Add config setting to preserve V2 update/delete RBAC (argoproj#20600)

A breaking change was introduced in a previous commit that is planned to be a part of the next major version of Argo CD (v3) where it's okay to introduce breaking changes. We want this feature before we hit v3, so we add a config setting that allows us to explicitly turn this new v3 behavior on in v2. The current v2 behavior is the default, so this change will not affect folks who do not explicitly opt in. This commit to add the gating code is added separately so it will be easy to either cherry pick that pervious commit or revert this one. (see also argoproj#18124, argoproj#19988) Signed-off-by: Matt Finkel <[email protected]>
fffinkel · Nov 5, 2024 · 62574fa · 62574fa
1 parent 6ab13bd
commit 62574fa
Show file tree

Hide file tree

Showing 4 changed files with 352 additions and 10 deletions.
diff --git a/docs/operator-manual/rbac.md b/docs/operator-manual/rbac.md
@@ -114,7 +114,7 @@ The `applications` resource is an [Application-Specific Policy](#application-spe
 
 #### Fine-grained Permissions for `update`/`delete` action
 
-The `update` and `delete` actions, when granted on an application, will allow the user to perform the operation on the application itself but not its resources.
+The `update` and `delete` actions, when granted on an application, will allow the user to perform the operation on the application itself **and** all of its resources.
 It can be desirable to only allow `update` or `delete` on specific resources within an application.
 
 To do so, when the action if performed on an application's resource, the `<action>` will have the `<action>/<group>/<kind>/<ns>/<name>` format.
@@ -138,12 +138,35 @@ p, example-user, applications, delete, default/prod-app, deny
 p, example-user, applications, delete/*/Pod/*, default/prod-app, allow
 ```
 
-If we want to explicitly allow updates to the application, but deny updates to any sub-resources:
+!!! note
 
-```csv
-p, example-user, applications, update, default/prod-app, allow
-p, example-user, applications, update/*, default/prod-app, deny
-```
+    It is not possible to deny fine-grained permissions for a sub-resource if the action was **explicitly allowed on the application**.
+    For instance, the following policies will **allow** a user to delete the Pod and any other resources in the application:
+
+    ```csv
+    p, example-user, applications, delete, default/prod-app, allow
+    p, example-user, applications, delete/*/Pod/*, default/prod-app, deny
+    ```
+
+!!! note
+
+    In v3, RBAC will have a breaking change. The `udpate` and `delete` actions
+    (without a `/*`) will no longer include sub-resources. This allows you to
+    explicitly allow or deny access to an application without affecting its
+    sub-resources. For example, you may want to allow enable/disable of auto-sync
+    by allowing update on an application, but disallow the editing of deployment
+    manifests for that application.
+
+    To enable this behavior before v3, you can set the config value
+    `server.rbac.enablev3` to `true` in the Argo CD ConfigMap argocd-cm.
+
+    Once you do so, you can explicitly allow updates to the application, but deny
+    updates to any sub-resources:
+
+    ```csv
+    p, example-user, applications, update, default/prod-app, allow
+    p, example-user, applications, update/*, default/prod-app, deny
+    ```
 
 #### The `action` action
 

diff --git a/server/application/application.go b/server/application/application.go
@@ -1333,10 +1333,19 @@ func (s *Server) getAppResources(ctx context.Context, a *appv1.Application) (*ap
 }
 
 func (s *Server) getAppLiveResource(ctx context.Context, action string, q *application.ApplicationResourceRequest) (*appv1.ResourceNode, *rest.Config, *appv1.Application, error) {
-	if action == rbacpolicy.ActionDelete || action == rbacpolicy.ActionUpdate {
+	enableV3, err := s.settingsMgr.GetServerRBACEnableV3()
+	if err != nil {
+		return nil, nil, nil, errors.New("asdfasdfasdfasdf: " + err.Error())
+	}
+
+	if enableV3 && (action == rbacpolicy.ActionDelete || action == rbacpolicy.ActionUpdate) {
 		action = fmt.Sprintf("%s/%s/%s/%s/%s", action, q.GetGroup(), q.GetKind(), q.GetNamespace(), q.GetResourceName())
 	}
 	a, _, err := s.getApplicationEnforceRBACInformer(ctx, action, q.GetProject(), q.GetAppNamespace(), q.GetName())
+	if !enableV3 && err != nil && errors.Is(err, permissionDeniedErr) && (action == rbacpolicy.ActionDelete || action == rbacpolicy.ActionUpdate) {
+		action = fmt.Sprintf("%s/%s/%s/%s/%s", action, q.GetGroup(), q.GetKind(), q.GetNamespace(), q.GetResourceName())
+		a, _, err = s.getApplicationEnforceRBACInformer(ctx, action, q.GetProject(), q.GetAppNamespace(), q.GetName())
+	}
 	if err != nil {
 		return nil, nil, nil, err
 	}