Enable fine-grained update/delete RBAC enforcement by default #19988

Closed
agaudreault opened this issue Sep 18, 2024 · 2 comments · Fixed by #20671
Assignees: agaudreault
Labels: component:rbac (Issues related to Openshift and Racher), enhancement (New feature or request)
Milestone: v3.0

Comments

@agaudreault (Member) commented Sep 18, 2024

Summary

In 2.12 we introduced new RBAC for fine-grained update/delete in #18124. To keep backward compatibility, the applications, update and applications, delete RBAC implicitly grant permissions to update/delete an application's resources.

Motivation

Streamline behavior that was not possible without breaking changes.

Proposal

With the new fine-grained RBAC, applications, update and applications, delete give permission to manually edit/delete the Application, while applications, update/* and applications, delete/* are used for applications sub-resources.

The built-in policy should be updated to add applications, update/* and applications, delete/* for role:admin to preserve current privilege.
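
The split the proposal describes, worked through as an added example (it is not Argo CD's code and is not part of this issue): a small Python evaluator over a constructed policy.csv that shows how `applications, update` and `applications, update/*` behave once fine-grained enforcement is the default, with a flag that models the pre-3.0 implicit behaviour the issue describes. The sub-resource action format `update/<group>/<kind>/<namespace>/<name>` is taken from the Argo CD RBAC documentation, not from this page; the roles, users and application names are made up; and glob matching is approximated with Python's fnmatch rather than Argo CD's own matcher.

```python
"""Toy model of Argo CD's fine-grained `applications` update/delete RBAC.

Added example for this issue; not Argo CD's code. The policy below is
constructed for illustration and the sub-resource action format
`<action>/<group>/<kind>/<namespace>/<name>` follows the Argo CD RBAC docs.
"""
import csv
import io
from fnmatch import fnmatchcase

# Constructed policy.csv (not the shipped builtin-policy.csv). role:admin
# carries the explicit update/* and delete/* lines the proposal asks for;
# role:app-editor has only the plain actions; role:resource-editor has only
# sub-resource actions.
POLICY_CSV = """\
p, role:admin, applications, *, */*, allow
p, role:admin, applications, update/*, */*, allow
p, role:admin, applications, delete/*, */*, allow
p, role:app-editor, applications, update, team-a/*, allow
p, role:app-editor, applications, delete, team-a/*, allow
p, role:resource-editor, applications, update/*, team-a/*, allow
p, role:resource-editor, applications, delete/*/Pod/*/*, team-a/*, allow
g, alice, role:app-editor
g, bob, role:resource-editor
"""


def parse_policy(text):
    """Split policy.csv into `p` rules and `g` role bindings."""
    rules, groups = [], {}
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or row[0].startswith("#"):
            continue
        if row[0] == "p" and len(row) == 6:
            rules.append(tuple(row[1:]))          # (sub, res, act, obj, eft)
        elif row[0] == "g" and len(row) == 3:
            groups.setdefault(row[1], set()).add(row[2])
    return rules, groups


def subjects_of(user, groups):
    """The user plus every role reachable through `g` bindings."""
    seen, stack = set(), [user]
    while stack:
        s = stack.pop()
        if s not in seen:
            seen.add(s)
            stack.extend(groups.get(s, ()))
    return seen


def enforce(policy, user, resource, action, obj):
    """Casbin-style decision: some matching allow rule and no matching deny.

    Glob matching here is fnmatch, where `*` also spans `/`; confirm the
    behaviour of the real matcher with `argocd admin settings rbac can`.
    """
    rules, groups = policy
    subs = subjects_of(user, groups)
    allowed = denied = False
    for sub, res, act, o, eft in rules:
        if (sub in subs and fnmatchcase(resource, res)
                and fnmatchcase(action, act) and fnmatchcase(obj, o)):
            allowed |= eft == "allow"
            denied |= eft == "deny"
    return allowed and not denied


def can_edit_app(policy, user, app, action):
    """`update`/`delete` on the Application object itself."""
    return enforce(policy, user, "applications", action, app)


def can_edit_resource(policy, user, app, action, group, kind, ns, name,
                      fine_grained=True):
    """`update`/`delete` on one resource managed by Application `app`.

    fine_grained=False models the pre-3.0 default described in the issue:
    a plain `update`/`delete` grant implicitly covers the app's resources.
    fine_grained=True is the proposed default: only `update/...` and
    `delete/...` rules count for sub-resources.
    """
    sub_action = f"{action}/{group}/{kind}/{ns}/{name}"
    if enforce(policy, user, "applications", sub_action, app):
        return True
    return not fine_grained and can_edit_app(policy, user, app, action)


POLICY = parse_policy(POLICY_CSV)

if __name__ == "__main__":
    dep = ("apps", "Deployment", "team-a", "web")
    for mode in (False, True):
        print(f"fine_grained={mode}: alice may update the Deployment ->",
              can_edit_resource(POLICY, "alice", "team-a/web", "update",
                                *dep, fine_grained=mode))
```

With the 3.0 default, alice (plain `update`/`delete`) can edit or delete the Application object but none of its resources, and bob (`update/*` plus `delete/*/Pod/*/*`) can edit any managed resource and delete Pods but cannot touch the Application itself or delete a Deployment. To run the same questions against a real policy instead of this approximation, use Argo CD's own checker, for example `argocd admin settings rbac can role:app-editor 'update/apps/Deployment/team-a/web' applications team-a/web --policy-file policy.csv`.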

@agaudreault agaudreault added the enhancement New feature or request label Sep 18, 2024
@agaudreault agaudreault added this to the v3.0 milestone Sep 18, 2024
@todaywasawesome todaywasawesome added the component:rbac Issues related to Openshift and Racher label Sep 19, 2024
fffinkel added a commit to fffinkel/argo-cd that referenced this issue Nov 5, 2024
A breaking change was introduced in a previous commit that is planned to
be a part of the next major version of Argo CD (v3) where it's okay to
introduce breaking changes. We want this feature before we hit v3, so
we add a config setting that allows us to explicitly turn this new v3
behavior on in v2. The current v2 behavior is the default, so this
change will not affect folks who do not explicitly opt in.

GitHub argoproj#19988, argoproj#20600
fffinkel added a commit to fffinkel/argo-cd that referenced this issue Nov 5, 2024
…oj#19988)

Change applications resource RBAC to use fine-grained update/delete
enforcement by default. This allows us to enforce RBAC on the
application itself, separately from the sub-resources related to it.

(see also argoproj#18124, argoproj#20600)
fffinkel added a commit to fffinkel/argo-cd that referenced this issue Nov 5, 2024
A breaking change was introduced in a previous commit that is planned to
be a part of the next major version of Argo CD (v3) where it's okay to
introduce breaking changes. We want this feature before we hit v3, so
we add a config setting that allows us to explicitly turn this new v3
behavior on in v2. The current v2 behavior is the default, so this
change will not affect folks who do not explicitly opt in.

This commit to add the gating code is added separately so it will be
easy to either cherry pick that previous commit or revert this one.

(see also argoproj#18124, argoproj#20600)
@andrii-korotkov-verkada (Contributor) commented:

I think instead of introducing a breaking change we should create a new mechanism for setting permissions for applications themselves only.

Maybe we introduce the new permission terms like update_self or delete_self.

@fffinkel (Contributor) commented Dec 5, 2024

We're very happy to do that instead. I'll bring it up at the meeting today.

fffinkel added a commit to fffinkel/argo-cd that referenced this issue Jan 7, 2025
…j#20600)

We don't know if this will go out with v3, and furthermore, the name is
not very descriptive.

(see also argoproj#18124, argoproj#19988)

Signed-off-by: Matt Finkel <finkel.matt@gmail.com>
@crenshaw-dev crenshaw-dev moved this to Todo in Argo CD 3.0 Jan 14, 2025
agaudreault added a commit that referenced this issue Jan 17, 2025
…0671)



---------

Signed-off-by: Matt Finkel <finkel.matt@gmail.com>
Signed-off-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>
Co-authored-by: Alexandre Gaudreault <alexandre_gaudreault@intuit.com>
@github-project-automation github-project-automation bot moved this from Todo to Done in Argo CD 3.0 Jan 17, 2025
@agaudreault agaudreault self-assigned this Jan 17, 2025