24 changes: 15 additions & 9 deletions docs/source/_includes/available_permission_types.rst
Expand Up @@ -56,6 +56,8 @@ Global
+----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+
| **execution_views_filters_list** | Ability view all the distinct execution filters. |
+----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+
| **key_value_pair_list** | Ability to list (view all) Key-Value Pairs. |
+----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+
| **webhook_list** | Ability to list (view all) webhooks. |
+----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+
| **timer_list** | Ability to list (view all) timers. |
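Review bot: The new `key_value_pair_list` row in the Global table reads consistently with the neighbouring `webhook_list` and `timer_list` rows, but the unchanged context row just above it still says "Ability view all the distinct execution filters." (missing "to"); since this hunk already touches the table, fixing that to "Ability to view all the distinct execution filters." here would be cheap. It would also help readers of this include to know these KVP permission types exist only from the release the rbac.rst note names (v3.7.0), for example with a short note next to the table rather than only in rbac.rst.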
Expand Down Expand Up @@ -223,15 +225,19 @@ Api Key
Key Value Pair
~~~~~~~~~~~~~~

+---------------------------+-----------------------------------------------+
| Permission name | Description |
+===========================+===============================================+
| **key_value_pair_view** | Ability to view Key-Value Pairs. |
+---------------------------+-----------------------------------------------+
| **key_value_pair_set** | Ability to set a Key-Value Pair. |
+---------------------------+-----------------------------------------------+
| **key_value_pair_delete** | Ability to delete an existing Key-Value Pair. |
+---------------------------+-----------------------------------------------+
+---------------------------+----------------------------------------------------------------------+
| Permission name | Description |
+===========================+======================================================================+
| **key_value_pair_list** | Ability to list (view all) Key-Value Pairs. |
+---------------------------+----------------------------------------------------------------------+
| **key_value_pair_view** | Ability to view Key-Value Pairs. |
+---------------------------+----------------------------------------------------------------------+
| **key_value_pair_set** | Ability to set a Key-Value Pair. |
+---------------------------+----------------------------------------------------------------------+
| **key_value_pair_delete** | Ability to delete an existing Key-Value Pair. |
+---------------------------+----------------------------------------------------------------------+
| **key_value_pair_all** | Ability to perform all the supported operations on a Key-Value Pair. |
+---------------------------+----------------------------------------------------------------------+

Rule
~~~~
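Review bot: The difference between `key_value_pair_list` ("list (view all) Key-Value Pairs") and `key_value_pair_view` ("view Key-Value Pairs") is not clear from the two descriptions and is security relevant, because a list grant may reveal which keys exist (and for secret values, that they exist) while a view grant reads an individual pair; consider wording them as "list the names of all Key-Value Pairs" versus "view the value of a Key-Value Pair", or whatever the implementation actually returns. The `key_value_pair_all` row should also say explicitly that it covers list, view, set and delete, so an administrator granting it knows it includes the list operation added in this same change.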
@@ -1,4 +1,4 @@
.. table::
.. table::

+--------------+-------------------+---------------------+-------------------+---------------------+---------------------+---------------------+---------------------+
| Runner | local-shell-cmd | local-shell-script | remote-shell-cmd | remote-shell-script | winrm-cmd | winrm-ps-cmd | winrm-ps-script |
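Review bot: This hunk removes and re-adds the `.. table::` directive line with no visible difference, so it is a whitespace-only change (most likely trailing whitespace or a line-ending fix); if that is intentional it is fine, but if it is an editor artifact it could be dropped to keep the runner-parameters include out of a KVP-focused change.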
38 changes: 36 additions & 2 deletions docs/source/rbac.rst
Expand Up @@ -138,11 +138,15 @@ Permission grants can be applied to the following resource types:
* executions
* webhooks
* inquiries
* key value pairs

.. note::
The support of key value pairs is only available in |st2| v3.7.0 and above.

A resource is identified by a ``uid``, and referenced as such in permission grants. UID is an
identifier which is unique for each resource in the |st2| installation. UIDs follow this format:
``<resource type>:<resource specific identifier value>`` (e.g. ``pack:libcloud``,
``action:libcloud:list_vms``, etc.).
``action:libcloud:list_vms``, ``key_value_pair:st2kv.system:key1``, ``key_value_pair:st2kv.user:key2`` etc.).

You can retrieve the UID of a particular resource by listing all the resources of a particular
type or by retrieving details of a single resource using either API or CLI.
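Review bot: The new UID examples add the `key_value_pair:` prefix twice but drop the comma the original sentence had before "etc.", so the line should read `... ``key_value_pair:st2kv.user:key2``, etc.).`; the two examples are useful because they show that the scope (`st2kv.system` versus `st2kv.user`) is part of the resource identifier. In the note, "The support of key value pairs is only available in |st2| v3.7.0 and above." reads better as "Support for key value pairs is only available in |st2| v3.7.0 and above.", and the list item would match the UID prefix if it were written "key value pairs (``key_value_pair``)".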
Expand Down Expand Up @@ -227,7 +231,6 @@ There are some exceptions, described below:
``/aliasexecutions/``) using hubot is the |st2| user that is configured in hubot
(``ST2_AUTH_USERNAME`` - by default that is ``chatops_bot``).


Enabling RBAC
-------------

Expand Down Expand Up @@ -310,6 +313,37 @@ In the example above we assign two roles to the user named ``user4``:
* ``role_one`` (a custom role which needs to be defined as described above) and
* ``observer`` (system role).

Key Value Pairs
~~~~~~~~~~~~~~~

.. note::
This functionality is only available in |st2| v3.7.0 and above.

Users with admin and system_admin roles have all access to system scoped KVPs. In v3.6.0
and before, users with admin role have full access to other users' KVPs. This behavior is
unchanged.

By default, a user has access to his/her own user scoped KVPs without requiring specific
permission grants. A non-admin user by default cannot access system scoped KVPs or other
users' KVPs. A non-admin user can be explicitly granted permission to one or more system
scoped KVPs similar to how access to other resources are granted to users. Currently,
there is no option or plan to grant non-admin user access to another user's set of KVPs.

The following is an example to assign a ``system scoped`` KVP to a role.
Create ``/opt/stackstorm/rbac/roles/key1_write_role.yaml`` with the
following content. Assign this role to a user and then apply the RBAC definitions.

.. sourcecode:: yaml

---
name: key1_write_role
description: Role that allow users to set system key1
enabled: true
permission_grants:
- resource_uid: "key_value_pair:st2kv.system:key1"
permission_types:
- "key_value_pair_set"

Applying RBAC Definitions
-------------------------

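Review bot: The example role grants only `key_value_pair_set` on `key_value_pair:st2kv.system:key1`, so a user holding it can overwrite `key1` but, by the section's own rules for non-admin users, cannot read it back; the text should say whether that is the intended least-privilege shape or add `key_value_pair_view` to the `permission_types` list with a sentence explaining the choice. A few wording points in the same hunk: "have all access to system scoped KVPs" should be "have full access", "his/her own user scoped KVPs" can be "their own user scoped KVPs", "similar to how access to other resources are granted" should be "is granted", the YAML description "Role that allow users to set system key1" should be "Role that allows users to set system key1", and "there is no option or plan to grant" states a roadmap in reference documentation, so "granting a non-admin user access to another user's KVPs is not supported" is safer. Finally, "then apply the RBAC definitions" could point at the "Applying RBAC Definitions" section that follows, since the role file does nothing until that step is run.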