Tags: spinnakerbot/fiat
feat(roles): Configurable `__unrestricted_user__` roles (spinnaker#263)

Delegates loading to the `UserRolesProvider` with the default remaining an empty set.

We have a custom `UserRolesProvider` at Netflix and would like the ability to specify one or more additional roles for the anonymous user.
chore(dependencies): spinnaker-dependencies to 1.0.10 (spinnaker#261)
fix(ldap): Return a new ExternalUser from multiLoadRoles in LDAP (spinnaker#260)
feat(api): Surface context around what resource was denied access (spinnaker#256)

In response to user feedback that seeing just a `403` error lacked sufficient context to determine exactly what permission was lacking, particularly when a pipeline or orchestration failed.

The chosen response messaging mimics what clouddriver is already doing.

https://github.com/spinnaker/clouddriver/blob/master/clouddriver-core/src/main/groovy/com/netflix/spinnaker/clouddriver/deploy/DescriptionValidator.groovy#L29

```
{
  "error": "Forbidden",
  "message": "Access denied to application clouddriver",
  "status": 403,
  "timestamp": 1534222128232
}
```
fix(roles): Avoid filtering when `allowAccessToUnknownApplications` is enabled (spinnaker#255)

This flag was originally added to allow sites with large numbers of applications to avoid needlessly serializing the same set of applications for each user.

Unfortunately it doesn't play nice when an application was explicitly filtered out because a user was not granted access to it!

This PR will no longer filter applications but rather include them in the permission with _no_ authorizations.

It only applies when `allowAccessToUnknownApplications` is enabled.

```
[
  {
    "name": "clouddriver",
    "authorizations": [ "READ", "WRITE" ]
  },
  {
    "name": "orca",
    "authorizations": [ ]
  }
]
```

vs

```
[
  {
    "name": "clouddriver",
    "authorizations": [ "READ", "WRITE" ]
  }
]
```
feat(api): FiatPermissionEvaluator reliability (spinnaker#254)

Adds retry support for calls to fiat in FiatPermissionEvaluator

Invalidates cached users if they contain legacyFallback permissions
feat(api): Allow `admin` to access any resource regardless of permission (spinnaker#253)