Groups can only be assigned permissions if they're assigned to a role first #7952

Open
3 tasks done
thatsmydoing opened this issue Dec 16, 2021 · 2 comments
Labels: bug (Something isn't working), component:rbac (Issues related to Openshift and Rancher), type:bug

Comments

@thatsmydoing
Contributor

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

Upgrading from 2.0.5 to 2.1.8, the RBAC doesn't seem to allow p lines to reference groups unless the group has been assigned to a role first.

```
p, someorg:team, projects, get, myproject, allow
```

does not let someone in someorg:team access myproject but

```
g, someorg:team, role:foobar
p, someorg:team, projects, get, myproject, allow
```

does.

With 2.1.8, using `argocd admin settings rbac can 'someorg:team' get project myproject` results in Yes for both but `argocd account can-i get projects myproject` is only yes for the latter.

Version

```
argocd: v2.1.8+2fdaf7a
  BuildDate: 2021-12-13T23:17:51Z
  GitCommit: 2fdaf7a9add4ba6d6657d28dc32228419cb8b8f5
  GitTreeState: clean
  GoVersion: go1.16.5
  Compiler: gc
  Platform: linux/amd64
argocd-server: v2.1.8+2fdaf7a
  BuildDate: 2021-12-13T23:17:51Z
  GitCommit: 2fdaf7a9add4ba6d6657d28dc32228419cb8b8f5
  GitTreeState: clean
  GoVersion: go1.16.5
  Compiler: gc
  Platform: linux/amd64
  Ksonnet Version: v0.13.1
  Kustomize Version: v4.2.0 2021-06-30T22:49:26Z
  Helm Version: v3.6.0+g7f2df64
  Kubectl Version: v0.21.0
  Jsonnet Version: v0.17.0
```
@thatsmydoing added the bug label Dec 16, 2021
@chengfang
Contributor

Since RBAC is role-based, I would think any permission assignment directly to user or group is no longer supported. Users will need to grant a user or group certain roles that have the desired permissions.

Here is another somewhat related PR #11964, which seems to assume this:

Can't we just assume that there are two types of policies right now:

Grants (g), which has two fields (the grantee and the role granted)
Policy (p), which has five fields (the role, the resource type, the verb, the resource name pattern and the action)

WDYT?

@alexmt added the component:rbac and type:bug labels Jul 18, 2024
@chengfang
Contributor

From reading https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md , it seems it's supported and documented to directly assign permissions to user or group. For ex, the following are from the above linked doc:

Syntax: `p, <role/user/group>, <resource>, <action>, <object>, <effect>`

Local users are assigned access by either grouping them with a role or by assigning policies directly to them.
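
A lint for the behaviour reported in this issue, as an added example that is not part of the thread or of Argo CD's code: it lists `p` lines whose subject never appears as the grantee of a `g` line, the case the reporter says stopped taking effect after the upgrade to 2.1.8. It assumes roles are the subjects prefixed `role:` (as in `role:foobar` above); the `someorg:ops` line and all function names are constructed for illustration.

```python
import csv
import io

# Constructed sample: the two lines quoted in the report, plus a second
# group (someorg:ops) with a direct p line and no g line.
SAMPLE_POLICY = """\
# constructed sample
g, someorg:team, role:foobar
p, someorg:team, projects, get, myproject, allow
p, someorg:ops, projects, get, myproject, allow
p, role:foobar, applications, get, myproject/*, allow
"""


def parse_policy(text):
    """Yield (line_no, fields) for each non-empty, non-comment policy line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = next(csv.reader(io.StringIO(stripped), skipinitialspace=True))
        yield line_no, [f.strip() for f in fields]


def ungrouped_direct_grants(text, role_prefix="role:"):
    """Return p lines whose subject is not a role and has no g line."""
    rules = list(parse_policy(text))
    # Every subject that has been assigned to at least one role via g.
    grantees = {f[1] for _, f in rules if f[0] == "g" and len(f) >= 3}
    findings = []
    for line_no, f in rules:
        if f[0] != "p" or len(f) < 2:
            continue
        subject = f[1]
        # Assumption: subjects starting with role_prefix are roles, not groups.
        if subject.startswith(role_prefix) or subject in grantees:
            continue
        findings.append((line_no, subject, ", ".join(f)))
    return findings


if __name__ == "__main__":
    for line_no, subject, rule in ungrouped_direct_grants(SAMPLE_POLICY):
        print(f"line {line_no}: {subject} has no g line: {rule}")
```

A finding here means only that the rule matches the pattern described in the report; whether it is actually denied should be confirmed with `argocd account can-i` as the reporter did.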
