Open
Description
I have a user with a role assigned as this:
```yaml
name: "my_role"
permission_grants:
    -
        resource_uid: "pack:<my special pack>"
        permission_types:
            - "pack_all"
            - "sensor_type_all"
            - "action_all"
            - "action_alias_all"
            - "rule_all"
```
The documentation under pack leads one to believe that action_all will allow the execution of any action under that pack, but this is not the case.

From st2api.log:
```
2021-10-06 09:56:21,637 140650525596712 ERROR router [-] Failed to call controller function "post" for operation "st2api.controllers.v1.actionexecutions:action_execution_rerun_controller.post": User "<user>" doesn't have required permission "action_execute" on resource "action:<my special pack>:<my action>"
Traceback (most recent call last):
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2common/router.py", line 621, in __call__
    resp = func(**kw)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/v1/actionexecutions.py", line 675, in post
    show_secrets=show_secrets,
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/v1/actionexecutions.py", line 130, in _handle_schedule_execution
    permission_type=permission_type,
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2rbac_backend/utils.py", line 127, in assert_user_has_resource_db_permission
    permission_type=permission_type)
st2common.exceptions.rbac.ResourceAccessDeniedError: User "<user>" doesn't have required permission "action_execute" on resource "action:<my special pack>:<my action>"
```
So action_all is ignored with the pack resource.