
RBAC permissions implications

I have a limited user account that has only permissions to install and sync packs. But there seem to be some implications that are missing when you’re limiting a user role like this, which is failing to install the pack(s):

name: pack_management
description: Allows a user to install, register, and modify packs only
permission_grants:
  -
    permission_types:
       - "pack_list"
       - "pack_install"
       - "pack_uninstall"
       - "pack_create"
       - "pack_register"
       - "pack_config"
       - "pack_search"
       - "pack_views_index_health"
  -
    resource_uid: "action:packs.install"
    permission_types:
       - "action_execute"

But because there’s no execution_view permissions the pack install fails

st2@st2appl01 ~ $ st2 pack install ansible

For the "ansible" pack, the following content will be registered:

actions   |  8
rules     |  0
sensors   |  0
aliases   |  0
triggers  |  0

Installation may take a while for packs with many items.
ERROR: 403 Client Error: Forbidden
MESSAGE: User "<user>" doesn't have required permission "execution_view" on resource "execution:60d34c08d795d3d021105294" for url: http://127.0.0.1:9101/v1/executions/60d34c08d795d3d021105294

I’ve tried doing permissions like:

---
  -
    resource_uid: "execution:"
    permission_types:
       - "execution_view"

---
  -
    resource_uid: "execution:*"
    permission_types:
       - "execution_view"

But none of these are working. I don’t know if there’s a specific uid to use for something like this or if I need to register this as a type of permission bug.

Did you try using the global permission execution_list, e.g.
permission_types:
  - "execution_list"
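As an added illustration (not code from the post, the reply, or StackStorm itself), the script below models how a role like the one above resolves a permission check. It assumes two things that are simplifications: a grant with no `resource_uid` is global and applies to every resource, and a grant with a `resource_uid` must match the checked resource uid literally, so `execution:*` is not treated as a wildcard. Under that model the role as posted passes the `action_execute` check on `action:packs.install` but fails `execution_view` on the execution uid from the 403 message, the two attempts from the post still fail, and only a global grant lets the check pass. The model does not implement the semantics of `execution_list` suggested in the reply.

```python
"""Simplified model of grant resolution for a StackStorm-style RBAC role.

Added illustration, not StackStorm's own resolver. Assumptions:
  (a) a grant without resource_uid is global and applies to any resource;
  (b) a grant with resource_uid matches the checked uid literally
      (no wildcard expansion of "execution:*").
"""
import copy
from typing import Dict, List, Optional, Tuple

# The pack_management role from the post, transcribed into Python dicts
# (same structure as the YAML: a list of grants, each with an optional
# resource_uid and a list of permission_types).
PACK_MANAGEMENT_ROLE: Dict = {
    "name": "pack_management",
    "permission_grants": [
        {"permission_types": ["pack_list", "pack_install", "pack_uninstall",
                              "pack_create", "pack_register", "pack_config",
                              "pack_search", "pack_views_index_health"]},
        {"resource_uid": "action:packs.install",
         "permission_types": ["action_execute"]},
    ],
}

# Execution id taken from the 403 message in the post.
EXECUTION_ID = "60d34c08d795d3d021105294"


def grant_matches(grant: Dict, resource_uid: str) -> bool:
    """Global grant (no resource_uid) matches anything; scoped grant must equal the uid."""
    scope: Optional[str] = grant.get("resource_uid")
    return scope is None or scope == resource_uid


def is_granted(role: Dict, resource_uid: str, permission_type: str) -> bool:
    """True if any grant in the role carries permission_type and covers resource_uid."""
    return any(
        permission_type in grant.get("permission_types", [])
        and grant_matches(grant, resource_uid)
        for grant in role.get("permission_grants", [])
    )


def with_extra_grant(role: Dict, grant: Dict) -> Dict:
    """Return a copy of role with one more grant appended (original is untouched)."""
    new_role = copy.deepcopy(role)
    new_role["permission_grants"].append(grant)
    return new_role


def check_pack_install(role: Dict, execution_id: str) -> List[Tuple[str, str, bool]]:
    """The two checks visible in the post's failure, in order: run the
    packs.install action, then view the execution it created."""
    checks = [
        ("action:packs.install", "action_execute"),
        (f"execution:{execution_id}", "execution_view"),
    ]
    return [(res, perm, is_granted(role, res, perm)) for res, perm in checks]


def report(label: str, role: Dict) -> None:
    print(f"== {label}")
    for res, perm, ok in check_pack_install(role, EXECUTION_ID):
        print(f"  {'ALLOW' if ok else 'DENY ':5} {perm:15} on {res}")


if __name__ == "__main__":
    report("role as posted", PACK_MANAGEMENT_ROLE)
    # The two attempts from the post: scoped uids that never equal a real execution uid.
    for attempt in ("execution:", "execution:*"):
        report(f'with resource_uid "{attempt}"', with_extra_grant(
            PACK_MANAGEMENT_ROLE,
            {"resource_uid": attempt, "permission_types": ["execution_view"]}))
    # A global grant (no resource_uid) is the only form this model accepts.
    report("with global execution_view", with_extra_grant(
        PACK_MANAGEMENT_ROLE, {"permission_types": ["execution_view"]}))
```

Running the script prints ALLOW for the action and DENY for the execution in the first three cases, and ALLOW for both only in the last. Whether a global grant is the least-privilege choice depends on what else that user may see; a global `execution_view` exposes every execution's parameters and output, so the scope of that grant is worth weighing against the convenience of pack installs.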