Open Kami opened 5 years ago
@armab Was this merged in somewhere or no?
I think deleting the branch closed this PR automatically. Let me restore it.
With that, not sure if I feel lucky enough to merge this PR after 1yr of stale.
I merged in master. But, CI is out-of-date so bumping to 3.8.0 milestone.
Closes #23
This pull request updates RBAC resolvers code and updates it so now `action_execute` permission either on the action directly or on a pack, implicitly grants `execution_view` permission for all the executions which belong to that particular action (or to all the actions which belong to a particular pack). This was implemented because of the discussion in #23.
It's worth noting that this is not a bug fix.
This is a new functionality / change of behavior which has security implications (see my comment here https://github.com/extremenetworks/st2-enterprise-rbac-backend/issues/23#issuecomment-521204374).
I think that change is reasonable since we already have some other implicit grants in other places, but it could surprise users so it's important all the implications are documented.
With this change, if user A has `action_execute` permission on Action 1, that user will also be able to view all the executions for that action, even the ones which are triggered by other users if `rbac.permission_isolation` is not enabled (it's disabled by default). I personally think that's a reasonable behavior (since it's already the case for `execution_re_run` and `execution_stop`), but we should probably also enable `rbac.permission_isolation` by default at some point in the future. What do others think?
TODO
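To make the security implication of the described implicit grant concrete, here is an added illustration (not code from this PR or from the st2 RBAC backend) that models the resolver behavior the description outlines: `action_execute` granted on an action or on its pack implies `execution_view` on every execution of that action, and `rbac.permission_isolation` restricts non-admin users to executions they triggered themselves. The `User`, `Action`, `Execution` classes, the `grants` tuple format and the function names are assumptions made for this model only.

```python
from dataclasses import dataclass, field

# Hypothetical data model for the illustration; not st2's own classes.
@dataclass(frozen=True)
class Action:
    ref: str  # fully qualified "pack.action_name"

    @property
    def pack(self) -> str:
        return self.ref.split(".", 1)[0]


@dataclass(frozen=True)
class Execution:
    id: str
    action: Action
    user: str  # user who triggered the execution


@dataclass
class User:
    name: str
    is_admin: bool = False
    # Explicit grants as (permission_type, resource_uid) pairs, e.g.
    # ("action_execute", "action:examples.echo") or ("action_execute", "pack:examples").
    grants: set = field(default_factory=set)


def has_action_permission(user: User, action: Action, permission: str) -> bool:
    """Grant on the action itself, or on the pack that contains it."""
    return ((permission, f"action:{action.ref}") in user.grants
            or (permission, f"pack:{action.pack}") in user.grants)


def can_view_execution(user: User, execution: Execution,
                       permission_isolation: bool = False) -> bool:
    """Resolve execution_view, including the implicit grant from action_execute.

    permission_isolation models rbac.permission_isolation: when enabled, a
    non-admin user may only view executions they triggered themselves.
    """
    if user.is_admin:
        return True
    if permission_isolation and execution.user != user.name:
        return False
    # Explicit execution_view grant on this execution.
    if ("execution_view", f"execution:{execution.id}") in user.grants:
        return True
    # Implicit grant: action_execute on the action (or its pack) implies
    # execution_view on all executions of that action.
    return has_action_permission(user, execution.action, "action_execute")


def demo() -> dict:
    """Constructed scenario from the PR description: user A has action_execute
    on Action 1; user B triggered an execution of it."""
    action1 = Action(ref="examples.action1")
    user_a = User(name="user_a", grants={("action_execute", "action:examples.action1")})
    exec_by_b = Execution(id="exec-1", action=action1, user="user_b")
    exec_by_a = Execution(id="exec-2", action=action1, user="user_a")
    return {
        # isolation disabled (the default): A sees B's execution via the implicit grant
        "isolation_off_other_user": can_view_execution(user_a, exec_by_b, False),
        # isolation enabled: A is limited to executions A triggered
        "isolation_on_other_user": can_view_execution(user_a, exec_by_b, True),
        "isolation_on_own": can_view_execution(user_a, exec_by_a, True),
        # a pack-level grant also implies execution_view for actions in that pack
        "pack_grant": can_view_execution(
            User(name="user_c", grants={("action_execute", "pack:examples")}), exec_by_b),
        # no grant at all
        "no_grant": can_view_execution(User(name="user_d"), exec_by_b),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The `isolation_off_other_user` case is the one the description calls out: with the default configuration, `action_execute` on Action 1 is enough to read executions of that action triggered by other users, which is why documenting the implication (and reconsidering the default for `rbac.permission_isolation`) matters.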