RBAC Not working properly for pack installations
SUMMARY
I have a role defined for the pack and have pack_all permission, but when I try to install it, it errors stating that the access to action_execute for packs.install is missing. If I add that, that opens up pack install/uninstall access for all packs, even those not assigned to the role.
role.yaml: |
  name: "role"
  description: ""
  enabled: true
  permission_grants:
    - resource_uid: "pack:automation"
      permission_types:
        - "pack_all"
        - "sensor_type_all"
        - "action_all"
        - "action_alias_all"
        - "rule_all"
STACKSTORM VERSION
3.2.0
OS, environment, install method
Kubernetes, Stackstorm HA
Expected Results
pack_all role should allow the user to install/uninstall and register the pack for which the role is assigned.
I believe that this is not actually a bug - and that this is working exactly as intended. The pack_install and pack_uninstall permission grants are global permission types, and therefore cannot and do not apply to individual packs.
However, our RBAC documentation definitely needs to be updated, and the fact that PACK_ALL permission grants do not grant pack_install and pack_uninstall as well needs to be made more clear.
Thanks for contributing to this issue. As it has been 90 days since the last activity, we are automatically marking it as stale. If this issue is not relevant or applicable anymore (problem has been fixed in a new version or similar), please close the issue or let us know so we can close it. On the contrary, if the issue is still relevant, there is nothing you need to do, but if you have any additional details or context which would help us when working on this issue, please include it as a comment to this issue.
+1 on the RBAC documentation. I have been struggling with this for several hours today trying to understand how the global permission types are supposed to work. Adding pack_install to a role doesn't give the user any actual permissions to install a pack or anything relating to the install.
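An added example, not part of the thread and not StackStorm's own code: a small audit over role definitions that flags the two behaviours discussed above (pack_all not covering install, and execute access to packs.install applying to every pack). The UID `action:packs:install`, the treatment of `pack:packs`, the finding codes and `WORKAROUND_ROLE` are assumptions made for illustration.

```python
# Added example: ISSUE_ROLE mirrors the role.yaml quoted in the issue;
# WORKAROUND_ROLE is constructed.

# Global permission types named in the thread; they are not tied to one pack.
GLOBAL_TYPES = {"pack_install", "pack_uninstall"}
# Assumption: the packs.install action has the UID "action:packs:install",
# and action grants on "pack:packs" also cover it.
INSTALL_UIDS = {"action:packs:install", "pack:packs"}
EXECUTE_TYPES = {"action_execute", "action_all"}

ISSUE_ROLE = {
    "name": "role",
    "permission_grants": [{
        "resource_uid": "pack:automation",
        "permission_types": ["pack_all", "sensor_type_all", "action_all",
                             "action_alias_all", "rule_all"],
    }],
}
# Constructed role: the issue's role after adding the install workaround.
WORKAROUND_ROLE = {
    "name": "role_with_install",
    "permission_grants": ISSUE_ROLE["permission_grants"] + [
        {"resource_uid": "action:packs:install",
         "permission_types": ["action_execute"]},
        {"permission_types": ["pack_install"]},
    ],
}


def audit_role(role):
    """Return (code, detail) findings for one role definition dict."""
    findings = []
    for grant in role.get("permission_grants", []):
        uid = grant.get("resource_uid")
        types = set(grant.get("permission_types", []))
        if uid and uid.startswith("pack:") and "pack_all" in types:
            findings.append(("PACK_ALL_NO_INSTALL",
                             f"pack_all on {uid} does not include install/uninstall"))
        if uid in INSTALL_UIDS and types & EXECUTE_TYPES:
            findings.append(("INSTALL_ANY_PACK",
                             f"execute on {uid} lets the role install any pack"))
        for perm in sorted(types & GLOBAL_TYPES):
            code = "GLOBAL_WITH_UID" if uid else "GLOBAL_GRANT"
            findings.append((code, f"{perm} is global; it is not limited to one pack"))
    return findings


if __name__ == "__main__":
    for role in (ISSUE_ROLE, WORKAROUND_ROLE):
        for code, detail in audit_role(role):
            print(f"{role['name']}: {code}: {detail}")
```

Running the audit on role files before they are loaded makes it visible when a pack-scoped role has been widened to install access for all packs.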