Open eidmantas opened 9 months ago
I'm facing the same issue. In my case we allow access to projects for certain groups, which differ per project. These groups are not meant to be considered in the argocd-server RBAC config, only in projects.
I tried adding `repositories, get, *` permissions in the project, but this didn't work.
Same issue here using Azure OIDC, and the default role is '' (no permissions).
Just wanted to add that we're kinda hitting this as well. Our Argo CD deployment compartmentalizes users using projects mapped to SSO roles so regular accounts have limited permissions, something like:
```csv
p, role:x, applications, get, x-project/*, allow
p, role:x, applications, sync, x-project/*, allow
p, role:x, logs, get, x-project/*, allow
p, role:x, exec, create, x-project/*, allow
p, role:x, projects, get, x-project, allow
```
As reported here, those users are unable to properly use the "history and rollback" functionality. For us it is not feasible either to give unlimited `get` access to all repositories, as they're not shared across projects.
I imagine that the clean (but not trivial) solution is to add functionality to classify all Argo CD resources into projects (not only apps, but repositories, clusters, etc.); that way we should be able to add something like:
```csv
p, role:x, repositories, get, x-project/*, allow
```
to get the history and rollback view to work.
Replying to myself, I just learnt that the above is actually (partially) doable -- I was just looking in the wrong place. It's indeed possible to map repositories to projects and declare ACLs on them. This is not documented in the RBAC documentation but in the projects' one :). There are a couple of drawbacks, though:
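What the comment above describes, written out as an added example (not manifests from this issue or from the Argo CD project itself): a repository scoped to a project, and a project role that grants `repositories, get` on that project's repositories and is bound to an SSO group, so the group needs no entry in `policy.csv`. The project name `x-project`, role `x-role`, group `x-team@example.com` and the repository URL are assumed names.

```yaml
# Added example, not from the issue or the Argo CD project.
# Repository secret scoped to a single project: the "project" field is what
# turns its RBAC object from "<repo-url>" into "x-project/<repo-url>", so a
# policy on "x-project/*" can match it.
apiVersion: v1
kind: Secret
metadata:
  name: x-project-apps-repo            # assumed name
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  type: git
  url: https://git.example.com/x-team/apps.git   # assumed URL
  project: x-project
---
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: x-project                      # assumed name
  namespace: argocd
spec:
  # Only the project-scoped repository above may be used as an app source.
  sourceRepos:
    - https://git.example.com/x-team/apps.git
  destinations:
    - namespace: "x-*"
      server: https://kubernetes.default.svc
  roles:
    - name: x-role                     # assumed name
      description: get/sync/logs/exec/rollback for the x team inside x-project
      # Project-role policies must use the subject "proj:<project>:<role>" and an
      # object under "<project>/"; the Argo CD API rejects anything else.
      policies:
        - p, proj:x-project:x-role, applications, get, x-project/*, allow
        - p, proj:x-project:x-role, applications, sync, x-project/*, allow
        - p, proj:x-project:x-role, logs, get, x-project/*, allow
        - p, proj:x-project:x-role, exec, create, x-project/*, allow
        # The grant the thread is about: scoped to this project's repositories
        # instead of "repositories, get, *" in argocd-rbac-cm.
        - p, proj:x-project:x-role, repositories, get, x-project/*, allow
      # Binds the OIDC/SSO group straight to the project role; no "g" line in
      # policy.csv is needed for it.
      groups:
        - x-team@example.com           # assumed group
```

Two things to check before relying on this. First, `x-project/*` only matches repositories that carry `project: x-project`; a repository secret without that field stays global, its RBAC object is the bare URL, and it can only be read through a `repositories, get, <url>` (or `*`) line in `policy.csv`, which is exactly the gap the thread reports. Second, project roles are validated against a fixed set of resources (`applications`, `repositories`, `clusters`, `exec`, `logs`), so a line like `projects, get, x-project` from the `policy.csv` in the comment above cannot be moved into the project role and has to stay in `argocd-rbac-cm` if it is needed.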
Describe the bug
If a user only has permissions through ArgoCD Projects, not through policy.csv, he/she is not able to use the History & Rollback function and gets
To Reproduce
1. Create a new project.
2. In the default role adjust: 2.1) Action: `*`, 2.2) Application: `some-application/*`, 2.3) Permission: allow.
3. Use an OIDC group like `sample-team@sample-company.com`.
4. Create any application in that project, go to History & Rollback and get the error.
5. Add
and assign it to the user in policy.csv, and it starts working.
Logs
A call is being made to `/api/dex` at the same time as well.