You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
POST SyncServiceAccount API with empty role removes unrestricted permissions.
Cloud Provider(s):
NA
Environment:
On AWS ECS.
Feature Area:
Role Sync - SyncServiceAccount
Description:
When isDisableRoleSyncWhenSavingServiceAccounts flag is enabled in Front50, saving a service account will result in removing unrestricted permissions in Fiat. User got permissions error in the pipeline execution until the next scheduled full role sync to repopulate these unrestricted permissions.
Steps to Reproduce:
Clouddriver account config (with no specified permissions set):
Issue Summary:
POST SyncServiceAccount API with empty role removes unrestricted permissions.
Cloud Provider(s):
NA
Environment:
On AWS ECS.
Feature Area:
Role Sync - SyncServiceAccount
Description:
When isDisableRoleSyncWhenSavingServiceAccounts flag is enabled in Front50, saving a service account will result in removing unrestricted permissions in Fiat. User got permissions error in the pipeline execution until the next scheduled full role sync to repopulate these unrestricted permissions.
Steps to Reproduce:
Clouddriver account config (with no specified permissions set):
accounts
permission is populated.request:
response:
Request:
accounts
permission IS GONE.Request:
Response:
Additional Details:
permissionsRepository.getAllByRoles([]) function will return UNRESTRICTED_USER role. Running permissionsResolver.resolveResources on UNRESTRICTED_USER will not resolve any unrestricted permissions, and UNRESTRICTED_USER with empty permissions is updated into the cache. In other words, the unrestricted permissions are wiped. In the full role sync process, UNRESTRICTED_USER is handled differently by calling permissionsResolver.resolveUnrestrictedUser instead.
The text was updated successfully, but these errors were encountered: