Description of problem:
Group permissions are not applied if we assign them directly to the group without a role name.
Even though the argocd CLI affirms that the permission works, it doesn't actually work in Argo CD.
For example, given this policy file:

    p, <group-name>, applications, *, */*, allow

Testing the policy indicates it should work:

    $ argocd admin settings rbac can <group-name> sync applications 'default/*' --policy-file policy.csv
    Yes
However, the two configurations below work as expected (giving the group permissions via a named role works):

    rbac:
      defaultPolicy: ""
      policy: |
        p, <group-name>, applications, * , */*, allow
        g, <group-name>, role:<role-name> <======
      scopes: '[groups]'

    rbac:
      defaultPolicy: ""
      policy: |
        p, role:<role-name>, applications, *, */*, allow
        g, <group>, role:<role-name> <=======
      scopes: '[groups]'
Prerequisites (if any, like setup, operators/versions):
Steps to Reproduce
- Create an argocd instance
- Create a test application
- Create a group and assign the permissions below to that group

    rbac:
      defaultPolicy: ""
      policy: |
        p, <group-name>, applications, * , */*, allow
      scopes: '[groups]'
- Try to view or do any actions on the application as a group user
Actual results:
User unable to view or do any actions on the application
Expected results:
User should be able to view or do the specified actions on the application
Reproducibility (Always/Intermittent/Only Once):
Always
Acceptance criteria:
Definition of Done:
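
A check for the pattern this report describes, as an added example that is not part of the original report or of Argo CD: it scans policy.csv text for `p` rules whose subject is neither `role:`-prefixed nor mapped to a role by a `g` line. The group and role names in the sample are constructed, and the script cannot tell a group from a local user, so each hit is something to review rather than a confirmed failure.

```python
# Added example: flags Argo CD RBAC "p" rules that name a subject directly.
# Constructed sample; dev-team, ops-team, qa-team and the roles are made up.
SAMPLE_POLICY = """\
p, dev-team, applications, *, */*, allow
p, role:ops, applications, sync, default/*, allow
g, ops-team, role:ops
p, qa-team, applications, get, */*, allow
g, qa-team, role:qa
"""


def parse_policy(text):
    """Return ([(line_no, subject)] for p rules, {subject: {roles}} for g lines)."""
    rules, grants = [], {}
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) >= 2:
            rules.append((line_no, fields[1]))
        elif fields[0] == "g" and len(fields) >= 3:
            grants.setdefault(fields[1], set()).add(fields[2])
    return rules, grants


def direct_subjects_without_role(text):
    """p rules whose subject is not a role and has no g mapping to a role."""
    rules, grants = parse_policy(text)
    findings = []
    for line_no, subject in rules:
        if subject.startswith("role:"):
            continue
        # Assumption: a subject mapped to any role:* by a g line matches the
        # first working configuration in the report and is not flagged.
        roles = grants.get(subject, set())
        if not any(r.startswith("role:") for r in roles):
            findings.append((line_no, subject))
    return findings


if __name__ == "__main__":
    for line_no, subject in direct_subjects_without_role(SAMPLE_POLICY):
        print(f"line {line_no}: '{subject}' is granted permissions directly, "
              "with no g mapping to a role")
```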