StackStorm / st2

StackStorm (aka "IFTTT for Ops") is event-driven automation for auto-remediation, incident responses, troubleshooting, deployments, and more for DevOps and SREs. Includes rules engine, workflow, 160 integration packs with 6000+ actions (see https://exchange.stackstorm.org) and ChatOps. Installer at https://docs.stackstorm.com/install/index.html
https://stackstorm.com/
Apache License 2.0

ST2 v2.3: Error installing action pack user "stanley" doesn't have required permission #3693

Closed. theuiz closed this 7 years ago.

theuiz commented 7 years ago

Got the following error when I authenticated a user declared in a flat file. RBAC is enabled.

export ST2_AUTH_TOKEN=fcdad4b9b69b4d8db67f3ce983d333b6 && st2 pack install https://myrepo/my_action_pack.git
ERROR: 403 Client Error: Forbidden
MESSAGE: User "stanley" doesn't have required permission "action_execute" on resource "action:packs:install" for url: http://127.0.0.1:xxx/v1/packs/install
humblearner commented 7 years ago

vagrant@st2test:~$ st2 role list
+--------------------------+--------------------+--------+-----------------------+
| id                       | name               | system | description           |
+--------------------------+--------------------+--------+-----------------------+
| 599b619f55fc8c372be075f4 | admin              | True   | admin                 |
| 599b845655fc8c65ac1b65af | example_pack_owner | False  | Owner of pack example |
| 599b619f55fc8c372be075f5 | observer           | True   | observer              |
| 599b619f55fc8c372be075f6 | system_admin       | True   | system_admin          |
+--------------------------+--------------------+--------+-----------------------+
vagrant@st2test:~$ st2 role-assignment list
+--------------------------+--------------------+----------+-----------+----------------------+
| id                       | role               | user     | is_remote | description          |
+--------------------------+--------------------+----------+-----------+----------------------+
| 599b845655fc8c65ac1b65b1 | admin              | st2admin | False     |                      |
| 599b845655fc8c65ac1b65b2 | example_pack_owner | user1    | False     | Grant                |
|                          |                    |          |           | example_pack_owner   |
|                          |                    |          |           | role to rbac_user1   |
|                          |                    |          |           | user.                |
+--------------------------+--------------------+----------+-----------+----------------------+
vagrant@st2test:~$ export ST2_AUTH_TOKEN=`st2 auth st2admin -t -p Ch@ngeMe`
vagrant@st2test:~$ echo $ST2_AUTH_TOKEN
2449f944969243abaf56c0a63f0df903
vagrant@st2test:~$ st2 pack install twilio
ERROR: 403 Client Error: Forbidden
MESSAGE: User "stanley" doesn't have required permission "action_execute" on resource "action:packs:install" for url: http://127.0.0.1:9101/v1/packs/install

st2api.log

2017-08-22 01:25:02,482 139896769722320 INFO logging [-] c6281e1d-5c0b-4a9c-864a-54a272bd24cc - POST /v1/packs/install with query={} (remote_addr='127.0.0.1',method='POST',request_id='c6281e1d-5c0b-4a9c-864a-54a272bd24cc',query={},path='/v1/packs/install')
2017-08-22 01:25:02,483 139896769722320 DEBUG router [-] Recieved call with WebOb: POST /v1/packs/install HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 37
Content-Type: application/json
Host: 127.0.0.1:9101
User-Agent: python-requests/2.14.2
X-Auth-Token: 7d41ec29c4b44c09b63e6602d4af9fed
X-Request-Id: c6281e1d-5c0b-4a9c-864a-54a272bd24cc

{"force": false, "packs": ["twilio"]}
2017-08-22 01:25:02,486 139896769722320 DEBUG router [-] Match path: /v1/packs/install
2017-08-22 01:25:02,595 139896769722320 DEBUG router [-] Parsed endpoint: {'x-permissions': 'pack_install', 'operationId': 'st2api.controllers.v1.packs:packs_controller.install.post', 'responses': {'default': {'description': 'Unexpected error', 'schema': {'$ref': '#/definitions/Error'}}, '202': {'schema': {'$ref': '#/definitions/AsyncRequest'}, 'examples': {'application/json': {'ref': 'core.webhook'}}, 'description': 'Pack installation request has been accepted'}}, 'parameters': [{'in': 'body', 'description': 'Packs to be installed', 'name': 'pack_install_request', 'schema': {'$ref': '#/definitions/PacksInstall'}}], 'description': 'Install new packs..\n'}
2017-08-22 01:25:02,596 139896769722320 DEBUG router [-] Parsed path_vars: {}
2017-08-22 01:25:02,605 139896769722320 AUDIT auth [-] Token with id "599b86da55fc8c63202ee828" is validated.
2017-08-22 01:25:02,620 139896769722320 DEBUG resolvers [-] PackPermissionsResolver._user_has_global_permission: Checking user permissions (resolver='PackPermissionsResolver',user_db={'is_service': False, 'id': '599b61b455fc8c3787e8c1ff', 'nicknames': {}, 'name': u'st2admin'},permission_type='pack_install')
2017-08-22 01:25:02,637 139896769722320 DEBUG resolvers [-] PackPermissionsResolver._user_has_global_permission: Found a matching grant via system role (resolver='PackPermissionsResolver',user_db={'is_service': False, 'id': '599b61b455fc8c3787e8c1ff', 'nicknames': {}, 'name': u'st2admin'},permission_type='pack_install')
2017-08-22 01:25:02,639 139896769722320 DEBUG router [-] Missing x-api-model definition for st2api.controllers.v1.packs:packs_controller.install.post, using generic Body model.
2017-08-22 01:25:02,646 139896769722320 DEBUG resolvers [-] ActionPermissionsResolver._user_has_resource_permission: Checking user resource permissions (resolver='ActionPermissionsResolver',pack_uid=u'pack:packs',resource_uid=u'action:packs:install',user_db={'is_service': False, 'id': None, 'nicknames': {}, 'name': u'stanley'},resource_type='action',permission_type='action_execute')
2017-08-22 01:25:02,648 139896769722320 DEBUG resolvers [-] ActionPermissionsResolver._user_has_resource_permission: Checking grants via system role permissions (resolver='ActionPermissionsResolver',pack_uid=u'pack:packs',resource_uid=u'action:packs:install',user_db={'is_service': False, 'id': None, 'nicknames': {}, 'name': u'stanley'},resource_type='action',permission_type='action_execute')
2017-08-22 01:25:02,651 139896769722320 DEBUG resolvers [-] ActionPermissionsResolver._user_has_resource_permission: Checking direct grans on the specified resource (resolver='ActionPermissionsResolver',pack_uid=u'pack:packs',resource_uid=u'action:packs:install',user_db={'is_service': False, 'id': None, 'nicknames': {}, 'name': u'stanley'},resource_type='action',permission_type='action_execute')
2017-08-22 01:25:02,660 139896769722320 DEBUG resolvers [-] ActionPermissionsResolver._user_has_resource_permission: Checking grants on the parent resource (resolver='ActionPermissionsResolver',pack_uid=u'pack:packs',resource_uid=u'action:packs:install',user_db={'is_service': False, 'id': None, 'nicknames': {}, 'name': u'stanley'},resource_type='action',permission_type='action_execute')
2017-08-22 01:25:02,675 139896769722320 DEBUG resolvers [-] ActionPermissionsResolver._user_has_resource_permission: No matching grants found (resolver='ActionPermissionsResolver',pack_uid=u'pack:packs',resource_uid=u'action:packs:install',user_db={'is_service': False, 'id': None, 'nicknames': {}, 'name': u'stanley'},resource_type='action',permission_type='action_execute')
2017-08-22 01:25:02,677 139896769722320 ERROR router [-] Failed to call controller function "post" for operation "st2api.controllers.v1.packs:packs_controller.install.post": User "stanley" doesn't have required permission "action_execute" on resource "action:packs:install"
Traceback (most recent call last):
  File "/opt/stackstorm/st2/local/lib/python2.7/site-packages/st2common/router.py", line 426, in __call__
    resp = func(**kw)
  File "/opt/stackstorm/st2/local/lib/python2.7/site-packages/st2api/controllers/v1/packs.py", line 90, in post
    requester_user=None)
  File "/opt/stackstorm/st2/local/lib/python2.7/site-packages/st2api/controllers/v1/actionexecutions.py", line 105, in _handle_schedule_execution
    permission_type=PermissionType.ACTION_EXECUTE)
  File "/opt/stackstorm/st2/local/lib/python2.7/site-packages/st2common/rbac/utils.py", line 142, in assert_user_has_resource_db_permission
    permission_type=permission_type)
ResourceAccessDeniedError: User "stanley" doesn't have required permission "action_execute" on resource "action:packs:install"
2017-08-22 01:25:02,678 139896769722320 DEBUG error_handling [-] API call failed: User "stanley" doesn't have required permission "action_execute" on resource "action:packs:install" (exception_message='User "stanley" doesn\'t have required permission "action_execute" on resource "action:packs:install"',exception_data={'user_db': <UserDB: UserDB(id=None, is_service=False, name="stanley", nicknames={})>, 'resource_db': <ActionDB: ActionDB(description="Installs or upgrades a pack into local content repository, either by git URL or a short name matching an index entry. Will download pack, load the actions, sensors and rules from the pack. Note that install requires reboot of some st2 services.", enabled=True, entry_point="workflows/install.yaml", id=599b61a755fc8c3822099430, name="install", notify=NotifySchema@139896768265552(on_complete="None", on_success="None", on_failure="None"), pack="packs", parameters={u'register': {u'default': u'all', u'type': u'string', u'description': u'Possible options are all, sensors, actions, rules, aliases, runners, triggers, rule_types, policiy_types, policies, configs.'}, u'force': {u'default': False, u'required': False, u'type': u'boolean', u'description': u'Set to True to force install the pack and skip StackStorm version compatibility check and also delete and ignore lock file if one exists.'}, u'env': {u'required': False, u'type': u'object', u'description': u'Optional environment variables.'}, u'packs': {u'items': {u'type': u'string'}, u'required': True, u'type': u'array', u'description': u'Name of the pack in Exchange or a git repo URL.'}}, ref="packs.install", runner_type={u'name': u'action-chain'}, tags=[], uid="action:packs:install")>, 'permission_type': 'action_execute'},exception_class='ResourceAccessDeniedError')
2017-08-22 01:25:02,693 139896769722320 DEBUG error_handling [-] Traceback (most recent call last):
  File "/opt/stackstorm/st2/local/lib/python2.7/site-packages/st2common/middleware/error_handling.py", line 46, in __call__
    return self.app(environ, start_response)
  File "/opt/stackstorm/st2/local/lib/python2.7/site-packages/st2common/router.py", line 472, in as_wsgi
    resp = self(req)
  File "/opt/stackstorm/st2/local/lib/python2.7/site-packages/st2common/router.py", line 430, in __call__
    raise e
ResourceAccessDeniedError: User "stanley" doesn't have required permission "action_execute" on resource "action:packs:install"

LindsayHill commented 7 years ago

I think that this PR is related: https://github.com/StackStorm/bwc-installer/pull/21

In the installer script, we now automatically create an admin role for stanley. But we haven't updated the docs to note this. Looks like we should update st2docs, to include role assignment in the manual install section, and update docs.stackstorm.com/rbac.html to remove the "automatic admin assignment for stanley" section. Probably also add something there about needing to create that manually.

I have a suspicion that there is still a code issue here though. If a pack install is started by a user, then that user's permissions should be used all the way through that. It should only be falling back to stanley if the pack install was started by a rule.

theuiz commented 7 years ago

Here's more info. I added the stanley user with role=admin and performed the following:

$ st2 auth -t myuser
Password:
7609cdfcaef3400c9427de84a6412986

$ export ST2_AUTH_TOKEN=7609cdfcaef3400c9427de84a6412986 && st2 pack install https://myrepo/my_action_pack.git

When I checked the UI, it had "stanley" vs "myuser" as the user who executed the above pack installation. This was unexpected.

When I install the pack via the UI as "myuser", the UI shows "myuser" as the one who executed the pack installation (as expected).
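The behaviour LindsayHill suspects above (the check should run against the requesting user and only fall back to stanley for rule-triggered installs) and the attribution theuiz then sees in the UI can be modelled in a few lines. The following is an added example, not StackStorm's code and not part of this thread: Rbac, schedule_execution, rbac_from_thread and run_scenario are constructed for illustration, and the grant on pack "example" is assumed. Only the user, role, permission and resource names (st2admin, stanley, user1, admin, example_pack_owner, action_execute, action:packs:install) come from the output posted above. It reproduces the three outcomes discussed: the regression (requester dropped, denied as stanley), the workaround (stanley made admin, allowed but attributed to stanley), and the fix (requester passed through, so the decision and the recorded executor are the real caller).

```python
"""Simplified model of the RBAC resolution path visible in st2api.log.

Added example, not StackStorm's own code. The resolver steps mirror what the
log lines show: system role, then direct grant on the action, then grant on
the parent pack. The grant for role example_pack_owner is assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SYSTEM_USER = "stanley"                 # service user executions fall back to
SYSTEM_ROLES = {"admin", "system_admin"}  # roles that match every permission


class ResourceAccessDenied(Exception):
    """Mirrors ResourceAccessDeniedError from the traceback."""


def parent_uid(resource_uid: str) -> str:
    """action:packs:install -> pack:packs (the pack that owns the action)."""
    _kind, pack, _rest = resource_uid.split(":", 2)
    return f"pack:{pack}"


@dataclass
class Rbac:
    # role -> {(permission_type, resource_uid)}
    grants: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)
    # user -> {role}
    assignments: Dict[str, Set[str]] = field(default_factory=dict)

    def assign(self, user: str, role: str) -> None:
        self.assignments.setdefault(user, set()).add(role)

    def grant(self, role: str, permission: str, resource_uid: str) -> None:
        self.grants.setdefault(role, set()).add((permission, resource_uid))

    def user_has_resource_permission(self, user: str, permission: str,
                                     resource_uid: str) -> bool:
        roles = self.assignments.get(user, set())
        # 1. system role: matches any permission on any resource
        if roles & SYSTEM_ROLES:
            return True
        # 2. direct grant on the resource itself
        for role in roles:
            if (permission, resource_uid) in self.grants.get(role, set()):
                return True
        # 3. grant on the parent resource (the pack)
        parent = parent_uid(resource_uid)
        for role in roles:
            if (permission, parent) in self.grants.get(role, set()):
                return True
        return False


def schedule_execution(rbac: Rbac, action_uid: str,
                       requester_user: Optional[str]) -> dict:
    """Models _handle_schedule_execution. A caller that passes
    requester_user=None (what packs.py does in the traceback) makes both the
    permission check and the recorded executor fall back to the system user."""
    effective_user = requester_user or SYSTEM_USER
    if not rbac.user_has_resource_permission(effective_user, "action_execute",
                                             action_uid):
        raise ResourceAccessDenied(
            f'User "{effective_user}" doesn\'t have required permission '
            f'"action_execute" on resource "{action_uid}"')
    return {"action": action_uid, "user": effective_user}


def rbac_from_thread() -> Rbac:
    """Roles and assignments as listed by st2 role list / role-assignment list."""
    rbac = Rbac()
    rbac.assign("st2admin", "admin")
    rbac.assign("user1", "example_pack_owner")
    # assumed grant: the pack owner may execute any action in pack "example"
    rbac.grant("example_pack_owner", "action_execute", "pack:example")
    return rbac


def run_scenario(stanley_is_admin: bool, pass_requester: bool,
                 caller: str = "st2admin") -> dict:
    """Returns the scheduled execution or the denial message for one scenario."""
    rbac = rbac_from_thread()
    if stanley_is_admin:
        rbac.assign(SYSTEM_USER, "admin")      # the workaround discussed above
    requester = caller if pass_requester else None  # None models the regression
    try:
        return schedule_execution(rbac, "action:packs:install", requester)
    except ResourceAccessDenied as exc:
        return {"denied": str(exc)}


if __name__ == "__main__":
    print("regression, stanley has no role:", run_scenario(False, False))
    print("workaround, stanley is admin:   ", run_scenario(True, False))
    print("fixed, requester passed through:", run_scenario(False, True))
    print("fixed, unprivileged caller:     ", run_scenario(False, True, "user1"))
```

The point the model makes is that granting stanley the admin role only restores authorization; every CLI-started install is still evaluated and audited as stanley, so a caller with no rights at all would be allowed, and the audit trail would not name them. Passing the requester through keeps the decision and the attribution on the real user, and denies user1, who only owns pack "example", with a message that names user1.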

Kami commented 7 years ago

Could be a bug with the way the user is handled when the action is executed using the CLI - will look into it.

Kami commented 7 years ago

I was able to reproduce it - it looks like it's a regression that was introduced when we moved to the /v1/packs/install API.