<FIAT-SERVICE-NAME> 7003:7003 -n <YOUR_NAMESPACE>
```

2. Once the fiat service is port-forwarded, open the following URL in your browser: `http://localhost:7003/authorize/<VALID-USERNAME>`

{% hint style="info" %}
You will get the list of applications and pipelines.
{% endhint %}

Search the response for pipelines. If the list of pipelines is present, pipeline-level RBAC is enabled successfully.
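As an added illustration (not part of the OpsMx documentation), the Python snippet below automates the check above: it fetches `/authorize/<user>` through the port-forward from step 1 and walks the JSON for any pipeline entries. The sample response is constructed, and the exact layout of fiat's payload is an assumption, which is why the walker matches on key names rather than a fixed schema.

```python
import json
import sys
import urllib.request

FIAT_BASE = "http://localhost:7003"  # the port-forward from step 1

# Constructed sample of an authorize view; the real payload layout is an
# assumption, so the walker below does not depend on exact key names.
SAMPLE_AUTHORIZE_VIEW = {
    "name": "alice",
    "admin": False,
    "applications": [{"name": "payments", "authorizations": ["READ", "WRITE"]}],
    "pipelines": [
        {"name": "dev-deploy", "authorizations": ["READ"]},
        {"name": "dev-rollback", "authorizations": ["READ", "EXECUTE"]},
    ],
}


def fetch_authorize_view(user, base=FIAT_BASE):
    """GET /authorize/<user> from fiat and parse the JSON body."""
    with urllib.request.urlopen(f"{base}/authorize/{user}", timeout=10) as resp:
        return json.load(resp)


def find_pipeline_entries(doc, path=()):
    """Walk the JSON and collect (json-path, value) for every key naming pipelines."""
    hits = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            if "pipeline" in key.lower():
                hits.append(("/".join(path + (key,)), value))
            hits.extend(find_pipeline_entries(value, path + (key,)))
    elif isinstance(doc, list):
        for i, value in enumerate(doc):
            hits.extend(find_pipeline_entries(value, path + (str(i),)))
    return hits


def pipeline_rbac_enabled(doc):
    """Enabled when at least one pipeline section is present and non-empty."""
    return any(value for _, value in find_pipeline_entries(doc))


if __name__ == "__main__":
    view = fetch_authorize_view(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_AUTHORIZE_VIEW
    for path, value in find_pipeline_entries(view):
        print(path, json.dumps(value))
    print("pipeline RBAC enabled:", pipeline_rbac_enabled(view))
```

Run it with a username as the first argument to query the live port-forward; with no argument it evaluates the constructed sample.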

### To provide Pipeline-level RBAC Access

An admin can restrict access to a pipeline's **Read**, **Write**, and **Execute** functions to a specific user group. Through this access, users can define who can edit the pipeline configuration, execute the pipeline, and delete the pipeline.

### **Prerequisite**

{% hint style="info" %}
The following config change is applied through helm.
{% endhint %}

To use the Pipeline level RBAC feature, the **fiat** configuration in the gate secret should be **enabled** (it is enabled by default). If it is not, set it to **true**, as shown below.

```yaml
fiat:
  baseUrl: http://spin-fiat:7003
  enabled: true
  host: 0.0.0.0
  port: 7003
```

### **Instructions**

Follow the steps below to provide pipeline-level RBAC access:

1. Access the GitHub repository where Spinnaker is configured and locate the `fiat-local.yaml` file at `~/default/profiles/fiat-local.yaml`.
2. Update the **aggregate** and **prefix** details in the `fiat-local.yaml` file as shown below:

   ```yaml
   auth.permissions.provider.pipeline: aggregate
   auth.permissions.source.pipeline.Prefix: "dev*"
   ```
3. **Prefix:** Provide a prefix name ending with the `*` wildcard (for example, `dev*`), as shown below:

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p><strong>Note:</strong> The pipeline name should begin with the prefix provided here. Here we have mentioned the prefix “dev*”.</p></div>

   <figure><img src="https://lh3.googleusercontent.com/ajyfRD3HvPj0P0N1TT_N_-kk0z2fXOcv3jePAdrGs0K06HuGpPYTDAZb8nB872HIVy-Bi_tyG87gf-ycD5kKaSeRqZSalxfdSC78roISQxGwsGjOc6MASfvAOTSYcGNmL3dAQjG2qpA4MvzfnhPGiIVr4qH4irBrMPOT13ko3u1B6r-IplxPPz3zsn9sNg" alt=""><figcaption></figcaption></figure>
4. **Pipeline prefix:** As mentioned above, the pipeline is created with a name that starts with the specified prefix.

   <figure><img src="https://lh6.googleusercontent.com/YqVw5OyFljn_NWbKEzCIWDmxgthS3IKh31e7mS6vcgNJF4RHSwT0GIHGSrRe74kv7FfP4CYtg8Vnx9WdZMrWA9HaVoXKw_DBIOLbIMqZzNE8Juh0upH9Iu15eHLpztjV9PhgmfT1x4yAXd8OGoELS9trYFLra7SLkrfIWjqv5_WjX8Z2OGjsecWINvEatw" alt=""><figcaption></figcaption></figure>
5. **Permissions:** Specify the **READ**, **WRITE** and **EXECUTE** permissions for the specific user group as shown in the image below:

   <figure><img src="https://lh3.googleusercontent.com/oa-GKWF6cgbszPgDhu-ArydD2QOND4ABUPoUiFK1U67PqMB7PjrcypjoIPB_G2NtSYE8rUANWFKm9KCxtFIGAvewOMUngls3VCeOafs_jr2rh-yDInwEr8quzXJBVpganNGjPmhp8PPuzQXsNsQg8DakbkgUgT5hNqQHhzdk8WFZvyS9olXD9STGNh8iNA" alt=""><figcaption></figcaption></figure>

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p><strong>Note:</strong> In the above example, we provided access as follows:</p><ul><li><strong>devteam</strong> group has <strong>READ</strong> permission only </li><li><strong>qateam</strong> group has <strong>READ, WRITE</strong> and <strong>EXECUTE</strong> permissions</li></ul></div>
6. We have provided only **READ** access to the **devteam** group; **WRITE** and **EXECUTE** permissions are not granted. This user group can therefore view the specific pipeline but cannot modify, execute or delete it.\
   \
   If such a user tries to edit, execute or delete the pipeline, an error message is displayed as shown below:
   * If a restricted user tries to **Edit** the pipeline, the following error message is displayed:

     <figure><img src="https://lh5.googleusercontent.com/DKvneXvoue2I2BzNh97wrfwx1wdfBp884d6WtARirLmi6YYW0wbEiizn1OshThBSDKq-DVNV2ZBKpcWBgJtOdr7kBxLVYL_Z-Ui-9RPLjkm07-_kiApZHBpFOBwvBJZUqb0dN6H_rUQyoqleybwRvB4PHlcKUsW1V3Gli_W6T9A2RffcnjhFfu8ZBoWWCw" alt=""><figcaption></figcaption></figure>
   * If a restricted user tries to **Execute** the pipeline, the following error message is displayed:

     <figure><img src="https://lh4.googleusercontent.com/6VUJ13WBwaXpRKKNdxypMbIcCsbbB1oVEKhzflLLMBbtRuXoK7th7RpqlEqHppBI7t12OvxTJhbxYGBIpfKp3AaH_krAysLOcYvOSICm692e1RUaDqgnIU_Zn2jbbkd_Jw7PoBF3T_wKhTY0a_mEdDk7ijurwn6erwm-NFvJfeInryzQKnrFpG2SrZQ9sQ" alt=""><figcaption></figcaption></figure>
   * If a restricted user tries to **Delete** the pipeline, the following error message is displayed:

     <figure><img src="https://lh3.googleusercontent.com/M1BD5-uDrrD38k-DbhdbID0hI6kIrkSxNiX1vIfcuzxXh3PJIef-2m-T8yqZBpmavh21ChZiX3ynrAv3EXYNxYO7o40PKURnLF5JhJ0eKaLsXoLtXhxTmkUNwOmVwyuRBSGerchPCWvaKjlEjaODJbuoU20d71kijB5xPMXKw71SzDmSXXz_gdlT8MTHGw" alt=""><figcaption></figcaption></figure>
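As an added example (not OpsMx code), the Python model below evaluates the permissions described in steps 3 to 6: the `dev*` prefix decides which pipelines are governed, and each Deck action maps to READ, WRITE or EXECUTE. Two assumptions are made: deleting a pipeline requires WRITE, and a pipeline whose name does not match the prefix returns `None`, meaning the pipeline-level rule does not apply to it.

```python
from fnmatch import fnmatchcase

# Constructed to mirror the page: prefix "dev*", devteam has READ only,
# qateam has READ, WRITE and EXECUTE.
PIPELINE_PREFIX = "dev*"
PIPELINE_PERMISSIONS = {
    "READ": {"devteam", "qateam"},
    "WRITE": {"qateam"},
    "EXECUTE": {"qateam"},
}

# Assumed mapping of Deck actions to the three permissions; the page only
# states that a READ-only group cannot edit, execute or delete.
ACTION_PERMISSION = {
    "view": "READ",
    "edit": "WRITE",
    "delete": "WRITE",
    "execute": "EXECUTE",
}


def governed_by_pipeline_rbac(pipeline_name, prefix=PIPELINE_PREFIX):
    """A pipeline is covered only if its name matches the configured prefix glob."""
    return fnmatchcase(pipeline_name, prefix)


def allowed(user_groups, pipeline_name, action,
            perms=PIPELINE_PERMISSIONS, prefix=PIPELINE_PREFIX):
    """Decide one action: True/False for a governed pipeline, None when the
    pipeline is outside the prefix (assumption: the pipeline-level rule then
    does not apply and application-level permissions decide)."""
    if not governed_by_pipeline_rbac(pipeline_name, prefix):
        return None
    required = ACTION_PERMISSION[action]
    return bool(set(user_groups) & perms.get(required, set()))


def audit(user_groups, pipeline_name):
    """Summarise every action for a user's groups, e.g. for an access review."""
    return {action: allowed(user_groups, pipeline_name, action)
            for action in ACTION_PERMISSION}


if __name__ == "__main__":
    for groups in ({"devteam"}, {"qateam"}):
        print(sorted(groups), audit(groups, "dev-deploy"))
```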
