Skip to content

Unable to render KV store params in actions when RBAC is enabled #5934

New issue
New issue
Closed
#5936
Closed
Unable to render KV store params in actions when RBAC is enabled#5934
#5936
Labels
bug
@jschoewe

Description

@jschoewe
jschoewe
opened on Mar 13, 2023

SUMMARY

After enabling RBAC in version 3.8 we are not able to run actions that look up parameters from the KV store. The issue appears to occur when there's a period in the key name such as test.key1 and using keys with underscores instead (like test_key1) still works. This also appears to be an issue when loading values from pack configs.

ERROR: 400 Client Error: Bad Request
MESSAGE: Failed to render parameter "message": 'NoneType' object has no attribute 'scope' for url: http://127.0.0.1:9101/v1/executions

STACKSTORM VERSION

st2 3.8.0, on Python 3.8.13

OS, environment, install method

RHEL8, one-line install

Steps to reproduce the problem

Install stackstorm, enable RBAC, create action that looks up parameter from KV store

Test Action:
/opt/stackstorm/packs/core/actions/echo_jinja.yaml

---
description: Action that executes the Linux echo command on the localhost.
runner_type: "local-shell-cmd"
enabled: true
entry_point: ''
name: echo_jinja
parameters:
  message:
    description: The message that the command will echo.
    type: string
    required: true
    default: "{{ st2kv.system.test.key1 }}"
  cmd:
    description: Arbitrary Linux command to be executed on the local host.
    required: true
    type: string
    default: 'echo "{{ message }}"'
    immutable: true

st2 key set test.key1 'HELLO'
st2 pack register core
st2 run core.echo_jinja

Actual Results

After running the test action above I get the following error:

ERROR: 400 Client Error: Bad Request
MESSAGE: Failed to render parameter "message": 'NoneType' object has no attribute 'scope' for url: http://127.0.0.1:9101/v1/executions

According to the st2api.log it doesn't seem to be looking for the whole key:

2023-03-13 11:27:27,121 140238292154672 DEBUG keyvalues [-] Lookup system kv: scope: st2kv.system and key: test

Also, when I add another key with st2 key add test '0', the action does run successsfully after looking up both the test and test.key1 keys:

2023-03-13 09:55:50,616 140707953123744 DEBUG keyvalues [-] Lookup system kv: scope: st2kv.system and key: test
2023-03-13 09:55:50,621 140707953123744 DEBUG keyvalues [-] Got value 0 from datastore.
2023-03-13 09:55:50,622 140707953123744 DEBUG resolvers [-] KeyValuePermissionsResolver.user_has_resource_db_permission: Checking user resource permissions (user_db={'id': None, 'is_service': False, 'name': 'john.schoewe_priv@dev.encore.tech', 'nicknames': {}},resource_db={'description': None, 'expire_timestamp': None, 'id': '640f2935f75484a3c44fa528', 'name': 'test', 'scope': 'st2kv.system', 'secret': '********', 'uid': 'key_value_pair:st2kv.system:test', 'value': '0'},permission_type='key_value_pair_view',resolver='KeyValuePermissionsResolver')
2023-03-13 09:55:50,628 140707953123744 DEBUG resolvers [-] KeyValuePermissionsResolver.user_has_resource_db_permission: Found a matching grant via system role (user_db={'id': None, 'is_service': False, 'name': 'john.schoewe_priv@dev.encore.tech', 'nicknames': {}},resource_db={'description': None, 'expire_timestamp': None, 'id': '640f2935f75484a3c44fa528', 'name': 'test', 'scope': 'st2kv.system', 'secret': '********', 'uid': 'key_value_pair:st2kv.system:test', 'value': '0'},permission_type='key_value_pair_view',resolver='KeyValuePermissionsResolver')
2023-03-13 09:55:50,628 140707953123744 DEBUG keyvalues [-]
2023-03-13 09:55:50,659 140707953123744 DEBUG keyvalues [-] Lookup system kv: scope: st2kv.system and key: test.key1
2023-03-13 09:55:50,671 140707953123744 DEBUG keyvalues [-] Got value HELLO from datastore.
2023-03-13 09:55:50,672 140707953123744 DEBUG resolvers [-] KeyValuePermissionsResolver.user_has_resource_db_permission: Checking user resource permissions (user_db={'id': None, 'is_service': False, 'name': 'john.schoewe_priv@dev.encore.tech', 'nicknames': {}},resource_db={'description': None, 'expire_timestamp': None, 'id': '640f1b93f75484a3c44fa51c', 'name': 'test.key1', 'scope': 'st2kv.system', 'secret': '********', 'uid': 'key_value_pair:st2kv.system:test.key1', 'value': 'HELLO'},permission_type='key_value_pair_view',resolver='KeyValuePermissionsResolver')
2023-03-13 09:55:50,675 140707953123744 DEBUG resolvers [-] KeyValuePermissionsResolver.user_has_resource_db_permission: Found a matching grant via system role (user_db={'id': None, 'is_service': False, 'name': 'john.schoewe_priv@dev.encore.tech', 'nicknames': {}},resource_db={'description': None, 'expire_timestamp': None, 'id': '640f1b93f75484a3c44fa51c', 'name': 'test.key1', 'scope': 'st2kv.system', 'secret': '********', 'uid': 'key_value_pair:st2kv.system:test.key1', 'value': 'HELLO'},permission_type='key_value_pair_view',resolver='KeyValuePermissionsResolver')
2023-03-13 09:55:50,675 140707953123744 DEBUG param [-] Render complete: HELLO

I also found that it runs successfully when I replace the periods with underscores in the keys.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions