EWC OSS: RBAC assignments and definitions integration

[arm4b]

Per https://stackstorm.com/2020/05/27/extreme-networks-donates-ewc-to-linux-foundation/ Extreme Networks open-sourced EWC (previously StackStorm Enterprise).

Old scripted EWC-installer provided some default RBAC assignments/definitions and automation steps to enable RBAC: https://github.com/extremenetworks/ewc-installer/blob/4ac4c34073998c5ffd8e6d746b7e0cb9b3b5d346/scripts/bwc-installer-deb.sh#L200-L228

We need to decide what to do with this in a new environment to provide safe and transition-friendly defaults.

• Should we enable RBAC by default in every new StackStorm installation and add RBAC assignments/definitions? How it will affect old st2 users? Any side effects when RBAC is restrictive by default?
• Should we add assignments/definitions files by deb/rpm packaging or only via scripted installer as specific deployment? Note: Helm and Ansible which currently are the only deployment methods to configure Enterprise create and configure these RBAC settings themselves.

[amanda11]

Some discussion held on this in the November TSC meeting - suggestion was that RBAC should be disabled on new installations so that it isn't enabled by default, as many of community may not want it. It could be installed, but with RBAC disabled. Suggested for instance that instead of the --license parameter on the deployers, you could have an rbac parameter and if specified that this would enable rbac, otherwise it would be installed but not enabled.

[arm4b]

The current state is that the instructions are documented in the https://docs.stackstorm.com/rbac.html#enabling-rbac so users can enable the RBAC and configure definitions/assignments manually.

However, some of the deployments like Ansible, Kubernetes, Docker, Puppet go further and provide configuration for ease of use.

That looks like a well-established good enough state. Closing the issue.