argocd RBAC misunderstanding

[artarik]

Checklist:

• [ x ] I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
• [ x ] I've included steps to reproduce the bug.
• [ x ] I've pasted the output of argocd version.

Describe the bug

I have this config in argocd-rbac-cm

...
p, user@domain.com, applications, get, system/*, allow
p, user@domain.com, applications, sync, system/metrics-server*, allow
p, user@domain.com, applications, update, system/metrics-server*, allow
p, user@domain.com, applications, delete, system/metrics-server*, allow
p, user@domain.com, applications, create, system/metrics-server*, allow 
...

but user see clean page in Argocd without any applications If he tries to access via direct link he gets an error with permissions denied and in argocd-server logs I see

"msg":"user tried to get application which they do not have access to: rpc error: code = PermissionDenied desc = permission denied: applications, get, system/metrics-server-dal.cluster

but if i check permissions via argocd cli it's give me that everything OK

❯ argocd admin settings rbac can user@domain.com get applications 'system/metrics-server-dal.cluster' -n argocd
Yes

I tries to restart argocd-server but it doesn't help

To Reproduce

Expected behavior

User get access to requested resources

Version

❯ argocd version
argocd: v2.9.16+eb77b70
  BuildDate: 2024-05-23T14:12:01Z
  GitCommit: eb77b7028cf49935162199f7ba342b131feba283
  GitTreeState: clean
  GoVersion: go1.21.10
  Compiler: gc
  Platform: linux/amd64
argocd-server: v2.9.16+eb77b70
  BuildDate: 2024-05-23T14:12:01Z
  GitCommit: eb77b7028cf49935162199f7ba342b131feba283
  GitTreeState: clean
  GoVersion: go1.21.10
  Compiler: gc
  Platform: linux/amd64
  Kustomize Version: could not get kustomize version: exec: "kustomize": executable file not found in $PATH
  Helm Version: v3.12.2+g1e210a2
  Kubectl Version: v0.24.17
  Jsonnet Version: v0.20.0

[artarik]

as a workaround I can do this

p, role:test-user, applications, get, system/*, allow
p, role:test-user, applications, sync, system/metrics-server*, allow
p, role:test-user, applications, update, system/metrics-server*, allow
p, role:test-user, applications, delete, system/metrics-server*, allow
p, role:test-user, applications, create, system/metrics-server*, allow 
...
g, user@domain.com, role:test-user

and it's works, but I don't understand why it's not works without creating role

[sravanakinapally]

We have a similar error where the server should say not found but API responds back permission denied with response code 403

The expectation is it should respond with not found and 404 code

❯ argocd version
argocd: v2.3.0+fe42780.dirty
  BuildDate: 2022-03-07T05:19:43Z
  GitCommit: fe427802293b090f43f91f5839393174df6c3b3a
  GitTreeState: dirty
  GoVersion: go1.17.8
  Compiler: gc
  Platform: darwin/amd64
argocd-server: v2.9.6+ba62a0a
  BuildDate: 2024-02-02T19:17:57Z
  GitCommit: ba62a0a86d19f71a65ec2b510a39ea55497e1580
  GitTreeState: clean
  GoVersion: go1.21.3
  Compiler: gc
  Platform: linux/amd64
  Kustomize Version: v5.2.1 2023-10-19T20:13:51Z
  Helm Version: v3.13.2+g2a2fb3b
  Kubectl Version: v0.24.17
  Jsonnet Version: v0.20.0

This user have argo admin built in role assigned

 ❯ argocd app get vanessatest-nonprod-3
FATA[0000] rpc error: code = PermissionDenied desc = permission denied

argocd server logs says not found

2024-07-23T16:46:47.959 argocd-server-xxxxxxx-xlspf:server time=“2024-07-23T21:46:47Z” level=info msg=“received unary call /application.ApplicationService/Get” grpc.method=Get grpc.request.content=“name:\“vanessatest-nonprod-3\” resourceVersion:\“\” selector:\“\” repo:\“\” ” grpc.service=application.ApplicationService grpc.start_time=“2024-07-23T21:46:47Z” span.kind=server system=grpc
2024-07-23T16:46:47.966 argocd-server-xxxxxxx-xlspf:server time=“2024-07-23T21:46:47Z” level=warning msg=“application does not exist” application=vanessatest-nonprod-3 namespace=dx-argocd

[KasnocknDave]

I opened an issue regarding this topic: https://github.com/argoproj/argo-cd/issues/20005

[andrii-korotkov-verkada]

I think it's just how casbin works, i.e. you need a role. Not 100% sure though.