Issue/personal keys #5859
Issue/personal keys #5859
Conversation
…sonal_keys' flag is added
Merging master into this branch
pull-request-size
bot
added
the
size/L
|
Can someone help me on 'ci/circleci:packages' and 'Orquesta CI/Integration Tests' errors? And also where to add changes in CHANGELOG.rst? |
There was a problem hiding this comment.
Some minor comments but in addition:
- It would be good if the PR could mention the use-case for this
- Need to add changelog entry - needs to go into the in development section, in the added section. Just a new bullet that matches the others in there for formatting
- Not sure why the init.py from dummy_pack_23 has been removed
- I think it needs some more tests to verify behaviour depending on value of personal_keys and whether the rbac backend allows user or not.
- I think we need to consider the cases where RBAC is not enabled. That may just be a reverse of some logic you have added, but I've not considered it deeply - just think that it is missing
- In general, then should this be a global setting. Why is it a global setting as to whether personal key is amended. Perhaps that would be explained by more information in the PR, but need to understand use-case and why it has been added as a global setting rather than say another RBAC permission that is given to individual users.
on the failres. I've re-run the failing integration job and the CircleCI jobs, let's see if they pass. As it didn'nt seem to be related to the code changes.
st2api/st2api/controllers/v1/auth.py
Outdated
| @@ -126,18 +136,42 @@ def get_all(self, requester_user, show_secrets=None, limit=None, offset=0): | |||
|
|
|||
| return resp | |||
|
|
|||
| def checkPersonalAPIKeyPermission(self, api_key_api, requester_user): | |||
| """ | |||
| Checks whether requested user is the creating/updating/fetching/deleting the api key. This is used when | |||
There was a problem hiding this comment.
| Checks whether requested user is the creating/updating/fetching/deleting the api key. This is used when | |
| Checks whether requested user is creating/updating/fetching/deleting the api key. This is used when |
st2api/st2api/controllers/v1/auth.py
Outdated
| def checkPersonalAPIKeyPermission(self, api_key_api, requester_user): | ||
| """ | ||
| Checks whether requested user is the creating/updating/fetching/deleting the api key. This is used when | ||
| 'personal_keys' flag is set of 'rbac' group in conf file. |
There was a problem hiding this comment.
| 'personal_keys' flag is set of 'rbac' group in conf file. | |
| 'personal_keys' flag is set in 'rbac' group in conf file. |
| @@ -126,18 +136,42 @@ def get_all(self, requester_user, show_secrets=None, limit=None, offset=0): | |||
|
|
|||
| return resp | |||
|
|
|||
| def checkPersonalAPIKeyPermission(self, api_key_api, requester_user): | |||
There was a problem hiding this comment.
api_key_api seems an odd name, is there a more expressive name for variable we can use?
| ) | ||
| if not isKeyCreationAllowed: | ||
| LOG.exception( | ||
| "User does not have permission to view apikey=%s.", api_key_db |
There was a problem hiding this comment.
Can we use python 3 f-strings instead of the older method of formatting up strings?
conf/st2.dev.conf
Outdated
| @@ -43,6 +43,7 @@ stream_output = True | |||
|
|
|||
| [rbac] | |||
| enable = False | |||
| personal_keys = True | |||
There was a problem hiding this comment.
Do we want the default to be True, or should it be False for backwards compatibility?
st2common/st2common/config.py
Outdated
| @@ -72,6 +72,11 @@ def register_opts(ignore_errors=False): | |||
| "executions. All resources can only be viewed or executed by the owning user " | |||
| "except the admin and system_user who can view or run everything.", | |||
| ), | |||
| cfg.BoolOpt( | |||
| "personal_keys", | |||
| default=True, | |||
There was a problem hiding this comment.
As above do we want default to be True? As that's not backwards compatible with previous versions of STackStorm?
| resource_db=api_key_db, | ||
| permission_type=permission_type, | ||
| ) | ||
| if cfg.CONF.rbac.personal_keys: |
There was a problem hiding this comment.
I think having this in here rather than in rbac_utils doesn't work with the idea that the rbac is optional.
So for instance if we were configured without rbac, then the no-op rbac backend would be being used, and then the options like this would always be allowed.
This now means that if I don't have RBAC backend I have to have the personal_api_keys set in the config.
Perhaps would be better that we always use rbac_utils to ask if user has db permission, and only if that returns false then you'd want to check the personal keys.
There was a problem hiding this comment.
Can you help me as to where to add the code? I cannot understand where the rbac_utils methods are implemented.I have checked base.py in st2common/st2common/rbac/backends/ . Do I need to add the method there, check if conf.rbac.enabled is true and proceed?
There was a problem hiding this comment.
I was more suggesting that you reverse the order in this method. e.g. First call rbac_utils method to see if they have permission to access database. Then if the rbac_utils calls says No, you add in your check for personal keys.
That way when the noop backend is used (which will always say yes to permission), you don't need to check personal keys - and can keep personal keys default to false.
There are multiple rbac backends, so if you wanted to add a new method you would need to add into all implementations. The base.py is just the base rbac class which always says not implemented. The noop.py is a always yes utils. Then in the st2-rbac-backend GIT repo you will find the implementation that is used when you really do use RBAC - which uses the rbac roles and auth files.
|
In general, I'd like some consideration from the @StackStorm/tsc as to whether it makes sense to keep this as is - eg. global option that allows if set, so that all users can manage their own keys. OR if there is a use-case where you want to make it an RBAC permission, such that some users can create their own keys but others can't. For example, if we are adding the ability to give permission to manage your own api keys, would it be better to be added as a RBAC permission, e.g. USER_API_KEY_VIEW etc - which allows user to manage their own keys. That way, you can allow some non-admins to manage their keys, but others not. This would be more flexible, and more in keeping with having the permissions scheme we already have. For example, if you want all non-admins to have that, then you'd give that permission to a role that all users had. I'm just not sure about starting trend of having some permissions controlled by role, and others by system flags. Think it might complicate things long term, and the change to introduce a new permission in my view would be more in sync with current system. If we went down this route, then this would mean that the change would move to the st2-rbac-backend repo, in the implementation of the assert_user_has_resource_db_permission method (though may need a similar method, or extend the signature of the method so you can see what user's api key they are trying to manage). This would be my preference, but I'd wait for feedback from others, as it will require a bigger change. But I'd welcome other TSC members views. |
|
I agree with the points @amanda11 has made to keep the feature in the RBAC security model. It's unfortunate the user ownership feature can't be used directly https://docs.stackstorm.com/rbac.html#restricting-users-to-only-view-resources-they-own-or-created to allow users to manage their own keys but perhaps it could be used to inspire an implementation. |
|
@bharath-orchestral Fine-grained control for users to manage their own API keys is an excellent addition! It would be nice to have it in the st2 core 👍 I totally agree about the interface and implementation with @amanda11 and @nzlosh that it's best to have this functionality as a new RBAC permission, instead of the |
|
I agree with @amanda11 also. I think this fits the bill more in RBAC then in the st2.conf. We are seeing more and more people turn on RBAC controls to help manage users coming into the platform and using it. I think this falls right inline with that. I like @nzlosh idea about the ownership feature and would be a great implementation as well. |
|
Thanks for the updates... @bharath-orchestral I think its worth taking a look at the ownership feature that @nzlosh mentioned, and also take a look at the st2-rbac-backend GIT repo, in there you'll see in there a ./st2rbac_backend/utils.py which is where the current checking on the role permissions is done. So if its implemented as a new role permission then it would be around there that would be added. It would be great to get this feature in, but consensus seems to be agreed to try and move this from the st2.conf into a proper RBAC feature. Hope, this has given some guidance of how to move that into the main RBAC, but we'll help where we can to assist you moving this. |
Code to add feature where Users(non-admin) can manage their own keys.
Added a key in config file(personal_keys under rbac). When the key is enabled, Users(non-admin) can create/update/delete/view their own keys and cannot create/update/delete/view other user's keys.
If the 'personal_keys' key is disabled everything behaves as before. Nothing is changed in regards to admins.
My client requirement is such that every user(non-admin) in system should manage their own keys. Current implementation of StackStorm is such that if a user(non-admin) is given apikey 'create' permission that user can create apikeys for every other user. But we need it such that every user(non-admin) manages only their own keys(should not be able to create for others).
Example: Assume 3 users: 'user1', 'user2','user3'.
'user1' is admin, 'user2' has apikey create permission, 'user3' has no permissions attached to him. We need a scenario: