Do not include example RBAC files in values. #230
Comments
The way the default RBAC configuration should work for an average user is to just set: This conforms with the other deployment methods we have and the documentation https://docs.stackstorm.com/rbac.html#enabling-rbac I'd recommend overriding the Helm values individually in your configuration for the first st2 deployment to avoid these items being created.

How do I override the values so that these files don't get created? The dictionaries get merged together. I'm happy to learn a new helm trick :) I just couldn't figure out how to do that. Hopefully it's obvious and I just missed it.

By default, we include `st2admin` and `stanley` users. However, those are optional and can be changed with custom images and modified values. If using an external auth source (I use ldap), those user accounts might not be allowed, or might be for something/someone else (thinking of `stanley`). So, some environments might not want to assign `stanley` to be a `system_user`.

For something like `st2.packs.images` it is easy to override the list with an empty list `[]`. That doesn't work for `st2.rbac.*` because `st2.rbac.roles` and `st2.rbac.assignments` are dicts/hashes which get merged together--`st2.rbac.mappings` is also a dict/hash, but it doesn't have any samples in it, so that needs no changes. So, there is not a clean way to remove `st2.rbac.roles["sample.yaml"]`, `st2.rbac.assignments["st2admin.yaml"]`, or `st2.rbac.assignments["stanley.yaml"]`.

It's fairly simple to drop those entries but leave them commented as examples in the values. That way there is no inadvertent granting of privileges to the wrong `stanley` user, or to a non-existent `st2admin` user.

I have a branch with this fix prepared: https://github.com/cognifloyd/stackstorm-ha/tree/no-default-rbac-files

I will submit a PR later.
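
The merge behaviour discussed in this issue, as an added example that is not part of the original issue or the chart's own code: a simplified Python model of how Helm combines chart defaults with user values, including Helm's documented rule that a key overridden with `null` is dropped, plus a check for RBAC files that survive the merge. Only the key names come from the issue; the default contents, the `ldap-admins.yaml` entry and all function names are constructed for illustration.

```python
import copy

# Constructed stand-in for the chart defaults: key names are from the issue,
# file contents and the pack image are placeholders.
DEFAULTS = {"st2": {
    "packs": {"images": [{"repository": "example/placeholder-pack"}]},
    "rbac": {
        "roles": {"sample.yaml": "<role definition>"},
        "assignments": {"st2admin.yaml": "<assignment>", "stanley.yaml": "<assignment>"},
        "mappings": {},
    },
}}

def coalesce(defaults, overrides):
    """Simplified model of Helm's values merge: dicts merge key by key, lists and
    scalars are replaced, and a null (None) override drops the default key."""
    merged = copy.deepcopy(defaults)
    for key, value in overrides.items():
        if value is None:
            merged.pop(key, None)
        elif isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = coalesce(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged

def rbac_files(values):
    """RBAC files that would still be rendered, as 'section/filename'."""
    rbac = values["st2"]["rbac"]
    return sorted(f"{section}/{name}"
                  for section in ("roles", "assignments", "mappings")
                  for name in rbac.get(section, {}))

def unexpected_rbac_files(user_values, allowed=()):
    """Audit: RBAC files left after the merge that the operator did not list."""
    return [f for f in rbac_files(coalesce(DEFAULTS, user_values)) if f not in allowed]

# Emptying the dicts leaves every sample in place; the same trick does clear the list.
EMPTY = {"st2": {"packs": {"images": []}, "rbac": {"roles": {}, "assignments": {}}}}
# Nulling each sample key individually removes it in this model.
NULLED = {"st2": {"rbac": {
    "roles": {"sample.yaml": None},
    "assignments": {"st2admin.yaml": None, "stanley.yaml": None,
                    "ldap-admins.yaml": "<operator's own assignment>"},
}}}

if __name__ == "__main__":
    print(unexpected_rbac_files(EMPTY))
    print(unexpected_rbac_files(NULLED, allowed=("assignments/ldap-admins.yaml",)))
```

Running the same kind of check against the output of `helm template` for a real release confirms which role and assignment files a given values file actually produces.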