StackStorm / stackstorm-k8s

K8s Helm Chart that codifies StackStorm (aka "IFTTT for Ops" https://stackstorm.com/) High Availability fleet as a simple to use reproducible infrastructure-as-code app
https://helm.stackstorm.com/
Apache License 2.0

Problem with role assignment on ldap auth #258

Closed elsopapa closed 3 years ago

elsopapa commented 3 years ago

I have a problem in the role assignment when I use ldap as auth backend. I have a test site with a standard installation (without kubernetes), and the conf works well and takes the roles.

  # Custom StackStorm config (st2.user.conf) which will apply settings on top of default st2.conf
  config: |
    [api]
    allow_origin = '*'

    [auth]
    mode = standalone
    backend = ldap
    backend_kwargs = {"bind_dn": "CN=XXXXXXX,OU=XXXXX,DC=xxxx,DC=xxxx,DC=com,DC=ar", "bind_password": "XXXXXX", "base_ou": "OU=xxxx,DC=xxxx,DC=xxxx,DC=com,DC=ar", "group_dns": ["cn=_gg_arq_inf_bue,ou=grupos tier 2,ou=grupos,ou=sistemas,ou=sectores,ou=xxxx,dc=xxxx,dc=xxxx,dc=com,dc=ar"], "id_attr": "userPrincipalName", "group_dns_check": "or", "host": "ldap.xxxx.xxxx.com.ar", "port": 389, "debug": "true"}
    enable = True
    use_ssl = False
    logging = /etc/st2/logging.auth.conf
    api_url = http://stackstorm-st2api:9101/
    debug = True

    #[rbac]
    # enable = True
    #backend = ldap
    #sync_remote_groups = True

  # StackStorm Role Based Access Control settings (https://docs.stackstorm.com/rbac.html)
  rbac:
    enabled: true
    backend: ldap
    sync_remote_groups: true

    # Custom StackStorm RBAC roles, shipped in '/opt/stackstorm/rbac/roles/'
    # See https://docs.stackstorm.com/rbac.html#defining-roles-and-permission-grants
    roles:
      sample.yaml: |
        # sample RBAC role file, see https://docs.stackstorm.com/rbac.html#defining-roles-and-permission-grants
        ---
        name: "sample"
        description: "Example Role which contains no permission grants and serves for demonstration purposes"

    # Custom StackStorm RBAC role assignments, shipped in '/opt/stackstorm/rbac/assignments/'
    # See: https://docs.stackstorm.com/rbac.html#defining-user-role-assignments
    assignments:

    # StackStorm RBAC LDAP groups-to-roles mapping rules, shipped in '/opt/stackstorm/rbac/mappings/'
    # See RBAC Roles Based on LDAP Groups: https://docs.stackstorm.com/rbac.html#automatically-granting-roles-based-on-ldap-group-membership
    mappings:
      _gg_arq_inf_bue.yaml: |
        ---
        group: "cn=_gg_arq_inf_bue,ou=grupos tier 2,ou=grupos,ou=sistemas,ou=sectores,ou=xxxx,dc=xxxx,dc=xxxx,dc=com,dc=ar"
        description: "Automatically grant admin role to all arq_inf group members."
        roles:
          - "admin"
2021-10-21 18:12:19,618 INFO [-] Connecting to database "st2" @ "stackstorm-mongodb-0.stackstorm-mongodb-headless:27017,stackstorm-mongodb-1.stackstorm-mongodb-headless:27017,stackstorm-mongodb-2.stackstorm-mongodb-headless:27017 (replica set)" as user "st2-admin".
2021-10-21 18:12:19,634 INFO [-] Successfully connected to database "st2" @ "stackstorm-mongodb-0.stackstorm-mongodb-headless:27017,stackstorm-mongodb-1.stackstorm-mongodb-headless:27017,stackstorm-mongodb-2.stackstorm-mongodb-headless:27017 (replica set)" as user "st2-admin".
2021-10-21 18:12:19,634 DEBUG [-] Ensuring database indexes...
2021-10-21 18:12:20,056 DEBUG [-] Skipping index cleanup for blacklisted model "PermissionGrantDB"...
2021-10-21 18:12:20,124 DEBUG [-] Indexes are ensured for models: ActionAliasDB, ActionAliasDB, ActionDB, ActionExecutionDB, ActionExecutionDB, ActionExecutionOutputDB, ActionExecutionSchedulingQueueItemDB, ActionExecutionStateDB, ActionExecutionStateDB, ApiKeyDB, ConfigDB, ConfigSchemaDB, GroupToRoleMappingDB, KeyValuePairDB, LiveActionDB, LiveActionDB, PackDB, PermissionGrantDB, PolicyDB, PolicyTypeDB, RoleDB, RuleDB, RuleEnforcementDB, RunnerTypeDB, RunnerTypeDB, SensorTypeDB, TaskExecutionDB, TokenDB, TraceDB, TriggerDB, TriggerInstanceDB, TriggerTypeDB, UserDB, UserRoleAssignmentDB, WorkflowExecutionDB
2021-10-21 18:12:20,125 DEBUG [-] Registering exchanges...
2021-10-21 18:12:20,125 DEBUG [-] Using SSL context for RabbitMQ connection: {}
2021-10-21 18:12:20,149 DEBUG [-] Start from server, version: 0.9, properties: {'capabilities': {'publisher_confirms': True, 'exchange_exchange_bindings': True, 'basic.nack': True, 'consumer_cancel_notify': True, 'connection.blocked': True, 'consumer_priorities': True, 'authentication_failure_close': True, 'per_consumer_qos': True, 'direct_reply_to': True}, 'cluster_name': 'rabbit@stackstorm-rabbitmq-0.stackstorm-rabbitmq-headless.st2.svc.cluster.local', 'copyright': 'Copyright (c) 2007-2020 VMware, Inc. or its affiliates.', 'information': 'Licensed under the MPL 2.0. Website: https://rabbitmq.com', 'platform': 'Erlang/OTP 22.3', 'product': 'RabbitMQ', 'version': '3.8.9'}, mechanisms: [b'PLAIN', b'AMQPLAIN'], locales: ['en_US']
2021-10-21 18:12:20,151 DEBUG [-] using channel_id: 1
2021-10-21 18:12:20,152 DEBUG [-] Channel open
2021-10-21 18:12:20,155 DEBUG [-] Registered exchange st2.actionexecutionstate ({'exchange': 'st2.actionexecutionstate', 'type': 'topic', 'durable': True, 'auto_delete': False, 'arguments': None, 'nowait': False, 'passive': False}).
2021-10-21 18:12:20,155 DEBUG [-] Registered exchange st2.announcement ({'exchange': 'st2.announcement', 'type': 'topic', 'durable': True, 'auto_delete': False, 'arguments': None, 'nowait': False, 'passive': False}).
2021-10-21 18:12:20,163 DEBUG [-] Registered exchange st2.execution ({'exchange': 'st2.execution', 'type': 'topic', 'durable': True, 'auto_delete': False, 'arguments': None, 'nowait': False, 'passive': False}).
2021-10-21 18:12:20,165 DEBUG [-] Registered exchange st2.liveaction ({'exchange': 'st2.liveaction', 'type': 'topic', 'durable': True, 'auto_delete': False, 'arguments': None, 'nowait': False, 'passive': False}).
2021-10-21 18:12:20,165 DEBUG [-] Registered exchange st2.liveaction.status ({'exchange': 'st2.liveaction.status', 'type': 'topic', 'durable': True, 'auto_delete': False, 'arguments': None, 'nowait': False, 'passive': False}).
2021-10-21 18:12:20,166 DEBUG [-] Registered exchange st2.trigger ({'exchange': 'st2.trigger', 'type': 'topic', 'durable': True, 'auto_delete': False, 'arguments': None, 'nowait': False, 'passive': False}).
2021-10-21 18:12:20,167 DEBUG [-] Registered exchange st2.trigger_instances_dispatch ({'exchange': 'st2.trigger_instances_dispatch', 'type': 'topic', 'durable': True, 'auto_delete': False, 'arguments': None, 'nowait': False, 'passive': False}).
2021-10-21 18:12:20,168 DEBUG [-] Registered exchange st2.sensor ({'exchange': 'st2.sensor', 'type': 'topic', 'durable': True, 'auto_delete': False, 'arguments': None, 'nowait': False, 'passive': False}).
2021-10-21 18:12:20,168 DEBUG [-] Registered exchange st2.workflow ({'exchange': 'st2.workflow', 'type': 'topic', 'durable': True, 'auto_delete': False, 'arguments': None, 'nowait': False, 'passive': False}).
2021-10-21 18:12:20,169 DEBUG [-] Registered exchange st2.workflow.status ({'exchange': 'st2.workflow.status', 'type': 'topic', 'durable': True, 'auto_delete': False, 'arguments': None, 'nowait': False, 'passive': False}).
2021-10-21 18:12:20,169 DEBUG [-] Closed channel #1
2021-10-21 18:12:20,169 DEBUG [-] using channel_id: 1
2021-10-21 18:12:20,170 DEBUG [-] Channel open
2021-10-21 18:12:20,170 DEBUG [-] Predeclaring queue for exchange "st2.liveaction.status"
2021-10-21 18:12:20,172 DEBUG [-] Predeclared queue for exchange "st2.liveaction.status"
2021-10-21 18:12:20,172 DEBUG [-] Predeclaring queue for exchange "st2.liveaction.status"
2021-10-21 18:12:20,175 DEBUG [-] Predeclared queue for exchange "st2.liveaction.status"
2021-10-21 18:12:20,175 DEBUG [-] Predeclaring queue for exchange "st2.liveaction.status"
2021-10-21 18:12:20,176 DEBUG [-] Predeclared queue for exchange "st2.liveaction.status"
2021-10-21 18:12:20,176 DEBUG [-] Predeclaring queue for exchange "st2.execution"
2021-10-21 18:12:20,178 DEBUG [-] Predeclared queue for exchange "st2.execution"
2021-10-21 18:12:20,178 DEBUG [-] Predeclaring queue for exchange "st2.actionexecutionstate"
2021-10-21 18:12:20,180 DEBUG [-] Predeclared queue for exchange "st2.actionexecutionstate"
2021-10-21 18:12:20,180 DEBUG [-] Predeclaring queue for exchange "st2.trigger_instances_dispatch"
2021-10-21 18:12:20,182 DEBUG [-] Predeclared queue for exchange "st2.trigger_instances_dispatch"
2021-10-21 18:12:20,182 DEBUG [-] Predeclaring queue for exchange "st2.announcement"
2021-10-21 18:12:20,187 DEBUG [-] Predeclared queue for exchange "st2.announcement"
2021-10-21 18:12:20,187 DEBUG [-] Predeclaring queue for exchange "st2.execution"
2021-10-21 18:12:20,191 DEBUG [-] Predeclared queue for exchange "st2.execution"
2021-10-21 18:12:20,191 DEBUG [-] Predeclaring queue for exchange "st2.liveaction"
2021-10-21 18:12:20,196 DEBUG [-] Predeclared queue for exchange "st2.liveaction"
2021-10-21 18:12:20,196 DEBUG [-] Predeclaring queue for exchange "st2.execution.output"
2021-10-21 18:12:20,199 DEBUG [-] Predeclared queue for exchange "st2.execution.output"
2021-10-21 18:12:20,199 DEBUG [-] Predeclaring queue for exchange "st2.workflow.status"
2021-10-21 18:12:20,201 DEBUG [-] Predeclared queue for exchange "st2.workflow.status"
2021-10-21 18:12:20,201 DEBUG [-] Predeclaring queue for exchange "st2.workflow.status"
2021-10-21 18:12:20,202 DEBUG [-] Predeclared queue for exchange "st2.workflow.status"
2021-10-21 18:12:20,202 DEBUG [-] Predeclaring queue for exchange "st2.trigger"
2021-10-21 18:12:20,203 DEBUG [-] Predeclared queue for exchange "st2.trigger"
2021-10-21 18:12:20,203 DEBUG [-] Predeclaring queue for exchange "st2.sensor"
2021-10-21 18:12:20,205 DEBUG [-] Predeclared queue for exchange "st2.sensor"
2021-10-21 18:12:20,205 DEBUG [-] Closed channel #1
2021-10-21 18:12:20,212 INFO [-] Loading role definitions from "/opt/stackstorm/rbac/roles/"
2021-10-21 18:12:20,213 DEBUG [-] Loading role definition from: /opt/stackstorm/rbac/roles/sample.yaml
2021-10-21 18:12:20,215 INFO [-] Loading user role assignments from "/opt/stackstorm/rbac/assignments/"
2021-10-21 18:12:20,215 INFO [-] Loading group to role map definitions from "/opt/stackstorm/rbac/mappings/"
2021-10-21 18:12:20,215 DEBUG [-] Loading group to role mapping from: /opt/stackstorm/rbac/mappings/_gg_arq_inf_bue.yaml
2021-10-21 18:12:20,216 INFO [-] Synchronizing roles...
2021-10-21 18:12:20,218 DEBUG [-] New roles: set()
2021-10-21 18:12:20,218 DEBUG [-] Updated roles: {'sample'}
2021-10-21 18:12:20,219 DEBUG [-] Removed roles: set()
2021-10-21 18:12:20,219 DEBUG [-] Deleting 1 stale roles
2021-10-21 18:12:20,226 DEBUG [-] Deleted 1 stale roles
2021-10-21 18:12:20,226 DEBUG [-] Deleting 0 stale permission grants
2021-10-21 18:12:20,228 DEBUG [-] Deleted 0 stale permission grants
2021-10-21 18:12:20,228 DEBUG [-] Creating 1 new roles
2021-10-21 18:12:20,231 DEBUG [-] Created 1 new roles
2021-10-21 18:12:20,231 INFO [-] Roles synchronized (0 created, 1 updated, 0 removed)
2021-10-21 18:12:20,231 INFO [-] Synchronizing users role assignments...
2021-10-21 18:12:20,234 DEBUG [-] New assignments for user "perrettaa": set()
2021-10-21 18:12:20,234 DEBUG [-] Updated assignments for user "perrettaa": set()
2021-10-21 18:12:20,234 DEBUG [-] Removed assignments for user "perrettaa": set()
2021-10-21 18:12:20,234 DEBUG [-] New assignments for user "sensors_container": set()
2021-10-21 18:12:20,234 DEBUG [-] Updated assignments for user "sensors_container": set()
2021-10-21 18:12:20,234 DEBUG [-] Removed assignments for user "sensors_container": set()
2021-10-21 18:12:20,234 DEBUG [-] New assignments for user "espinosac": set()
2021-10-21 18:12:20,234 DEBUG [-] Updated assignments for user "espinosac": set()
2021-10-21 18:12:20,234 DEBUG [-] Removed assignments for user "espinosac": set()
2021-10-21 18:12:20,234 DEBUG [-] New assignments for user "camilo.espinosa@xxx.com.ar": set()
2021-10-21 18:12:20,234 DEBUG [-] Updated assignments for user "camilo.espinosa@xxx.com.ar": set()
2021-10-21 18:12:20,234 DEBUG [-] Removed assignments for user "camilo.espinosa@xxx.com.ar": set()
2021-10-21 18:12:20,234 DEBUG [-] New assignments for user "st2admin": set()
2021-10-21 18:12:20,234 DEBUG [-] Updated assignments for user "st2admin": set()
2021-10-21 18:12:20,234 DEBUG [-] Removed assignments for user "st2admin": {('system_admin', 'assignments/st2admin.yaml')}
2021-10-21 18:12:20,236 DEBUG [-] Removed role "system_admin" from "assignments/st2admin.yaml" for user "st2admin".
2021-10-21 18:12:20,236 DEBUG [-] User "stanley" doesn't exist in the DB, creating assignment anyway
2021-10-21 18:12:20,236 DEBUG [-] New assignments for user "stanley": set()
2021-10-21 18:12:20,236 DEBUG [-] Updated assignments for user "stanley": set()
2021-10-21 18:12:20,236 DEBUG [-] Removed assignments for user "stanley": {('admin', 'assignments/stanley.yaml')}
2021-10-21 18:12:20,237 DEBUG [-] Removed role "admin" from "assignments/stanley.yaml" for user "stanley".
2021-10-21 18:12:20,237 DEBUG [-] New assignments for user "ostritf": set()
2021-10-21 18:12:20,238 DEBUG [-] Updated assignments for user "ostritf": set()
2021-10-21 18:12:20,238 DEBUG [-] Removed assignments for user "ostritf": set()
2021-10-21 18:12:20,238 DEBUG [-] New assignments for user "alejandro.perretta@xx.com.ar": set()
2021-10-21 18:12:20,238 DEBUG [-] Updated assignments for user "alejandro.perretta@xxxx.com.ar": set()
2021-10-21 18:12:20,238 DEBUG [-] Removed assignments for user "alejandro.perretta@xxxx.com.ar": set()
2021-10-21 18:12:20,238 INFO [-] User role assignments synchronized
2021-10-21 18:12:20,238 INFO [-] Synchronizing group to role maps...
2021-10-21 18:12:20,243 INFO [-] Group to role map definitions synchronized.
cognifloyd commented 3 years ago

Is this log from the k8s install or from your other instance?

elsopapa commented 3 years ago

from the k8s install

cognifloyd commented 3 years ago

I don't see errors in that log. What problem are you experiencing?

elsopapa commented 3 years ago

The problem is: in the standard VM installation (same version and config but without k8s) the role assignment works ok. In the k8s install I can log in but I don't have any role assigned.

cognifloyd commented 3 years ago

Try something like this:

   config: |
 ...
-    #[rbac]
-    # enable = True
-    #backend = ldap
-    #sync_remote_groups = True
+    [rbac]
+    sync_remote_groups = True
 ...
   rbac:
     enabled: true
-    backend: ldap
-    sync_remote_groups: true
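Review bot: the new `[rbac]` block in st2.user.conf carries only `sync_remote_groups = True` while `enable` and the backend are left to the chart (driven by the `rbac.enabled: true` that the hunk keeps); since st2.user.conf is applied on top of st2.conf, it is worth confirming in the rendered st2.conf inside the pod that `[rbac]` ends up with `enable = True`, the chart-set backend and `sync_remote_groups = True` together before re-testing the login, so that a missing or stale line there is not mistaken for an LDAP problem.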

Why: Specific rbac settings go in the config section. But the chart needs to know if rbac is enabled, so that setting is managed in its own spot. Also the rbac backend is always "default" -- only auth can work with ldap. Plus the chart automatically sets the rbac backend when rbac is enabled, so you don't need to do that.

elsopapa commented 3 years ago

I already did that test, and it doesn't work. I will try again.

elsopapa commented 3 years ago

Solved, the problem was a case-sensitive configuration in the group's name (works in the standard installation but not in k8s).
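A pre-deployment check that models the root cause found above, as an added example that is not code from the chart or from this issue: it flags a mapping-file group DN that equals the DN returned by LDAP only after case folding, which a case-sensitive comparison would treat as a different group and silently grant no role. The two DNs are constructed samples.

```python
import re

# Constructed sample DNs: the one written in the mapping file and the one LDAP returns.
MAPPING_GROUP_DN = "cn=_gg_arq_inf_bue,ou=grupos tier 2,ou=grupos,dc=example,dc=com"
LDAP_GROUP_DN = "CN=_gg_arq_inf_bue,OU=Grupos Tier 2,OU=Grupos,DC=example,DC=com"


def split_rdns(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    return re.split(r"(?<!\\),", dn)


def normalize_dn(dn):
    """Lower-case attribute types and values and trim whitespace around '='
    so that DNs equal under LDAP's case-insensitive matching compare equal
    as plain strings."""
    parts = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def classify_match(mapping_dn, ldap_dn):
    """'exact': byte-for-byte equal, so even a case-sensitive comparison matches.
    'case_only': equal only after normalization; a case-sensitive comparison
    (the behaviour hit in the k8s install above) grants no role.
    'none': different groups."""
    if mapping_dn == ldap_dn:
        return "exact"
    if normalize_dn(mapping_dn) == normalize_dn(ldap_dn):
        return "case_only"
    return "none"


def check_mappings(mappings, ldap_groups):
    """mappings: {mapping file: group DN}; ldap_groups: DNs LDAP returns for a user.
    Returns {mapping file: verdict}; 'case_only' is the silent failure to fix."""
    result = {}
    for name, dn in mappings.items():
        verdicts = {classify_match(dn, g) for g in ldap_groups}
        if "exact" in verdicts:
            result[name] = "exact"
        elif "case_only" in verdicts:
            result[name] = "case_only"
        else:
            result[name] = "none"
    return result


if __name__ == "__main__":
    print(check_mappings({"_gg_arq_inf_bue.yaml": MAPPING_GROUP_DN}, [LDAP_GROUP_DN]))
```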