spinnaker.http.authz

This policy allows you to write policies on Spinnakers core APIs. This allows restricting many actions from the UI, or from custom API clients. Many paths in http.authz have dedicated packages written for them, and in such cases it is reccomended to write your package against the dedicated package rather than spinnaker.http.authz. spinnaker.http.authz is available because it grants the ability to write policy on almost any UI event within spinnaker.

The following paths in spinnaker.http.authz all contain the same keys:

  • applications
  • applications.<app>
  • projects
  • v2/canaryConfig

Other paths contain additional keys/data that can be used when writing policies.

Example Payload

Click to expand
{
  "input": {
    "method": "GET",
    "path": [
      "applications"
    ],
    "user": {
      "isAdmin": false,
      "roles": [
        {
          "name": "armory-io",
          "source": "GITHUB_TEAMS"
        },
        {
          "name": "productmanagers",
          "source": "GITHUB_TEAMS"
        }
      ],
      "username": "myUserName"
    }
  }
}

Example Policy

This policy simply grants all users access to all APIs. It is a good policy to enable on spinnaker.http.authz if you do not need a more complicated policy.

package spinnaker.http.authz
default allow = true
allow {
    input.user.isAdmin == true
}

Special considerations

Unlike most other packages, when writing policies against spinnaker.http.authz you must return a single boolean value named allow. If allow is false then access is denied.

A second optional parameter named message can be passed back, and set to a string. If message is returned and allow is false, then the given message is returned to the API call, and in many cases displayed to the user if the UI made the API call.

Keys

KeyTypeDescription
input.methodstringThe HTTP method being used to call the API.
input.path[]stringThis array corresponds to the subpath of the API being invoked.

input.user

This object provides information about the user performing the action. This can be used to restrict actions by role. See input.user for more information.


Other objects are listed below:


Pipelines

Controls access to the Spinnaker pipelines API. Can be used to prevent a user from creating a pipeline.

Tasks

Posts to the tasks api create new tasks in Spinnaker.


Last modified August 18, 2023: (02b163b7)