POST SyncServiceAccount API with empty role removes unrestricted permissions #6934
Comments
This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:
@spinnakerbot remove-label stale
This issue hasn't been updated in 45 days, so we are tagging it as 'stale'. If you want to remove this label, comment:
The problem still exists in the latest version 1.34.x. The workaround for now is to not have any Accounts/BuildServices without permissions (i.e. not using UNRESTRICTED permissions). @spinnakerbot remove-label stale
@spinnakerbot remove-label stale
"stale" has not been applied, and cannot be removed.
Issue Summary:
POST SyncServiceAccount API with empty role removes unrestricted permissions.
Cloud Provider(s):
NA
Environment:
On AWS ECS.
Feature Area:
Role Sync - SyncServiceAccount
Description:
When the isDisableRoleSyncWhenSavingServiceAccounts flag is enabled in Front50, saving a service account results in removing unrestricted permissions in Fiat. Users get a permissions error in pipeline execution until the next scheduled full role sync repopulates these unrestricted permissions.
Steps to Reproduce:
Clouddriver account config (with no specified permissions set):
accounts permission is populated.
request:
response:
Request:
accounts permission IS GONE.
Request:
Response:
Additional Details:
The permissionsRepository.getAllByRoles([]) function will return the UNRESTRICTED_USER role. Running permissionsResolver.resolveResources on UNRESTRICTED_USER will not resolve any unrestricted permissions, and UNRESTRICTED_USER with empty permissions is updated into the cache. In other words, the unrestricted permissions are wiped. In the full role sync process, UNRESTRICTED_USER is handled differently by calling permissionsResolver.resolveUnrestrictedUser instead.
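A simplified Python model of the mechanism described under Additional Details, added here as an illustration and not taken from Fiat or from the issue author. The account names, users, user id string and function bodies are constructed, and the `guard` option is an assumption that mirrors what the issue says the full role sync does.

```python
# Simplified model of the behaviour described in this issue. All names and
# data are constructed for illustration; this is not Fiat's code.
UNRESTRICTED_USER = "__unrestricted_user__"  # placeholder id (assumption)

# Constructed accounts: an empty role list means no permissions are configured.
ACCOUNTS = {"open-account": [], "team-a-account": ["team-a"]}
# Constructed users and their roles; the unrestricted user has none.
USER_ROLES = {UNRESTRICTED_USER: [], "alice": ["team-a"]}


def resolve_resources(user):
    """Accounts a user reaches through roles; never matches open accounts."""
    roles = set(USER_ROLES[user])
    return {a for a, required in ACCOUNTS.items() if roles & set(required)}


def resolve_unrestricted_user():
    """Accounts with no permissions configured, as in the full role sync."""
    return {a for a, required in ACCOUNTS.items() if not required}


def get_all_by_roles(roles):
    """Users holding any given role; the unrestricted user always comes back."""
    wanted = set(roles)
    return [u for u, r in USER_ROLES.items()
            if u == UNRESTRICTED_USER or wanted & set(r)]


def full_sync():
    """Full sync: the unrestricted user gets its own resolution path."""
    cache = {u: resolve_resources(u) for u in USER_ROLES}
    cache[UNRESTRICTED_USER] = resolve_unrestricted_user()
    return cache


def sync_by_roles(cache, roles, guard=False):
    """Partial sync. guard=False reproduces the wipe; guard=True avoids it."""
    for user in get_all_by_roles(roles):
        if guard and user == UNRESTRICTED_USER:
            cache[user] = resolve_unrestricted_user()
        else:
            cache[user] = resolve_resources(user)
    return cache


def effective_accounts(cache, user):
    """Model assumption: users also inherit the unrestricted user's entries."""
    return cache.get(user, set()) | cache[UNRESTRICTED_USER]
```

Calling `sync_by_roles(full_sync(), [])` leaves the unrestricted entry empty until `full_sync()` runs again, which matches the window of permission errors reported above.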