Dynamic User Access control to Action executions


(Giorgos Karagkounis) #1

Is there a way I can dynamically on runtime allow or disallow action execution to a User? Should I create a role for every Action and then assign roles to the user?

(Lindsay Hill) #2

Where would that information to decide if a user is allowed to execute an action live? Presumably you would have to do some sort of lookup against some database or system, to decide if that user was a valid user for executing that action?

It feels like there might be a wider idea in mind here. What’s the high-level problem you’re trying to solve?

(Giorgos Karagkounis) #3

This might can be done with JWT which is stateless. I am not sure.

The case is that I would like to have a central ST2 installation for many users and be able to control their access to the actions dynamically at runtime.

(Lindsay Hill) #4

You have to do a lookup somewhere to determine what access they are allowed. What is your planned source of truth here? What are you going to do a lookup against?

A more normal design pattern would be to use RBAC combined with LDAP groups. User’s LDAP groups map to their roles, which then map to allowed permissions.

(Giorgos Karagkounis) #5

But can I have dynamically change role permissions at runtime? The lookup can be done in the scope claim of JWT. Is there a way to access headers in action python-runner?

(Giorgos Karagkounis) #6

In your question about the source of truth, I was thinking the MongoDB or some kind of config in StackSotrm so the admin can enable disable the action like sensors. In the JWT situation, the authorization will be done by an external service.

(Lindsay Hill) #7

or some kind of config in StackSotrm so the admin can enable disable the action

So…pretty much what RBAC is designed to do then?

(Giorgos Karagkounis) #8

Yes, what RBAC do but I would like to do it dynamically at runtime with an API call. Not with a static file or with predefined roles.

(Lindsay Hill) #9

An API call to what?

If you wanted, you could add another step to your workflow that calls some external service, but I’m still a bit lost as to what this is actually giving you. What’s the benefit here?

Or are you just trying to implement RBAC for free?

(Giorgos Karagkounis) #10

Haven’t noticed that RBAC is only Enterprise edition. I guess I will do the access control with an external service.