[RFC] "action_execute" should also grant "execution_view" on all the corresponding executions #25
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
directly on the action or on the pack implicity grants "action_execute" to the corresponding action or all actions inside a particular pack.
action or pack also grants "execution_view" on all the executions for that particular action / actions which are parent of that particular pack.
arm4b
approved these changes
Aug 14, 2019
There was a problem hiding this comment.
I'm good with this change 👍
However changing st2 CLI to make appropriate execution re-run API request (with no additional execution view API request) would be more appropriate IMO and less disturbing per https://github.com/extremenetworks/st2-enterprise-rbac-backend/issues/23#issuecomment-521213478.
|
@armab Was this merged in somewhere or no? |
|
I think deleting the branch closed this PR automatically. Let me restore it. With that, not sure if I feel lucky enough to merge this PR after 1yr of stale. |
|
I merged in master. |
|
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #23
This pull request updates RBAC resolvers code and updates it so now
action_executepermission either on the action directly or on a pack, implicitly grantsexecution_viewpermission for all the executions which belong to that particular action (or to all the actions which belong to a particular pack).This was implemented, because of the discussion in #23.
It's worth noting that this is not a bug fix.
This is a new functionality / change of behavior which has security implications (see my comment here https://github.com/extremenetworks/st2-enterprise-rbac-backend/issues/23#issuecomment-521204374).
I think that change is reasonable since we already have some other implicit grants in other places, but it could surprise users so it's important all the implications are documented.
With this change, if user A has
action_executepermission on Action 1, that user will also be able to view all the executions for that action, even the ones which are triggered by other users ifrbac.permission_isolationis not enabled (it's disabled by default).I personally think that's a reasonable behavior (since it's already the case for
execution_re_runandexecution_stop), but we should probably also enablerbac.permission_isolationby default at some point in the future.What do others think?
TODO