RBAC LDAP Mapping causes rule creation to fail when the workflow is not available #3572

Closed
sibirajal opened this issue Jul 17, 2017 · 3 comments · Fixed by #3573

sibirajal commented Jul 17, 2017

Hello Team,

We have integrated St2 authentication with enterprise LDAP, and users are mapped with RBAC in AD. I've created a new rule with trigger/criteria/workflow; however, the workflow is not created for the rule.

When I try to create the rule, it fails with the internal error below. My account is part of the "admin" role and it's mapped to LDAP. The same rule creation succeeds if I disable RBAC in st2.conf or create the workflow before the rule. Please take a look at the failures below and investigate the cause of the issue.

```
st2 rule create dns_alert.yaml

ERROR: 500 Server Error: Internal Server Error
MESSAGE: Internal Server Error for url: http://127.0.0.1:9101/v1/rules
```

RBAC Mapping:

```
cat /opt/stackstorm/rbac/mappings/sysadmin.yaml
```

```yaml
group: "CN=xxxx,xxxx,xxxx"
description: "Automatically grant observer role to all sysadmin group members."
roles:
  - "admin"
```

Rule:

```yaml
name: dns_alert
pack: ops
description: Check alert for dns and trigger remediation
enabled: true
trigger:
  type: ops.event_handler
criteria:
  trigger.Hostname:
    pattern: "testdns1"
    type: matchregex
  trigger.AlertType:
    pattern: "alert"
    type: matchregex
  trigger.Severity:
    pattern: "(white|blue)"
    type: regex
action:
  ref: ops.remediate_dns_alert_workflow
  parameters:
    hostname: "{{ trigger.Hostname }}"
    alertsid: "{{ trigger.AlertsID }}"
```

Failure log in st2api:
2017-07-17 04:56:18,340 77894832 INFO logging [-] 5837c4eb-01e7-43ca-aaec-12998458e349 - POST /v1/rules with query={} (remote_addr='127.0.0.1',method='POST',request_id='5837c4eb-01e7-43ca-aaec-12998458e349',query={},path='/v1/rules')
2017-07-17 04:56:18,345 77894832 AUDIT auth [-] Token with id "xxxxxxxxxxxxxxxx" is validated.
2017-07-17 04:56:18,399 77894832 ERROR router [-] Failed to call controller function "post" for operation "st2api.controllers.v1.rules:rule_controller.post": 'NoneType' object has no attribute 'get_uid'
Traceback (most recent call last):
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/router.py", line 414, in call
resp = func(**kw)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2api/controllers/v1/rules.py", line 103, in post
rule_api=rule)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/rbac/utils.py", line 206, in assert_user_has_rule_trigger_and_action_permission
action_ref=action_ref)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/rbac/utils.py", line 172, in user_has_rule_action_permission
user_db=user_db, resource_db=action_db, permission_type=PermissionType.ACTION_EXECUTE)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/rbac/resolvers.py", line 407, in user_has_resource_db_permission
action_uid = resource_db.get_uid()
AttributeError: 'NoneType' object has no attribute 'get_uid'
2017-07-17 04:56:18,400 77894832 ERROR error_handling [-] API call failed: 'NoneType' object has no attribute 'get_uid'
Traceback (most recent call last):
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/middleware/error_handling.py", line 46, in call
return self.app(environ, start_response)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/router.py", line 445, in as_wsgi
resp = self(req)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/router.py", line 418, in call
raise e
AttributeError: 'NoneType' object has no attribute 'get_uid' (_exception_data={},_exception_class='AttributeError',_exception_message="'NoneType' object has no attribute 'get_uid'")
2017-07-17 04:56:18,401 77894832 INFO logging [-] 5837c4eb-01e7-43ca-aaec-12998458e349 - 500 46 61.774ms
{
"faultstring": "Internal Server Error"
} (result='{\n "faultstring": "Internal Server Error"\n}',content_length=46,request_id='5837c4eb-01e7-43ca-aaec-12998458e349',runtime=61.774,remote_addr='127.0.0.1',status=500,method='POST',path='/v1/rules')
2017-07-17 04:56:39,980 77894832 INFO logging [-] d989b4b3-c945-4920-b395-f4245d8120e5 - POST /v1/rules with query={} (remote_addr='127.0.0.1',method='POST',request_id='d989b4b3-c945-4920-b395-f4245d8120e5',query={},path='/v1/rules')
2017-07-17 04:56:39,986 77894832 AUDIT auth [-] Token with id "596c43808888b26e2c7a7f45" is validated.
2017-07-17 04:56:40,038 77894832 ERROR router [-] Failed to call controller function "post" for operation "st2api.controllers.v1.rules:rule_controller.post": 'NoneType' object has no attribute 'get_uid'
Traceback (most recent call last):
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/router.py", line 414, in call
resp = func(**kw)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2api/controllers/v1/rules.py", line 103, in post
rule_api=rule)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/rbac/utils.py", line 206, in assert_user_has_rule_trigger_and_action_permission
action_ref=action_ref)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/rbac/utils.py", line 172, in user_has_rule_action_permission
user_db=user_db, resource_db=action_db, permission_type=PermissionType.ACTION_EXECUTE)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/rbac/resolvers.py", line 407, in user_has_resource_db_permission
action_uid = resource_db.get_uid()
AttributeError: 'NoneType' object has no attribute 'get_uid'
2017-07-17 04:56:40,039 77894832 ERROR error_handling [-] API call failed: 'NoneType' object has no attribute 'get_uid'
Traceback (most recent call last):
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/middleware/error_handling.py", line 46, in call
return self.app(environ, start_response)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/router.py", line 445, in as_wsgi
resp = self(req)
File "/opt/stackstorm/st2/lib/python2.7/site-packages/st2common/router.py", line 418, in call
raise e
AttributeError: 'NoneType' object has no attribute 'get_uid' (_exception_data={},_exception_class='AttributeError',_exception_message="'NoneType' object has no attribute 'get_uid'")

Member

Kami commented Jul 17, 2017

Thanks for reporting this.

It looks like a general RBAC issue on rule creation - will look into it.

Kami self-assigned this Jul 17, 2017

Member

Kami commented Jul 17, 2017

Small thing - next time please use GitHub Gist for code snippets, etc. - https://gist.github.com/

This way indentation, etc. is preserved so it's easier to look into it.

Kami added a commit that referenced this issue Jul 17, 2017
(user can't create rules which reference actions which don't exist in
the system when RBAC is enabled).
Member

Kami commented Jul 17, 2017

Bug fix in #3573, thanks again for reporting this.

arm4b added the bug label Jul 17, 2017
Kami added a commit that referenced this issue Jul 19, 2017
(user can't create rules which reference actions which don't exist in
the system when RBAC is enabled).
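
An added example, not code from StackStorm or from #3573: a simplified model of the failure in the traceback above (a permission check that calls `get_uid()` on a lookup result that is `None`), next to a version that returns an explicit allow/deny decision when the rule's action is not registered. The function names, the uid format, the sample grants and the choice to evaluate pack-level grants for an unregistered action are all assumptions made for illustration.

```python
from dataclasses import dataclass

ACTION_EXECUTE = "action_execute"


@dataclass(frozen=True)
class Action:
    pack: str
    name: str

    def get_uid(self):
        return f"action:{self.pack}:{self.name}"


# Constructed sample data (hypothetical, not taken from the issue).
ACTIONS = {"ops.restart_service": Action("ops", "restart_service")}
ADMINS = {"root"}
GRANTS = {  # user -> resource uid -> permission types
    "alice": {"pack:ops": {ACTION_EXECUTE}},
    "bob": {"action:ops:restart_service": {ACTION_EXECUTE}},
}


def _decide(user, action):
    if user in ADMINS:
        return True
    grants = GRANTS.get(user, {})
    uids = (action.get_uid(), f"pack:{action.pack}")
    return any(ACTION_EXECUTE in grants.get(uid, ()) for uid in uids)


def can_execute_unguarded(user, action_ref):
    # Same shape as the traceback: the lookup result is dereferenced
    # unchecked, so a missing action raises AttributeError (HTTP 500).
    action = ACTIONS.get(action_ref)
    action.get_uid()
    return _decide(user, action)


def can_execute(user, action_ref):
    action = ACTIONS.get(action_ref)
    if action is None:
        pack, sep, name = action_ref.partition(".")
        if not (pack and sep and name):
            return False  # malformed reference: explicit deny
        # Placeholder used only to derive the uid, so role and pack-level
        # grants are still evaluated for a not-yet-registered action.
        action = Action(pack, name)
    return _decide(user, action)
```

With this shape, a user who holds only a grant on one specific registered action is denied for the unregistered reference, while the admin role and a pack-wide grant still resolve without an exception.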