
Documented instructions for RBAC role permissions are incorrect #1107

Closed
satellite-no opened this issue Jan 21, 2022 · 9 comments · Fixed by #1110

Comments

@satellite-no

Hi,

Maybe this is something I'm doing wrong, but I've been playing with this for a while and it seems pretty straightforward, yet no matter what the permissions to an object are, none get applied; only global-level permissions work (action_list, execution_list, etc.).

Below are the commands I ran w/ output and the st2.conf. Nothing is special about this; it's basically copy and paste from the RBAC documentation: https://docs.stackstorm.com/rbac.html#using-rbac-example

Command ran and output

st2.conf

@amanda11
Contributor

It's a bit difficult without the RBAC roles and assignment files. Could you also add those?

@satellite-no
Author

For sure @amanda11,
As I mentioned, I just followed the exact role and assignments from the documentation "Using RBAC Example" linked previously. I tried lots of other combinations, but this is the easiest way to show it doesn't work as expected, since it's the "example".

/opt/stackstorm/rbac/roles/example_pack_owner.yaml

---
name: "example_pack_owner"
description: "Owner of pack example"
enabled: true
permission_grants:
    -
        resource_uid: "pack:example"
        permission_types:
           - "pack_all"
           - "sensor_type_all"
           - "rule_all"
           - "action_all"

/opt/stackstorm/rbac/assignments/rbac_user1.yaml

---
username: "rbac_user1"
description: "Grant example_pack_owner role to rbac_user1 user."
enabled: true
roles:
    - "example_pack_owner"

@amanda11
Contributor

So in your output it indicates the permissions that are missing:

[root@stackstorm example]# st2 rule create rules/sample_rule_with_timer.yaml
ERROR: 403 Client Error: Forbidden
MESSAGE: User "rbac_user1" doesn't have required (action_execute) permission to use action core.local for url: http://127.0.0.1:9101/v1/rules
[root@stackstorm example]# st2 rule get example.sample_rule_with_timer.yaml

So you have not granted the user rbac_user1 the action_execute permission on the action core.local. To create objects you need more than permissions on the pack.

If you create the rule first with another user, then with your permissions they should have permission to run the command. Alternatively, look at the error in detail to see which permission and objects it is reporting on.

@satellite-no
Author

I understand it outputs what permission is missing, but that goes against what is in the example docs, which makes me believe it's not working as intended (i.e. a bug). For example, never in the doc example does it say it needs action_list or action_execute, but it says I should be able to accomplish both of these actions based off the role as configured. If that's not the case, then the docs are out of date.

Either way something needs to be updated, correct?

[root@stackstorm rbac]# st2 action list
ERROR: 403 Client Error: Forbidden
MESSAGE: User "rbac_user1" doesn't have required permission "action_list" for url: http://127.0.0.1:9101/v1/actions?include_attributes=ref%2Cpack%2Cdescription
[root@stackstorm rbac]# cd /opt/stackstorm/packs/

@amanda11
Contributor

So it looks like there are some problems in the documentation...

  1. In the docs the pack.yaml and requirements.txt should be created in /opt/stackstorm/packs/example, not /opt/stackstorm/packs - but I've verified that that makes no difference.
  2. I've reproduced the problem, and in fact what happens is that the error that is reported is about the action that is mentioned in the rule. So to create a rule you have to have the permission for the object that you are trying to create - else you get this error.
     The example you followed doesn't account for that, though earlier it is mentioned:

     # Note: To be able to create a rule user also needs to have an "action_execute" permission
     # on the action used inside the rule. In case the rule trigger type is a webhook, user also
     # needs to have "webhook_create" permission on the corresponding webhook."

But that wasn't included in the example further down, so the documentation needs to add permission for the core.local action, and make that clearer.

So in the case of the rule the example creates, as the rule calls core.local, you also need to have action_execute permission on the core.local action.

This is by design, and required. Otherwise, for instance, you could be creating a timer rule that would run the action core.local, so it would be a way for you to run an action you didn't have permission to - so this is incorrect in the example, and not documented clearly.

  3. If I use the following permissions, then I am able to successfully create the rule:
---
name: "example_pack_owner"
description: "Owner of pack example"
enabled: true
permission_grants:
    -
        resource_uid: "pack:example"
        permission_types:
           - "pack_all"
           - "sensor_type_all"
           - "rule_all"
           - "action_all"
    -
        resource_uid: "pack:core"
        permission_types:
           - "action_execute"

@satellite-no Could you update the description with the version of ST2 that you are using and the O/S?

I think if you add the permission to be able to execute the action the rule is trying to run, then you should find that the rule can now be created by that user.

  • Update role
  • Apply rbac definitions
  • Relogin rbac_user1 user
  • Re-test

You don't need to give the whole core pack action_execute permission, just the action that the rule references.

The example is also wrong in suggesting the user has permission to do a full global action list, as that permission hasn't been granted, so the use of "st2 action list" in the example is also wrong in the documentation.

If you can re-test, and we can confirm that it is the documentation that is wrong, then we can move this issue to the st2docs repo. But I want to first have it confirmed that it's the documentation for the version you are using as well.
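The check amanda11 describes (rule creation needs rule_create on the target pack and action_execute on the action the rule references, where a pack-level grant covers every resource in that pack and the grant can instead be made on just that one action) can be modelled before hitting the 403. The following is an added example, not part of this issue or of the st2-rbac-backend code; it assumes StackStorm's UID convention (`pack:<pack>`, `action:<pack>:<name>`) and that `<resource>_all` implies every permission on that resource, and it deliberately simplifies the real evaluation logic.

```python
# Added example (not StackStorm's own code): a simplified model of the RBAC
# grants `st2 rule create` needs. Assumes UID formats `pack:<pack>` and
# `action:<pack>:<name>`, and that a pack-level grant covers the pack's resources.

def _permission_in(permission_types, needed):
    """`<resource>_all` (e.g. action_all) implies every permission on that resource."""
    resource = needed.rsplit("_", 1)[0]          # "action_execute" -> "action"
    return needed in permission_types or f"{resource}_all" in permission_types


def has_permission(role, resource_uid, needed):
    """True if the role grants `needed` on resource_uid, on its pack, or globally."""
    parts = resource_uid.split(":")
    covering = {resource_uid}
    if parts[0] != "pack" and len(parts) >= 2:
        covering.add(f"pack:{parts[1]}")          # pack:core covers action:core:local
    for grant in role["permission_grants"]:
        uid = grant.get("resource_uid")           # no uid = global grant (e.g. action_list)
        if (uid is None or uid in covering) and _permission_in(grant["permission_types"], needed):
            return True
    return False


def missing_for_rule_create(role, rule_pack, action_ref):
    """Return the (resource_uid, permission) pairs rule creation needs but the role lacks."""
    action_pack, action_name = action_ref.split(".", 1)
    required = [
        (f"pack:{rule_pack}", "rule_create"),
        (f"action:{action_pack}:{action_name}", "action_execute"),
    ]
    return [(uid, perm) for uid, perm in required if not has_permission(role, uid, perm)]


# Constructed roles mirroring the YAML posted in this thread.
DOCS_ROLE = {"permission_grants": [
    {"resource_uid": "pack:example",
     "permission_types": ["pack_all", "sensor_type_all", "rule_all", "action_all"]},
]}
# Narrower than granting action_execute on the whole core pack: only the referenced action.
FIXED_ROLE = {"permission_grants": DOCS_ROLE["permission_grants"] + [
    {"resource_uid": "action:core:local", "permission_types": ["action_execute"]},
]}

if __name__ == "__main__":
    for name, role in (("docs", DOCS_ROLE), ("fixed", FIXED_ROLE)):
        print(name, missing_for_rule_create(role, "example", "core.local"))
```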

@satellite-no satellite-no changed the title Jan 28, 2022
@satellite-no
Author

Version

Updated the description, and here: st2 3.6.0, on Python 3.6.8. :)

OS is:

NAME="Rocky Linux"
VERSION="8.5 (Green Obsidian)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.5"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Rocky Linux 8.5 (Green Obsidian)"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:rocky:rocky:8.5:GA"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
ROCKY_SUPPORT_PRODUCT="Rocky Linux"
ROCKY_SUPPORT_PRODUCT_VERSION="8"

Config Updates

After updating the role to match the one you posted, it works for me as well. 👍

[root@stackstorm example]# st2 rule create rules/sample_rule_with_timer.yaml
+---------------+--------------------------------------------------------+
| Property      | Value                                                  |
+---------------+--------------------------------------------------------+
| id            | 61f43b6b4627e13174f185b8                               |
| name          | sample_rule_with_timer                                 |
....etc...

Followup on Listing

If I include the below, it works and lists all actions. Though the way the docs read, using resource_uid: "pack:example" with pack_all, one would think it would only list the actions that are in the pack (I know we established the docs need updating). But that functionality would IMO be a better implementation of RBAC. A user should not be able to even list items from a pack they don't have permissions to, much less view or execute them.

I know this is more of a feature at this point, but you know, food for thought. :)

    -
        permission_types:
           - "action_list"

@amanda11
Contributor

Thanks for the update. If you're amenable, I think we should split this into two issues:

  1. An issue in st2docs, so that the documentation can be updated to make it clearer which action permission is needed for rules, and the commands for the example are rectified to be what will work with the current implementation.

  2. I think there is a second issue about reviewing the way the action list permissions work.

There is the point you mentioned, as to whether action_list should allow you to see all, if you only have list permissions on certain packs.

Alternatively, I think there is another interpretation whereby you might think that, with your original permissions, the following command would work:
st2 action list -p example
But even though I only asked for the actions of one pack, I get permission denied.

So I think as it currently stands you can only perform an action list if you have the global permission, and there isn't a way to just see the actions in a pack you are permitted to list.

If that sounds ok with you, then I suggest we fork this out into two separate issues for the two areas. If that sounds ok, I can convert this one into st2docs for the documentation update, and a related one in this repo for the action list for a particular pack.

@satellite-no
Author

@amanda11,
That sounds like a good plan to me, thanks for the help in tracking down these items!

@amanda11 amanda11 transferred this issue from StackStorm/st2-rbac-backend Jan 31, 2022
@amanda11 amanda11 changed the title RBAC role permissions are not honored on st2 3.6.0, on Python 3.6.8 Documented instructions for RBAC role permissions are incorrect Jan 31, 2022
@amanda11
Contributor

amanda11 commented Jan 31, 2022

This issue will now solely deal with the problem that the example in st2docs for RBAC is incorrect, and should be amended as per the details above.
The desire to be able to restrict list to actions will be discussed under StackStorm/st2-rbac-backend#64
