StackStorm / st2-rbac-backend

RBAC backend for StackStorm (previously part of EWC aka StackStorm Enterprise)
https://docs.stackstorm.com/latest/rbac.html
Apache License 2.0

RBAC not working with LDAP #67

Closed anrajme closed 2 years ago

anrajme commented 2 years ago

I've been following this document here for setting up RBAC over the LDAP auth. However, this never worked even after trying different combinations.

Here is what my configs look like.

~]# grep rbac /etc/st2/st2.conf -A2
[rbac]
sync_remote_groups = True
~]# cat /opt/stackstorm/rbac/mappings/stormers.yaml
---
  group: "cn=GROUP_NAME,ou=groups,o=ldaporg"
  roles:
    - "observer"

configs seems to be registered well in the DB, after running st2-apply-rbac-definitions

    > use st2
    switched to db st2
    > db.group_to_role_mapping_d_b.find()
    { "_id" : ObjectId("62deaa7b77bfe684352d1d3a"), "group" : "cn=GROUP_NAME,ou=groups,o=ldaporg", "roles" : [ "observer" ], "source" : "mappings/stormers.yaml", "enabled" : true }

Proving that my user is part of the LDAP group.

  ~ % ldapsearch -H ldap://ldap.myorg.net:389 -x -ZZ -LLL -b ou=Users,o=ldaporg "cn=my_username"
  dn: cn=my_username,ou=Users,o=ldaporg
  memberOf: cn=GROUP_NAME,ou=Groups,o=ldaporg

When I log in using my LDAP, I'm supposed to have only observer level privileges, but I'm still getting the admin level privileges granted for some reason. There are no RBAC related traces in logs even after enabling DEBUG. Any other suggestions?

cheers.

pimguilherme commented 2 years ago

hi @anrajme! I don't have a lot of experience with RBAC here, but can you share your full rbac config?

just to confirm, what authentication are you using?

would you be able to try using this bit if not already:

enable = True
backend = default

and see if you get any logs? you should be seeing something

cheers!

jamesdreid commented 2 years ago

We use LDAP with RBAC with no issues internally, but our config is a bit different than yours, likely due to our use of AD for the LDAP server. It is possible that your current login still has a valid authentication that needs to be refreshed, or you have a local RBAC user defined with an overlapping user name. It seems like multiple "mappings" will default to the highest access level.

Check the output of the command:

st2 role-assignment list

The RBAC mapping for each user is applied at login and written to the DB and that command should dump out all the RBAC users, the mapping applied, if they are Remote (LDAP), and the RBAC mapping file used to determine the Role. It should look something like this:

    +--------------------------+----------+-----------+-----------+--------------------------------+----------------------------------+
    | id                       | role     | user      | is_remote | source                         | description                      |
    +--------------------------+----------+-----------+-----------+--------------------------------+----------------------------------+
    | 624e04655a04fb4b3264d6ea | observer | ldap_user | True      | mappings/st2_xx_xxxxx_xxx.yaml | Automatic role assignment based  |
    |                          |          |           |           |                                | on the remote user membership in |
    |                          |          |           |           |                                | group "CN=xxxxxxx"               |
    | 62670541d3bec1c9b4e79ed2 | admin    | stanley   | False     | assignments/stanley.yaml       |                                  |
    +--------------------------+----------+-----------+-----------+--------------------------------+----------------------------------+

anrajme commented 2 years ago

Thank you so much @pimguilherme @jamesdreid. Your responses gave me enough clues to identify the problem.

There were two issues,

  1. I didn't have these entries in the RBAC config:
enable = True
backend = default

The document here was a bit tricky. I assumed it only needed the sync_remote_groups = True attribute.

  2. As mentioned in the documentation -

LDAP group names referenced in the group attribute are case-sensitive.

I have tried different combinations before, but it didn't show up due to (1). I had to change ou=groups to ou=Groups and it started working!

2022-07-28 01:46:06,476 139754881641360 INFO ldap_backend [-] Successfully authenticated user "my_username".
2022-07-28 01:46:06,481 139754881641360 AUDIT access [-] Access granted to "my_username" with the token set to expire at "2022-07-29T01:46:06.480239Z". (username='my_username',token_expiration='2022-07-29T01:46:06.480239Z')
2022-07-28 01:46:06,482 139754881641360 DEBUG handlers [-] Retrieving auth backend groups for user "my_username" (auth_backend='LDAPAuthenticationBackend',remote_addr='127.0.0.1')
2022-07-28 01:46:06,482 139754881641360 DEBUG ldap_backend [-] Getting LDAP groups for user "my_username" from cache
2022-07-28 01:46:06,483 139754881641360 DEBUG ldap_backend [-] Found LDAP groups cache for user "my_username"
2022-07-28 01:46:06,483 139754881641360 DEBUG handlers [-] Found "12" groups for user "my_username" (auth_backend='LDAPAuthenticationBackend',remote_addr='127.0.0.1',username='my_username',user_groups=['cn=ORG_GROUP7,ou=Groups,o=myorg', 'cn=ORG_GROUP6,ou=Groups,o=myorg', 'cn=ORG_GROUP10,ou=Groups,o=myorg', 'cn=ORG_GROUP8,ou=Groups,o=myorg', 'cn=ORG_GROUP9,ou=Groups,o=myorg', 'cn=ORG_GROUP11,ou=Groups,o=myorg', 'cn=ORG_GROUP12,ou=Groups,o=myorg', 'cn=ORG_GROUP2,ou=Groups,o=myorg', 'cn=ORG_GROUP1,ou=Groups,o=myorg', 'cn=ORG_GROUP3,ou=Groups,o=myorg', 'cn=ORG_GROUP5,ou=Groups,o=myorg', 'cn=ORG_GROUP4,ou=Groups,o=myorg'])
2022-07-28 01:46:06,483 139754881641360 DEBUG driver_loader [-] Retrieving driver for backend "default"
2022-07-28 01:46:06,484 139754881641360 DEBUG extension [-] found extension EntryPoint.parse('noop = st2common.rbac.backends.noop:NoOpRBACBackend')
2022-07-28 01:46:06,484 139754881641360 DEBUG extension [-] found extension EntryPoint.parse('default = st2rbac_backend.backend:RBACBackend')
2022-07-28 01:46:06,490 139754881641360 INFO syncer [-] Synchronizing remote role assignments for user "UserDB(id=None, is_service=False, name="my_username", nicknames={})" (user_db={'id': None, 'is_service': False, 'name': 'my_username', 'nicknames': {}},groups=['cn=ORG_GROUP5,ou=Groups,o=myorg', 'cn=ORG_GROUP2,ou=Groups,o=myorg', 'cn=ORG_GROUP10,ou=Groups,o=myorg', 'cn=ORG_GROUP7,ou=Groups,o=myorg', 'cn=ORG_GROUP11,ou=Groups,o=myorg', 'cn=ORG_GROUP4,ou=Groups,o=myorg', 'cn=ORG_GROUP1,ou=Groups,o=myorg', 'cn=ORG_GROUP3,ou=Groups,o=myorg', 'cn=ORG_GROUP12,ou=Groups,o=myorg', 'cn=ORG_GROUP9,ou=Groups,o=myorg', 'cn=ORG_GROUP6,ou=Groups,o=myorg', 'cn=ORG_GROUP8,ou=Groups,o=myorg'])
2022-07-28 01:46:06,494 139754881641360 DEBUG syncer [-] New role assignments: {'observer'}
2022-07-28 01:46:06,495 139754881641360 DEBUG syncer [-] Updated role assignments: set()
2022-07-28 01:46:06,495 139754881641360 DEBUG syncer [-] Removed role assignments: {'admin'}
2022-07-28 01:46:06,503 139754881641360 DEBUG syncer [-] Created 1 new remote role assignments for user "UserDB(id=None, is_service=False, name="my_username", nicknames={})" (user_db={'id': None, 'is_service': False, 'name': 'my_username', 'nicknames': {}},groups=['cn=ORG_GROUP5,ou=Groups,o=myorg', 'cn=ORG_GROUP2,ou=Groups,o=myorg', 'cn=ORG_GROUP10,ou=Groups,o=myorg', 'cn=ORG_GROUP7,ou=Groups,o=myorg', 'cn=ORG_GROUP11,ou=Groups,o=myorg', 'cn=ORG_GROUP4,ou=Groups,o=myorg', 'cn=ORG_GROUP1,ou=Groups,o=myorg', 'cn=ORG_GROUP3,ou=Groups,o=myorg', 'cn=ORG_GROUP12,ou=Groups,o=myorg', 'cn=ORG_GROUP9,ou=Groups,o=myorg', 'cn=ORG_GROUP6,ou=Groups,o=myorg', 'cn=ORG_GROUP8,ou=Groups,o=myorg'],mapping_db={'description': None, 'enabled': True, 'group': 'cn=ORG_GROUP6,ou=Groups,o=myorg', 'id': '62e1ea18017b29a4ea935c18', 'roles': ['observer'], 'source': 'mappings/stormers.yaml'})
2022-07-28 01:46:06,503 139754881641360 DEBUG handlers [-] Successfully synchronized groups for user "my_username" 

cheers!
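The two root causes in this thread (an incomplete `[rbac]` section and a group DN that differs from the LDAP `memberOf` value only in case) can both be caught before anyone logs in. The following is an added example, not code from the st2-rbac-backend project; it assumes st2 compares mapping group DNs against LDAP groups by exact string match (as the documentation's case-sensitivity note describes) and uses `configparser` as a stand-in for st2's own config loading. The sample config text and group DNs are constructed from the values posted above.

```python
import configparser
from typing import Dict, List

# Constructed sample inputs: the reporter's original [rbac] section, the
# fixed one, the group DN from mappings/stormers.yaml and the memberOf
# values returned by ldapsearch (ou=groups vs. ou=Groups).
ST2_CONF_BROKEN = "[rbac]\nsync_remote_groups = True\n"
ST2_CONF_FIXED = (
    "[rbac]\nenable = True\nbackend = default\nsync_remote_groups = True\n"
)
MAPPING_GROUPS = ["cn=GROUP_NAME,ou=groups,o=ldaporg"]
LDAP_MEMBER_OF = [
    "cn=GROUP_NAME,ou=Groups,o=ldaporg",
    "cn=OTHER_GROUP,ou=Groups,o=ldaporg",
]


def check_rbac_section(conf_text: str) -> List[str]:
    """Return the [rbac] settings that are missing or not set to the value
    needed for remote group sync to take effect. All three were required
    in this thread; sync_remote_groups alone silently does nothing."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    required = {"enable": "true", "backend": "default",
                "sync_remote_groups": "true"}
    problems = []
    for key, expected in required.items():
        value = parser.get("rbac", key, fallback=None)
        if value is None or value.strip().lower() != expected:
            problems.append(key)
    return problems


def match_groups(mapping_groups: List[str],
                 member_of: List[str]) -> Dict[str, str]:
    """Classify each mapping-file group DN against the user's LDAP groups:
    'match'     - exact match, the mapping will apply
    'case_only' - differs only in case, so st2 will NOT apply it (this bug)
    'absent'    - the user is not a member of that group at all."""
    exact = set(member_of)
    folded = {g.lower() for g in member_of}
    result = {}
    for group in mapping_groups:
        if group in exact:
            result[group] = "match"
        elif group.lower() in folded:
            result[group] = "case_only"
        else:
            result[group] = "absent"
    return result
```

Running `match_groups(MAPPING_GROUPS, LDAP_MEMBER_OF)` on the constructed input flags the `ou=groups` DN as `case_only`, which is exactly the silent mismatch that left the user with the default admin assignment.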