-
-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RBAC for ChatOps in StackStorm #128
Comments
Hi! First of all, thank you for the thoughtful description—I appreciate you taking the time to write the user story in detail, and also review our codebase! Our relationship with ChatOps auth is, admittedly, complicated. Since it's an often-requested feature, I'll try to answer your questions in as much detail as possible, expand on them, and provide some additional context for future reference. Hopefully, other people will benefit from having detailed and definitive answers to these questions, too. Brace yourself! Here comes an unexpectedly massive wall of text. ChatOps access control in StackStorm1. Native RBAC
The short answer: StackStorm does not have a native or "official" way of implementing access control in ChatOps yet, but to some extent it is possible, given you are willing to experiment a bit. I am going to give the long answer, too—quite a lengthy and curious story, in fact—but first I am going to answer the rest of the questions so that you could just skip the story if you feel like it. 2. 2FA with Hubot
Disclaimer: this feature is undocumented and unsupported: it relies on experimental properties, and will change when we implement better access control. Yes, it's possible to use 2FA with ChatOps aliases. To be precise, it's launch confirmation rather than 2FA, because there's no "first" auth method, but it's a common term for any "external" auth nowadays. Someone called it 2FA, and we just kinda rolled with it. ¯_(ツ)_/¯ @jjm and I built this as a demo a while ago, and while it never been released officially, it's fully functional. I'll be very descriptive and technical here: you're pretty much entering uncharted waters, so it wouldn't hurt to have as much information as possible. You will need three things for 2FA to work:
Restart everything, and you should have it working. Here's what's going to happen when you issue a command:
That's it! If you followed the links, you must've noticed that the 2FA implementation is not specific to Duo: you can build your own workflow, as long as it accepts the same set of parameters from Hubot and sends either a stream announcement or a failure message as a final step. What's inside the workflow is irrelevant to Hubot: you can launch Duo actions or you can use the Again, this syntax will change in the future, because aliases shouldn't contain user-specific data: they are supposed to be shared and reused across all users and teams. On the other hand, when we decide it's time to change it, it will most likely mean we have a better feature in place, so if you end up using 2FA, don't worry: we won't leave you hanging. So, about your use case.
You'll have to enable 2FA for the aliases that aren't supposed to be public, and build a workflow in such a way that only you and the stakeholder can confirm the request it sends. Could be Duo or something else. The workflow might require a bit of tinkering, but shouldn't be too hard. Admittedly, using 2FA as a substitute for access control is a very peculiar way of solving this problem, but if you come up with a workflow that's simple and convenient enough for you to use, I can't see why not. 3. Other ways to implement access control
hubot-rbac might work: it's middleware-based, so it's going to verify your access even before the command propagates to our own hubot-auth exposes methods for auth, and expects other scripts to use those methods, as far as I can tell. Not a good choice unless you want to modify I might not be able to help further, since we don't support third-party scripts, but if you're determined to see this through and figure out a decent way to implement ChatOps access control with StackStorm—and maybe write a guest post about it in our blog—let me know, I'm really interested. Consider dropping by our community chat in Slack! It's fun, and there's a few people who can tell more about ChatOps auth, too. @jjm and @tonybaloney are auth experts by now, and @pixelrebel has his own implementation of limiting aliases to channels. The storyNow, the story about why we don't have ChatOps access control yet. I mentioned earlier that StackStorm having no access control in ChatOps is not just an oversight: as you can probably guess, this feature is requested quite often, and we are well aware of its importance. Most hierarchical companies or large teams have a need to limit access to the bot. For some, it's a necessity—especially when StackStorm runs mission-critical workflows—or even a requirement mandated by a security policy. If so, why don't we have it implemented yet? The reason is twofold. 1. It must be done rightAccess control in ChatOps is a major architectural change: we need to map chat users to StackStorm users, assign permissions per alias (possibly even per format string), implement permissions for service users, and tie this functionality into core StackStorm RBAC. That's not to mention a multitude of smaller additions and changes. As if it's not enough, consider the fact that we are building a security layer. Naturally, every security feature is extensively scrutinized: StackStorm often controls mission-critical infrastructure, and we have to make sure it is reliable and safe. No feature at the security layer gets developed, let alone released, until we are absolutely sure we have the time and resources for it. That said, we are (spoiler alert!) making progress on the issue. But there's another peculiar problem. 2. StackStorm RBAC is not open sourceElephant in the room time! Role-based access control in the StackStorm core is an enterprise-only feature, and ChatOps access verification is supposed to tie into the StackStorm core. Oh no! What are we going to do now? Are we going to introduce a crippled version of access control that only allows three and a half users? Are we going to give everything away and work for $1 a year? (I kinda hope not.) Are we going to offer a 30-day trial, wiping the entire access list and sending a channel-wide notification about it the moment it's expired? Are we going to ask everyone trying to run a bot to buy a commercial license for a gazillion dollars? (Yes, please. My paypal is [email protected].) Shhhh... I'm not telling you. It's a mystery! But whatever we do, Customer Satisfaction Guaranteed. Future plansNo promises here, but there's a pretty good chance this is going to be implemented in StackStorm 2.2. We have a great PR by @tonybaloney that lays the groundwork for ChatOps auth, and after we release 2.1 (in a few weeks!), ChatOps access control is one of the candidates to become the next release focus. About time, isn't it? Well, I hope I was able to answer your question. If you end up doing something interesting with access control in ChatOps, you should definitely let me know! And sorry that was such a long response completely out of the blue. 😛 Good luck! — Ed |
@emedvedev answer here is very helpful, so I renamed Issue title for better search. But for now leaving it opened as a great piece of information. |
hubot-rbac isn't going to work because they rely on the listener id in hubot to perform the authorization. In stackstorm, all commands are funneled into one listener with a broad regex which then further matches it to a stackstorm command from there. I assume this was done to support reloading the commands on the fly. |
I created a fork, which is heavily refactored here: https://github.com/silverbp/hubot-stackstorm. I pulled the 2FA stuff out for now as well as the ability to reload commands. The refactor though does register each command as a separate ID allowing hubot middleware plugins to work better with it such as hubot-rbac. I intend on adding the 2FA and reloading of commands back in as well as fixing up the tests as I get time. |
Awesome job! Please let us know how we can help, and keep us posted :) As soon as you add the missing functionality back, we can help with tests and such. |
I'm going to create a pull request so we can track it from there, I have some questions. I've also switched to using hubot-auth and hubot-middleware-auth-ext since the hubot-rbac is deny only. I have it working where you can set the roles and possibly rooms in the action-alias and hubot-stackstorm picks it up. |
@armab said in slack (talking to @namachieli):
My usecase: |
This would be an excellent capability in my environment. Being able to have other teams invite my bot and query the network, while safely only be able to execute workflows and actions that I deem acceptable would greatly expand the ways in which I could utilize stackstorm. |
User Story
As a privileged user (ops/sysadmin) I want to be able to apply one off commands (for debugging/fixes) and/or run my configuration management solution through Chatops/Slack/Rocketchat. At the same time I want to grant read only or a layer of both authentication and authorization to other stakeholders/single channel users. Also restrict/limit the specific calls a user can make to the channel bots and/or list which commands unprivileged users could access (better example may be 2 channels for two authorizations steps or 2 bots in one channel). Ideally security/auditing could; ping, status, metrics, report, etc. to the channel or render reports/audits/charts/etc, or only make available lower risk commands (e.g. ansible playbook w/o declaring git branch or arbitrary cmd - where code being applied can only come from master branch) to restrict team members to only be able to push "approved" code.
Issue
The text was updated successfully, but these errors were encountered: