Add RBAC to action-alias help api. #6022

nzlosh · 2023-09-14T20:40:12Z

No description provided.

cognifloyd

These st2-specific x-* keys are odd.

cognifloyd · 2023-10-17T00:50:30Z

st2common/st2common/openapi.yaml.j2

@@ -802,6 +802,11 @@ paths:
          description: Object containing the format to be matched.
          schema:
            $ref: '#/definitions/ActionAliasMatchRequest'
+      x-parameters:


I see x-permissions above. I wonder why that isn't triggering the permission check.

nzlosh · 2023-11-18T09:49:38Z

@cognifloyd You're right, the x-parameters aren't required. RBAC is being applied to the help/match endpoints using x-permission. Closing this PR as redundant.

nzlosh · 2023-11-18T10:28:31Z

I just tested further, the RBAC tests inside the function calls for help/match aren't required because they're checked earlier in the router functions. However, the openapi spec does require x-parameters to be present in the specification for the requester_user to be handled correctly. Without the x-parameters the following error is encountered:

2023-11-18 10:59:36,539 140126632707184 DEBUG resolvers [-] ActionAliasPermissionsResolver._user_has_global_permission: Checking user permissions (user_db={'id': '64f1b454654977b68c7d2738', 'is_s
ervice': False, 'name': 'errbot', 'nicknames': {}},permission_type='action_alias_help',resolver='ActionAliasPermissionsResolver')
2023-11-18 10:59:36,540 140126632707184 DEBUG resolvers [-] ActionAliasPermissionsResolver._user_has_global_permission: Found a matching grant via system role (user_db={'id': '64f1b454654977b68c7
d2738', 'is_service': False, 'name': 'errbot', 'nicknames': {}},permission_type='action_alias_help',resolver='ActionAliasPermissionsResolver')
2023-11-18 10:59:36,541 140126632707184 ERROR router [-] Failed to call controller function "help" for operation "st2api.controllers.v1.actionalias:action_alias_controller.help": 'NoneType' objec
t has no attribute 'name'
Traceback (most recent call last):
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2common/router.py", line 632, in __call__
    resp = func(**kw)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/v1/actionalias.py", line 110, in help
    aliases_resp = super(ActionAliasController, self)._get_all(**kwargs)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/resource.py", line 717, in _get_all
    requester_user=requester_user,
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/resource.py", line 194, in _get_all
    limit = validate_limit_query_param(limit=limit, requester_user=requester_user)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/resource.py", line 792, in validate_limit_query_param
    user_is_admin = rbac_utils.user_is_admin(user_db=requester_user)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2rbac_backend/utils.py", line 201, in user_is_admin
    is_system_admin = RBACUtils.user_is_system_admin(user_db=user_db)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2rbac_backend/utils.py", line 221, in user_is_system_admin
    return RBACUtils.user_has_role(user_db=user_db, role=SystemRole.SYSTEM_ADMIN)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2rbac_backend/utils.py", line 239, in user_has_role
    user_role_dbs = rbac_service.get_roles_for_user(user_db=user_db)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2rbac_backend/service.py", line 85, in get_roles_for_user
    queryset = UserRoleAssignment.query(user=user_db.name)
AttributeError: 'NoneType' object has no attribute 'name'

pull-request-size bot added the size/M PR that changes 30-99 lines. Good size to review. label Sep 14, 2023

nzlosh marked this pull request as draft September 14, 2023 20:40

nzlosh force-pushed the st2help_rbac branch 2 times, most recently from e969b44 to 5d710f3 Compare September 14, 2023 21:00

nzlosh added this to the 3.9.0 milestone Sep 14, 2023

nzlosh force-pushed the st2help_rbac branch 4 times, most recently from 95ca54e to 781a03d Compare September 15, 2023 05:55

nzlosh requested review from cognifloyd, guzzijones and amanda11 October 5, 2023 20:21

cognifloyd reviewed Oct 24, 2023

View reviewed changes

nzlosh closed this Nov 18, 2023

nzlosh reopened this Nov 18, 2023

nzlosh force-pushed the st2help_rbac branch 2 times, most recently from 3f46cab to d964dcf Compare November 18, 2023 10:37

pull-request-size bot added size/S PR that changes 10-29 lines. Very easy to review. and removed size/M PR that changes 30-99 lines. Good size to review. labels Nov 18, 2023

arm4b mentioned this pull request Dec 11, 2023

Promote Carlos (@nzlosh) to Senior Maintainers #6087

Merged

nzlosh force-pushed the st2help_rbac branch from 47baf09 to ff55640 Compare December 21, 2023 09:27

Fix RBAC to action-alias help and match api.

6b95e99

nzlosh force-pushed the st2help_rbac branch from ff55640 to 6b95e99 Compare December 21, 2023 10:01

nzlosh marked this pull request as ready for review December 21, 2023 10:43

nzlosh added 3 commits January 27, 2024 14:41

Merge branch 'master' into st2help_rbac

e4bbe05

Merge branch 'master' into st2help_rbac

6560e3a

Merge branch 'master' into st2help_rbac

9c548d9

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add RBAC to action-alias help api. #6022

Add RBAC to action-alias help api. #6022

nzlosh commented Sep 14, 2023

cognifloyd left a comment

cognifloyd Oct 17, 2023

nzlosh commented Nov 18, 2023

nzlosh commented Nov 18, 2023

Add RBAC to action-alias help api. #6022

Are you sure you want to change the base?

Add RBAC to action-alias help api. #6022

Conversation

nzlosh commented Sep 14, 2023

cognifloyd left a comment

Choose a reason for hiding this comment

cognifloyd Oct 17, 2023

Choose a reason for hiding this comment

nzlosh commented Nov 18, 2023

nzlosh commented Nov 18, 2023