Collecting st2-rbac-backend
  Cloning https://github.com/StackStorm/st2-rbac-backend.git (to revision master) to /tmp/pip-install-uiium15i/st2-rbac-backend_0a2a4584a2ba46e584e078cd4bc7fe30
  Running command git clone -q https://github.com/StackStorm/st2-rbac-backend.git /tmp/pip-install-uiium15i/st2-rbac-backend_0a2a4584a2ba46e584e078cd4bc7fe30
  Resolved https://github.com/StackStorm/st2-rbac-backend.git to commit 15111880591283b520570b6752edef994bc272e8
  Installing build dependencies: started
  Installing build dependencies: finished with status 'done'
  Getting requirements to build wheel: started
  Getting requirements to build wheel: finished with status 'error'
  ERROR: Command errored out with exit status 1:
   command: /root/virtualenv/bin/python /root/virtualenv/lib/python3.6/site-packages/pip/_vendor/pep517/in_process/_in_process.py get_requires_for_build_wheel /tmp/tmp5zm3l78q
       cwd: /tmp/pip-install-uiium15i/st2-rbac-backend_0a2a4584a2ba46e584e078cd4bc7fe30
  Complete output (4 lines):
  Failed to import pip: No module named 'pip'

---
    name: "chatbot"
    description: "Mr. Chatbot"
    enabled: true
    permission_grants:
        -
            resource_uid: "action:packs:show"
            permission_types:
               - "action_execute"
        -
            permission_types:
               - "action_list"
               - "rule_list"
               - "action_alias_help"

---
username: "bot
roles:
- "chatbot"

2021-02-08 15:24:46,700 140311874581616 INFO logging [-] f9a6d8e1-17c6-4fcc-8615-f01b8dc204e2 - GET /v1/actionalias/help with query={'x-auth-token': '********'} (method='GET',path='/v1/actionalias/help',remote_addr='127.0.0.1',query={'x-auth-token': '********'},request_id='f9a6d8e1-17c6-4fcc-8615-f01b8dc204e2')
2021-02-08 15:24:46,714 140311874581616 ERROR router [-] Failed to call controller function "help" for operation "st2api.controllers.v1.actionalias:action_alias_controller.help": 'NoneType' object has no attribute 'name'
Traceback (most recent call last):
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2common/router.py", line 516, in __call__
    resp = func(**kw)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/v1/actionalias.py", line 105, in help
    aliases_resp = super(ActionAliasController, self)._get_all(**kwargs)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/resource.py", line 564, in _get_all
    requester_user=requester_user)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/resource.py", line 184, in _get_all
    limit = validate_limit_query_param(limit=limit, requester_user=requester_user)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/resource.py", line 625, in validate_limit_query_param
    user_is_admin = rbac_utils.user_is_admin(user_db=requester_user)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2_rbac_backend-3.4.dev0-py3.6.egg/st2rbac_backend/utils.py", line 194, in user_is_admin
    is_system_admin = RBACUtils.user_is_system_admin(user_db=user_db)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2_rbac_backend-3.4.dev0-py3.6.egg/st2rbac_backend/utils.py", line 214, in user_is_system_admin
    return RBACUtils.user_has_role(user_db=user_db, role=SystemRole.SYSTEM_ADMIN)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2_rbac_backend-3.4.dev0-py3.6.egg/st2rbac_backend/utils.py", line 232, in user_has_role
    user_role_dbs = rbac_service.get_roles_for_user(user_db=user_db)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2_rbac_backend-3.4.dev0-py3.6.egg/st2rbac_backend/service.py", line 87, in get_roles_for_user
    queryset = UserRoleAssignment.query(user=user_db.name)
AttributeError: 'NoneType' object has no attribute 'name'
2021-02-08 15:24:46,715 140311874581616 ERROR error_handling [-] API call failed: 'NoneType' object has no attribute 'name'
Traceback (most recent call last):
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2common/middleware/error_handling.py", line 49, in __call__
    return self.app(environ, start_response)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2common/middleware/streaming.py", line 48, in __call__
    return self.app(environ, start_response)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2common/router.py", line 599, in as_wsgi
    resp = self(req)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2common/router.py", line 524, in __call__
    raise e
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2common/router.py", line 516, in __call__
    resp = func(**kw)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/v1/actionalias.py", line 105, in help
    aliases_resp = super(ActionAliasController, self)._get_all(**kwargs)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/resource.py", line 564, in _get_all
    requester_user=requester_user)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/resource.py", line 184, in _get_all
    limit = validate_limit_query_param(limit=limit, requester_user=requester_user)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/resource.py", line 625, in validate_limit_query_param
    user_is_admin = rbac_utils.user_is_admin(user_db=requester_user)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2_rbac_backend-3.4.dev0-py3.6.egg/st2rbac_backend/utils.py", line 194, in user_is_admin
    is_system_admin = RBACUtils.user_is_system_admin(user_db=user_db)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2_rbac_backend-3.4.dev0-py3.6.egg/st2rbac_backend/utils.py", line 214, in user_is_system_admin
    return RBACUtils.user_has_role(user_db=user_db, role=SystemRole.SYSTEM_ADMIN)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2_rbac_backend-3.4.dev0-py3.6.egg/st2rbac_backend/utils.py", line 232, in user_has_role
    user_role_dbs = rbac_service.get_roles_for_user(user_db=user_db)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2_rbac_backend-3.4.dev0-py3.6.egg/st2rbac_backend/service.py", line 87, in get_roles_for_user
    queryset = UserRoleAssignment.query(user=user_db.name)
AttributeError: 'NoneType' object has no attribute 'name' (_exception_class='AttributeError',_exception_message="'NoneType' object has no attribute 'name'",_exception_data={})
2021-02-08 15:24:46,715 140311874581616 INFO logging [-] f9a6d8e1-17c6-4fcc-8615-f01b8dc204e2 - 500 46 15.714ms (method='GET',path='/v1/actionalias/help',remote_addr='127.0.0.1',status=500,runtime=15.714,content_length=46,request_id='f9a6d8e1-17c6-4fcc-8615-f01b8dc204e2')

# sample RBAC role file, see https://docs.stackstorm.com/rbac.html#defining-roles-and-permission-grants
---
name: "sample"
description: "Example Role which contains no permission grants and serves for demonstration purposes"
permission_grants:
  - resource_uid: "action:core:echo"
    permission_types:
      - "action_execute"

root@a24bf10f204e:/opt/stackstorm# st2-apply-rbac-definitions --config-file /etc/st2/st2.docker.conf
Loading RBAC definitions
2022-07-26 20:29:53,876 INFO [-] Connecting to database "st2" @ "mongo:27017" as user "None".
2022-07-26 20:29:53,880 INFO [-] Successfully connected to database "st2" @ "mongo:27017" as user "None".
2022-07-26 20:29:54,083 INFO [-] Loading role definitions from "/opt/stackstorm/rbac/roles/"
Traceback (most recent call last):
  File "/usr/bin/st2-apply-rbac-definitions", line 15, in <module>
    sys.exit(apply_rbac_definitions.main(sys.argv[1:]))
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2rbac_backend/cmd/apply_rbac_definitions.py", line 60, in main
    apply_definitions()
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2rbac_backend/cmd/apply_rbac_definitions.py", line 42, in apply_definitions
    result = loader.load()
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2rbac_backend/loader.py", line 61, in load
    result["roles"] = self.load_role_definitions()
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2rbac_backend/loader.py", line 79, in load_role_definitions
    role_definition_api = self.load_role_definition_from_file(file_path=file_path)
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2rbac_backend/loader.py", line 159, in load_role_definition_from_file
    role_definition_api = role_definition_api.validate()
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/models/api/rbac.py", line 170, in validate
    cleaned = super(RoleDefinitionFileFormatAPI, self).validate()
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/models/api/base.py", line 75, in validate
    cleaned = util_schema.validate(
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/util/schema/__init__.py", line 370, in validate
    instance = assign_default_values(instance=instance, schema=schema)
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/util/schema/__init__.py", line 255, in assign_default_values
    instance[property_name] = assign_default_values(
  File "/opt/stackstorm/st2/lib/python3.8/site-packages/st2common/util/schema/__init__.py", line 249, in assign_default_values
    array_instance = instance.get(property_name, None)
AttributeError: 'list' object has no attribute 'get'

2021-10-06 09:56:21,637 140650525596712 ERROR router [-] Failed to call controller function "post" for operation "st2api.controllers.v1.actionexecutions:action_execution_rerun_controller.post": User "<user>" doesn't have required permission "action_execute" on resource "action:<my special pack>:<my action>"
Traceback (most recent call last):
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2common/router.py", line 621, in __call__
    resp = func(**kw)
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/v1/actionexecutions.py", line 675, in post
    show_secrets=show_secrets,
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2api/controllers/v1/actionexecutions.py", line 130, in _handle_schedule_execution
    permission_type=permission_type,
  File "/opt/stackstorm/st2/lib/python3.6/site-packages/st2rbac_backend/utils.py", line 127, in assert_user_has_resource_db_permission
    permission_type=permission_type)
st2common.exceptions.rbac.ResourceAccessDeniedError: User "<user>" doesn't have required permission "action_execute" on resource "action:<my special pack>:<my action>"

2021-05-11 15:33:16,873 INFO [-] Loading role definitions from "/opt/stackstorm/rbac/roles/"
2021-05-11 15:33:16,873 INFO [-] Loading user role assignments from "/opt/stackstorm/rbac/assignments/"
2021-05-11 15:33:16,874 INFO [-] Loading group to role map definitions from "/opt/stackstorm/rbac/mappings/"
2021-05-11 15:33:16,874 INFO [-] Synchronizing roles...

2021-05-11 15:33:36,197 INFO [-] Loading role definitions from "/opt/stackstorm/rbac/roles/"
2021-05-11 15:33:36,197 INFO [-] Loading user role assignments from "/opt/stackstorm/rbac/assignments/"
2021-05-11 15:33:36,197 INFO [-] Loading group to role map definitions from "/opt/stackstorm/rbac/mappings/"
2021-05-11 15:33:36,197 DEBUG [-] Loading group to role mapping from: /opt/stackstorm/rbac/mappings/stormers.yaml
2021-05-11 15:33:36,263 INFO [-] Synchronizing roles...

permission_grants:
    -
        resource_uid: "pack:example"
        permission_types:
           - "pack_all"
           - "sensor_type_all"
           - "rule_all"
           - "action_all"

~]# grep rbac /etc/st2/st2.conf -A2
[rbac]
sync_remote_groups = True

~]# cat /opt/stackstorm/rbac/mappings/stormers.yaml
---
  group: "cn=GROUP_NAME,ou=groups,o=ldaporg"
  roles:
    - "observer"

    > use st2
    switched to db st2
    > db.group_to_role_mapping_d_b.find()
    { "_id" : ObjectId("62deaa7b77bfe684352d1d3a"), "group" : "cn=GROUP_NAME,ou=groups,o=ldaporg", "roles" : [ "observer" ], "source" : "mappings/stormers.yaml", "enabled" : true }

  ~ % ldapsearch -H ldap://ldap.myorg.net:389 -x -ZZ -LLL -b ou=Users,o=ldaporg "cn=my_username"
  dn: cn=my_username,ou=Users,o=ldaporg
  memberOf: cn=GROUP_NAME,ou=Groups,o=ldaporg