Merge pull request #319 from mamercad/issue-318

Add support for RBAC mappings
StackStorm · Jul 7, 2022 · 8f83ad7 · 8f83ad7
2 parents 209b260 + 2ea9015
commit 8f83ad7
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -49,7 +49,7 @@ Below is the list of variables you can redefine in your playbook to customize st
 | `st2_auth_password`      | `testp`       | Password used by StackStorm standalone authentication.
 | `st2_save_credentials`   | `yes`         | Save credentials for local CLI in `/root/.st2/config` file.
 | `st2_rbac_enable`        | `no`          | Enable RBAC. |
-| `st2_rbac`               | [See `st2_rbac` variable in role defaults](roles/st2/defaults/main.yml) | RBAC roles and assignments. This is a dictionary with two keys `roles` and `assignments`. `roles` and `assignments` are in turn both arrays. Each element in the array follows the exact YAML schema for [roles](https://docs.stackstorm.com/rbac.html#user-permissions) and [assignments](https://docs.stackstorm.com/rbac.html#defining-user-role-assignments) defined in ST2 documentation.
+| `st2_rbac`               | [See `st2_rbac` variable in role defaults](roles/st2/defaults/main.yml) | RBAC roles and assignments. This is a dictionary with three keys `roles`, `assignments`, and `mappings` (based on LDAP group membership). `roles`, `assignments`, and `mappings` are arrays. Each element in the array follows the exact YAML schema for [roles](https://docs.stackstorm.com/rbac.html#user-permissions), [assignments](https://docs.stackstorm.com/rbac.html#defining-user-role-assignments) defined in ST2 documentation. [mappings](https://docs.stackstorm.com/rbac.html#automatically-granting-roles-based-on-ldap-group-membership) are slightly different, they use a `name` and a `mapping` key, see [./roles/StackStorm.st2/defaults/main.yml](./roles/StackStorm.st2/defaults/main.yml) for an example.
 | `st2_ldap_enable`        | `no`          | Enable LDAP authentication backend. |
 | `st2_ldap`               | [See `st2_ldap` variable in role defaults](roles/st2/defaults/main.yml) | Settings for LDAP authentication backend. `st2_ldap` is a dictionary and has one item `backend_kwargs`. `backend_kwargs` should be provided as exactly listed in ST2 documentation for [LDAP configuration](https://docs.stackstorm.com/authentication.html#ldap).
 | `st2_packs`              | `[ st2 ]`     | List of packs to install. This flag does not work with a `--python3` only pack.

diff --git a/roles/StackStorm.st2/defaults/main.yml b/roles/StackStorm.st2/defaults/main.yml
@@ -54,6 +54,19 @@ st2_ldap:
 # The schema for roles and assignments follow the exact schema definition
 # define in https://docs.stackstorm.com/latest/rbac.html#defining-roles-and-permission-grants
 # and https://docs.stackstorm.com/latest/rbac.html#defining-user-role-assignments
+# Mappings are pushed as YML files to /opt/stackstorm/rbac/mappings/
+# The schema for mappings takes on the following format:
+#   - The well-defined "name" key is used as the filename, e.g., the example below creates /opt/stackstorm/rbac/mappings/domain-admins.yaml
+#   - The well-defined "mapping" key defines the mapping itself
+# The reason for this convention drift is to avoid attempting to use "cn=domain-admins,ou=groups,dc=stackstorm,dc=com" as the basis for the filename
+#   st2_rbac:
+#     mappings:
+#       - name: domain-admins
+#         mapping:
+#           group: cn=domain-admins,ou=groups,dc=stackstorm,dc=com
+#           description: Grant admin role to all domain-admin members
+#           roles:
+#             - admin
 st2_rbac_enable: no
 # "enable" is not a key of st2_rbac because the defaults would be lost if any key in the dictionary is changed
 st2_rbac:
@@ -65,7 +78,7 @@ st2_rbac:
     - name: "{{ st2_auth_username }}"
       roles:
         - system_admin
-
+  mappings: []
 
 # Save credentials in ~/.st2/config file
 st2_save_credentials: yes

diff --git a/roles/StackStorm.st2/tasks/auth-rbac.yml b/roles/StackStorm.st2/tasks/auth-rbac.yml
@@ -1,5 +1,5 @@
 ---
-- name: Create directory to store roles and assignments
+- name: Create directory to store roles, assignments, and mappings
   become: yes
   file:
     path: "/opt/stackstorm/rbac/{{ item }}"
@@ -8,6 +8,7 @@
   loop:
     - roles
     - assignments
+    - mappings
   when: st2_rbac_enable|bool
 
 - name: Copy defined RBAC roles to /opt/stackstorm/rbac/roles directory
@@ -34,6 +35,18 @@
   notify:
     - reload rbac
 
+- name: Copy RBAC mappings to /opt/stackstorm/rbac/mappings directory
+  become: true
+  template:
+    src: rbac_mappings/mappings.yml.j2
+    dest: /opt/stackstorm/rbac/mappings/{{ item.name }}.yaml
+    owner: st2
+    group: st2
+  loop: "{{ st2_rbac.mappings }}"
+  when: st2_rbac_enable|bool
+  notify:
+    - reload rbac
+
 - name: Enable RBAC in st2 configuration
   become: yes
   ini_file:
@@ -48,6 +61,22 @@
     - restart st2auth
     - reload rbac
 
+- name: Enable RBAC sync_remote_groups in st2 configuration
+  become: true
+  ini_file:
+    dest: /etc/st2/st2.conf
+    section: rbac
+    option: sync_remote_groups
+    value: True
+    backup: yes
+  when:
+    - st2_rbac_enable|bool
+    - st2_rbac.mappings | length > 0
+  notify:
+    - restart st2api
+    - restart st2auth
+    - reload rbac
+
 - name: Set RBAC backend to default in st2 configuration
   become: yes
   ini_file:

diff --git a/roles/StackStorm.st2/templates/rbac_mappings/mappings.yml.j2 b/roles/StackStorm.st2/templates/rbac_mappings/mappings.yml.j2
@@ -0,0 +1,3 @@
+---
+
+{{ item.mapping | to_nice_yaml(2) }}