Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RBAC using LDAP is not working (Not assigning the policies) #17908

Open
3 tasks done
behniafb opened this issue Apr 20, 2024 · 4 comments · May be fixed by #20683
Open
3 tasks done

RBAC using LDAP is not working (Not assigning the policies) #17908

behniafb opened this issue Apr 20, 2024 · 4 comments · May be fixed by #20683
Labels
bug Something isn't working component:server good first issue Good for newcomers question Issue is a question or reach for support type:bug

Comments

@behniafb
Copy link

behniafb commented Apr 20, 2024
edited
Loading

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug:
  • I've pasted the output of argocd version:
~$ argocd version
argocd: v2.10.6+d504d2b
  BuildDate: 2024-04-05T00:27:47Z
  GitCommit: d504d2b1d92f0cf831a124a5fd1a96ee29fa7679
  GitTreeState: clean
  GoVersion: go1.21.3
  Compiler: gc
  Platform: linux/amd64

Describe the bug

Hello. I want to integrate LDAP with ArgoCD, using Dex.

The problem is, the LDAP user that I login with, doesn't get the necessary policies that I've specified in argocd-rbac-cm in policy.csv;

But the confusing thing is it SUCCESSFULY gets the policy.default to whatever role I set to !

To Reproduce

These are the necessary configs that I have set.
argocd-cm :

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/instance: argocd
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/version: v2.10.6
    helm.sh/chart: argo-cd-6.7.11
    k8slens-edit-resource-version: v1
  annotations:
    meta.helm.sh/release-name: argocd
    meta.helm.sh/release-namespace: argocd
data:
  admin.enabled: 'true'
  application.instanceLabelKey: argocd.argoproj.io/instance
  dex.config: |-
    logger:
      level: debug
    connectors:
    - type: ldap
      name: My Company
      id: ad
      config:
        # Ldap server address

        host: "ldap.mycompany.com:389"
        insecureNoSSL: true
        insecureSkipVerify: true

        # Variable name stores ldap bindDN in argocd-secret
        bindDN: 'CN=DevOps Local Cluster Service Account,OU=Other,OU=Service Accounts,OU=_Special,OU=Users,OU=My Company Accounts,DC=mycompany,DC=com'
        
        # Variable name stores ldap bind password in argocd-secret
        bindPW: 'password'
        usernamePrompt: "Username"
        
        # Ldap user serch attributes
        userSearch:
          baseDN: "OU=Users,OU=My Company Accounts,DC=mycompany,DC=com"
          username: mail
          idAttr: mail
          nameAttr: displayName
          emailAttr: mail
  exec.enabled: 'false'
  server.rbac.log.enforce.enable: 'true'
  timeout.hard.reconciliation: 0s
  timeout.reconciliation: 180s
  url: https://argo.mycompany.com

argocd-rbac-cm:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/instance: argocd
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/version: v2.10.6
    helm.sh/chart: argo-cd-6.7.11
    k8slens-edit-resource-version: v1
  annotations:
    meta.helm.sh/release-name: argocd
    meta.helm.sh/release-namespace: argocd
data:
  policy.csv: |+
    p, role:Testrole, applications, create, test/*, allow
    p, role:Testrole, applications, delete, test/*, allow
    p, role:Testrole, applications, get, test/*, allow
    p, role:Testrole, applications, override, test/*, allow
    p, role:Testrole, applications, sync, test/*, allow
    p, role:Testrole, applications, update, test/*, allow
    p, role:Testrole, logs, get, test/*, allow
    p, role:Testrole, exec, create, test/*, allow
    p, role:Testrole, projects, get, test, allow

    g, [email protected], role:admin

  policy.default: role:Testrole
  policy.matchMode: glob
  scopes: '[groups]'

Expected behavior
I expect that when I login with LDAP user [email protected], it gets the policy of g, [email protected], role:admin which is admin ; But it gets the default policy, which is policy.default: role:Testrole.

Screenshots
For example, when I want to see the list of clusters, I get this error (something that admin policy is capable of):

Version

argocd@argocd-server-7db5c6b77-2nzpf:~$ argocd version
argocd: v2.10.6+d504d2b
  BuildDate: 2024-04-05T00:27:47Z
  GitCommit: d504d2b1d92f0cf831a124a5fd1a96ee29fa7679
  GitTreeState: clean
  GoVersion: go1.21.3
  Compiler: gc
  Platform: linux/amd64

Logs

argocd-server logs (debug mode) when I try to create a create a project called TestForGithub:

time="2024-04-20T10:55:52Z" level=info msg="ArgoCD API Server is starting" built="2024-04-05T00:27:47Z" commit=d504d2b1d92f0cf831a124a5fd1a96ee29fa7679 namespace=argocd port=8080 version=v2.10.6+d504d2b
time="2024-04-20T10:55:52Z" level=info msg="Starting configmap/secret informers"
time="2024-04-20T10:55:52Z" level=info msg="Configmap/secret informer synced"
time="2024-04-20T10:55:52Z" level=info msg="invalidated cache for resource in namespace: argocd with the name: argocd-notifications-cm"
time="2024-04-20T10:55:52Z" level=info msg="invalidated cache for resource in namespace: argocd with the name: argocd-notifications-secret"
time="2024-04-20T10:55:52Z" level=info msg="Creating client app (argo-cd)"
time="2024-04-20T10:55:52Z" level=info msg="argocd v2.10.6+d504d2b serving on port 8080 (url: https://argo.mycompany.com, tls: false, namespace: argocd, sso: true)"
time="2024-04-20T10:55:52Z" level=info msg="Enabled application namespace patterns: argocd"
time="2024-04-20T10:55:52Z" level=info msg="0xc0017408a0 subscribed to settings updates"
time="2024-04-20T10:55:52Z" level=info msg="Starting rbac config informer"
time="2024-04-20T10:55:52Z" level=info msg="RBAC ConfigMap 'argocd-rbac-cm' added"
time="2024-04-20T10:56:10Z" level=info msg="Initializing OIDC provider (issuer: https://argo.mycompany.com/api/dex)"
time="2024-04-20T10:56:10Z" level=info msg="OIDC supported scopes: [openid email groups profile offline_access]"
time="2024-04-20T10:56:10Z" level=info msg="received unary call /project.ProjectService/List" grpc.method=List grpc.request.claims="{\"at_hash\":\"Z-mWH5Z9XXwWAaGleL5JSA\",\"aud\":\"argo-cd\",\"c_hash\":\"lNVuQ7fISUG2rYqUaV5t_g\",\"email\":\"[email protected]\",\"email_verified\":true,\"exp\":1713695788,\"iat\":1713609388,\"iss\":\"https://argo.mycompany.com/api/dex\",\"name\":\"Behnia Farahbod [ My Company - ITS ]\",\"sub\":\"ChdiZWhuaWEuZkBtdG5pcmFuY2VsbC5pchICYWQ\"}" grpc.request.content= grpc.service=project.ProjectService grpc.start_time="2024-04-20T10:56:10Z" span.kind=server system=grpc
time="2024-04-20T10:56:10Z" level=debug msg="enforce failed" claims="map[at_hash:Z-mWH5Z9XXwWAaGleL5JSA aud:argo-cd c_hash:lNVuQ7fISUG2rYqUaV5t_g email:[email protected] email_verified:true exp:1.713695788e+09 iat:1.713609388e+09 iss:https://argo.mycompany.com/api/dex name:Behnia Farahbod [ My Company - ITS ] sub:ChdiZWhuaWEuZkBtdG5pcmFuY2VsbC5pchICYWQ]" groups="[]" project=default rval="[map[at_hash:Z-mWH5Z9XXwWAaGleL5JSA aud:argo-cd c_hash:lNVuQ7fISUG2rYqUaV5t_g email:[email protected] email_verified:true exp:1.713695788e+09 iat:1.713609388e+09 iss:https://argo.mycompany.com/api/dex name:Behnia Farahbod [ My Company - ITS ] sub:ChdiZWhuaWEuZkBtdG5pcmFuY2VsbC5pchICYWQ] projects get default]" scopes="[groups]" subject=ChdiZWhuaWEuZkBtdG5pcmFuY2VsbC5pchICYWQ
time="2024-04-20T10:56:10Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=List grpc.service=project.ProjectService grpc.start_time="2024-04-20T10:56:10Z" grpc.time_ms=16.151 span.kind=server system=grpc
time="2024-04-20T10:56:11Z" level=info msg="received unary call /session.SessionService/GetUserInfo" grpc.method=GetUserInfo grpc.request.claims="{\"at_hash\":\"Z-mWH5Z9XXwWAaGleL5JSA\",\"aud\":\"argo-cd\",\"c_hash\":\"lNVuQ7fISUG2rYqUaV5t_g\",\"email\":\"[email protected]\",\"email_verified\":true,\"exp\":1713695788,\"iat\":1713609388,\"iss\":\"https://argo.mycompany.com/api/dex\",\"name\":\"Behnia Farahbod [ My Company - ITS ]\",\"sub\":\"ChdiZWhuaWEuZkBtdG5pcmFuY2VsbC5pchICYWQ\"}" grpc.request.content= grpc.service=session.SessionService grpc.start_time="2024-04-20T10:56:11Z" span.kind=server system=grpc
time="2024-04-20T10:56:11Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=GetUserInfo grpc.service=session.SessionService grpc.start_time="2024-04-20T10:56:11Z" grpc.time_ms=1.069 span.kind=server system=grpc
2024/04/20 10:56:19 proto: tag has too few fields: "-"
2024/04/20 10:56:19 proto: tag has unknown wire type: "int64,1,opt,name=iat"
2024/04/20 10:56:19 proto: tag has unknown wire type: "int64,2,opt,name=exp"
time="2024-04-20T10:56:19Z" level=info msg="received unary call /project.ProjectService/Create" grpc.method=Create grpc.request.claims="{\"at_hash\":\"Z-mWH5Z9XXwWAaGleL5JSA\",\"aud\":\"argo-cd\",\"c_hash\":\"lNVuQ7fISUG2rYqUaV5t_g\",\"email\":\"[email protected]\",\"email_verified\":true,\"exp\":1713695788,\"iat\":1713609388,\"iss\":\"https://argo.mycompany.com/api/dex\",\"name\":\"Behnia Farahbod [ My Company - ITS ]\",\"sub\":\"ChdiZWhuaWEuZkBtdG5pcmFuY2VsbC5pchICYWQ\"}" grpc.request.content="project:<TypeMeta:<kind:\"\" apiVersion:\"\" > metadata:<name:\"TestForGithub\" generateName:\"\" namespace:\"\" selfLink:\"\" uid:\"\" resourceVersion:\"\" generation:0 creationTimestamp:<0001-01-01T00:00:00Z> > spec:<description:\"\" permitOnlyProjectScopedClusters:false > status:<> > " grpc.service=project.ProjectService grpc.start_time="2024-04-20T10:56:19Z" span.kind=server system=grpc
time="2024-04-20T10:56:19Z" level=debug msg="enforce failed" claims="map[at_hash:Z-mWH5Z9XXwWAaGleL5JSA aud:argo-cd c_hash:lNVuQ7fISUG2rYqUaV5t_g email:[email protected] email_verified:true exp:1.713695788e+09 iat:1.713609388e+09 iss:https://argo.mycompany.com/api/dex name:Behnia Farahbod [ My Company - ITS ] sub:ChdiZWhuaWEuZkBtdG5pcmFuY2VsbC5pchICYWQ]" groups="[]" project= rval="[map[at_hash:Z-mWH5Z9XXwWAaGleL5JSA aud:argo-cd c_hash:lNVuQ7fISUG2rYqUaV5t_g email:[email protected] email_verified:true exp:1.713695788e+09 iat:1.713609388e+09 iss:https://argo.mycompany.com/api/dex name:Behnia Farahbod [ My Company - ITS ] sub:ChdiZWhuaWEuZkBtdG5pcmFuY2VsbC5pchICYWQ] projects create TestForGithub]" scopes="[groups]" subject=ChdiZWhuaWEuZkBtdG5pcmFuY2VsbC5pchICYWQ
time="2024-04-20T10:56:19Z" level=warning msg="finished unary call with code PermissionDenied" error="rpc error: code = PermissionDenied desc = permission denied: projects, create, TestForGithub, sub: ChdiZWhuaWEuZkBtdG5pcmFuY2VsbC5pchICYWQ, iat: 2024-04-20T10:36:28Z" grpc.code=PermissionDenied grpc.method=Create grpc.service=project.ProjectService grpc.start_time="2024-04-20T10:56:19Z" grpc.time_ms=1.448 span.kind=server system=grpc
@behniafb behniafb added the bug Something isn't working label Apr 20, 2024
@behniafb
Copy link
Author

And something that I figured out is I can't find any place in ArgoCD deployments that mounts argocd-rbac-cm.
How does it import this ConfigMap ?!

@agaudreault
Copy link
Member

@behniafb Make sure [email protected] is what is being returned in the sub claims. In your case, it seems to be base64 encoded. To validate, use g, ChdiZWhuaWEuZkBtdG5pcmFuY2VsbC5pchICYWQ, role:admin instead. If this works, then it might be a configuration problems.

You might have more relevant logs in the dex pod.

@agaudreault agaudreault added question Issue is a question or reach for support and removed bug Something isn't working labels Jul 23, 2024
@alexmt alexmt added bug Something isn't working component:server type:bug labels Jul 23, 2024
@agaudreault
Copy link
Member

agaudreault commented Jul 23, 2024
edited
Loading

Actually. Seems related to dexidp/dex#1719. Since argo is using "sub" everywhere as a hardcoded value, and this value might not be deterministic, we should perhaps override sub with federated_claims.user_id when dex is used, or at least generate a deterministic unique value. https://dexidp.io/docs/configuration/custom-scopes-claims-clients/.

As a workaround, you might want to try scopes: '[groups, email]' so you have the email as part of the group. This will allow the email claim to be checked if the sub claim does not match.

Documentation definitely needs to be updated no matter what as this is a non-intuitive behavior from Dex.

@agaudreault agaudreault added the good first issue Good for newcomers label Jul 23, 2024
@mingmingshiliyu
Copy link

excellent job! I deployed argo with ldap, and found out it didn`t work when I changed the rbac rule in rbac-cm, in the meanwhile, the argocd-server reported the error:

time="2024-10-23T09:17:46Z" level=info msg="received unary call /application.ApplicationService/Update" grpc.method=Update grpc.request.claims="{\"at_hash\":\"ZNhiXJtvBeQkFxj1aeYF5A\",\"aud\":\"argo-cd\",\"c_hash\":\"33vK8Jx-UYPX1Xr7qJS84w\",\"email\":\"[email protected]\",\"email_verified\":true,\"exp\":1729761221,\"iat\":1729674821,\"iss\":\"https://xyz.dev.udestr.vwcloud.cn:31330/api/dex\",\"name\":\"zhangzeyuan\",\"sub\":\"Cgt6aGFuZ3pleXVhbhIEbGRhcA\"}" grpc.request.content="%!v(PANIC=String method: reflect.Value.Interface: cannot return value obtained from unexported field or method)" grpc.service=application.ApplicationService grpc.start_time="2024-10-23T09:17:46Z" span.kind=server system=grpc
time="2024-10-23T09:17:46Z" level=warning msg="finished unary call with code PermissionDenied" error="rpc error: code = PermissionDenied desc = permission denied: applications, update, ude/core-manager-dev, sub: Cgt6aGFuZ3pleXVhbhIEbGRhcA, iat: 2024-10-23T09:13:41Z" grpc.code=PermissionDenied grpc.method=Update grpc.service=application.ApplicationService grpc.start_time="2024-10-23T09:17:46Z" grpc.time_ms=3.071 span.kind=server system=grpc

followed as you suggested, i configure g, Cgt6aGFuZ3pleXVhbhIEbGRhcA, role:admin ,it worked as expected! just record here to help others

@aali309 aali309 linked a pull request Nov 6, 2024 that will close this issue
Draft
14 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working component:server good first issue Good for newcomers question Issue is a question or reach for support type:bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: Override sub with federated_claims.user_id when dex is used aali309/argo-cd
4 participants
@alexmt @behniafb @agaudreault @mingmingshiliyu