Role-based Access Controls for SSO #3525
Comments
We need some requirements for this issue. How do you want RBAC to work and be configured? Please be specific! |
We need something beyond 👍 for this issue to be worked on. Please can you add some information about how you expect RBAC to work? |
Just a thought to start with - a read-only user (can only view workflows; all submit buttons should be disabled) and an admin user with all privileges |
One cheap solution to RBAC is to base it on the URL of each request to the server using Casbin. Operators must configure a So...
Casbin model: model.conf
Casbin policy (you would configure this): policy.csv
Some examples of the URLs:
Many users want to use namespaces for data segregation, but this would not work for artifacts or archived workflows (we could fix that). |
I'd like to hear more use cases please. |
@alexec The SSO enablement in Argo Workflows is not seamless like what we have in ArgoCD, where we also allow an existing OIDC provider. We would like to have simplified SSO functionality along with RBAC enabled. |
The Casbin-based policy is quite a bit more complex than simply mapping a group returned by OIDC to a k8s service account. This is mostly due to the burden of having to write and maintain a policy covering a constantly expanding and changing set of URLs. |
I think you're probably correct about that. |
We still don't have enough use cases to be confident we can implement the right solution for this issue. I've added it as a topic to the next community meeting: |
I think the community meeting gave a couple of key use cases |
RBAC configuration proposal:

```yaml
kind: ConfigMap
metadata:
  name: workflow-controller-configmap
data:
  rbac:
    # to configure the default account to use:
    defaultServiceAccount: my-sa
    # use the first matching rule
    rules:
      - groups:
          anyOf:
            - my-oidc-group
        serviceAccount:
          name: my-sa
```
|
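To make the "first matching rule" semantics of the proposed `rbac` block concrete, here is an added Go example (not Argo's code) that models the config and resolves the service account for a user's OIDC groups; the group and service-account names are assumed:

```go
package main

import "fmt"

// Constructed example, not Argo's code: models the proposed `rbac:` block of
// workflow-controller-configmap and resolves an SSO user's service account.
type GroupMatcher struct{ AnyOf []string } // the proposed groups.anyOf list
type Rule struct {
	Groups         GroupMatcher
	ServiceAccount string // serviceAccount.name in the proposal
}

type RBACConfig struct {
	DefaultServiceAccount string // used when no rule matches
	Rules                 []Rule // evaluated in order; first match wins
}

// matches reports whether any of the user's OIDC groups appears in anyOf.
func (m GroupMatcher) matches(userGroups []string) bool {
	for _, want := range m.AnyOf {
		for _, have := range userGroups {
			if want == have {
				return true
			}
		}
	}
	return false
}

// ResolveServiceAccount returns the first matching rule's service account, falling
// back to defaultServiceAccount. Order matters: a user in both groups gets the earlier rule.
func ResolveServiceAccount(cfg RBACConfig, userGroups []string) string {
	for _, r := range cfg.Rules {
		if r.Groups.matches(userGroups) {
			return r.ServiceAccount
		}
	}
	return cfg.DefaultServiceAccount
}

// ExampleConfig uses assumed group and service-account names (admins listed first).
var ExampleConfig = RBACConfig{
	DefaultServiceAccount: "my-sa",
	Rules: []Rule{
		{Groups: GroupMatcher{AnyOf: []string{"argo-admins"}}, ServiceAccount: "argo-admin-sa"},
		{Groups: GroupMatcher{AnyOf: []string{"developers", "viewers"}}, ServiceAccount: "argo-readonly-sa"},
	},
}

func main() { fmt.Println(ResolveServiceAccount(ExampleConfig, []string{"viewers", "argo-admins"})) }
```

Swapping the two rules would hand an admin who is also a viewer the read-only account, which is the review point to check when reasoning about such a config.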
We have a number of questions on this feature and have put them into a proposal: https://docs.google.com/document/d/1OTVPpWCKM_oO4Z2_pMN1LTyTjWbPv4G9SDmTIpGnIQo/edit?usp=sharing |
Please comment. |
Bump! Please comment on the proposal! https://docs.google.com/document/d/1OTVPpWCKM_oO4Z2_pMN1LTyTjWbPv4G9SDmTIpGnIQo/edit?usp=sharing |
I've created a developer build for your testing: To test this, you need the following extra configuration: Please test and tell me if it meets your needs. |
@danxmoran, @clelange, @ephemeral, @kabilan6, @vladlosev, @lukasmrtvy, @gordonbondon, @dcd000, @rgoldfinger-quizlet, @SM616, and 23 people who reacted with thumbs up emoji. Your feedback is key to ensuring that this feature gets merged. I'd love to get it into the v2.12 release next month, but I really need more feedback from the community. Ideally I'm looking for people to take a deep dive and test it, but reviewing the YAML configuration and reasoning about it would be very valuable too. To test this, you only need to upgrade the Argo Server. @vladlosev thank you for your feedback! Alex |
Hey @alexec, our use case is quite simple atm. We are heavy users of ArgoCD, and we use Okta + Dex for auth. We would like to use something similar for Argo Workflows. (Casbin style) Happy to join the next community meeting to discuss further. Thanks, |
Don't forget to try out |
@alexec I tried installing this image in our cluster but have no success making it work. I noticed in the server's logs that it was not outputting the |
Thank you. I'll investigate. |
Try this:

```
docker run argoproj/argocli:rbac version
argo: v2.3.0-rc3
BuildDate: 2020-09-15T21:56:10Z
GitCommit: dd5aad87e4cd64c126b3fa2209903c566bbaee86 # <-- check this is same
GitTreeState: clean
GitTag: v2.3.0-rc3 # <-- ignore this :)
GoVersion: go1.13.4
Compiler: gc
Platform: linux/amd64
```
|
@alexec it works like a charm with the updated image! The operation is very transparent when permissions are sufficient and the error messages are quite conspicuous when the user lacks the permissions. I could go and use it right now. Sorry you didn't get to ship it in 2.11. |
Co-authored-by: Vlad Losev <[email protected]> Signed-off-by: Alex Capras <[email protected]>
Doesn't this support the email scope? Azure doesn't seem to support the groups scope, I mean for RBAC mapping in rbac-rule. |
Summary
Currently any user that logs in using SSO escalates to the `argo-server` service account. We would like other options.
Motivation
TBD
Proposal
Either:
See:
Message from the maintainers:
If you wish to see this enhancement implemented please add a 👍 reaction to this issue! We often sort issues this way to know what to prioritize.