Closed (minsis closed this 3 years ago)
RBAC is primarily checked within st2api (not the auth container), so enabling/disabling rbac only requires restarting the st2api component.
During runtime, all of the RBAC checks query mongo, not the rbac files. Those files are loaded into mongo via the st2-apply-rbac-definitions tool: https://docs.stackstorm.com/rbac.html#enabling-rbac
So, you only need the rbac files on one or more pods tasked with running st2-apply-rbac-definitions.
Ok. So it still might benefit from adding this volume to the api container and the client container to allow for making changes. As of now, because the api container uses st2 as the user, you can't really directly log into the container and add these files without knowing the st2 password.
drwxr-xr-x 1 root root 4096 Feb 23 19:15 ..
st2@e739f45ea28d:/opt/stackstorm$ touch rbac/asdf.yaml
touch: cannot touch 'rbac/asdf.yaml': Permission denied
You only need it in the api container if you want to run st2-apply-rbac-definitions there. Just in the st2client container would probably be fine, assuming that container can access mongo directly.
Technical FYI if you want to try "to add a proper interface component":
st2-apply-rbac-definitions
bin: https://github.com/StackStorm/st2-rbac-backend/blob/master/bin/st2-apply-rbac-definitions
code: https://github.com/StackStorm/st2-rbac-backend/blob/master/st2rbac_backend/cmd/apply_rbac_definitions.py

I've added a PR for this if someone could review it.
Is your feature request related to a problem? Please describe.
With 3.4 arriving I've been testing the dev version in docker. RBAC is included in this version but requires files (roles, users, etc.) in order for this to function. Right now there is no place to host and manage these files for the containers that need them.
Describe the solution you'd like
I was thinking maybe it would be a good idea to add a static rbac volume to host all these files and share it between the relevant containers. I just don't know which containers need to access these files outside of the auth container.
If these containers are identified I'm happy to push a 3.4 branch with these changes.
Describe alternatives you've considered
The other alternative is outside the scope of this repo, which is to add a proper interface component to manage rbac features.
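As an added illustration of the shared volume proposed above and of the loading path described in the first comment (files on disk, loaded into mongo by st2-apply-rbac-definitions, enforced by st2api), here is a docker-compose fragment plus a minimal role and assignment. This is example configuration, not code from the st2-docker repo; the service name "st2client", the image tag and the user "alice" are assumptions, while the mount path /opt/stackstorm/rbac and the definition layout follow the StackStorm RBAC docs linked in the thread.

```yaml
# Added example, not from the st2-docker repo: a host-backed "rbac" directory
# mounted into the one container that will run st2-apply-rbac-definitions.
# Service name "st2client" and the image tag are assumptions.
services:
  st2client:
    image: stackstorm/st2client:3.4.0    # assumed tag
    volumes:
      # Neither st2api nor st2auth reads these files at runtime (every RBAC
      # check queries mongo), so only the container that loads them needs
      # the mount, and it only needs to read them.
      # The host directory must be readable by the uid the container runs as
      # (the "st2" user); otherwise the tool fails with "Permission denied",
      # the same error seen when touching files in /opt/stackstorm/rbac.
      - ./rbac:/opt/stackstorm/rbac:ro
---
# ./rbac/roles/core_viewer.yaml : a least-privilege, read-only role
name: "core_viewer"
description: "Can view actions and rules in the core pack, cannot execute them"
permission_grants:
  - resource_uid: "pack:core"
    permission_types:
      - "action_view"
      - "rule_view"
---
# ./rbac/assignments/alice.yaml : bind the role to a (constructed) user
username: "alice"
roles:
  - "core_viewer"
# Load the definitions into mongo; st2api enforces them on subsequent checks:
#   docker-compose exec st2client st2-apply-rbac-definitions
```

Mounting the directory read-only means a compromised process in the container can view but not rewrite role grants; edits happen on the host and are then re-applied with the tool.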