Hmm, working around this by creating a group for each user and then granting permissions to the group works, but is ugly. Is it really not possible to target individual users?
Dear all,
I am trying to wrap my head around ArgoCD RBAC policies.
Everything is working fine, but only if I assign policies to groups. Assigning policies to users is not being respected apparently.
For a demo setup I have enabled the "applications in any namespace" feature and can see my application in the my-namespace namespace.
As a user (my-user, which is part of the my-group group) I can "read" the applications, but syncing or deleting is not allowed, despite the last line. The username and the groups show up in the user info in the UI.
I found the warning that policies cannot be assigned to groups unless the group gets assigned a role first.
https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md?plain=1#L67
OK, that should not be a problem, as my group gets a role and I want to target a user.
But no matter what I try, the last line never takes effect. Whether or not I use */* or the syntax with the namespace, same result.
Funny thing: When I replace the user's name with the group's name, it suddenly works.
p, my-group, applications, *, */my-namespace/*, allow
Any ideas? Can I not target users in policies? Did I mess up the syntax? Is there a difference in the users whether they are local or come from OAuth (which is the case for me)?