Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ArgoCD v2.6.9+3f1e7d4 - permission denied for ListLinks service #13936

Open
ekaparulin opened this issue Jun 7, 2023 · 4 comments
Open

ArgoCD v2.6.9+3f1e7d4 - permission denied for ListLinks service #13936

ekaparulin opened this issue Jun 7, 2023 · 4 comments
Labels
bug Something isn't working

Comments

@ekaparulin
Copy link

Hi,

I have upgraded to version v2.6.9 (from 2.4 to 2.5 to 2.6) and observe a strange issue with permission denied for ListLinks. When I click in the UI on the application the info is shown, but there is also an error message:

Screenshot 2023-06-07 at 08 09 43

As you can see, the content of "LINKS" is not being displayed. The logs show a corresponding warning:

time="2023-06-07T05:10:51Z" level=warning msg="finished unary call with code PermissionDenied" error="rpc error: code = PermissionDenied desc = permission denied" grpc.code=PermissionDenied grpc.method=ListLinks grpc.service=application.ApplicationService grpc.start_time="2023-06-07T05:10:51Z" grpc.time_ms=11.956 span.kind=server system=grpc

  • I did not find anything in Google regarding this.
  • I did not find any specific setting in the policy.csv according to https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/ allowing the links to be listed...
  • I do not use the links in the argocd-cm config map.
  • The error does not appear for the admin user
  • The custom user policy is like this:
      p, role:test-admins, applications, *, test/*, allow
      p, role:test-admins, applicationsets, *, test/*, allow
      p, role:test-admins, logs, get, test/*, allow
      p, role:test-admins, exec, create, test/*, allow
      p, role:test-admins, projects, get, test, allow
      p, role:test-admins, projects, update, test, allow
      p, role:development-admins, repositories, create, *, allow

      g, argo-cd:Test-Admins, role:test-admins

To Reproduce

I have no idea whether it can be reproduced. I guess with the policies.csv from above and ArgoCD of this version:

Argo CD: v2.6.9+3f1e7d4
Build Date: 2023-06-05T19:03:22Z
Go Version: go1.19.7
Go Compiler: gc
Platform: linux/amd64
jsonnet: v0.19.1
kustomize: v4.5.7 2022-08-02T16:35:54Z
Helm: v3.10.3+g835b733
kubectl: v0.24.2

Expected behavior

I expect to have a clear set of permission polices applicable to resources: clusters, projects, applications, applicationsets, repositories, certificates, accounts, gpgkeys, logs, exec, extensions

Links seem to be part of many of those things and the permission specification is not transparent.

Version

argocd-server: v2.6.9+3f1e7d4
  BuildDate: 2023-06-05T19:03:22Z
  GitCommit: 3f1e7d401e4a23bc2060b88aaef33e034bf9ec3e
  GitTreeState: clean
  GoVersion: go1.19.7
  Compiler: gc
  Platform: linux/amd64
  Kustomize Version: v4.5.7 2022-08-02T16:35:54Z
  Helm Version: v3.10.3+g835b733
  Kubectl Version: v0.24.2
  Jsonnet Version: v0.19.1
@ekaparulin ekaparulin added the bug Something isn't working label Jun 7, 2023
@crenshaw-dev
Copy link
Member

Looks like this may be related: #13694

@crenshaw-dev
Copy link
Member

I'm queued up Geoffrey's fix for 2.6.13.

@jgwest
Copy link
Member

jgwest commented Apr 4, 2024

Referenced PR has been merged, has this issue resolved?

@vladsf
Copy link

vladsf commented May 30, 2024

not resolved 2.9.3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

4 participants