Closed anrajme closed 2 years ago
hi @anrajme ! i don't have a lot of experience with RBAC here, but can you share your full rbac config?
just to confirm, what authentication are you using?
would you be able to try using this bit if not already:
enable = True
backend = default
and see if you get any logs? you should be seeing something
cheers!
We use LDAP with RBAC with no issues internally, but our config is a bit different than yours, likely due to our use of AD for the LDAP server. It is possible that your current login still has a valid authentication that needs to be refreshed, or you have a local RBAC user defined with an overlapping user name. It seems like multiple "mappings" will default to the highest access level.
Check the output of the command:
st2 role-assignment list
The RBAC mapping for each user is applied at login and written to the DB and that command should dump out all the RBAC users, the mapping applied, if they are Remote (LDAP), and the RBAC mapping file used to determine the Role. It should look something like this:
+--------------------------+----------+-----------+-----------+--------------------------------+-----------------------------------------------+
| id                       | role     | user      | is_remote | source                         | description                                   |
+--------------------------+----------+-----------+-----------+--------------------------------+-----------------------------------------------+
| 624e04655a04fb4b3264d6ea | observer | ldap_user | True      | mappings/st2_xx_xxxxx_xxx.yaml | Automatic role assignment based on the remote |
|                          |          |           |           |                                | user membership in group "CN=xxxxxxx"         |
| 62670541d3bec1c9b4e79ed2 | admin    | stanley   | False     | assignments/stanley.yaml       |                                               |
+--------------------------+----------+-----------+-----------+--------------------------------+-----------------------------------------------+
Thank you so much @pimguilherme @jamesdreid. Your responses gave me enough clues to identify the problem.
There were two issues:
(1) enable = True
    backend = default
    The document here was a bit tricky. I assumed it only needed the sync_remote_groups = True attribute.
(2) LDAP group names referenced in the group attribute are case-sensitive. I had tried different combinations before, but it didn't show up due to (1). I had to change ou=groups to ou=Groups and it started working!
2022-07-28 01:46:06,476 139754881641360 INFO ldap_backend [-] Successfully authenticated user "my_username".
2022-07-28 01:46:06,481 139754881641360 AUDIT access [-] Access granted to "my_username" with the token set to expire at "2022-07-29T01:46:06.480239Z". (username='my_username',token_expiration='2022-07-29T01:46:06.480239Z')
2022-07-28 01:46:06,482 139754881641360 DEBUG handlers [-] Retrieving auth backend groups for user "my_username" (auth_backend='LDAPAuthenticationBackend',remote_addr='127.0.0.1')
2022-07-28 01:46:06,482 139754881641360 DEBUG ldap_backend [-] Getting LDAP groups for user "my_username" from cache
2022-07-28 01:46:06,483 139754881641360 DEBUG ldap_backend [-] Found LDAP groups cache for user "my_username"
2022-07-28 01:46:06,483 139754881641360 DEBUG handlers [-] Found "12" groups for user "my_username" (auth_backend='LDAPAuthenticationBackend',remote_addr='127.0.0.1',username='my_username',user_groups=['cn=ORG_GROUP7,ou=Groups,o=myorg', 'cn=ORG_GROUP6,ou=Groups,o=myorg', 'cn=ORG_GROUP10,ou=Groups,o=myorg', 'cn=ORG_GROUP8,ou=Groups,o=myorg', 'cn=ORG_GROUP9,ou=Groups,o=myorg', 'cn=ORG_GROUP11,ou=Groups,o=myorg', 'cn=ORG_GROUP12,ou=Groups,o=myorg', 'cn=ORG_GROUP2,ou=Groups,o=myorg', 'cn=ORG_GROUP1,ou=Groups,o=myorg', 'cn=ORG_GROUP3,ou=Groups,o=myorg', 'cn=ORG_GROUP5,ou=Groups,o=myorg', 'cn=ORG_GROUP4,ou=Groups,o=myorg'])
2022-07-28 01:46:06,483 139754881641360 DEBUG driver_loader [-] Retrieving driver for backend "default"
2022-07-28 01:46:06,484 139754881641360 DEBUG extension [-] found extension EntryPoint.parse('noop = st2common.rbac.backends.noop:NoOpRBACBackend')
2022-07-28 01:46:06,484 139754881641360 DEBUG extension [-] found extension EntryPoint.parse('default = st2rbac_backend.backend:RBACBackend')
2022-07-28 01:46:06,490 139754881641360 INFO syncer [-] Synchronizing remote role assignments for user "UserDB(id=None, is_service=False, name="my_username", nicknames={})" (user_db={'id': None, 'is_service': False, 'name': 'my_username', 'nicknames': {}},groups=['cn=ORG_GROUP5,ou=Groups,o=myorg', 'cn=ORG_GROUP2,ou=Groups,o=myorg', 'cn=ORG_GROUP10,ou=Groups,o=myorg', 'cn=ORG_GROUP7,ou=Groups,o=myorg', 'cn=ORG_GROUP11,ou=Groups,o=myorg', 'cn=ORG_GROUP4,ou=Groups,o=myorg', 'cn=ORG_GROUP1,ou=Groups,o=myorg', 'cn=ORG_GROUP3,ou=Groups,o=myorg', 'cn=ORG_GROUP12,ou=Groups,o=myorg', 'cn=ORG_GROUP9,ou=Groups,o=myorg', 'cn=ORG_GROUP6,ou=Groups,o=myorg', 'cn=ORG_GROUP8,ou=Groups,o=myorg'])
2022-07-28 01:46:06,494 139754881641360 DEBUG syncer [-] New role assignments: {'observer'}
2022-07-28 01:46:06,495 139754881641360 DEBUG syncer [-] Updated role assignments: set()
2022-07-28 01:46:06,495 139754881641360 DEBUG syncer [-] Removed role assignments: {'admin'}
2022-07-28 01:46:06,503 139754881641360 DEBUG syncer [-] Created 1 new remote role assignments for user "UserDB(id=None, is_service=False, name="my_username", nicknames={})" (user_db={'id': None, 'is_service': False, 'name': 'my_username', 'nicknames': {}},groups=['cn=ORG_GROUP5,ou=Groups,o=myorg', 'cn=ORG_GROUP2,ou=Groups,o=myorg', 'cn=ORG_GROUP10,ou=Groups,o=myorg', 'cn=ORG_GROUP7,ou=Groups,o=myorg', 'cn=ORG_GROUP11,ou=Groups,o=myorg', 'cn=ORG_GROUP4,ou=Groups,o=myorg', 'cn=ORG_GROUP1,ou=Groups,o=myorg', 'cn=ORG_GROUP3,ou=Groups,o=myorg', 'cn=ORG_GROUP12,ou=Groups,o=myorg', 'cn=ORG_GROUP9,ou=Groups,o=myorg', 'cn=ORG_GROUP6,ou=Groups,o=myorg', 'cn=ORG_GROUP8,ou=Groups,o=myorg'],mapping_db={'description': None, 'enabled': True, 'group': 'cn=ORG_GROUP6,ou=Groups,o=myorg', 'id': '62e1ea18017b29a4ea935c18', 'roles': ['observer'], 'source': 'mappings/stormers.yaml'})
2022-07-28 01:46:06,503 139754881641360 DEBUG handlers [-] Successfully synchronized groups for user "my_username"
cheers!
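An added example, not StackStorm's own code, that replays the case-sensitive group match described in this thread: it takes the user's LDAP group DNs and one mapping from the log above, adds a constructed mapping spelled `ou=groups`, and reports which mappings grant roles and which miss only because of letter case. The `diff_assignments` helper then computes the New/Removed sets the syncer logged; the field names follow the `mapping_db` line above and the rest is an assumption.

```python
# Added example, not StackStorm's own code: replays the case-sensitive group
# match the thread describes and flags mappings that miss only because of case.

# Groups the LDAP backend returned for the user (taken from the log above).
USER_GROUPS = [
    "cn=ORG_GROUP6,ou=Groups,o=myorg",
    "cn=ORG_GROUP7,ou=Groups,o=myorg",
]

# Group-to-role mappings as in mappings/*.yaml. The first is from the log above;
# the second is constructed with "ou=groups", the exact mistake from the thread.
MAPPINGS = [
    {"group": "cn=ORG_GROUP6,ou=Groups,o=myorg", "roles": ["observer"],
     "source": "mappings/stormers.yaml", "enabled": True},
    {"group": "cn=ORG_GROUP7,ou=groups,o=myorg", "roles": ["admin"],
     "source": "mappings/constructed.yaml", "enabled": True},
]


def match_mappings(user_groups, mappings):
    """Return (roles, problems): roles granted by enabled mappings whose group
    DN exactly matches a user group, plus a message per mapping that matched
    nothing, noting when the miss is only a difference in letter case."""
    roles, problems = set(), []
    by_lower = {g.lower(): g for g in user_groups}
    for m in mappings:
        if not m.get("enabled", True):
            continue
        dn = m["group"]
        if dn in user_groups:
            roles.update(m["roles"])
        elif dn.lower() in by_lower:
            problems.append(f'{m["source"]}: "{dn}" differs only in case from '
                            f'user group "{by_lower[dn.lower()]}", so it does not match')
        else:
            problems.append(f'{m["source"]}: "{dn}" is not one of the user\'s groups')
    return roles, problems


def diff_assignments(current, desired):
    """Roles to create and to remove, like the syncer's New/Removed log lines."""
    return set(desired) - set(current), set(current) - set(desired)


if __name__ == "__main__":
    roles, problems = match_mappings(USER_GROUPS, MAPPINGS)
    new, removed = diff_assignments({"admin"}, roles)  # user held admin before
    print("roles:", sorted(roles), "new:", sorted(new), "removed:", sorted(removed))
    print("\n".join("WARN " + p for p in problems))
```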
I've been following this document here for setting up RBAC over the LDAP auth. However, this never worked even after trying different combinations.
Here is what my configs look like.
Configs seem to be registered well in the DB after running st2-apply-rbac-definitions.
Proving that my user is part of the LDAP group.
When I log in using my LDAP, I'm supposed to have only observer-level privileges, but I'm still getting admin-level privileges granted for some reason. There are no RBAC-related traces in the logs even after enabling DEBUG. Any other suggestions?
cheers.