GoCD pipeline stage permission to users

SHWETHA H R

Sep 9, 2025, 3:50:46 AM
to go...@googlegroups.com
Hello,

We are trying to restrict users from triggering all the stages in a GoCD pipeline. We tried adding permission within the templates like below:
approval:
  type: success
  allow_only_on_success: false
  authorization:
    roles:
      - dev
      - qa
    users: []

This is forcing us to add operate permission on the pipeline groups for both qa and dev roles. If we add operate permission, then dev and qa groups are able to trigger any stage even though there is a restriction within the template stage permissions.

Please let me know if there is a way where we can restrict users to trigger only the required stages without giving operate access on the pipeline group.

Thank you,
Shwetha


Chad Wilson

Sep 9, 2025, 4:32:33 AM
to go...@googlegroups.com
Which plugin are you using to specify your pipelines? That syntax doesn't look valid for the GoCD Yaml plugin, so it's a bit hard to determine what is happening.

The permissions on an individual stage should overwrite anything from the pipeline group (as specified via the GoCD UI configuration) so what you are trying to do should be possible, so there is possibly an issue with your syntax.

Normally with the YAML plugin the syntax would look like the below, according to the docs.
approval:
  type: success
  allow_only_on_success: false
  roles:
    - dev
    - qa
  users: []

-Chad

SHWETHA H R

Sep 9, 2025, 4:54:29 AM
to go...@googlegroups.com
Hi Chad, 

We are creating these template yaml files inside our BitBucket and we have a job within GoCD to convert the template yaml to json format and then pass it to the API call to create a template.

Initially we created a template from the console and we fetched the json template using the API and then we converted that to yaml and started using the same yaml format for all the templates. That’s how we got this syntax for the template.

Regards, 
Shwetha

Chad Wilson

Sep 9, 2025, 5:32:47 AM
to go...@googlegroups.com
So does it work correctly with the different syntax I mentioned? Is the YAML you mentioned being directly processed by a GoCD YAML config repo? If so, your syntax is definitely wrong and will likely be ignoring the entire `authorization` block.

It's not possible for anyone else to debug your proprietary/manual conversion logic unless you provide exact steps to replicate, with specific APIs or UIs used.

The configuration repo plugin formats (YAML, JSON etc) are similar, but not the same as the JSON-based APIs so if you are trying to go:

GoCD UI-defined pipeline/template --> pipeline/template config API JSON --> manual YAML conversion --> yaml config repo -> GoCD

...you're going to have problems. It will need manual intervention/translation and review against docs. There are specific APIs/UIs to export UI-defined pipelines in a given 'config repo' format that do the necessary translations, but not possible to directly convert GoCD UI-defined templates, since they are not supported in config repo plugins.

-Chad

SHWETHA H R

Sep 9, 2025, 6:56:07 AM
to go...@googlegroups.com
I see the permissions are added in the template stages in the console with the syntax we have.

But it is not working as expected. It is forcing us to add the operate permission on the pipeline group.



SHWETHA H R

Sep 9, 2025, 7:01:47 AM
to go...@googlegroups.com
Attaching the screenshot of the template permission added using the yaml file.
Screenshot 2025-09-09 at 4.29.43 PM.png

Chad Wilson

Sep 9, 2025, 7:33:27 AM
to go...@googlegroups.com
Sorry, your pipeline modelling isn't very clear so it's very difficult to help. Please describe which configuration of roles you have in which locations and the expected vs actual behaviour, so I'm not guessing.

For my last guess, as the message you screenshot indicates, the "stage level" permissions can restrict further the permissions from the wider pipeline group, but you cannot entirely remove the pipeline group permissions; i.e dev and qa (and maybe some other roles) would need to have operate permissions for the entire group which means all pipeline stages that DO NOT have overridden stage permissions.

In other words, if you have a two-stage pipeline and want to have a user/role be able to trigger manual-approval stage 1 but NOT stage 2, you'd need to define manual approval permissions for every stage with different overridden roles (which exclude dev/qa) OR remodel the stages into multiple pipelines in different pipeline groups.
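
Added example, not part of the thread and not GoCD code: a small audit of the rule described in the last reply, showing which stages of a template stay open to every role with group operate permission because they carry no stage-level list. The function names, role names and sample template are constructed, and the narrowing rule is a simplified model of what the reply describes.

```python
# Added example: simplified model of the rule described in the thread,
# not GoCD code. Role names and the sample template are constructed.

def stage_roles(stage, group_operate_roles):
    """Roles that can trigger `stage` under the thread's model."""
    auth = stage.get("approval", {}).get("authorization", {})
    override = set(auth.get("roles") or [])
    has_override = bool(override or auth.get("users"))
    if not has_override:
        # No stage-level list: the stage inherits group operate permission.
        return set(group_operate_roles)
    # Assumption: a stage list narrows the group permission, never widens it.
    return override & set(group_operate_roles)

def effective_access(template, group_operate_roles):
    """Map each stage name to the sorted roles able to trigger it."""
    return {s["name"]: sorted(stage_roles(s, group_operate_roles))
            for s in template["stages"]}

def inherited_stages(template):
    """Stages with no override, i.e. open to every group operator."""
    out = []
    for s in template["stages"]:
        auth = s.get("approval", {}).get("authorization", {})
        if not (auth.get("roles") or auth.get("users")):
            out.append(s["name"])
    return out

# Constructed sample in the API-style shape quoted in the first message.
TEMPLATE = {"stages": [
    {"name": "build", "approval": {"type": "success"}},
    {"name": "deploy-qa", "approval": {"type": "manual",
        "authorization": {"roles": ["dev", "qa"], "users": []}}},
    {"name": "deploy-prod", "approval": {"type": "manual",
        "authorization": {"roles": ["release"], "users": []}}},
]}
GROUP_OPERATE = ["dev", "qa", "release"]

if __name__ == "__main__":
    for name, roles in effective_access(TEMPLATE, GROUP_OPERATE).items():
        print(f"{name}: {', '.join(roles)}")
    print("inherits group operate:", inherited_stages(TEMPLATE))
```

Any stage returned by `inherited_stages` is one that dev and qa can trigger as soon as they hold operate on the group, which is the behaviour reported in the first message.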
