feat(api): Allow access to unknown applications when legacyFallback=t…

…rue (#375) Recent testing of our legacy fallback support did not actually work correctly when `fiat` was unavailable. The original intention of `legacyFallback: true` was to support a fallback to the authorization model that existed pre-fiat. This model only supported WRITE restricted accounts and expected that the authorization context was propagated between services with the `X-SPINNAKER-*` headers. This PR is an attempt to do a better job for manually triggered pipelines (which should have some accounts specified) as well as read operations performed via the UI. It does not yet tackle anything related to cron-triggered pipelines.
spinnaker · Apr 17, 2019 · 38a59e2 · 38a59e2
1 parent 28db241
commit 38a59e2
Showing 1 changed file with 1 addition and 5 deletions.
diff --git a/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java b/fiat-api/src/main/java/com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.java
@@ -232,7 +232,7 @@ public UserPermission.View getPermission(String username) {
                             .map(a -> new Account().setName(a))
                             .collect(Collectors.toSet())
                     )
-            ).setLegacyFallback(true);
+            ).setLegacyFallback(true).setAllowAccessToUnknownApplications(true);
           }
         }).call();
       });
@@ -255,10 +255,6 @@ public UserPermission.View getPermission(String username) {
       id = id.withTag("legacyFallback", legacyFallback.get());
     }
 
-    if (legacyFallback.get()) {
-      permissionsCache.invalidate(username);
-    }
-
     registry.counter(id).increment();
 
     return view;