Description
Hello Team,
We have integrated St2 authentication with enterprise LDAP and users are mapped with RBAC in AD. I've created a new rule with trigger/criteria/workflow; however, the workflow is not created for the rule.
When I try to create the rule, it fails with the internal error below. My account is part of the "admin" role and it's mapped to LDAP. The same rule creation succeeds if I disable RBAC in st2.conf or create the workflow before the rule. Please take a look at the failures below and investigate the cause of the issue.
```
st2 rule create dns_alert.yaml
ERROR: 500 Server Error: Internal Server Error
MESSAGE: Internal Server Error for url: http://127.0.0.1:9101/v1/rules
```
RBAC Mapping
```
cat /opt/stackstorm/rbac/mappings/sysadmin.yaml
group: "CN=xxxx,xxxx,xxxx"
description: "Automatically grant observer role to all sysadmin group members."
roles:
  - "admin"
```
Rule:
```yaml
name: dns_alert
pack: ops
description: Check alert for dns and trigger remediation
enabled: true
trigger:
  type: ops.event_handler
criteria:
  trigger.Hostname:
    pattern: "testdns1"
    type: matchregex
  trigger.AlertType:
    pattern: "alert"
    type: matchregex
  trigger.Severity:
    pattern: "(white|blue)"
    type: regex
action:
  ref: ops.remediate_dns_alert_workflow
  parameters:
    hostname: "{{ trigger.Hostname }}"
    alertsid: "{{ trigger.AlertsID }}"
```
Failure log in st2api:
```
2017-07-17 04:56:18,340 77894832 INFO logging [-] 5837c4eb-01e7-43ca-aaec-12998458e349 - POST /v1/rules with query={} (remote_addr='127.0.0.1',method='POST',request_id='5837c4eb-01e7-43ca-aaec-12998458e349',query={},path='/v1/rules')
2017-07-17 04:56:18,345 77894832 AUDIT auth [-] Token with id "xxxxxxxxxxxxxxxx" is validated.
2017-07-17 04:56:18,399 77894832 ERROR router [-] Failed to call controller function "post" for operation "st2api.controllers.v1.rules:rule_controller.post": 'NoneType' object has no attribute 'get_uid'
Traceback (most recent call last):
  File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/router.py", line 414, in __call__
    resp = func(**kw)
  File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2api/controllers/v1/rules.py", line 103, in post
    rule_api=rule)
  File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/rbac/utils.py", line 206, in assert_user_has_rule_trigger_and_action_permission
    action_ref=action_ref)
  File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/rbac/utils.py", line 172, in user_has_rule_action_permission
    user_db=user_db, resource_db=action_db, permission_type=PermissionType.ACTION_EXECUTE)
  File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/rbac/resolvers.py", line 407, in user_has_resource_db_permission
    action_uid = resource_db.get_uid()
AttributeError: 'NoneType' object has no attribute 'get_uid'
2017-07-17 04:56:18,400 77894832 ERROR error_handling [-] API call failed: 'NoneType' object has no attribute 'get_uid'
Traceback (most recent call last):
  File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/middleware/error_handling.py", line 46, in __call__
    return self.app(environ, start_response)
  File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/router.py", line 445, in as_wsgi
    resp = self(req)
  File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/router.py", line 418, in __call__
    raise e
AttributeError: 'NoneType' object has no attribute 'get_uid' (_exception_data={},_exception_class='AttributeError',_exception_message="'NoneType' object has no attribute 'get_uid'")
2017-07-17 04:56:18,401 77894832 INFO logging [-] 5837c4eb-01e7-43ca-aaec-12998458e349 - 500 46 61.774ms
{
    "faultstring": "Internal Server Error"
} (result='{\n "faultstring": "Internal Server Error"\n}',content_length=46,request_id='5837c4eb-01e7-43ca-aaec-12998458e349',runtime=61.774,remote_addr='127.0.0.1',status=500,method='POST',path='/v1/rules')
2017-07-17 04:56:39,980 77894832 INFO logging [-] d989b4b3-c945-4920-b395-f4245d8120e5 - POST /v1/rules with query={} (remote_addr='127.0.0.1',method='POST',request_id='d989b4b3-c945-4920-b395-f4245d8120e5',query={},path='/v1/rules')
2017-07-17 04:56:39,986 77894832 AUDIT auth [-] Token with id "596c43808888b26e2c7a7f45" is validated.
2017-07-17 04:56:40,038 77894832 ERROR router [-] Failed to call controller function "post" for operation "st2api.controllers.v1.rules:rule_controller.post": 'NoneType' object has no attribute 'get_uid'
Traceback (most recent call last):
  File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/router.py", line 414, in __call__
    resp = func(**kw)
  File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2api/controllers/v1/rules.py", line 103, in post
    rule_api=rule)
  File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/rbac/utils.py", line 206, in assert_user_has_rule_trigger_and_action_permission
    action_ref=action_ref)
  File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/rbac/utils.py", line 172, in user_has_rule_action_permission
    user_db=user_db, resource_db=action_db, permission_type=PermissionType.ACTION_EXECUTE)
  File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/rbac/resolvers.py", line 407, in user_has_resource_db_permission
    action_uid = resource_db.get_uid()
AttributeError: 'NoneType' object has no attribute 'get_uid'
2017-07-17 04:56:40,039 77894832 ERROR error_handling [-] API call failed: 'NoneType' object has no attribute 'get_uid'
Traceback (most recent call last):
  File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/middleware/error_handling.py", line 46, in __call__
    return self.app(environ, start_response)
  File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/router.py", line 445, in as_wsgi
    resp = self(req)
  File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/router.py", line 418, in __call__
    raise e
AttributeError: 'NoneType' object has no attribute 'get_uid' (_exception_data={},_exception_class='AttributeError',_exception_message="'NoneType' object has no attribute 'get_uid'")
```
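
The traceback above ends in the RBAC permission check calling `get_uid()` on an action lookup that returned `None`, because the rule was posted before its workflow existed. The sketch below is an added illustration, not StackStorm's code or its fix: every class, function, table and status mapping in it is a hypothetical stand-in. It reproduces that failure mode and shows a check that reports the missing action explicitly, so the authorization path never dereferences an absent resource.

```python
# Added illustration: all names and data here are hypothetical, not st2common code.

class ActionDB:
    def __init__(self, ref):
        self.ref = ref

    def get_uid(self):
        return "action:" + self.ref


class ReferencedActionNotFound(ValueError):
    """The rule points at an action that is not registered."""


class AccessDenied(Exception):
    """The user lacks execute permission on the referenced action."""


# Constructed sample state: one registered action, one user with a grant on it.
ACTIONS = {"ops.existing_workflow": ActionDB("ops.existing_workflow")}
GRANTS = {"alice": {"action:ops.existing_workflow"}}


def lookup_action(action_ref):
    # Returns None for an unknown ref, like the lookup behind the traceback.
    return ACTIONS.get(action_ref)


def has_execute_permission_unguarded(user, action_ref):
    # Mirrors the failing path: no None check before get_uid().
    action_db = lookup_action(action_ref)
    return action_db.get_uid() in GRANTS.get(user, set())


def assert_rule_action_permission(user, action_ref):
    # Guarded path: resolve the resource first, then evaluate the grant.
    action_db = lookup_action(action_ref)
    if action_db is None:
        raise ReferencedActionNotFound("action %r does not exist" % action_ref)
    if action_db.get_uid() not in GRANTS.get(user, set()):
        raise AccessDenied("%s may not execute %s" % (user, action_ref))


def create_rule_status(user, action_ref):
    # Assumed status mapping: a client error the caller can act on, not a 500.
    try:
        assert_rule_action_permission(user, action_ref)
    except ReferencedActionNotFound:
        return 400
    except AccessDenied:
        return 403
    return 201
```
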