Pipeline level RBAC

Introduction

Role-based access control (RBAC) restricts access based on the roles of individual users within an organization. OpsMx introduced the Pipeline level RBAC feature to restrict access at the pipeline level within an application. An admin can restrict access to a pipeline's Read, Write, and Execute functions to a specific user group. Through this access, users can define who can edit the pipeline configuration, execute the pipeline, and delete the pipeline.
If you haven’t created an application already, refer here.
If you haven’t created your pipelines yet, refer here.

Prerequisite

Note: The following config change is applied through Helm.
To use the Pipeline level RBAC feature, the "fiat" configuration in the all gate secret must be enabled. It is "enabled" by default; if it is not, set "enabled" to "true", as shown below.
    Fiat:
      baseUrl: http://spin-fiat:
      enabled: true
      host: 0.0.0.0
      port: 7003

Instructions

Follow the steps below to provide pipeline-level RBAC access:
  1. Access the GitHub repository where Spinnaker is configured and locate the fiat-local.yaml file at the path “~/default/profiles/fiat-local.yaml”.
  2. Update the aggregate and prefix details in the fiat-local.yaml file as mentioned below:
    auth.permissions.provider.pipeline: aggregate
    auth.permissions.source.pipeline.Prefix:
  3. Prefix: Provide any prefix name with a “*” mark (Example: “dev*”) as shown below:
    Note: The pipeline name should begin with the prefix provided here. Here we have mentioned the prefix “dev*”.
  4. Pipeline Prefix: As mentioned above, a pipeline was created with the specified prefix.
  5. Permissions: Specify the READ, WRITE and EXECUTE permissions for the specific user group as shown in the image below:
    Note: In the above example, we provided access as follows:
    • “devteam” group has READ permission only
    • “qateam” group has READ, WRITE and EXECUTE permissions
  6. We have provided only “READ” access to the “devteam” group; “WRITE” and “EXECUTE” permissions are not provided. So, this user group can view a specific pipeline but cannot modify, execute or delete it. If a user in this group tries to edit, execute or delete the pipeline, an error message is displayed as shown below:
    • If a restricted user tries to "Edit" the pipeline, the following error message is displayed:
    • If a restricted user tries to "Execute" the pipeline, the following error message is displayed:
    • If a restricted user tries to "Delete" the pipeline, the following error message is displayed:
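
To sanity-check a prefix rule set before committing it, the added example below (not OpsMx or Fiat code) models the page's “dev*” rule in Python and reports what each group can do and which pipelines no prefix covers. The rule layout, the action-to-permission mapping, the case-sensitive prefix match, the union of matching prefixes, and the pipeline names are assumptions made for illustration.

```python
# Added example: a model of prefix-based pipeline permissions, not Fiat's code.

# Constructed rule set mirroring the page's example: prefix "dev*",
# devteam has READ only, qateam has READ, WRITE and EXECUTE.
RULES = {
    "dev*": {
        "READ": {"devteam", "qateam"},
        "WRITE": {"qateam"},
        "EXECUTE": {"qateam"},
    },
}

# Assumption: the permission each UI action needs (the page does not state it).
ACTION_NEEDS = {"view": "READ", "edit": "WRITE",
                "delete": "WRITE", "execute": "EXECUTE"}


def matching_prefixes(pipeline, rules=RULES):
    """Prefix patterns whose literal part begins the pipeline name."""
    return [p for p in rules if pipeline.startswith(p.rstrip("*"))]


def effective_permissions(pipeline, groups, rules=RULES):
    """Union of permissions the matching prefixes grant to the user's groups.
    Returns None when no prefix matches, i.e. the rules do not cover it."""
    matched = matching_prefixes(pipeline, rules)
    if not matched:
        return None
    return {perm for prefix in matched
            for perm, allowed in rules[prefix].items()
            if allowed & set(groups)}


def is_allowed(action, pipeline, groups, rules=RULES):
    perms = effective_permissions(pipeline, groups, rules)
    if perms is None:  # the page does not say what applies here, so refuse to guess
        raise LookupError(f"{pipeline!r} matches no configured prefix")
    return ACTION_NEEDS[action] in perms


def uncovered(pipelines, rules=RULES):
    """Pipelines whose names begin with no configured prefix, for review."""
    return [p for p in pipelines if not matching_prefixes(p, rules)]


if __name__ == "__main__":
    names = ["dev-build", "dev-deploy", "release-prod"]  # constructed names
    for name in names:
        for group in ("devteam", "qateam"):
            print(name, group, effective_permissions(name, [group]))
    print("not covered by any prefix:", uncovered(names))
```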