package proto.security.authz

Get desktop application:
View/edit binary Protocol Buffers messages

Configuration for what resources users of Spinnaker can read and modify.

Used in: config.Fiat, Security

• optional google.protobuf.BoolValue enabled = 1

  Whether Spinnaker's role-based authorization is enabled.

• optional GroupMembership groupMembership = 2

  Configuration role providers that map users to groups.

Configuration for the file-based role provider.

Used in: GroupMembership

• string path = 1

  A path to a file describing the roles of each user.

Configuration for the GitHub role provider.

Used in: GroupMembership

• string baseUrl = 1

  Used if using GitHub enterprise some other non github.com GitHub installation.

• string accessToken = 2

  A personal access token of an account with access to your organization's GitHub Teams structure.

• string organization = 3

  The GitHub organization under which to query for GitHub Teams.

Configuration for the Google role provider.

Used in: GroupMembership

• string credentialPath = 1

  A path to a valid json service account that can authenticate against the Google role provider.

• string adminUsername = 2

  Your role provider's admin username e.g. admin@myorg.net.

• string domain = 3

  The domain your role provider is configured for e.g. myorg.net.

Configuration role providers that map users to groups.

Used in: Authorization

• GroupMembership.RoleProviderType service = 1

  Configuration for which role provider to use for authorization decisions. Each role provider has a corresponding field; configuration specific to the role provider you are using should be added to the appropriate field.

• optional GoogleRoleProvider google = 2

  Configuration for the Google role provider.

• optional GithubRoleProvider github = 3

  Configuration for the GitHub role provider.

• optional FileRoleProvider file = 4

  Configuration for the file-based role provider.

• optional LdapRoleProvider ldap = 5

  Configuration for the LDAP role provider.

Configuration for which role provider to use for authorization decisions.

Used in: GroupMembership

• UNSPECIFIED = 0

  Unspecified. Do not directly use, instead omit the field.

• FILE = 1

  File-based role provider.

• GOOGLE = 2

  Google role provider.

• GITHUB = 3

  GitHub role provider.

• LDAP = 4

  LDAP role provider.

Configuration for the LDAP role provider.

Used in: GroupMembership

• string url = 1

  ldap:// or ldaps:// url of the LDAP server.

• string managerDn = 2

  The manager user's distinguished name (principal) to use for querying LDAP groups.

• string managerPassword = 3

  The manager user's password to use for querying LDAP groups.

• string userDnPattern = 4

  The pattern for finding a user's DN using simple pattern matching. For example, if your LDAP server has the URL ldap://mysite.com/dc=spinnaker,dc=org, and you have the pattern 'uid={0},ou=members', 'me' will map to a DN uid=me,ou=members,dc=spinnaker,dc=org. If no match is found, will try to find the user using -user-search-filter, if set.

• string userSearchBase = 5

  The part of the directory tree under which user searches should be performed. If -user-search-base isn't supplied, the search will be performed from the root.

• string groupSearchBase = 6

  The part of the directory tree under which group searches should be performed.

• string userSearchFilter = 7

  The filter to use when searching for a user's DN. Will search either from -user-search-base (if specified) or root for entries matching the filter.

• string groupSearchFilter = 8

  The filter which is used to search for group membership. The default is 'uniqueMember={0}', corresponding to the groupOfUniqueMembers LDAP class. In this case, the substituted parameter is the full distinguished name of the user. The parameter '{1}' can be used if you want to filter on the login name.

• string groupRoleAttributes = 9

  The attribute which contains the name of the authority defined by the group entry. Defaults to 'cn'.