argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

ArgoCD project level role permissions not enough to use History & Rollback button #16580

Open eidmantas opened 9 months ago

eidmantas commented 9 months ago

Describe the bug

If a user only has permissions through ArgoCD Projects, not through policy.csv, he/she is not able to use the History & Rollback function and gets

Unable to load data: permission denied: repositories, get, https://sample-company.com/samples/sample-application/kubernetes.git, sub: ChUxMDyesyesyesBmdvb2dsZQ, iat: 2023-12-01T08:51:27Z

To Reproduce

  1. Create a new project.

  2. In the default role, adjust: 2.1) ACTION: *, 2.2) Application: some-application/*, 2.3) Permission: allow.

  3. Use OIDC group like sample-team@sample-company.com.

  4. Create any application in that project, go to History & Rollback, and get the error.

  5. Add

    p, role:sample-app-writes, repositories, get, *, allow

    and assign it to the user in policy.csv, and it starts working.

Expected behavior

  1. I would expect that it is enough to only use Project permissions and not the Dex policy.csv to use basic functions in the GUI.

Version

argocd@argocd-server-6d7d96d8b5-w26jq:~$ argocd version
argocd: v2.9.1+58b04e5
  BuildDate: 2023-11-14T15:08:20Z
  GitCommit: 58b04e5e11d007b0518853029ff7612c24a2eb35
  GitTreeState: clean
  GoVersion: go1.21.3
  Compiler: gc
  Platform: linux/amd64
FATA[0000] Argo CD server address unspecified           
argocd@argocd-server-6d7d96d8b5-w26jq:~$ 

Logs

Unable to load data: permission denied: repositories, get, https://some-company.com/samples/sample-application/kubernetes.git, sub: ChUxMDyesyesyesBmdvb2dsZQ, iat: 2023-12-01T08:51:27Z

A call is being made to /api/dex at the same time as well.

bakito commented 8 months ago

I'm facing the same issue. In my case we allow access to projects for certain groups that differ on each project. These groups are not to be considered in the argocd-server RBAC config but only in projects.

I tried adding repositories, get, * permissions in the project, but this didn't work.

adamshawvipps commented 2 weeks ago

Same issue here using Azure OIDC, and the default role is '' (no permissions).

nbarrientos commented 1 week ago

Just wanted to add that we're kinda hitting this as well. Our Argo CD deployment compartmentalizes users using projects mapped to SSO roles so regular accounts have limited permissions, something like:

      p, role:x, applications, get, x-project/*, allow
      p, role:x, applications, sync, x-project/*, allow
      p, role:x, logs, get, x-project/*, allow
      p, role:x, exec, create, x-project/*, allow
      p, role:x, projects, get, x-project, allow

As reported here, those users are unable to properly use the "history and rollback" functionality. For us it is not feasible either to give unlimited get access to all repositories, as they're not shared across projects.

I imagine that the clean (but not trivial) solution is to add functionality to be able to classify all Argo CD resources into projects (not only apps, but repositories, clusters, etc.), so that we should be able to add something like:

      p, role:x, repositories, get, x-project/*, allow

to get the history and rollback view to work.
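As an added illustration of the permission check behind the reporter's error and the policy lines in the comment above, the following Python script is not Argo CD's code and does not reproduce its real Casbin model. It is a simplified evaluator: `*` in a policy field matches any run of characters (including `/`), a request is allowed when some matching `p` line says allow and no matching line says deny, and everything else is denied. The five `p` lines are the ones from the comment above; the `g` group binding, the user name, the application name and the second repository URL are constructed for the example. It shows why a role with only application-scoped permissions gets "permission denied: repositories, get, <url>", why the `repositories, get, *` workaround from the issue body grants access to every repository, and why a `x-project/*` object pattern cannot match a bare repository URL unless the object is prefixed with the project name, which is what the commenter asks for.

```python
"""Toy model of Casbin-style RBAC matching as used for Argo CD policy.csv lines.

This is an added, simplified example: it is NOT Argo CD's enforcer and makes
no claim about how Argo CD names project-scoped repository objects.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    sub: str  # role or user
    res: str  # resource kind: applications, repositories, logs, ...
    act: str  # action: get, sync, create, ...
    obj: str  # object: project/app-name, repository URL, ...
    eft: str  # allow | deny


def glob_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters (including '/'); all else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def parse_policy_csv(text: str):
    """Parse 'p, sub, res, act, obj, eft' and 'g, user, role' lines."""
    policies, groups = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            policies.append(Policy(*fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            groups.setdefault(fields[1], set()).add(fields[2])
        else:
            raise ValueError(f"unrecognised policy line: {raw!r}")
    return policies, groups


def subjects_for(user: str, groups: dict) -> set:
    """The user itself plus every role reachable through 'g' bindings."""
    subs, frontier = {user}, [user]
    while frontier:
        current = frontier.pop()
        for role in groups.get(current, ()):
            if role not in subs:
                subs.add(role)
                frontier.append(role)
    return subs


def enforce(policies, groups, user, res, act, obj) -> bool:
    """Allow iff some matching line allows and no matching line denies."""
    subs = subjects_for(user, groups)
    allowed = denied = False
    for p in policies:
        if (p.sub in subs and glob_match(p.res, res)
                and glob_match(p.act, act) and glob_match(p.obj, obj)):
            if p.eft == "deny":
                denied = True
            elif p.eft == "allow":
                allowed = True
    return allowed and not denied


# Policy lines from the comment above; the 'g' binding is constructed.
BASE_POLICY = """
g, sample-team@sample-company.com, role:x
p, role:x, applications, get, x-project/*, allow
p, role:x, applications, sync, x-project/*, allow
p, role:x, logs, get, x-project/*, allow
p, role:x, exec, create, x-project/*, allow
p, role:x, projects, get, x-project, allow
"""

USER = "sample-team@sample-company.com"
# Repository URL from the reporter's error message, plus a constructed second repo.
REPO = "https://sample-company.com/samples/sample-application/kubernetes.git"
OTHER_REPO = "https://other.example.com/unrelated/private.git"


def check(extra_policy_lines: str = "") -> dict:
    """Evaluate the three requests the thread cares about under BASE_POLICY + extras."""
    policies, groups = parse_policy_csv(BASE_POLICY + "\n" + extra_policy_lines)
    return {
        "app_get": enforce(policies, groups, USER, "applications", "get",
                           "x-project/sample-application"),
        "repo_get": enforce(policies, groups, USER, "repositories", "get", REPO),
        "other_repo_get": enforce(policies, groups, USER, "repositories", "get", OTHER_REPO),
    }


if __name__ == "__main__":
    print("project role only:       ", check())
    print("repositories, get, *:    ", check("p, role:x, repositories, get, *, allow"))
    print("repositories x-project/*:", check("p, role:x, repositories, get, x-project/*, allow"))
```

Running the script shows the three situations from the thread: with the project role alone the application is readable but the repository get is denied; the `repositories, get, *` line fixes the rollback view but also opens the constructed unrelated repository; and a `x-project/*` pattern still denies the bare URL, so per-project repository permissions only work if the object carries the project name.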

nbarrientos commented 1 week ago

Replying to myself, I just learnt that the above is actually (partially) doable. I was just looking in the wrong place. It's indeed possible to map repositories to projects and declare ACLs on them. This is not documented in the RBAC documentation but in the projects' one :). There are a couple of drawbacks, though: