-
|
Dear all, I am trying to wrap my head around ArgoCD RBAC policies. Everything is working fine, but only if I assing policies to groups. Assigning policies to users is not being respected apparently. For a demo setup I have enabled the "applications in any namespace" feature and can see my application in the As a user ( policy.default: ""
policy.csv: |
g, cluster-admin, role:admin
g, admin, role:admin
g, my-group, role:readonly
p, my-user, applications, *, */my-namespace/*, allow I found the warning that polices cannot be assigned to groups unless the group gets assigned a role first. OK, that should not be a problem, as my group gets a role and I want to target a user. But not matter what I try, the last line never takes effect. Whether or not I use Funny thing: When I replace the user's name with the group's name, it suddenly works. p, my-group, applications, *, */my-namespace/*, allowAny ideas? Can I not target users in policies? Did I mess up the syntax? Is there a difference in the users whether they are local or come from Oauth (which is the case for me)? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 1 reply
-
|
Hmm, working around this by creating a group for each user and then granting permissions to the group works, but is ugly. Is it really not possible to target individual users? |
Beta Was this translation helpful? Give feedback.
-
|
The pattern you are seeing is right (a group The So you have two clean options:
# argocd-rbac-cm
data:
scopes: '[groups, email]'
policy.csv: |
p, user@example.org, applications, *, */my-namespace/*, allowLocal (non-SSO) accounts are different: their login name is the subject, so |
Beta Was this translation helpful? Give feedback.
The pattern you are seeing is right (a group
p/gworks, an identical line with the user does not), but the lever is not quite "user vs group". It is which OIDC claims Argo CD examines during RBAC enforcement.The
argocd-rbac-cmhas ascopesfield that lists the OIDC scopes/claims checked in addition tosub, and it defaults to[groups]. That is why group policies work out of the box (thegroupsclaim is examined) while ap, my-user, ...line does not match: the username/email claim is not being examined unless you add it. Also, for SSO the subject used is derived from the token (with Dex,federated_claims.user_id), not the display name shown in the UI.So you have two clean options: