jannfis
commented
4 years ago Hm, this is an interesting proposal and I can see the need for it - users tend to click quickly, hitting the wrong buttons, mayhem ensues. An additional (optional) safeguard in the UI could be a good thing, I have seen other UIs implementing such things as well.
I think this could be handled by an additional session cookie within the UI, and there's no need for additional RBAC roles. This should be only a safeguard against human errors for the UI.
When this session cookie (e.g. argocd-write-mode=true or similar) is not set, the UI will return an error on all data manipulating queries (i.e. POST, PUT, DELETE) it would usually send. A button on the UI (e.g Enable Write Mode) could be responsible for setting the cookie (and deleting it, when write mode is turned off again by the user).
The final decision whether the query is permitted is still done by the API, evaluating the RBAC permissions using the user's JWT token.
What do you think about this?
drewboswell
victorboissiere
Summary
Add operational lock/unlock functionality/button. (lock on sync, modify, edit, delete etc.)
Motivation
This is principally to protect admins from accidental or erroneous action on critical infrastructure., and introduces an extra layer of accountability. I would also add some peace of mind when operating applications individually or as a group for critical apps like ingress-controllers, sealed-secrets, rbac-manager etc.
Proposal
To not break a gitops workflow, this can take the form of an RBAC permission toggle.
There are a few options to consider: