StackStorm / st2-rbac-backend

RBAC backend for StackStorm (previously part of EWC aka StackStorm Enterprise)
https://docs.stackstorm.com/latest/rbac.html
Apache License 2.0

Can't seem to load a simple role #66

Closed pimguilherme closed 2 years ago

pimguilherme commented 2 years ago

Hi! It looks like the role loading procedure is broken. If I try to load this role (using master):

# sample RBAC role file, see https://docs.stackstorm.com/rbac.html#defining-roles-and-permission-grants
---
name: "sample"
description: "Example Role which contains no permission grants and serves for demonstration purposes"
permission_grants:
  - resource_uid: "action:core:echo"
    permission_types:
      - "action_execute"

It simply doesn't work!

root@a24bf10f204e:/opt/stackstorm# st2-apply-rbac-definitions --config-file /etc/st2/st2.docker.conf
Loading RBAC definitions
2022-07-26 20:29:53,876 INFO [-] Connecting to database "st2" @ "mongo:27017" as user "None".
2022-07-26 20:29:53,880 INFO [-] Successfully connected to database "st2" @ "mongo:27017" as user "None".
2022-07-26 20:29:54,083 INFO [-] Loading role definitions from "/opt/stackstorm/rbac/roles/"
Traceback (most recent call last):
  File "/usr/bin/st2-apply-rbac-definitions", line 15, in <module>
    sys.exit(apply_rbac_definitions.main(sys.argv[1:]))
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2rbac_backend/cmd/apply_rbac_definitions.py", line 60, in main
    apply_definitions()
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2rbac_backend/cmd/apply_rbac_definitions.py", line 42, in apply_definitions
    result = loader.load()
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2rbac_backend/loader.py", line 61, in load
    result["roles"] = self.load_role_definitions()
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2rbac_backend/loader.py", line 79, in load_role_definitions
    role_definition_api = self.load_role_definition_from_file(file_path=file_path)
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2rbac_backend/loader.py", line 159, in load_role_definition_from_file
    role_definition_api = role_definition_api.validate()
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/models/api/rbac.py", line 170, in validate
    cleaned = super(RoleDefinitionFileFormatAPI, self).validate()
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/models/api/base.py", line 75, in validate
    cleaned = util_schema.validate(
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/util/schema/__init__.py", line 370, in validate
    instance = assign_default_values(instance=instance, schema=schema)
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/util/schema/__init__.py", line 255, in assign_default_values
    instance[property_name] = assign_default_values(
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/util/schema/__init__.py", line 249, in assign_default_values
    array_instance = instance.get(property_name, None)
AttributeError: 'list' object has no attribute 'get'

And there's apparently the same behavior in the tests. Is this something expected?

Thanks!

pimguilherme commented 2 years ago

FYI this doesn't seem to happen in the 3.7.0 branch, so I think it's just the process of developing the new version which has this 'intermediate broken' state. Anyway, will leave it here for documentation.

thanks!

pimguilherme commented 2 years ago

This is apparently due to this change in the st2common/util/schema/__init__.py:


        if (
            is_attribute_type_array(attribute_type)
            and schema_items
            and schema_items.get("properties", {})
        ):

(it's trying to use 'get' on a list, and before it wasn't because it was not getting to that point because the schema didn't have properties on the items)

                        "permission_types": {
                            "type": "array",
                            "description": "A list of permission types to grant",
                            "uniqueItems": True,
                            "items": {
                                "type": "string",
                                # Note: We permission aditional validation for based on the
                                # resource type in other place
                                "enum": PermissionType.get_valid_values(),
                            },
                            "default": [],

the change was introduced here dfad436413ffca12daf6139718c1d22f298216b3 so tagging @cognifloyd because I am not sure how to proceed here
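
An added illustration of the failure class in the traceback above (a simplified stand-in written for this page, not StackStorm's `assign_default_values` and not the upstream fix): a recursive default-assigner that hands an array to dict-only `.get` code, next to a list-aware variant that applies the item schema per element. `ROLE_SCHEMA`, `assign_defaults`, `list_aware` and the second grant in `ROLE` are constructed for the example.

```python
import copy

# Constructed schema, modelled on the role-definition fields quoted in this thread.
ROLE_SCHEMA = {
    "type": "object",
    "properties": {
        "name": {"type": "string"},
        "permission_grants": {
            "type": "array",
            "items": {
                "type": "object",
                "properties": {
                    "resource_uid": {"type": "string"},
                    "permission_types": {"type": "array", "default": []},
                },
            },
        },
    },
}

# The role from the report, plus a constructed grant that omits permission_types.
ROLE = {
    "name": "sample",
    "permission_grants": [
        {"resource_uid": "action:core:echo", "permission_types": ["action_execute"]},
        {"resource_uid": "action:core:local"},
    ],
}


def assign_defaults(instance, schema, list_aware):
    """Return a copy of instance with schema defaults filled in, recursively."""
    instance = copy.deepcopy(instance)
    if isinstance(instance, list):
        if list_aware:
            # Apply the item schema to each element, never to the list itself.
            return [assign_defaults(item, schema, list_aware) for item in instance]
    elif not isinstance(instance, dict):
        return instance
    for name, spec in schema.get("properties", {}).items():
        # Dict-only access: raises AttributeError when instance is a list.
        if "default" in spec and instance.get(name) is None:
            instance[name] = copy.deepcopy(spec["default"])
        items = spec.get("items", {})
        if spec.get("type") == "array" and items.get("properties") and name in instance:
            instance[name] = assign_defaults(instance[name], items, list_aware)
    return instance
```

With `list_aware=False` the call fails with the same `AttributeError` as the report, so no role is loaded at all; with `list_aware=True` the grant that omits `permission_types` receives the empty-list default and the explicit grant is left unchanged.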

cognifloyd commented 2 years ago

Fixed in StackStorm/st2#5685