Do not include example RBAC files in values. #230
Comments
|
The way the default RBAC configuration should work for an average user is to just set: This conforms with the other deployment methods we have and the documentation https://docs.stackstorm.com/rbac.html#enabling-rbac I'd recommend overriding the Helm values individually in your configuration for the first st2 deployment to avoid these items being created. |
How do I override the values so that these files don't get created? The dictionaries get merged together. I'm happy to learn a new helm trick :) I just couldn't figure out how to do that. Hopefully it's obvious and I just missed it. |
By default, we include
st2adminandstanleyusers. However, those are optional and can be changed with custom images and modified values. If using an external auth source (I use ldap), those user accounts might not be allowed, or might be for something/someone else (thinking ofstanley). So, some environments might not want to assignstanleyto be asystem_user.For something like
st2.packs.imagesit is easy to override the list with an empty list[]. That doesn't work forst2.rbac.*becausest2.rbac.rolesandst2.rbac.assignmentsare dicts/hashes which get merged together--st2.rbac.mappingsis also a dict/hash, but it doesn't have any samples in it, so that needs no changes. So, there is not a clean way to removest2.rbac.roles["sample.yaml"],st2.rbac.assignments["st2admin.yaml"], orst2.rbac.assignments["stanley.yaml"].It's fairly simple to drop those entries but leave them commented as examples in the values. That way there is no inadvertent granting of privileges to the wrong
stanleyuser, or to a non-existentst2adminuser.I have a branch with this fix prepared: https://github.com/cognifloyd/stackstorm-ha/tree/no-default-rbac-files
I will submit a PR later.
The text was updated successfully, but these errors were encountered: