StackStorm / st2-rbac-backend

RBAC backend for StackStorm (previously part of EWC aka StackStorm Enterprise)
https://docs.stackstorm.com/latest/rbac.html
Apache License 2.0

500 on actionalias help endpoint with action_alias_help permission grant #47

Open dubi0us opened 3 years ago

dubi0us commented 3 years ago

Calling the action alias help endpoint results in a 500 when RBAC is enabled and the action_alias_help permission grant is specified in a role.

St2 version: st2 3.3.0, on Python 3.6.8

OS: CentOS Linux release 8.2.2004 (Core)

RBAC: master branch

Role: chatbot.yaml

---
name: "chatbot"
description: "Mr. Chatbot"
enabled: true
permission_grants:
  - resource_uid: "action:packs:show"
    permission_types:
      - "action_execute"
  - permission_types:
      - "action_list"
      - "rule_list"
      - "action_alias_help"

assignment: bot.yaml

---
username: "bot"
roles:
- "chatbot"

st2api.log:

2021-02-08 15:24:46,700 140311874581616 INFO logging [-] f9a6d8e1-17c6-4fcc-8615-f01b8dc204e2 - GET /v1/actionalias/help with query={'x-auth-token': '********'} (method='GET',path='/v1/actionalias/help',remote_addr='127.0.0.1',query={'x-auth-token': '********'},request_id='f9a6d8e1-17c6-4fcc-8615-f01b8dc204e2')
2021-02-08 15:24:46,714 140311874581616 ERROR router [-] Failed to call controller function "help" for operation "st2api.controllers.v1.actionalias:action_alias_controller.help": 'NoneType' object has no attribute 'name'
Traceback (most recent call last):
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2common/router.py", line 516, in __call__
    resp = func(**kw)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/v1/actionalias.py", line 105, in help
    aliases_resp = super(ActionAliasController, self)._get_all(**kwargs)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/resource.py", line 564, in _get_all
    requester_user=requester_user)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/resource.py", line 184, in _get_all
    limit = validate_limit_query_param(limit=limit, requester_user=requester_user)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/resource.py", line 625, in validate_limit_query_param
    user_is_admin = rbac_utils.user_is_admin(user_db=requester_user)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2_rbac_backend-3.4.dev0-py3.6.egg/st2rbac_backend/utils.py", line 194, in user_is_admin
    is_system_admin = RBACUtils.user_is_system_admin(user_db=user_db)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2_rbac_backend-3.4.dev0-py3.6.egg/st2rbac_backend/utils.py", line 214, in user_is_system_admin
    return RBACUtils.user_has_role(user_db=user_db, role=SystemRole.SYSTEM_ADMIN)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2_rbac_backend-3.4.dev0-py3.6.egg/st2rbac_backend/utils.py", line 232, in user_has_role
    user_role_dbs = rbac_service.get_roles_for_user(user_db=user_db)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2_rbac_backend-3.4.dev0-py3.6.egg/st2rbac_backend/service.py", line 87, in get_roles_for_user
    queryset = UserRoleAssignment.query(user=user_db.name)
AttributeError: 'NoneType' object has no attribute 'name'
2021-02-08 15:24:46,715 140311874581616 ERROR error_handling [-] API call failed: 'NoneType' object has no attribute 'name'
Traceback (most recent call last):
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2common/middleware/error_handling.py", line 49, in __call__
    return self.app(environ, start_response)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2common/middleware/streaming.py", line 48, in __call__
    return self.app(environ, start_response)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2common/router.py", line 599, in as_wsgi
    resp = self(req)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2common/router.py", line 524, in __call__
    raise e
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2common/router.py", line 516, in __call__
    resp = func(**kw)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/v1/actionalias.py", line 105, in help
    aliases_resp = super(ActionAliasController, self)._get_all(**kwargs)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/resource.py", line 564, in _get_all
    requester_user=requester_user)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/resource.py", line 184, in _get_all
    limit = validate_limit_query_param(limit=limit, requester_user=requester_user)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/resource.py", line 625, in validate_limit_query_param
    user_is_admin = rbac_utils.user_is_admin(user_db=requester_user)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2_rbac_backend-3.4.dev0-py3.6.egg/st2rbac_backend/utils.py", line 194, in user_is_admin
    is_system_admin = RBACUtils.user_is_system_admin(user_db=user_db)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2_rbac_backend-3.4.dev0-py3.6.egg/st2rbac_backend/utils.py", line 214, in user_is_system_admin
    return RBACUtils.user_has_role(user_db=user_db, role=SystemRole.SYSTEM_ADMIN)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2_rbac_backend-3.4.dev0-py3.6.egg/st2rbac_backend/utils.py", line 232, in user_has_role
    user_role_dbs = rbac_service.get_roles_for_user(user_db=user_db)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2_rbac_backend-3.4.dev0-py3.6.egg/st2rbac_backend/service.py", line 87, in get_roles_for_user
    queryset = UserRoleAssignment.query(user=user_db.name)
AttributeError: 'NoneType' object has no attribute 'name' (_exception_class='AttributeError',_exception_message="'NoneType' object has no attribute 'name'",_exception_data={})
2021-02-08 15:24:46,715 140311874581616 INFO logging [-] f9a6d8e1-17c6-4fcc-8615-f01b8dc204e2 - 500 46 15.714ms (method='GET',path='/v1/actionalias/help',remote_addr='127.0.0.1',status=500,runtime=15.714,content_length=46,request_id='f9a6d8e1-17c6-4fcc-8615-f01b8dc204e2')

Endpoint: GET /api/v1/actionalias/help (using username/password and an auth token).

Result: 500: {'faultstring': 'Internal Server Error'}

blag commented 3 years ago

I can confirm this bug when using err-stackstorm.

pamelin commented 1 year ago

This still seems to be an issue with st2 3.7, err-stackstorm and RBAC enabled.

Regardless of the bot, even if I hit directly

Endpoint: GET /api/v1/actionalias/help

it throws a 500 (with RBAC enabled, using the system user).

So the issue is not with RBAC in itself but with st2api.

https://github.com/StackStorm/st2/blob/master/st2api/st2api/controllers/v1/actionalias.py#L102
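The traceback in the first post and the controller line linked above describe the same chain: the help handler calls `_get_all` without passing `requester_user`, `validate_limit_query_param` asks the RBAC backend whether that (now None) user is an admin before it even looks at `limit`, and `get_roles_for_user` dereferences `user_db.name`. The following is an added illustration written for this thread, not code from st2 or st2-rbac-backend; the function bodies, the role table and the `fail_closed` switch are assumptions that model the call chain, and it contrasts the crashing path with a fail-closed check and a controller that forwards the user.

```python
from typing import Optional

# Constructed role table standing in for UserRoleAssignment documents.
ROLE_ASSIGNMENTS = {"bot": ["chatbot"], "st2admin": ["system_admin"]}
DEFAULT_LIMIT, MAX_LIMIT = 100, 100


class UserDB:
    def __init__(self, name: str):
        self.name = name


def get_roles_for_user(user_db: Optional[UserDB]) -> list:
    # Like service.get_roles_for_user in the traceback: dereferences
    # user_db.name with no None check, so a missing requester raises.
    return ROLE_ASSIGNMENTS.get(user_db.name, [])


def user_is_admin(user_db: Optional[UserDB], fail_closed: bool = False) -> bool:
    # fail_closed=True is the hardened variant (assumed, not st2's code):
    # an absent requester is treated as a non-admin instead of crashing.
    if fail_closed and user_db is None:
        return False
    return "system_admin" in get_roles_for_user(user_db)


def validate_limit(limit: Optional[int], requester_user: Optional[UserDB],
                   fail_closed: bool = False) -> int:
    # The admin check runs before the limit is inspected, which is why the
    # logged request fails although no ?limit= was supplied at all.
    is_admin = user_is_admin(requester_user, fail_closed)
    if limit is None:
        return DEFAULT_LIMIT
    if limit > MAX_LIMIT and not is_admin:
        raise ValueError("limit exceeds maximum for non-admin user")
    return limit


def help_request(requester_user: Optional[UserDB], forward_user: bool,
                 fail_closed: bool = False) -> str:
    # Models ActionAliasController.help -> _get_all. forward_user=False is
    # the reported behaviour: the controller drops requester_user on the way.
    kwargs = {"limit": None}
    if forward_user:
        kwargs["requester_user"] = requester_user
    try:
        validate_limit(kwargs["limit"], kwargs.get("requester_user"), fail_closed)
        return "200"
    except AttributeError:
        return "500"  # unhandled in the model -> Internal Server Error
```

Forwarding the requester fixes the reported case; the fail-closed guard additionally keeps an unauthenticated or unresolved requester from ever being evaluated as an admin.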