Task Type: createApplication

A policy call is made for this type any time a user attempts to create a new application.
  • Path: tasks
  • Method: POST
  • Package: spinnaker.http.authz

Example Payload

{
  "input": {
    "body": {
      "application": "aftest",
      "description": "Create Application: aftest",
      "job": [
        {
          "application": {
            "cloudProviders": "",
            "email": "af@test.com",
            "instancePort": 80,
            "name": "aftest"
          },
          "type": "createApplication",
          "user": "myUserName"
        }
      ]
    },
    "method": "POST",
    "path": [
      "tasks"
    ],
    "user": {
      "isAdmin": false,
      "roles": [
        {
          "name": "armory-io",
          "source": "GITHUB_TEAMS"
        },
        {
          "name": "productmanagers",
          "source": "GITHUB_TEAMS"
        }
      ],
      "username": "myUserName"
    }
  }
}

Example Policy

  • This policy denies creation of new applications to non-admin users unless they hold the role ‘applicationCreators’. Admins are always allowed, and requests that are not a POST to tasks carrying a createApplication job fall through to the default empty message, so they are allowed.

    package spinnaker.http.authz
    default message=""
    allow = message==""
    message = "Your role lacks permissions to create new applications"{
          createsTaskOfType("createApplication")
          input.user.isAdmin!=true
          not hasRole("applicationCreators")
    }
    hasRole(role){
        input.user.roles[_].name=role
    }
    createsTaskOfType(tasktype){
        input.method="POST"
        input.path=["tasks"]
        input.body.job[_].type=tasktype
    }
    
  • This policy denies creating new applications, or updating existing ones, unless the application specifies at least one role with ‘write’ permissions. Note: the Spinnaker UI is currently unable to display an error message when this policy denies the action. Because hasWritePermissions is undefined when the job carries no permissions.WRITE list at all, the not also succeeds in that case, so an application submitted without any permissions block is denied as well.

    package spinnaker.http.authz
    
    allow = message==""
    
    default message=""
    message="You must provide at least 1 role with write permissions"{
      not hasWritePermissions(input.body.job[0])
      createsTaskOfType(["createApplication","updateApplication"][_])
    }
    
    # Undefined (not false) when permissions.WRITE is absent, which still makes the not above succeed.
    hasWritePermissions(job) {
      count(job.application.permissions.WRITE)>0
    }
    
    createsTaskOfType(tasktype){
        input.method="POST"
        input.path=["tasks"]
        input.body.job[_].type=tasktype
    }
    
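A practitioner would want to confirm that a policy like the first one above denies exactly the cases it is meant to and nothing else, before it is deployed in front of the tasks endpoint. The following is an added example of a Rego test file for that policy; it is not part of the original page or of Armory's own code. It assumes the first policy is loaded unchanged under package spinnaker.http.authz alongside this file, and that both are run with `opa test`. The request objects are constructed here, modelled on the example payload above, and contain only the fields the policy reads. The syntax matches the page's policies (pre-OPA 1.0, no `if` keyword); on OPA 1.0 or later, add `if` after each rule head or `import rego.v1`.

```rego
package spinnaker.http.authz_test

import data.spinnaker.http.authz

# Constructed input modelled on the example payload: a non-admin user without
# the applicationCreators role submitting a createApplication task.
create_app_request := {
  "method": "POST",
  "path": ["tasks"],
  "body": {"job": [{"type": "createApplication", "user": "myUserName"}]},
  "user": {
    "isAdmin": false,
    "roles": [{"name": "productmanagers", "source": "GITHUB_TEAMS"}],
    "username": "myUserName",
  },
}

# Helper (hypothetical, defined here): swap in a different user object.
# object.union merges nested objects but replaces arrays, so the roles list
# is overwritten rather than appended to.
with_user(user) = req {
  req := object.union(create_app_request, {"user": user})
}

test_non_admin_without_role_is_denied {
  not authz.allow with input as create_app_request
  authz.message == "Your role lacks permissions to create new applications" with input as create_app_request
}

test_admin_is_allowed {
  req := with_user({"isAdmin": true, "roles": [], "username": "admin"})
  authz.allow with input as req
  authz.message == "" with input as req
}

test_application_creator_role_is_allowed {
  req := with_user({
    "isAdmin": false,
    "roles": [{"name": "applicationCreators", "source": "GITHUB_TEAMS"}],
    "username": "myUserName",
  })
  authz.allow with input as req
}

test_other_task_types_are_not_affected {
  # Same user, but the job is not a createApplication task, so the policy must not fire.
  req := object.union(create_app_request, {"body": {"job": [{"type": "deleteApplication", "user": "myUserName"}]}})
  authz.allow with input as req
}

test_other_endpoints_are_not_affected {
  # A GET with no body never matches createsTaskOfType, so the default empty message applies.
  authz.allow with input as {"method": "GET", "path": ["applications"], "user": create_app_request.user}
}
```

Run it with `opa test -v .` from a directory containing both the policy and this test file; every test should pass. The last two tests are the ones most often skipped and most worth keeping: a deny rule that accidentally matches every task type, or every request, silently turns a targeted control into an outage.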

Keys

Key                                                  Type    Description
input.body.application                               string  The name of the application being created.
input.body.description                               string  The description of the application being created.
input.body.job[].application.cloudProviders          string  The application's allowed cloud providers.
input.body.job[].application.description             string  The description of the application being created.
input.body.job[].application.email                   string  The email address of the owner of the application.
input.body.job[].application.instancePort            number  The instance port for the application (80 in the example payload).
input.body.job[].application.name                    string  The name of the application being created.
input.body.job[].application.permissions.EXECUTE[]   string  The list of roles that have execute permission on the application.
input.body.job[].application.permissions.READ[]      string  The list of roles that have read permission on the application.
input.body.job[].application.permissions.WRITE[]     string  The list of roles that have write permission on the application.
input.body.job[].application.repoProjectKey          string  The unique ID of the project in source control.
input.body.job[].application.repoSlug                string  The slug for the source code repository. Typically the repository's owner or organization ID.
input.body.job[].application.repoType                string  The type of source code repository the application is associated with.
input.body.job[].type                                string  The type of task being run; here, createApplication.
input.body.job[].user                                string  The ID of the user to run the job as.
input.method                                         string  The HTTP method by which the API is being called. When creating a task this is POST.
input.path[]                                         string  The API path of the request. When creating a new task this is the array ["tasks"].

input.user

This object describes the user performing the action and can be used to restrict actions by role, as the first example policy does. See the input.user reference for more information.


Last modified August 18, 2023: (02b163b7)