| Status | Proposed, Accepted, Implemented, Obsolete |
| RFC # | spinnaker/deck#8368 |
| Author(s) | Sanjeev Thatiparthi (@sanopsmx) (https://github.com/sanopsmx) |
| SIG / WG | sig-ux |
Display all the roles of the user added in the application in the manual judgment stage.If there are 2 groups(dev,qa) and qa group has the permission to deploy.If there is a manual judgment stage before the deploy stage.If there are no groups attached to the manual judgment stage, then dev group can continue with the manual judgment stage and get failed at the deploy stage as only qa group has the permission to deploy. This is the reason we are displaying all the roles of the application. This is a usability feature.
Display authorized groups dropdown list only when the user selects the manual judgment stage. Display all the groups the user has selected while creating application(permissions) in the authorized groups dropdown. When the pipeline is executed, disable the manual judgment 'continue/cancel' based on the user role selected in the authorized groups.
opsmxemp1 : ["mail-qa","sra-dev","mail-dev","sra-qa","empdev"]
| Testcase No. | Application Name | Application Roles | Application Permissions | Manual Judgment Roles | User | Result |
|---|---|---|---|---|---|---|
| 1 | testmanualjud001 | sra-dev,sra-qa | sra-dev(r,w,e),sra-qa(r) | sra-dev | opsmxemp1 | Enable Button |
| 2 | testmanualjud002 | N.A | ---- | N.A | opsmxemp1 | Enable Button |
| 3 | testmanualjud003 | sra-dev,sra-qa | sra-dev(r,w,e),sra-qa(r) | N.A | opsmxemp1 | Enable Button |
| 4 | testmanualjud004 | sra-dev,sra-qa,mail-dev,mail-qa,emp-dev,finance | sra-dev(r),sra-qa(r),mail-dev(r,w,e),mail-qa(r),emp-dev(r),finance(r) | sra-qa,mail-dev,finance | opsmxemp1 | Enable Button |
| 5 | testmanualjud005 | sra-dev,mail-qa,operations | sra-dev(r),mail-qa(r),operations(r,w,e) | operations | opsmxemp1 | Disable Button |
| 6 | testmanualjud006 | sra-dev,mail-qa | sra-dev(r),mail-qa(r,w,e) | sra-dev | opsmxemp1 | Disable Button |
User can opt out of this feature as stated in the testcase 2 & 3. If authz is not enabled, it will work in the same way. The above test cases will handle all the test scenarios. If the role is set in the manual judgment stage, then we check the stage role both in the application roles and user roles. If yes,we check for application permissions of that role. If yes(stage role has execute/write/create application permission), we can approve and move to the downstream stage, if no(stage role has read application permission), then we deny (disable the continue button in the manual judgment stage).If the pipeline is triggered from command line, then the backend orca code checks the same above mentioned logic.If yes,we approve and moves to the downstream stage , if no, then we deny(It will be running in the same stage).
Only legitimate users can approve the manual judgment stage so that it can be moved to downstream stages.
Already Implemented
-
Enhanced stage.html to
Get the roles of the application. Display the roles of the application as a list only if the stage is Manual Judgment.
-
Enhanced stage.module.js to
Fetch the permissions of the application from the gate application url. Application permissions has all the roles. Populate the list with only the roles of the application with no duplicates.
-
Enhanced ApplicationReader.ts to
Fetch the permissions of the application from the gate application url.
- Enhanced ManualJudgmentApproval.tsx to
Fetch the roles of the application, stage and the user during the execution. Iterate through each of the user role to check if the role exists in the stage and application. We also check for stage role application permission. If the stage role has execute/write/create application permission, then enable the continue button. If the stage role has read application permission, then disable the continue button.
-
Enhanced OperationsController.groovy to
Get the application roles, stage roles and the user roles. Check each of the user roles whether they are contained in the stage and application roles. We also check for stage role application permission. If the stage role has execute/write/create application permission, then we set the isAuthorized flag to true. If the stage role has read application permission, then we set the isAuthorized flag to false. By default, all the stages except Manual Judgment are true.
-
Enhanced ManualJudgmentStage.groovy to
Check for the flag in ManualJudgmentStage.groovy whether to execute to the next stage or not. If yes/no, continue with the next stages/continues running the same stage.
-
Enhanced ManualJudgmentStageSpec.groovy to
Modified the testcases as per the new logic.