StackStorm / st2

StackStorm (aka "IFTTT for Ops") is event-driven automation for auto-remediation, incident responses, troubleshooting, deployments, and more for DevOps and SREs. Includes rules engine, workflow, 160 integration packs with 6000+ actions (see https://exchange.stackstorm.org) and ChatOps. Installer at https://docs.stackstorm.com/install/index.html

Home Page: https://stackstorm.com/

Organisation for ST2

philipphomberger opened this issue · comments

Hi Community,
I think this idea is maybe very complex. I don't know if it's possible.
It would be nice if you could create different orgs in StackStorm. Do you know AWX and Ansible Automation Platform? There you can create an org as a top-level domain, so you can create orgs for different teams in a company.
The idea would be that I can log in to ST2 and then switch between orgs with a button.
So when I am in org Customer1 I see all packs, history, and everything that was done in this context, and when I switch to org Customer2 I can only see that stuff.
This would make it easier to create the right RBAC rules.
What do you think about it?

Can't I currently do something like this with LDAP mapping to RBAC roles?

It's possible to map roles to an LDAP group. But there are some limitations with RBAC. (Please correct me if I am wrong about it.)

  1. Key Value Store: I have set up a role for any system namespace scope. I cannot create any team namespace.
  2. To use the UI I need to set up global read for list views on rules, executions, actions, and packs. It would be better to have a kind of filtered view where users only see the stuff belonging to their teams.

At the moment I'm working on a POC to build a multi-team shared StackStorm instance. In the past we had many, but that generated a lot of cost in the cloud.
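A concrete version of the LDAP-group-to-role setup discussed in the two comments above, added here as an illustration; it is not part of this thread and not code from the StackStorm project. It assumes StackStorm's file-based RBAC definitions (role files under /opt/stackstorm/rbac/roles/, group mapping files under /opt/stackstorm/rbac/mappings/, loaded with st2-apply-rbac-definitions); the role name customer1_operator, the pack name customer1, the LDAP group DN and the key name are hypothetical, and the key_value_pair resource UID format is as I understand it from the RBAC docs and should be checked against your version. It shows the second limitation above: view/execute grants can be scoped to one pack, but the *_list permission types that the web UI needs take no resource_uid and are therefore global, and key-value grants are addressed by system or user scope rather than by team.

```yaml
# File 1: /opt/stackstorm/rbac/roles/customer1_operator.yaml (hypothetical role)
---
name: "customer1_operator"
description: "Team customer1: run and inspect only the 'customer1' pack (pack name assumed)"
permission_grants:
  # Scoped grants: limited to one pack's actions, rules and executions.
  - resource_uid: "pack:customer1"
    permission_types:
      - "action_view"
      - "action_execute"
      - "rule_view"
      - "execution_view"
      - "execution_re_run"
  # Global grants: *_list permission types carry no resource_uid, so the
  # list views the UI depends on expose every pack's names to this role.
  - permission_types:
      - "action_list"
      - "rule_list"
      - "execution_list"
      - "pack_list"
  # Key-value grants are addressed by scope and key name. There is a system
  # scope and a per-user scope but no per-team namespace, so a shared team
  # secret has to live under system: with a naming convention (assumed UID format).
  - resource_uid: "key_value_pair:system:customer1.api_token"
    permission_types:
      - "key_value_pair_view"
      - "key_value_pair_set"

# File 2: /opt/stackstorm/rbac/mappings/customer1.yaml (group DN is hypothetical)
---
group: "CN=st2-customer1,OU=Groups,DC=example,DC=com"
description: "Members of the customer1 LDAP group receive the customer1_operator role"
roles:
  - "customer1_operator"
```

The mapping file only takes effect when RBAC is enabled and remote group sync is turned on in st2.conf (the [rbac] section: enable = True and sync_remote_groups = True) and the LDAP auth backend is configured to return group membership; after editing the files run st2-apply-rbac-definitions so the role and mapping are loaded. A second team gets its own role and mapping file with its own pack; what it still shares with customer1 is the global list views and the system KV scope.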

I agree about the Key Value Store, and I'd like to see a feature for auto-deleting the values if a team is unassigned from the instance. Overall this is a good idea, as client/user data separation is a good practice in corporate environments.

What I would perhaps also like to see, if you're going to implement team segmentation like this, is to be able to segment the workspace of the users. My current setup has an ST2 instance running on a server with manually added team-specific folders in st2.conf packs_base_paths. Since ST2 allows for creation of workflows in the UI but does not allow for creation of Python actions, I've also put JupyterHub (which spawns a user-specific Jupyter notebook server via Docker) onto the same host. This way I can have team-specific folders mounted into Jupyter, and people can create or modify py scripts without having access to the server.