Unable to render KV store params in actions when RBAC is enabled #5934

Closed
jschoewe opened this issue Mar 13, 2023 · 2 comments · Fixed by #5936
@jschoewe
Contributor

jschoewe commented Mar 13, 2023

SUMMARY

After enabling RBAC in version 3.8, we are not able to run actions that look up parameters from the KV store. The issue appears to occur when there's a period in the key name, such as test.key1; using keys with underscores instead (like test_key1) still works. This also appears to be an issue when loading values from pack configs.

ERROR: 400 Client Error: Bad Request
MESSAGE: Failed to render parameter "message": 'NoneType' object has no attribute 'scope' for url: http://127.0.0.1:9101/v1/executions

STACKSTORM VERSION

st2 3.8.0, on Python 3.8.13

OS, environment, install method

RHEL8, one-line install

Steps to reproduce the problem

Install StackStorm, enable RBAC, and create an action that looks up a parameter from the KV store.

Test Action:
/opt/stackstorm/packs/core/actions/echo_jinja.yaml

---
description: Action that executes the Linux echo command on the localhost.
runner_type: "local-shell-cmd"
enabled: true
entry_point: ''
name: echo_jinja
parameters:
  message:
    description: The message that the command will echo.
    type: string
    required: true
    default: "{{ st2kv.system.test.key1 }}"
  cmd:
    description: Arbitrary Linux command to be executed on the local host.
    required: true
    type: string
    default: 'echo "{{ message }}"'
    immutable: true

st2 key set test.key1 'HELLO'
st2 pack register core
st2 run core.echo_jinja

Actual Results

After running the test action above I get the following error:

ERROR: 400 Client Error: Bad Request
MESSAGE: Failed to render parameter "message": 'NoneType' object has no attribute 'scope' for url: http://127.0.0.1:9101/v1/executions

According to the st2api.log it doesn't seem to be looking for the whole key:

2023-03-13 11:27:27,121 140238292154672 DEBUG keyvalues [-] Lookup system kv: scope: st2kv.system and key: test

Also, when I add another key with st2 key add test '0', the action does run successfully after looking up both the test and test.key1 keys:

2023-03-13 09:55:50,616 140707953123744 DEBUG keyvalues [-] Lookup system kv: scope: st2kv.system and key: test
2023-03-13 09:55:50,621 140707953123744 DEBUG keyvalues [-] Got value 0 from datastore.
2023-03-13 09:55:50,622 140707953123744 DEBUG resolvers [-] KeyValuePermissionsResolver.user_has_resource_db_permission: Checking user resource permissions (user_db={'id': None, 'is_service': False, 'name': 'john.schoewe_priv@dev.encore.tech', 'nicknames': {}},resource_db={'description': None, 'expire_timestamp': None, 'id': '640f2935f75484a3c44fa528', 'name': 'test', 'scope': 'st2kv.system', 'secret': '********', 'uid': 'key_value_pair:st2kv.system:test', 'value': '0'},permission_type='key_value_pair_view',resolver='KeyValuePermissionsResolver')
2023-03-13 09:55:50,628 140707953123744 DEBUG resolvers [-] KeyValuePermissionsResolver.user_has_resource_db_permission: Found a matching grant via system role (user_db={'id': None, 'is_service': False, 'name': 'john.schoewe_priv@dev.encore.tech', 'nicknames': {}},resource_db={'description': None, 'expire_timestamp': None, 'id': '640f2935f75484a3c44fa528', 'name': 'test', 'scope': 'st2kv.system', 'secret': '********', 'uid': 'key_value_pair:st2kv.system:test', 'value': '0'},permission_type='key_value_pair_view',resolver='KeyValuePermissionsResolver')
2023-03-13 09:55:50,628 140707953123744 DEBUG keyvalues [-]
2023-03-13 09:55:50,659 140707953123744 DEBUG keyvalues [-] Lookup system kv: scope: st2kv.system and key: test.key1
2023-03-13 09:55:50,671 140707953123744 DEBUG keyvalues [-] Got value HELLO from datastore.
2023-03-13 09:55:50,672 140707953123744 DEBUG resolvers [-] KeyValuePermissionsResolver.user_has_resource_db_permission: Checking user resource permissions (user_db={'id': None, 'is_service': False, 'name': 'john.schoewe_priv@dev.encore.tech', 'nicknames': {}},resource_db={'description': None, 'expire_timestamp': None, 'id': '640f1b93f75484a3c44fa51c', 'name': 'test.key1', 'scope': 'st2kv.system', 'secret': '********', 'uid': 'key_value_pair:st2kv.system:test.key1', 'value': 'HELLO'},permission_type='key_value_pair_view',resolver='KeyValuePermissionsResolver')
2023-03-13 09:55:50,675 140707953123744 DEBUG resolvers [-] KeyValuePermissionsResolver.user_has_resource_db_permission: Found a matching grant via system role (user_db={'id': None, 'is_service': False, 'name': 'john.schoewe_priv@dev.encore.tech', 'nicknames': {}},resource_db={'description': None, 'expire_timestamp': None, 'id': '640f1b93f75484a3c44fa51c', 'name': 'test.key1', 'scope': 'st2kv.system', 'secret': '********', 'uid': 'key_value_pair:st2kv.system:test.key1', 'value': 'HELLO'},permission_type='key_value_pair_view',resolver='KeyValuePermissionsResolver')
2023-03-13 09:55:50,675 140707953123744 DEBUG param [-] Render complete: HELLO

I also found that it runs successfully when I replace the periods with underscores in the keys.
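
Added example, not part of the original issue and not StackStorm's code: a minimal model of the behaviour the logs above show, where a dotted key is resolved one segment at a time and a view-permission check runs on each lookup result. The names `resolve`, `can_view`, `guard_missing`, `outcome` and the sample store and grants are hypothetical, and the guard shown is one way to handle a missing intermediate key, not necessarily the change made in #5936.

```python
# Simplified model of dotted-key resolution with a per-lookup RBAC check.
# All names are hypothetical; this is not StackStorm source code.
from collections import namedtuple

KVP = namedtuple("KVP", "scope name value")
SYSTEM = "st2kv.system"
# Constructed datastore: only the dotted key exists, as in the report.
STORE = {(SYSTEM, "test.key1"): KVP(SYSTEM, "test.key1", "HELLO")}
# Constructed variant: the prefix "test" is also a key (the accidental workaround).
WITH_PREFIX = {**STORE, (SYSTEM, "test"): KVP(SYSTEM, "test", "0")}
GRANTS = {("alice", SYSTEM)}  # constructed: alice may view system-scoped keys


def can_view(user, kvp):
    # Reads kvp.scope, so it must never be handed a missing record (None).
    return (user, kvp.scope) in GRANTS


def resolve(user, dotted_key, store, guard_missing):
    """Walk 'a.b.c' as a, then a.b, then a.b.c, authorizing each record found."""
    value, prefix = None, ""
    for segment in dotted_key.split("."):
        prefix = f"{prefix}.{segment}" if prefix else segment
        kvp = store.get((SYSTEM, prefix))
        if kvp is None and guard_missing:
            value = None  # nothing stored under this prefix, nothing to authorize
            continue
        if not can_view(user, kvp):  # unguarded path dereferences None here
            raise PermissionError(prefix)
        value = kvp.value
    return value


def outcome(user, dotted_key, store, guard_missing):
    """Return the rendered value, or the exception type name on failure."""
    try:
        return resolve(user, dotted_key, store, guard_missing)
    except (AttributeError, PermissionError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print(outcome("alice", "test.key1", STORE, False))        # unguarded check
    print(outcome("alice", "test.key1", WITH_PREFIX, False))  # prefix key exists
    print(outcome("alice", "test.key1", STORE, True))         # guarded check
    print(outcome("bob", "test.key1", STORE, True))           # no grant: denied
```

The guard only skips authorization when there is no record to authorize; a user without a grant is still denied on the record that does exist.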

@vonec

vonec commented Mar 14, 2023

+1, can you guys look into it? We are also facing a similar issue ... any workaround for this?

@jschoewe
Contributor Author

I found the cause of the issue and created a PR for it here:
#5936
