st2client error when installing pack with a restricted user #5303
Comments
minsis
changed the title
|
I tried with a 3.5dev install, and when I do the pack install with that role I get an error indicating that the user doesn't have pack view permission on the pack they tried to install. @minsis Could you see what happens if you add permissions for pack_view on the pack you are trying to install - to determine if that resolves the error, e.g. |
|
@amanda11 I did what you asked but I still get the same error. Unless my user is an admin I can't properly install packs using my limited roles. I am able to execute Overall the RBAC system seems unnecessarily complicated and the lack of documentation for it makes it really difficult to navigate and configure. Probably a discussion in a different forum. |
As another user of the RBAC backend, I agree wholeheartedly. Not trying to shut you down here, I'm just trying to point you to the right place to discuss RBAC - it's the RBAC backend repo. The RBAC backend desperately needs some love/updating/improvements/features, but I honestly think that RBAC isn't really the best fit for an authorization backend for ST2. I think something like an ACL system might be better. Unfortunately, anything I've designed in my head ends up looking suspiciously like Unix file permissions and extended attributes, but there isn't a great way to simply wrap and utilize those, so we may be reinventing the wheel here. There might be a generic Python authorization library we can use like Oso (on GitHub). |
|
@blag I have an similar feature opened which I guess goes along this lines of changing the RBAC system. Also, the RBAC repo seems to go unnoticed by core devs as issues dont seem to get responses or tagged or anything. So I guess my issue here is some obscure RBAC issue. I'm going to upgrade to 3.5.0 today if I can as I'm having some other issues in another ticket with pack installs dependency conflicts. Hopefully the upgrade can fix this issue as well. |
|
@amanda11 I upgraded to 3.5 and am still having this issue. So I'm not sure where the issue is at this point. Is it with RBAC or is it something with st2client, something missing on my end? I'm guessing its RBAC related since admin role works, but I have no clue what permissions are missing here to make this work. |
|
When you login as that user and try to do a pack install, do you get any errors? When I did it on 3.5 I got a clear error about what permission was reported. Can you:
|
|
So here I dont login I use an API key for this user - not sure if that makes a difference or not. doing
With permissions st2user@<redacted> ~ $ st2 pack get bitbucket
/opt/stackstorm/st2/lib/python3.6/site-packages/urllib3/connectionpool.py:1020: InsecureRequestWarning: Unverified HTTPS request is being made to host '<url>'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning,
+-------------+-----------------------------------------------+
| Property | Value |
+-------------+-----------------------------------------------+
| name | bitbucket |
| version | 1.0.1 |
| author | Aamir |
| email | raza.aamir01@gmail.com |
| keywords | [ |
| | "bitbucket", |
| | "vcs", |
| | "mercurial", |
| | "git", |
| | "source control" |
| | ] |
| description | Pack which allows integration with Bitbucket. |
+-------------+-----------------------------------------------+Without permissions st2user@<redacted> ~ $ st2 pack get bitbucket
/opt/stackstorm/st2/lib/python3.6/site-packages/urllib3/connectionpool.py:1020: InsecureRequestWarning: Unverified HTTPS request is being made to host '<url>'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning,
Traceback (most recent call last):
File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2client/commands/resource.py", line 199, in get_resource_by_pk
instance = self.manager.get_by_id(pk, **kwargs)
File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2client/models/core.py", line 42, in decorate
return func(*args, **kwargs)
File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2client/models/core.py", line 238, in get_by_id
self.handle_error(response)
File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2client/models/core.py", line 195, in handle_error
response.raise_for_status()
File "/opt/stackstorm/st2/lib/python3.6/site-packages/requests/models.py", line 943, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden
MESSAGE: User "svc-st2" doesn't have required permission "pack_view" on resource "pack:bitbucket" for url: https://<urL>/api/v1/packs/bitbucket
Pack "bitbucket" is not found.
ERROR: Resource bitbucket not found.
The error is the same one outlined in the OP. The st2client fails as a python attribute error. Even with this failure the pack still installs just fine. st2user@<redacted> ~ $ st2 pack install bitbucket
/opt/stackstorm/st2/lib/python3.6/site-packages/urllib3/connectionpool.py:1020: InsecureRequestWarning: Unverified HTTPS request is being made to host '<url>'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning,
For the "bitbucket" pack, the following content will be registered:
actions | 16
rules | 1
sensors | 1
aliases | 0
triggers | 0
Installation may take a while for packs with many items.
/opt/stackstorm/st2/lib/python3.6/site-packages/urllib3/connectionpool.py:1020: InsecureRequestWarning: Unverified HTTPS request is being made to host '<url>'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning,
/opt/stackstorm/st2/lib/python3.6/site-packages/urllib3/connectionpool.py:1020: InsecureRequestWarning: Unverified HTTPS request is being made to host '<url>'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning,
ERROR: 'Execution' object has no attribute 'result'
None of the executions fail. The pack will still install regardless of the st2user getting a traceback on st2client st2user@<redacted> ~ $ st2 execution get 6109728a42f81337b39bdf0b
/opt/stackstorm/st2/lib/python3.6/site-packages/urllib3/connectionpool.py:1020: InsecureRequestWarning: Unverified HTTPS request is being made to host '<url>'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning,
/opt/stackstorm/st2/lib/python3.6/site-packages/urllib3/connectionpool.py:1020: InsecureRequestWarning: Unverified HTTPS request is being made to host '<url>'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning,
id: 6109728a42f81337b39bdf0b
action.ref: packs.install
parameters:
packs:
- bitbucket
status: succeeded (36s elapsed)
start_timestamp: Tue, 03 Aug 2021 16:44:58 UTC
end_timestamp: Tue, 03 Aug 2021 16:45:34 UTC
log:
- status: requested
timestamp: '2021-08-03T16:44:58.110000Z'
- status: scheduled
timestamp: '2021-08-03T16:44:58.222000Z'
- status: running
timestamp: '2021-08-03T16:44:58.271000Z'
- status: succeeded
timestamp: '2021-08-03T16:45:34.560000Z'
result:
output:
conflict_list: []
message: Successfully installed packs
packs_list:
- bitbucket
warning_list: []
+--------------------------+-------------------------+-----------------------------------+-----------------------------+-------------------------------+
| id | status | task | action | start_timestamp |
+--------------------------+-------------------------+-----------------------------------+-----------------------------+-------------------------------+
| 6109728a1e53fd99aedc70f2 | succeeded (0s elapsed) | init_task | core.noop | Tue, 03 Aug 2021 16:44:58 UTC |
| 6109728b5f5ba424862603d4 | succeeded (3s elapsed) | download_pack | packs.download | Tue, 03 Aug 2021 16:44:59 UTC |
| 6109728e5f5ba424862603e3 | succeeded (0s elapsed) | make_a_prerun | packs.virtualenv_prerun | Tue, 03 Aug 2021 16:45:02 UTC |
| 6109728e5f5ba424862603f2 | succeeded (1s elapsed) | get_pack_dependencies | packs.get_pack_dependencies | Tue, 03 Aug 2021 16:45:02 UTC |
| 6109728f5f5ba42486260401 | succeeded (1s elapsed) | check_dependency_and_conflict_lis | core.noop | Tue, 03 Aug 2021 16:45:03 UTC |
| | | t | | |
| 610972905f5ba42486260410 | succeeded (27s elapsed) | install_pack_requirements | packs.setup_virtualenv | Tue, 03 Aug 2021 16:45:04 UTC |
| 610972ab5f5ba4248626041f | succeeded (1s elapsed) | get_pack_warnings | packs.get_pack_warnings | Tue, 03 Aug 2021 16:45:31 UTC |
| 610972ac5f5ba4248626042e | succeeded (2s elapsed) | register_pack | packs.load | Tue, 03 Aug 2021 16:45:32 UTC |
+--------------------------+-------------------------+-----------------------------------+-----------------------------+-------------------------------+
I've uninstalled/installed the bitbucket pack a lot of times. Doesn't matter if its already installed or not I get the same issue. PSI've noticed that I get an https insecure warning on the same user, but when logged in as an admin user I dont see this error. I find this as odd behavior. st2user st2user@<redacted> ~ $ st2 execution get 6109728a42f81337b39bdf0b
/opt/stackstorm/st2/lib/python3.6/site-packages/urllib3/connectionpool.py:1020: InsecureRequestWarning: Unverified HTTPS request is being made to host '<url>'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning,
/opt/stackstorm/st2/lib/python3.6/site-packages/urllib3/connectionpool.py:1020: InsecureRequestWarning: Unverified HTTPS request is being made to host '<url>'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning,
id: 6109728a42f81337b39bdf0badmin user (my account) me@<redacted> ~ $ st2 execution get 6109728a42f81337b39bdf0b
id: 6109728a42f81337b39bdf0b |
|
I will try and give it a go with the APIKEY to see if I can reproduce the error, as that's the only difference I can see.... The error indicates that the output doesn't include a result, but from your st2 execution get then it does... If it's not because it's an API key, then the only thing I can think of is whether there's some timing problem or buffering, but then that doesn't explain why only with the non admin user (unless the apikey is the thing...). The only other thing is to add in extra debug into the /opt/stackstorm/st2/lib/python3.6/site-packages/st2client/commands/pack.py to see what you have in that result object at the time st2client is trying to retrieve it. I'm interested at what we have at this bit in the PackInstallCommand class: |
|
I've managed to reproduce it... |
|
I don't think its related to the apikey login versus the username login, as I managed to reproduce today with both methods. Added in debug, and it looks like its not waiting for the pack to be installed, as its trying to get the result when the execution result is in Requested state. That would explain why it can't find the execution result. So it looks like ST2 is trying to output the result at the point we've requested it to do a pack install, rather than waiting for the result in this case. Not sure if that's a timing issue, as I didn't see this the other day. |
|
@minsis Found something in the st2stream logs: So can you try adding stream_view permission, and see if that resolves the issue. It appears to have for me... |
|
@amanda11 Looks like this was it. I guess that explains why I didn't see any errors in the API log since it was in the st2stream. I didn't think about it switching to st2stream for this. Thanks and appreciate your help in this! The global stream_view permission isn't documented. I would imagine this should still be a bug though as st2stream doesn't report a permissions error back to st2client so it just fails out. |
|
Oh, also to note this will still fail if the user doesn't have the pack_view permissions for the pack itself. This makes it counterintuitive as this user is free to install packs but obviously not allowed to edit its own role. This makes my automation process of keeping our clusters in sync across our datacenters more tricky to deal with. |
|
Glad we found the problem, so sounds like this has shown a few things:
Anything else I missed? I think now we know root cause it might be worth separating the points out - so we can try and close off some of the simple ones quickly, so that at least if someone else gets the problem they don't have to repeat all our troubleshooting. |
Let me know how you want to handle point 3 and I'll close out this ticket, unless you feel like its covered with the other two raised issues. |
|
Actually re-reading what I wrote for point 3, I guess the answer would be RBAC since that's where it the effective permission would be resolved. I guess another discussion would spawn out of this as to whether or its even supposed to do that. It seems like stream view shouldn't be a blocker for running actions. If you have those permissions defined in your role then it wouldn't make sense to error out your entire workflow because you can't view it over stream. Overall I think stream_veiw doesn't make a whole lot of sense to me. It was added in 2.4.0 which is 4 years ago this month, so its hard to say what the intention was. |
|
Point 3 is an odd one. I originally was thinking it was about rbac, but its not its about st2 client doing an async call but then not having the permissions to check the stream. So in hindsight perhaps 1) would cover this, as if we got the error back it would be clear. But the fact that for pack install you have to have the :pack_view permission to be able to install, is probably another point to add to StackStorm/st2-rbac-backend#53. I don't have strong opinion, so happy for you to disagree. |
|
While RBAC in the end blocks the stream_view on the backend, it doesn't prevent any other actions in the workflow from breaking as long as you have the permissions. Looking at my debug output you can see the failed call is made to In the end there's just a list of issues with point 3 that contributes to what is happening here. But the root cause of the initial error wouldn't be RBAC it would be something between st2stream and st2client. |
|
Same issue for me Not able to install basic packs like linux email observing above error. |
|
Thanks for contributing to this issue. As it has been 90 days since the last activity, we are automatically marking is as stale. If this issue is not relevant or applicable anymore (problem has been fixed in a new version or similar), please close the issue or let us know so we can close it. On the contrary, if the issue is still relevant, there is nothing you need to do, but if you have any additional details or context which would help us when working on this issue, please include it as a comment to this issue. |
SUMMARY
I have a restricted user that should only have permissions to install packs. The pack install works fine but the client returns a python error
If I do the install with an admin level user everything is fine. The other issue here is that the pack gets installed just fine. The API logs has no errors and produces a 200 response (I do not have it in debug mode).
STACKSTORM VERSION
Paste the output of
st2 --version: st2 3.4.1, on Python 3.6.8OS, environment, install method
Post what OS you are running this on, along with any other relevant information/
Steps to reproduce the problem
Create a user with the following role and install a pack:
Expected Results
While the package does in fact get installed, the output should reflect it:
Actual Results
While the package does in fact get installed there's a python error for a missing attribute on an object.
Here is the full output of st2client in debug:
Thanks!
The text was updated successfully, but these errors were encountered: