StackStorm / st2-rbac-backend

RBAC backend for StackStorm (previously part of EWC aka StackStorm Enterprise)
https://docs.stackstorm.com/latest/rbac.html
Apache License 2.0

RBAC permissions don't seem to be hierarchical as documentation has made it to be #60

Open minsis opened 2 years ago

minsis commented 2 years ago

I have a user with a role assigned as this:

name: "my_role"
permission_grants:
  -
    resource_uid: "pack:<my special pack>"
    permission_types:
      - "pack_all"
      - "sensor_type_all"
      - "action_all"
      - "action_alias_all"
      - "rule_all"

In the documentation under pack, one is led to believe that action_all will allow the execution of any action under that pack, but this is not the case.

from st2api.log

2021-10-06 09:56:21,637 140650525596712 ERROR router [-] Failed to call controller function "post" for operation "st2api.controllers.v1.actionexecutions:action_execution_rerun_controller.post": User "<user>" doesn't have required permission "action_execute" on resource "action:<my special pack>:<my action>"
Traceback (most recent call last):
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2common/router.py", line 621, in __call__
    resp = func(**kw)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/v1/actionexecutions.py", line 675, in post
    show_secrets=show_secrets,
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/v1/actionexecutions.py", line 130, in _handle_schedule_execution
    permission_type=permission_type,
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2rbac_backend/utils.py", line 127, in assert_user_has_resource_db_permission
    permission_type=permission_type)
st2common.exceptions.rbac.ResourceAccessDeniedError: User "<user>" doesn't have required permission "action_execute" on resource "action:<my special pack>:<my action>"

So action_all is ignored with the pack resource.