argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

RBAC on Logs viewing does not work as expected with oidc and roles #16409

Open andrei-radulescu opened 11 months ago

andrei-radulescu commented 11 months ago

Checklist:

Describe the bug
Cannot set permissions on log viewing on more than 2 created roles after enabling log RBAC according to the documentation.

To Reproduce
The following policy example can be applied (logs are not shown anywhere, although explicitly set for admin):

g, incoming_admin_role, role:admin
p, role:admin, applications, *, */*, allow
p, role:admin, logs, get, */*, allow
g, incoming_app_operator_role, role:app-operator
p, role:app-operator, applications, *, */*, allow
p, role:app-operator, logs, get, */*, deny
g, incoming_readonly_role, role:readonly
p, role:readonly, applications, get, */*, allow
p, role:readonly, logs, get, */*, deny

Workaround is to remove one role:

g, incoming_admin_role, role:admin
p, role:admin, logs, get, */*, allow
g, incoming_app_operator_role, role:app-operator
p, role:app-operator, applications, *, */*, allow

The workaround will show logs for admin and not for app-operator.

Expected behavior
Expectation is that RBAC on log viewing is to be handled by the policy.csv when using OIDC with specific roles. Configuring more than two roles will produce unexpected results.

Version

v2.7.10+469f257.
christoffer-eide commented 2 months ago

In your first example, you're doing this:

incoming_readonly_role, role:readonly 

role:readonly is a built-in role which gives:

p, role:readonly, logs, get, */*, allow

See https://github.com/argoproj/argo-cd/blob/master/assets/builtin-policy.csv

Also, check if the setting server.rbac.log.enforce.enable is set to true
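To make the interaction between the reporter's policy.csv and the built-in role:readonly rule concrete, here is an added example (not Argo CD's code and not from either commenter) that models the evaluation with a small, self-contained evaluator. It assumes what the thread describes: log enforcement (server.rbac.log.enforce.enable) is on, the built-in policy lines are appended to the user policy, patterns match by glob, and the policy effect is deny-override, meaning a request is allowed only if some allow rule matches and no deny rule matches. Only the single built-in line quoted in the thread is included; the rest of builtin-policy.csv is omitted, and fnmatch is a simplification of the real matcher.

```python
# Added example: a minimal model of Casbin-style policy evaluation for the
# log-access rules discussed in this issue. Not Argo CD's own enforcer.
# Assumptions: deny-override effect, glob matching, built-in rules appended.
import fnmatch

# Constructed input: the first policy.csv from the bug report.
USER_POLICY = """
g, incoming_admin_role, role:admin
p, role:admin, applications, *, */*, allow
p, role:admin, logs, get, */*, allow
g, incoming_app_operator_role, role:app-operator
p, role:app-operator, applications, *, */*, allow
p, role:app-operator, logs, get, */*, deny
g, incoming_readonly_role, role:readonly
p, role:readonly, applications, get, */*, allow
p, role:readonly, logs, get, */*, deny
"""

# Only the built-in line cited in the thread; other built-in rules are omitted.
BUILTIN_POLICY = """
p, role:readonly, logs, get, */*, allow
"""

SUBJECTS = ("incoming_admin_role", "incoming_app_operator_role",
            "incoming_readonly_role")


def parse_policy(csv_text):
    """Split policy text into g (user -> role) pairs and p rule tuples."""
    groups, rules = [], []
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "g" and len(fields) == 3:
            groups.append((fields[1], fields[2]))
        elif fields[0] == "p" and len(fields) == 6:
            rules.append(tuple(fields[1:]))  # (sub, res, act, obj, eft)
        else:
            raise ValueError(f"malformed policy line: {line!r}")
    return groups, rules


def load(*csv_texts):
    """Concatenate several policy sources (user policy, then built-ins)."""
    groups, rules = [], []
    for text in csv_texts:
        g, p = parse_policy(text)
        groups.extend(g)
        rules.extend(p)
    return groups, rules


def roles_of(subject, groups):
    """Transitive closure over g rules; a subject always matches itself."""
    seen, frontier = {subject}, [subject]
    while frontier:
        current = frontier.pop()
        for user, role in groups:
            if user == current and role not in seen:
                seen.add(role)
                frontier.append(role)
    return seen


def enforce(subject, resource, action, obj, groups, rules):
    """Deny-override: allowed iff an allow rule matches and no deny matches."""
    subs = roles_of(subject, groups)
    allowed = denied = False
    for p_sub, p_res, p_act, p_obj, eft in rules:
        if (p_sub in subs
                and fnmatch.fnmatchcase(resource, p_res)
                and fnmatch.fnmatchcase(action, p_act)
                and fnmatch.fnmatchcase(obj, p_obj)):
            if eft == "allow":
                allowed = True
            elif eft == "deny":
                denied = True
    return allowed and not denied


def log_access_report(*csv_texts, obj="default/guestbook"):
    """Map each incoming OIDC group to whether it may read logs of `obj`."""
    groups, rules = load(*csv_texts)
    return {s: enforce(s, "logs", "get", obj, groups, rules) for s in SUBJECTS}


if __name__ == "__main__":
    for subject, ok in log_access_report(USER_POLICY, BUILTIN_POLICY).items():
        print(f"{subject:28} logs/get -> {'allow' if ok else 'deny'}")
    # Without the explicit deny, the built-in allow for role:readonly applies.
    relaxed = USER_POLICY.replace("p, role:readonly, logs, get, */*, deny\n", "")
    print("readonly without explicit deny:",
          log_access_report(relaxed, BUILTIN_POLICY)["incoming_readonly_role"])
```

Under these assumptions the explicit deny on role:readonly wins over the built-in allow, and admin keeps log access; removing the deny line is what lets the built-in role:readonly allow take effect. If a real cluster behaves differently from this model, that difference is the thing to capture in the report (the effective merged policy and the enforcement flag), rather than the policy.csv alone.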

kaiyuanlim commented 2 months ago

> In your first example, you're doing this:
>
> incoming_readonly_role, role:readonly
>
> role:readonly is a built-in role which gives:
>
> p, role:readonly, logs, get, */*, allow
>
> See https://github.com/argoproj/argo-cd/blob/master/assets/builtin-policy.csv
>
> Also, check if the setting server.rbac.log.enforce.enable is set to true

Yes, server.rbac.log.enforce.enable was set to true.

andrii-korotkov-verkada commented 3 days ago

ArgoCD versions 2.10 and below have reached EOL. Can you upgrade and let us know if the issue is still present, please?