StackStorm / st2

StackStorm (aka "IFTTT for Ops") is event-driven automation for auto-remediation, incident responses, troubleshooting, deployments, and more for DevOps and SREs. Includes rules engine, workflow, 160 integration packs with 6000+ actions (see https://exchange.stackstorm.org) and ChatOps. Installer at https://docs.stackstorm.com/install/index.html
https://stackstorm.com/
Apache License 2.0

Ability to grant permission on all resources of a specific type #4066

Open Kami opened 6 years ago

Kami commented 6 years ago

We should add ability to grant permissions on all resources of a specific type to the RBAC permission assignment files.

Right now, user can already grant permissions on the pack basis. This works for a majority of the use cases (e.g. ability to execute all the actions in pack Y, ability to view all the rules in pack X, etc.), but in some scenarios user may want to grant permission on all the resources of a specific type which don't necessarily belong to the same pack.

Some ideas on how we could handle that:

Approach 1

name: "pack_search_role"
description: "Role which grants pack_search permission to all packs"
permission_grants:
    -
        resource_uid: "packs:*"
        permission_types:
           - "pack_search"

name: "view_all_rules"
description: "Role which grants rule_view permission on all the rules in the system"
permission_grants:
    -
        resource_uid: "rule:*"
        permission_types:
           - "rule_view"

Approach 2

In this scenario no resource_id is provided.

That's how we handle global permission types right now (permissions which are global and don't apply to a specific resource), so doing that for all the resources could be confusing and we should probably avoid it.

name: "pack_search_role"
description: "Role which grants pack_search permission to all packs"
permission_grants:
    -
        permission_types:
           - "pack_search"

If we go with the first approach, we should probably implement simple "all or nothing" glob matching to begin with.

Down the road, we could implement more complex glob matching, but I'm not a big fan of it since it's more complex, opaque, and has negative performance implications in case of complex glob patterns.

One thing which I'm 100% against is using regular expressions instead of globs. I would argue that regular expressions should very rarely be exposed to the end user (if someone exposes it, I treat it as a bad and potentially insecure UX), they increase complexity and there are many edge cases which can result in DDoS and similar resource exhaustion attacks.

Related issue #4063 and comment https://github.com/StackStorm/st2/issues/4063#issuecomment-378837810.

bigmstone commented 6 years ago

I'm in favor of approach 1. IAM perms in AWS come to mind.

stale[bot] commented 5 years ago

Thanks for contributing to this issue. As it has been 90 days since the last activity, we are automatically marking it as stale. If this issue is not relevant or applicable anymore (problem has been fixed in a new version or similar), please close the issue or let us know so we can close it. On the contrary, if the issue is still relevant, there is nothing you need to do, but if you have any additional details or context which would help us when working on this issue, please include it as a comment to this issue.

cognifloyd commented 3 years ago

Another possibility would be to use a separate field instead of a glob.

Approach 3

name: "rule_manager_role"
description: "Role which grants rule_all permission to all rules"
permission_grants:
    -
        resource_type: "rule"
        permission_types:
           - "rule_all"

name: "policy_manager_role"
description: "Role which grants policy_all permission on all the policies in the system"
permission_grants:
    -
        resource_type: "policy"
        permission_types:
           - "policy_all"
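As an added illustration (not code from the st2 project or from anyone in this thread), the following toy evaluator in Python shows how the "all or nothing" wildcard from approach 1 and the `resource_type` field from approach 3 could be checked side by side, while rejecting partial globs such as `rule:examples:*` at validation time. The grants, the `type:pack:name` UID layout, and the `<type>_all` expansion are constructed assumptions for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

WILDCARD = "*"


@dataclass(frozen=True)
class Grant:
    """One entry of a role's permission_grants list (constructed model)."""
    permission_types: tuple[str, ...]
    resource_uid: str | None = None   # approach 1: exact UID or "<type>:*"
    resource_type: str | None = None  # approach 3: bare resource type


def grant_is_valid(grant: Grant) -> bool:
    """All-or-nothing rule: the only wildcard accepted is a bare '*' as the
    whole resource part ("rule:*"). Partial globs ("rule:examples:*") fail."""
    if grant.resource_uid is None:
        return True
    rtype, sep, rest = grant.resource_uid.partition(":")
    if not sep or not rtype:
        return False
    return WILDCARD not in rest or rest == WILDCARD


def grant_covers(grant: Grant, uid: str) -> bool:
    """Does the grant apply to the resource with this UID ("type:pack:name")?"""
    rtype, _, rest = uid.partition(":")
    if grant.resource_type is not None:         # approach 3: whole type
        return grant.resource_type == rtype
    if grant.resource_uid is None:              # global grant, not resource-scoped
        return False
    gtype, _, gpattern = grant.resource_uid.partition(":")
    return gtype == rtype and (gpattern == WILDCARD or gpattern == rest)


def permission_granted(grant: Grant, permission_type: str) -> bool:
    """'<type>_all' stands in for every '<type>_*' permission (assumed semantics)."""
    prefix = permission_type.split("_", 1)[0]
    return (permission_type in grant.permission_types
            or f"{prefix}_all" in grant.permission_types)


def has_permission(grants, uid: str, permission_type: str) -> bool:
    """True if any valid grant covers the resource and carries the permission."""
    return any(grant_is_valid(g) and grant_covers(g, uid)
               and permission_granted(g, permission_type) for g in grants)


# Constructed grants mirroring the approaches discussed in this issue.
GRANTS = (
    Grant(("pack_search",), resource_uid="pack:*"),                     # approach 1
    Grant(("rule_view",), resource_uid="rule:examples:sample_rule"),   # exact UID
    Grant(("policy_all",), resource_type="policy"),                    # approach 3
)
```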