____ _ ____ __ ___ _ ______ _ / __/(_)__ __ / _// /_ / _ | ___ _ ___ _ (_)___ /_ __/____ ___ _ _ __ (_)___ / _/ / / \ \ / _/ / / __/ / __ |/ _ `// _ `// // _ \ _ / / / __// _ `/| |/ // /(_-< /_/ /_/ /_\_\ /___/ \__/ /_/ |_|\_, / \_,_//_//_//_/( ) /_/ /_/ \_,_/ |___//_//___/ /___/ |/
Fiat is the authorization server for the Spinnaker system.
It exposes a RESTful interface for querying the access permissions for a particular user. It currently supports three kinds of resources:
Accounts are setup within Clouddriver and queried by Fiat for its configured
Applications are the combination of config metadata pulled from Front50 and server group names (e.g., application-stack-details). Application permissions sit beside application configuration in S3/Google Cloud Storage.
Fiat Service Accounts are groups that act as a user during automated triggers (say, from a GitHub push or Jenkins build). Authorization is built in by making the service account a member of a group specified in
Currently supported user role providers are:
By default, Fiat is built with all authorization providers included. To build only a subset of
providers, use the
./gradlew -PincludeProviders=google-groups,ldap clean build
You can view the list of all providers in
To start the JVM in debug mode, set the Java system property
The JVM will then listen for a debugger to be attached on port 7103. The JVM will not wait for the debugger
to be attached before starting Fiat; the relevant JVM arguments can be seen and modified as needed in