System users in StackStorm deployment: st2, stanley and root

We are using the docker setup of stackstorm, but we’re a bit confused by the users used to run different components in stackstorm. We identified 3 users: root, stanley and st2.

A quick scan of the users used by the init scripts gave us this list:

/etc/init/st2actionrunner-worker.conf:setuid root
/etc/init/st2api.conf:setuid st2
/etc/init/st2auth.conf:setuid st2
/etc/init/st2chatops.conf:setuid st2
/etc/init/st2garbagecollector.conf:setuid st2
/etc/init/st2notifier.conf:setuid st2
/etc/init/st2resultstracker.conf:setuid st2
/etc/init/st2rulesengine.conf:setuid st2
/etc/init/st2scheduler.conf:setuid st2
/etc/init/st2sensorcontainer.conf:setuid st2
/etc/init/st2stream.conf:setuid st2
/etc/init/st2timersengine.conf:setuid st2
/etc/init/st2workflowengine.conf:setuid st2

You can clearly see that all services are run by st2, except for st2actionrunner-worker, which is run by root, and nothing by stanley. During development of our own packs, we were sometimes confused by this setup. There seems to be some inconsistency between different packs. We observed that most packs are run as root, while checking $(id) with core.echo produces 1000 (aka stanley).

These inconsistencies confuse us and hinder our development.

  • Can someone from the developer team explain the rationale behind these accounts?
  • In which situations can we expect our code to run as either root, stanley or st2?
  • Is it strictly necessary to run all workers as root? Except for local administrative commands, we do not see the need to run packs as root by default.

Bump! Can anyone on the dev team give an explanation of this behavior? This is one of the main reasons we’re reconsidering whether we want to fully adopt StackStorm or not. Authenticating a StackStorm workflow to run certain tasks on another service (e.g. through Kerberos) is not straightforward if the task that does authentication is not run as the same user as the task that performs the actions on the remote service.
Building a stackstorm setup from scratch might give us more control over what is run by whom, but there should be an architectural decision behind this setup and we would really like to know why things work this way in a vanilla setup.

System users in the Docker deployment are configured in the same way as in the default/normal installer, powered initially by the deb/rpm packages (GitHub - StackStorm/st2-packages: StackStorm deb/rpm packages (automated docker build pipeline)).

st2 is just a user for running/starting the stackstorm services in the system. Some services need root, while stanley is a system user expected to exec action executions themselves or ssh remote actions, see SSH Troubleshooting — StackStorm 3.1.0 documentation for more details.
Privilege escalation is happening on core + sudo executions.

I could find an issue which clarifies many details and reasons behind the different users. Please take a look at the full discussion here and pointers from that thread: Pack Install Doesn't Honor System user · Issue #3298 · StackStorm/st2 · GitHub

TLDR: there are some real reasons, while some are historical and definitely could be improved in the platform. You can try to run the st2actionrunner with no root in a custom environment. Something might need more detailed configuration and some functionality will be limited, but it's all doable and we know that some orgs are doing similar custom deployments and hardened configurations.
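
An added example, not from the thread or the StackStorm project: a grep for `setuid` like the one in the question only lists jobs that contain that stanza, while an Upstart system job without one runs as root and never shows up. This script reports the user for every `st2*.conf` job and lists the ones that end up as root; the `st2example` job and the sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit which user each st2 Upstart job runs as.

# Print "service user" for every st2*.conf job file in directory $1.
audit_st2_users() {
    dir=$1
    for conf in "$dir"/st2*.conf; do
        [ -f "$conf" ] || continue
        svc=$(basename "$conf" .conf)
        # First uncommented setuid stanza; "#setuid ..." lines do not match.
        user=$(awk '$1 == "setuid" { print $2; exit }' "$conf")
        # An Upstart system job with no setuid stanza runs as root.
        [ -n "$user" ] || user="root (no setuid stanza)"
        printf '%s %s\n' "$svc" "$user"
    done
}

# Print only the services that run as root, explicitly or by default.
root_services() {
    audit_st2_users "$1" | awk '$2 == "root" { print $1 }'
}

# Constructed sample job files (contents are illustrative, not the real ones).
make_sample() {
    printf 'description "st2api"\nsetuid st2\n' > "$1/st2api.conf"
    printf 'description "worker"\nsetuid root\n' > "$1/st2actionrunner-worker.conf"
    # Hypothetical job with the stanza commented out: it runs as root.
    printf 'description "example"\n#setuid st2\n' > "$1/st2example.conf"
}

# Demo on the constructed files; on a real host pass /etc/init instead.
demo=$(mktemp -d)
make_sample "$demo"
audit_st2_users "$demo"
echo "Running as root:"
root_services "$demo"
rm -rf "$demo"
```
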