StackStorm / st2-docker

StackStorm docker-compose deployment
https://docs.stackstorm.com/install/docker.html
Apache License 2.0

3.4 rbac drive addition #219

Closed minsis closed 3 years ago

minsis commented 3 years ago

Is your feature request related to a problem? Please describe. With 3.4 arriving I've been testing the dev version in docker. RBAC is included in this version but requires files (roles, users, etc.) in order for this to function. Right now there is no place to host and manage these files for the containers that need them.

Describe the solution you'd like I was thinking maybe it would be a good idea to add a static rbac volume to host all these files, shared between the relevant containers. I just don't know which containers need to access these files outside of the auth container.

If these containers are identified I'm happy to push a 3.4 branch with these changes.

Describe alternatives you've considered The other alternative, which is outside the scope of this repo, is to add a proper interface component to manage rbac features.

cognifloyd commented 3 years ago

RBAC is primarily checked within st2api (not the auth container), so enabling/disabling rbac only requires restarting the st2api component.

During runtime, all of the RBAC checks query mongo, not the rbac files. Those files are loaded into mongo via the st2-apply-rbac-definitions tool: https://docs.stackstorm.com/rbac.html#enabling-rbac

So, you only need the rbac files on one or more pods tasked with running st2-apply-rbac-definitions.

minsis commented 3 years ago

Ok. So it still might benefit from adding this volume to the api container and the client container to allow for making changes. As of now, because the api container uses st2 as the user, you can't really directly log into the container and add these files without knowing the st2 password.

drwxr-xr-x 1 root root 4096 Feb 23 19:15 ..
st2@e739f45ea28d:/opt/stackstorm$ touch rbac/asdf.yaml
touch: cannot touch 'rbac/asdf.yaml': Permission denied

cognifloyd commented 3 years ago

You only need it in the api container if you want to run st2-apply-rbac-definitions there. Just in the st2client container would probably be fine, assuming that container can access mongo directly.

Technical FYI if you want to try "to add a proper interface component":
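The shared rbac volume discussed above, as an added example that is not part of this thread or the st2-docker project: a compose override that bind-mounts a host directory at /opt/stackstorm/rbac (read/write on st2client, where st2-apply-rbac-definitions would be run, read-only on st2api, which only needs it if the tool is run there), followed by a role definition and a user assignment in the layout st2-apply-rbac-definitions loads. The service names st2client and st2api, the host path ./rbac, and the role, user and file names are assumptions.

```yaml
# Added example, not from the st2-docker repo or this thread.
# Assumed file: docker-compose.override.yml
version: "3"
services:
  st2client:
    volumes:
      # Editable from the host, so no need for the st2 user's password inside
      # the container; st2-apply-rbac-definitions only reads this tree.
      - ./rbac:/opt/stackstorm/rbac
  st2api:
    volumes:
      # Runtime RBAC checks query mongo, not these files, so read-only is enough
      # here and keeps a compromised api process from rewriting role definitions.
      - ./rbac:/opt/stackstorm/rbac:ro

# Assumed file: ./rbac/roles/core_operator.yaml (role names are assumptions)
---
name: core_operator
description: "Can view and run actions in the core pack, and list actions globally"
permission_grants:
  # Pack-scoped grant: limited to resources under the core pack.
  - resource_uid: "pack:core"
    permission_types:
      - action_view
      - action_execute
  # Global grant (no resource_uid): applies to all actions.
  - permission_types:
      - action_list

# Assumed file: ./rbac/assignments/alice.yaml (user name is an assumption)
---
username: alice
roles:
  - core_operator
```

RBAC still has to be enabled in st2.conf ([rbac] enable = True) with st2api restarted, as noted above; after that, `docker-compose exec st2client st2-apply-rbac-definitions` loads the files into mongo.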

minsis commented 3 years ago

I've added a PR for this if someone could review it.