Skip to content

Apply RBAC to rendering of KVP during action execution #5764

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
m4dcoder merged 11 commits into from
Oct 24, 2022
Merged

Apply RBAC to rendering of KVP during action execution #5764

m4dcoder merged 11 commits into from
Oct 24, 2022

Conversation

@m4dcoder
Copy link
Contributor

@m4dcoder m4dcoder commented Oct 9, 2022
edited
Loading

RBAC for key-value pairs in the datastore was recently introduced. The RBAC policy needs to be applied to rendering of KVP during action and workflow execution.
@m4dcoder
Apply RBAC to rendering of KVP during action execution
11e836d 
RBAC for key-value pairs in the datastore was recently instroduced. The
RBAC policy needs to be applied to rendering of KVP during action and
workflow execution.
@m4dcoder
Changes made by black format
7b77c62
@m4dcoder m4dcoder added the WIP label Oct 9, 2022
@pull-request-size pull-request-size bot added the size/M PR that changes 30-99 lines. Good size to review. label Oct 9, 2022
@arm4b arm4b added this to the 3.8.0 milestone Oct 10, 2022
@arm4b arm4b added the RBAC label Oct 10, 2022
@pull-request-size pull-request-size bot added size/L PR that changes 100-499 lines. Requires some effort to review. and removed size/M PR that changes 30-99 lines. Good size to review. labels Oct 15, 2022
@m4dcoder m4dcoder removed the WIP label Oct 16, 2022
cognifloyd
cognifloyd approved these changes Oct 16, 2022
View reviewed changes
Copy link
Member

@cognifloyd cognifloyd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks sane based on reading the code.
@amanda11
Copy link
Contributor

amanda11 commented Oct 17, 2022
edited
Loading

I wasn't sure if within a workflow if it uses a Jinja expression to execute a key/value pair should it check that the user has permission or not.
If workflow A calls actions B&C. Then if a user has permission to execute workflowA but not actions B&C, they can still run workflowA - they don't have to explicitly also be given permissions for individual actions.
So if workflowA accesses keyD, if a user has permission to execute workflowA, should they be able to run it - even if they don't have access to keyD.

If I thought the rules for key access were same as action access then I would expect them to have permission, even without explicit permission to keyD. This allows them to run a workflow that might need to say access sensitive information to perform its function, but we don't want them to actually be able to inquire and get the value of that sensitive info.

We would definitely want the RBAC check on the inputs to the workflow, but if the body of the workflow accessed them, then I'm not so sure.

I'm not sure which is best, so not added as a review comment that needs to be addressed. It maybe that the TSC thinks it's better to also need the key/value permission (even though for actions you don't need access to each individual action) - but we'll need to document whichever way we go.
For me, it would be more consistent with the current RBAC permissions with workflows if the RBAC change on key/value was only on the parameters to the workflow and actions, but not within the workflow itself.
@hnanchahal
Copy link
Contributor

hnanchahal commented Oct 17, 2022

@armab Is there a plan to add this to a release. We have urgent need of this getting to master and test it out as its a big security flaw in the current setup.
@arm4b
Copy link
Member

arm4b commented Oct 20, 2022
edited
Loading

@hnanchahal Yes, it's scheduled as part of the upcoming v3.8 release.
amanda11
amanda11 approved these changes Oct 24, 2022
View reviewed changes
Copy link
Contributor

@amanda11 amanda11 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
@arm4b
Copy link
Member

arm4b commented Oct 24, 2022
edited
Loading

Here is the conclusion based on internal @StackStorm/tsc conversations about whether granting RBAC access to the workflow should give access to subsequent K/V lookups in that workflow as we do for actions:

Looking at the docs it is consistent that Workflow run grants permissions to dependent actions. Here, workflow is considered an action:

Keep in mind that in StackStorm a workflow is just an action so if you want someone to be able to execute a particular workflow, you simply need to grant them action_execute permission on that workflow.

Then, because of the execution inheritance, workflow run inherits subsequent action runs:
https://docs.stackstorm.com/rbac.html?highlight=rbac#permission-inheritance

Permission Inheritance
Executions
Executions inherit permissions from the action they belong to and from the action’s parent pack. This means that if you grant action_view permission on a particular action, the user will be able to view all the executions which belong to that action. Similarly, if you grant action_view to the parent pack which the action execution belongs to, the user will be able to view all the executions which belong to the action with that parent pack.
On top of that, granting action_execute on a particular pack or action also grants execution_rerun and execution_stop to all the executions which belong to that action.

Next, for the K/V pairs RBAC: https://docs.stackstorm.com/rbac.html?highlight=rbac#key-value-pairs we have this documentation which makes explicit that K/V permissions will need an explicit RBAC grant:

By default, a user has access to his/her own user scoped KVPs without requiring specific permission grants. A non-admin user by default cannot access system scoped KVPs or other users’ KVPs. A non-admin user can be explicitly granted permission to one or more system scoped KVPs similar to how access to other resources are granted to users. Currently, there is no option or plan to grant non-admin user access to another user’s set of KVPs.

This however has some usability issues highlighted by @amanda11 when granting RBAC access to the workflow run,
StackStorm administrator needs to also grant access to all the K/V pairs manually used by this workflow and actions.
@amanda11
Copy link
Contributor

amanda11 commented Oct 24, 2022

@armab In the upgrade notes section we should probably add something about granting key/value permission to users that can run workflows that use key/values. Similar to last bullet we put in 3.7 in regard to change needed for sensors: https://docs.stackstorm.com/upgrade_notes.html#st2-v3-7.
@arm4b
Copy link
Member

arm4b commented Oct 24, 2022

+1 adding some hints to the upgrade notes
@m4dcoder m4dcoder merged commit 9abb54b into master Oct 24, 2022
@m4dcoder m4dcoder deleted the action-execution-kvp-rbac branch October 24, 2022 16:54
@hnanchahal
Copy link
Contributor

hnanchahal commented Dec 15, 2022

@armab @m4dcoder Have a question on this RBAC:

Does the config support tagging a role to multiple secrets?

Doc says:

name: key1_write_role
description: Role that allow users to set system key1
enabled: true
permission_grants:
- resource_uid: "key_value_pair:st2kv.system:key1"
permission_types:
- "key_value_pair_set"

is something like this supported?

--
name: key1_write_role
description: Role that allow users to set system key1
enabled: true
permission_grants:
- resource_uid: "key_value_pair:st2kv.system:key1, key_value_pair:st2kv.system:key1"
permission_types:
- "key_value_pair_set"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

RBAC size/L PR that changes 100-499 lines. Requires some effort to review.

7 participants

@m4dcoder @amanda11 @hnanchahal @arm4b @cognifloyd @nzlosh