Fiat is the authorization server for the Spinnaker system.
It exposes a RESTful interface for querying the access permissions for a particular user. It currently supports three kinds of resources:
- Accounts
- Applications
- Service Accounts
Accounts are set up within Clouddriver and queried by Fiat for their configured `requiredGroupMembership` restrictions.
Applications are the combination of config metadata pulled from Front50 and server group names (e.g., application-stack-details). Application permissions sit beside application configuration in S3/Google Cloud Storage.
Fiat Service Accounts are groups that act as a user during automated triggers (say, from a GitHub push or Jenkins build). Authorization is built in by making the service account a member of a group specified in `requiredGroupMembership`.
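To make the two paragraphs above concrete, here is an added toy model of the `requiredGroupMembership` decision (illustrative code written for this README, not Fiat's own implementation). It assumes that an account with no `requiredGroupMembership` entries is unrestricted, and that a service account is checked exactly like a user whose roles are the groups it is a member of; the account names and group names are constructed sample data.

```python
"""Toy model of Fiat's requiredGroupMembership check (not Fiat's own code)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class Account:
    name: str
    # Groups listed in the Clouddriver account's requiredGroupMembership.
    required_group_membership: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class ServiceAccount:
    name: str
    # Groups the service account is a member of; it acts with these roles
    # during an automated trigger (GitHub push, Jenkins build, ...).
    member_of: FrozenSet[str]


def can_access(roles: Iterable[str], account: Account) -> bool:
    """A caller may use an account if it holds at least one required group."""
    required = account.required_group_membership
    # Assumption: no requiredGroupMembership configured means unrestricted.
    if not required:
        return True
    return not required.isdisjoint(roles)


def authorized_accounts(roles: Iterable[str], accounts: Iterable[Account]) -> List[str]:
    """Names of the accounts the given roles may use, sorted for stable output."""
    roles = frozenset(roles)
    return sorted(a.name for a in accounts if can_access(roles, a))


def service_account_can_trigger(sa: ServiceAccount, account: Account) -> bool:
    """Service accounts are authorized through their group memberships, like users."""
    return can_access(sa.member_of, account)


# Constructed sample data (not taken from any real deployment).
ACCOUNTS = [
    Account("prod", frozenset({"prod-deployers", "sre"})),
    Account("staging", frozenset({"dev"})),
    Account("sandbox"),  # no requiredGroupMembership: open to every authenticated user
]
JENKINS_SA = ServiceAccount("jenkins-deploy", frozenset({"prod-deployers"}))
```

A user holding only the `dev` role sees `staging` and `sandbox`, while the Jenkins service account can trigger pipelines against `prod` but not `staging`.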
Currently supported user role providers are:
- Google Groups (through a Google Apps for Work organization)
- GitHub Teams
- LDAP
- File based role provider
- SAML Groups
By default, Fiat is built with all authorization providers included. To build only a subset of providers, use the `includeProviders` flag:

```sh
./gradlew -PincludeProviders=google-groups,ldap clean build
```

You can view the list of all providers in `gradle.properties`.
To start the JVM in debug mode, set the Java system property `DEBUG=true`:

```sh
./gradlew -DDEBUG=true
```

The JVM will then listen for a debugger to be attached on port 7103. The JVM will not wait for the debugger to be attached before starting Fiat; the relevant JVM arguments can be seen and modified as needed in `build.gradle`.