
POST SyncServiceAccount API with empty role removes unrestricted permissions #6934

Open
chunyap-lim opened this issue Mar 11, 2024 · 2 comments

Comments

@chunyap-lim

Issue Summary:

POST SyncServiceAccount API with empty role removes unrestricted permissions.

Cloud Provider(s):

NA

Environment:

On AWS ECS.

Feature Area:

Role Sync - SyncServiceAccount

Description:

When the isDisableRoleSyncWhenSavingServiceAccounts flag is enabled in Front50, saving a service account results in the unrestricted permissions being removed in Fiat. Users get permission errors in pipeline executions until the next scheduled full role sync repopulates these unrestricted permissions.

Steps to Reproduce:

Clouddriver account config (with no specified permissions set):

```yaml
aws:
  enabled: true
  accounts:
  - name: aws-account
    accountId: 1234567890123
    assumeRole: spinnaker-role
    regions:
      - name: ap-southeast-1
```

1. Check user authorization: the `accounts` permission is populated.

Request:

```
GET {{FIAT_HOST}}/authorize/<user>
```

Response:

```json
{
    "name": "chunyap.lim",
    "accounts": [
        {
            "name": "aws-account",
            "authorizations": [
                "READ",
                "WRITE",
                "EXECUTE",
                "CREATE"
            ]
        }
    ],
    "applications": [...],
    "serviceAccounts": [...],
    "roles": [...],
    "buildServices": [...]
    ...
}
```

2. Run SyncServiceAccount with an empty role list.

Request:

```
POST -H 'Content-Type: application/json' -d '[]' {{FIAT_HOST}}/roles/sync/serviceAccount/<serviceaccount>
```

3. Check user authorization again: the `accounts` permission IS GONE.

Request:

```
GET {{FIAT_HOST}}/authorize/<user>
```

Response:

```json
{
    "name": "chunyap.lim",
    "accounts": [],
    "applications": [...],
    "serviceAccounts": [...],
    "roles": [...],
    "buildServices": [...]
    ...
}
```

Additional Details:

The permissionsRepository.getAllByRoles([]) call returns the UNRESTRICTED_USER role. Running permissionsResolver.resolveResources on UNRESTRICTED_USER does not resolve any unrestricted permissions, so UNRESTRICTED_USER with empty permissions is written into the cache. In other words, the unrestricted permissions are wiped. The full role sync process handles UNRESTRICTED_USER differently, by calling permissionsResolver.resolveUnrestrictedUser instead.
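A simplified model of the sync path described in the report, added here as an illustration; it is not Fiat's code. The account inventory, role membership, the `__unrestricted_user__` name and all function names are constructed, and the `fixed=True` branch mirrors what the full role sync already does by resolving the unrestricted user separately.

```python
# Constructed model of the Fiat role-sync path described in the issue; not Fiat code.
UNRESTRICTED_USER = "__unrestricted_user__"  # assumed name of Fiat's special user

# Constructed account inventory: an account with no permissions block is unrestricted.
ACCOUNTS = {"aws-account": set(), "prod-account": {"prod-admins"}}
# Constructed role membership: user -> roles.
USER_ROLES = {"chunyap.lim": {"dev"}}
CACHE = {}  # the permissions cache that a sync writes into


def get_all_by_roles(roles):
    """Users to re-sync for the given roles; the unrestricted user is always included."""
    users = {UNRESTRICTED_USER: set()}
    for user, user_roles in USER_ROLES.items():
        if user_roles & set(roles):
            users[user] = user_roles
    return users


def resolve_resources(roles):
    """Accounts granted through role membership; unrestricted accounts never match here."""
    return {name for name, perms in ACCOUNTS.items() if perms & roles}


def resolve_unrestricted_user():
    """Accounts with no permissions block belong to the unrestricted user."""
    return {name for name, perms in ACCOUNTS.items() if not perms}


def sync_service_account(roles, fixed=False):
    """Mimic POST /roles/sync/serviceAccount: resolve and cache every returned user."""
    for user, user_roles in get_all_by_roles(roles).items():
        if fixed and user == UNRESTRICTED_USER:
            CACHE[user] = resolve_unrestricted_user()   # what the full role sync does
        else:
            CACHE[user] = resolve_resources(user_roles)  # empty set for the unrestricted user


def authorize(user):
    """Mimic GET /authorize/<user>: the user's own accounts plus the cached unrestricted ones."""
    return CACHE.get(user, set()) | CACHE.get(UNRESTRICTED_USER, set())


def full_role_sync():
    """Mimic the scheduled full sync that repopulates the cache, unrestricted user included."""
    for user, roles in USER_ROLES.items():
        CACHE[user] = resolve_resources(roles)
    CACHE[UNRESTRICTED_USER] = resolve_unrestricted_user()
```

Running `full_role_sync()` and then `sync_service_account([])` empties `authorize("chunyap.lim")`, reproducing the report; with `fixed=True` the unrestricted account survives the sync.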

@spinnakerbot

This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:

@spinnakerbot remove-label stale

@chunyap-lim
Author

@spinnakerbot remove-label stale
