Rbac integration

[hnanchahal]

Integrate RBAC backend https://github.com/StackStorm/st2-rbac-backend into st2 core natively.

[arm4b]

Thanks for the contribution!

I left a comment below that'll help to integrate the rbac py package into st2.

[arm4b]

As we're still waiting for TravisCI, wondering that there is also a need to test for RBAC presence via st2-packaging tests.
Additionally, looks like RBAC ships the st2-apply-rbac-defintions binary required to apply the rbac rules.

@hnanchahal Can you please open a PR against the st2-packages to include something along the lines there:
StackStorm/st2-packages@0bf2076

This will ensure that st2-apply-rbac-defintions binary is shipped with the st2 deb/rpm package and test it.

[arm4b]

CI reports some real issues. Please check the https://travis-ci.org/github/StackStorm/st2/jobs/744939156#L1775-L1787 with the instructions. Similar to previous PR, this needs another make requirements to update it all properly.

[arm4b]

st2-packages still needs a change for enabling apply-rbac-defintions, described here in details: #5086 (comment)
@hnanchahal Can you please compose that PR to ensure we're shipping all the RBAC bits with the packages?

[arm4b]

To recap the blockers for this PR:

• st2-packages need a change for enabling apply-rbac-defintions, described here in details: Rbac integration #5086 (comment)
• Some Unit Tests related to RBAC should be fixed, according to CI failure: https://travis-ci.org/github/StackStorm/st2/jobs/745513542#L2227

[hnanchahal]

@armab I think the Unit test is failing because its not getting "default" from available_rbac_backends. Any pointers?

def validate_rbac_is_correctly_configured():
"""
Function which verifies that RBAC is correctly set up and configured.
"""
if not cfg.CONF.rbac.enable:
return True

from st2common.rbac.backends import get_available_backends
available_rbac_backends = get_available_backends()

# 1. Verify auth is enabled
if not cfg.CONF.auth.enable:
    msg = ('Authentication is not enabled. RBAC only works when authentication is enabled. '
           'You can either enable authentication or disable RBAC.')
    raise ValueError(msg)

# 2. Verify default backend is set
if cfg.CONF.rbac.backend != 'default':
    msg = ('You have enabled RBAC, but RBAC backend is not set to "default". '
           'For RBAC to work, you need to install "st2-rbac-backend" package, set '
           '"rbac.backend" config option to "default" and restart st2api service.')
    raise ValueError(msg)

# 2. Verify default RBAC backend is available
if 'default' not in available_rbac_backends:
    msg = ('"default" RBAC backend is not available. Make sure '
           '"st2-rbac-backend" system packages are installed.')
    raise ValueError(msg)

[arm4b]

@hnanchahal Right, the new state is that RBAC is now part of the st2 core and those tests need an adjustment to reflect the integration.

For instance, instructions like:

For RBAC to work, you need to install "st2-rbac-backend" package, set rbac.backend" config option to "default" and restart st2api service

recommends installing the st2-rbac-backend, while it's not needed anymore.

[hnanchahal]

@hnanchahal Right, the new state is that RBAC is now part of the st2 core and those tests need an adjustment to reflect the integration.

For instance, instructions like:

Understood that part. But since the rbac-backend package is being included in the requirements for st2common, why the driver_loader is failing to pick up rbac backend.
I assume
from st2common.rbac.backends import get_available_backends
available_rbac_backends = get_available_backends()

is not returning the default rbac backend.

[arm4b]

Are you referring to this https://travis-ci.org/github/StackStorm/st2/jobs/745513542#L2230-L2236 unit test failure case?

   AssertionError: ValueError not raised by validate_rbac_is_correctly_configured

From what I understand, the test enables rbac, auth and expects that it'll raise an error because previously RBAC wasn't available in the default installation.

st2/st2api/tests/unit/test_validation_utils.py

Lines 54 to 61 in 24ad843

	def test_validate_rbac_is_correctly_configured_default_backend_not_available(self):
	cfg.CONF.set_override(group='rbac', name='enable', override=True)
	cfg.CONF.set_override(group='rbac', name='backend', override='default')
	cfg.CONF.set_override(group='auth', name='enable', override=True)
	expected_msg = ('"default" RBAC backend is not available. ')
	self.assertRaisesRegexp(ValueError, expected_msg,
	validate_rbac_is_correctly_configured)

Because RBAC package is now part of the core, I think the unit test case there should not expect error message (ValueError) anymore.

Let's start from the point you mentioned, like more explicitly check that default is now in get_available_backends() for RBAC in the Unit tests?

[arm4b]

The Unit tests are passing now, - that's some good progress 👍

However linting is unhappy due to minor formatting issues. Check the instructions here: https://travis-ci.org/github/StackStorm/st2/jobs/745963664#L1642-L1646 about how to fix it.

I also provided other minor comments we'll need to fix before merging this PR.

[arm4b]

Looks good now.

I've tested the produced packages myself and can confirm that RBAC worked.

[arm4b]

@hnanchahal Thanks for working on this integration!

We'll need st2docs update for the RBAC feature as a next step, see more details here: StackStorm/st2docs#1038