StackStorm / st2-rbac-backend

RBAC backend for StackStorm (previously part of EWC aka StackStorm Enterprise)
https://docs.stackstorm.com/latest/rbac.html
Apache License 2.0

RBAC permissions to allow user to only list actions for certain packs #64

Open amanda11 opened 2 years ago

amanda11 commented 2 years ago

This issue arose from the discussions in https://github.com/StackStorm/st2docs/issues/1107 in regard to the behaviour in the example in the documentation.

In the current example the user had permissions

permission_grants:
    -
        resource_uid: "pack:example"
        permission_types:
           - "pack_all"
           - "sensor_type_all"
           - "rule_all"
           - "action_all"

With this permission the user was unable to run "st2 action list" or "st2 action list -p example".

The only way the user could list the actions in the pack was to add the global action_list permission, and then they were able to list the actions in that and all other packs.

See the comments in the existing issue from @satellite-no https://github.com/StackStorm/st2docs/issues/1107#issuecomment-1024523164, and @amanda11 https://github.com/StackStorm/st2docs/issues/1107#issuecomment-1025647544 about two different possibilities of how the permissions could be viewed/altered to support restricting the list to certain packs.
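
The workaround described in the issue, written out as a role definition. This is an added example, not part of the original issue or the project's documentation. The role name and description are made up, and the second grant assumes that a global permission such as `action_list` is expressed as a grant with no `resource_uid`.

```yaml
---
# Hypothetical role file; name and description are placeholders.
name: "example_pack_user"
description: "Full access to the 'example' pack, plus the global list grant"
enabled: true
permission_grants:
    # Pack-scoped grant from the issue. On its own, "st2 action list" and
    # "st2 action list -p example" are both denied for the user.
    -
        resource_uid: "pack:example"
        permission_types:
            - "pack_all"
            - "sensor_type_all"
            - "rule_all"
            - "action_all"
    # Global grant (no resource_uid, assumed syntax). This makes listing
    # work, but it is not pack-scoped: the user can then list actions in
    # "example" and in every other pack.
    -
        permission_types:
            - "action_list"
```

When reviewing roles, treat any grant of `action_list` as exposing the action names and metadata of all packs to that role, regardless of the pack-scoped grants beside it.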