/fiat

Spinnaker auth service

Primary LanguageJavaApache License 2.0Apache-2.0

Spinnaker Auth Service

Build Status

   ____ _         ____ __    ___               _            ______                  _    
  / __/(_)__ __  /  _// /_  / _ | ___ _ ___ _ (_)___       /_  __/____ ___ _ _  __ (_)___
 / _/ / / \ \ / _/ / / __/ / __ |/ _ `// _ `// // _ \ _     / /  / __// _ `/| |/ // /(_-<
/_/  /_/ /_\_\ /___/ \__/ /_/ |_|\_, / \_,_//_//_//_/( )   /_/  /_/   \_,_/ |___//_//___/
                                /___/                |/                                  

Fiat is the authorization server for the Spinnaker system.

It exposes a RESTful interface for querying the access permissions for a particular user. It currently supports three kinds of resources:

  • Accounts
  • Applications
  • Service Accounts

Accounts

Accounts are setup within Clouddriver and queried by Fiat for its configured requiredGroupMembership restrictions.

Applications

Applications are the combination of config metadata pulled from Front50 and server group names (e.g., application-stack-details). Application permissions sit beside application configuration in S3/Google Cloud Storage.

Service Accounts

Fiat Service Accounts are groups that act as a user during automated triggers (say, from a GitHub push or Jenkins build). Authorization is built in by making the service account a member of a group specified in requiredGroupMembership.


User Role/Authorization Providers

There are currently two user role providers: Google Groups (through a Google Apps for Work organization) and GitHub Teams. If you would like to see additional providers, see this issue.


Roadmap/Implementation Punch list has been moved to Milestone 1 Issues