Chained Pipelines authorization mechanism limiting user's ability to execute Pipeline
long-term
Literary Toucan
We have a pipeline "create_eks_environment" in project "eks_management". It has a chained pipeline in it "load_flipper_features_eks" in project "basis_dev".
A user who has execute access in eks_management triggered create_eks_environment and then received an error "User not Authorized: Missing permission core_pipeline_execute on pipeline with identifier load_flipper_features_eks".
We might create pipelines in one project for people to execute, but they may chain pipelines from many other projects. It is impractical and undesirable for us to grant full execute permissions for every single person to every single project.
Canny AI
Merged in a post:
add chained pipeline RBAC alternative
New Cricket
We request the option/ability to execute a particular chained pipeline where the executor does not need to have the usual explicit permissions to execute it. This use case is primarily relevant for triggering a provisioning pipeline across projects, so the executor would need temporary access to connectors, secrets, etc., that they normally would not have, in order to self-service provision entities and resources.
Scenario:
As a platform team, I would like to allow app teams to provision resources, TF workspaces etc. via Harness pipelines. The app teams have their own Harness projects - because the pipelines require elevated access, I cannot explicitly grant app teams permissions to use the secrets and connectors required (even via specific resource group scoping), as this can lead to misuse of these secrets and connectors, and these provisioning pipelines will live in a locked project (e.g. provisioning) that the app teams will not have access to. I also cannot simply use a trigger, as the app team would like to provision + then use some outputs from the provisioning pipeline in a following stage, leading to pipeline chaining.
Currently, the only way to achieve this is via an IDP workflow + a service account that can access both projects (provisioning + app team), where:
- the IDP workflow triggers a pipeline in the app team project (not provisioning)
- the app team pipeline's first stage is a pipeline chaining stage that points to the provisioning pipeline
- the 2nd stage can then use the first stage's outputs
This is a fairly complex setup that also means the pipeline has to be configured with selective stage executions to allow for re-runs - otherwise the pipeline can only really be fired by IDP, or an admin. The feature request would loosen this such that a pipeline chain stage can allow executors to provide just
- pipeline name/location
- inputs and outputs
and not have to worry about RBAC and allow re-use of the pipeline logic from the platform team.
Canny AI
Merged in a post:
Permission check before start of the pipelines
Neon green Lungfish
Currently, if a user without the necessary environment permission access attempts to execute the pipeline, they are able to execute the pipeline, and later the execution of the pipeline fails with a permission error.
We propose implementing a permission check at the beginning of the pipeline. This check will ensure that users without the required access cannot initiate the pipeline, thus preventing execution failures and saving time.
Prasad Satam
long-term
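The permission check before start proposed in the last post, applied to the chained pipeline from the first post, as an added example that is not Harness code and not from any of the posters. The data model, the `preflight` and `can_start` functions, and the user names are hypothetical; only the pipeline, project and permission identifiers come from the page, and only the pipeline execute permission is modelled.

```python
# Hypothetical model, not Harness's API: pipelines and grants are constructed sample data.
from collections import deque

EXECUTE = "core_pipeline_execute"  # permission name quoted in the error on this page

# Constructed: pipeline identifier -> (project, identifiers of chained pipelines)
PIPELINES = {
    "create_eks_environment": ("eks_management", ["load_flipper_features_eks"]),
    "load_flipper_features_eks": ("basis_dev", []),
}

# Constructed: user -> set of (permission, project) grants
GRANTS = {
    "app_dev": {(EXECUTE, "eks_management")},
    "platform_admin": {(EXECUTE, "eks_management"), (EXECUTE, "basis_dev")},
}


def preflight(user, root, pipelines=PIPELINES, grants=GRANTS):
    """Walk the whole chain from `root` and return every missing permission.

    Nothing is executed. The result is a list of
    (permission, pipeline identifier, project) tuples, empty when authorized.
    """
    held = grants.get(user, set())
    missing, seen, queue = [], set(), deque([root])
    while queue:
        ident = queue.popleft()
        if ident in seen:  # a pipeline reachable twice (or a cycle) is checked once
            continue
        seen.add(ident)
        if ident not in pipelines:  # dangling chain reference: fail closed
            missing.append((EXECUTE, ident, None))
            continue
        project, chained = pipelines[ident]
        if (EXECUTE, project) not in held:
            missing.append((EXECUTE, ident, project))
        queue.extend(chained)
    return missing


def can_start(user, root):
    """Gate for the executor: start only when the full chain is authorized."""
    return not preflight(user, root)
```

Reporting the full list up front lets the user request every missing grant at once instead of discovering them one failed run at a time.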