[RFC] "action_execute" should also grant "execution_view" on all the corresponding executions

[Kami]

Closes #23

This pull request updates RBAC resolvers code and updates it so now action_execute permission either on the action directly or on a pack, implicitly grants execution_view permission for all the executions which belong to that particular action (or to all the actions which belong to a particular pack).

This was implemented, because of the discussion in #23.

It's worth noting that this is not a bug fix.

This is a new functionality / change of behavior which has security implications (see my comment here https://github.com/extremenetworks/st2-enterprise-rbac-backend/issues/23#issuecomment-521204374).

---

I think that change is reasonable since we already have some other implicit grants in other places, but it could surprise users so it's important all the implications are documented.

With this change, if user A has action_execute permission on Action 1, that user will also be able to view all the executions for that action, even the ones which are triggered by other users if rbac.permission_isolation is not enabled (it's disabled by default).

I personally think that's a reasonable behavior (since it's already the case for execution_re_run and execution_stop), but we should probably also enable rbac.permission_isolation by default at some point in the future.

What do others think?

TODO

• [ ] Document this change of behavior in upgrade notes, add a note on user resource permission isolation
• [ ] Document this behavior in the RBAC docs

[blag]

@armab Was this merged in somewhere or no?

[arm4b]

I think deleting the branch closed this PR automatically. Let me restore it.

With that, not sure if I feel lucky enough to merge this PR after 1yr of stale.

[cognifloyd]

I merged in master. But, CI is out-of-date so bumping to 3.8.0 milestone.

[CLAassistant]

All committers have signed the CLA.