feat: Introduce RBAC based approach to pod logs #7211 #8353
Codecov Report

Coverage Diff (master vs. #8353):
  Coverage   42.57%   42.60%   +0.02%
  Files         177      177
  Lines       22988    23007   +19
  Hits         9787     9801   +14
  Misses      11804    11805   +1
  Partials     1397     1401   +4
server/account/account.go
// Otherwise, no RBAC enforcement for logs will take place (meaning, can-i request on a logs resource will result in "yes") | ||
// In the future, logs RBAC will be always enforced and the parameter along with this check will be removed | ||
if r.Resource == "logs" { | ||
// logsRBACEnforceEnable := env.ParseBoolFromEnv("ARGOCD_SERVER_RBAC_LOG_ENFORCE_ENABLE", false) |
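Review bot: the last line of this hunk is commented-out code (`// logsRBACEnforceEnable := env.ParseBoolFromEnv("ARGOCD_SERVER_RBAC_LOG_ENFORCE_ENABLE", false)`) while the comment above it still describes the switch as coming from an env var; drop the dead line and have the comment name the real source of the value. Worth stating in that comment too that the default is fail-open: inside `if r.Resource == "logs"` a can-i request answers "yes" whenever the switch is not set, so an operator who forgets to set it gets no log RBAC at all.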
I think these are redundant changes.
server/application/application.go
// Temporarily, logs RBAC will be enforced only if an intermediate env var serverRBACLogEnforceEnable is defined and has a "true" value | ||
// Otherwise, no RBAC enforcement for logs will take place (meaning, can-i request on a logs resource will result in "yes") | ||
// In the future, logs RBAC will be always enforced and the parameter along with this check will be removed | ||
logsRBACEnforceEnable, _ := s.settingsMgr.GetServerRBACLogEnforceEnable() |
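Review bot: the blank identifier in `logsRBACEnforceEnable, _ := s.settingsMgr.GetServerRBACLogEnforceEnable()` swallows the settings error, so a failure to read argocd-cm leaves the variable at its zero value (false) and silently turns log RBAC off; return the error to the caller instead. The first comment line also calls serverRBACLogEnforceEnable an "intermediate env var", but the value is fetched through the settings manager, so the comment should say that.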
Do not ignore the error here.
util/settings/settings.go
if argoCDCM.Data[settingsServerRBACLogEnforceEnableKey] == "" { | ||
return false, err | ||
} | ||
return argoCDCM.Data[settingsServerRBACLogEnforceEnableKey] == "true", nil |
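Review bot: `return false, err` in the empty-key branch returns whatever `err` was left over from the earlier lookup, which at that point is presumably nil, so the line reads like an error path but is not one; return `false, nil` explicitly. The `== "true"` comparison on the last line silently treats any other spelling ("True", "1", or a typo) as false, i.e. as enforcement off; `strconv.ParseBool` would accept the standard spellings and report an invalid value as an error rather than quietly disabling the check.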
Maybe better to use strconv.ParseBool(
@@ -91,6 +91,8 @@ type ArgoCDSettings struct { | |||
PasswordPattern string `json:"passwordPattern,omitempty"` | |||
// BinaryUrls contains the URLs for downloading argocd binaries | |||
BinaryUrls map[string]string `json:"binaryUrls,omitempty"` | |||
// ServerRBACLogEnforceEnable temporary var indicates whether rbac will be enforced on logs | |||
ServerRBACLogEnforceEnable bool `json:"serverRBACLogEnforceEnable"` |
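Review bot: `ServerRBACLogEnforceEnable bool` is added to ArgoCDSettings, but the value is already read on demand through the settings manager (`GetServerRBACLogEnforceEnable` in application.go), so this field looks redundant and risks two sources of truth for the same switch. If it stays, its tag should carry `omitempty` like the neighbouring `binaryUrls` field, otherwise `"serverRBACLogEnforceEnable": false` is emitted for every serialized settings object.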
I don't think you need it anymore after migrating to the settings manager.
Fixed according to the remarks.
Could you also do a quick update in rbac.md? Seems like a good place to document this.
server/account/account.go
@@ -126,6 +126,21 @@ func (s *Server) CanI(ctx context.Context, r *account.CanIRequest) (*account.Can | |||
if !slice.ContainsString(rbacpolicy.Resources, r.Resource, nil) { | |||
return nil, status.Errorf(codes.InvalidArgument, "%v does not contain %s", rbacpolicy.Resources, r.Resource) | |||
} | |||
|
|||
// Temporarily, logs RBAC will be enforced only if an intermediate env var serverRBACLogEnforceEnable is defined and has a "true" value |
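Review bot: the added comment refers to "an intermediate env var serverRBACLogEnforceEnable", but the value is an argocd-cm setting read via the settings manager; name it accordingly so operators know where to flip the switch. Also note that the guard just above the insertion point rejects any `r.Resource` not listed in `rbacpolicy.Resources`, so "logs" has to be present in that list for the new branch to be reachable at all.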
Is serverRBACLogEnforceEnable the name of the env var or some internal variable?
Internal var based on a value of an env var. Will clarify the comment, thanks.
Fixed the comment in the application.go and account.go sections to explain better what the switch does, and renamed the var to match its name in the settings manager.
Added docs in rbac.md for the "logs" RBAC resource, but I am not sure in which section I should document the switch itself?
Signed-off-by: reggie-k <reginakagan@gmail.com>
LGTM!
Great!
Well done @reggie-k
Awesome!
Oh! You asked a question that I failed to answer. settingsServerRBACLogEnforceEnableKey should be documented in docs/operator-manual/argocd-cm.yaml.
Nitpick: could you replace the hard-coded instances of the config key in tests with the variable?
If the backend changes shouldn't be allowed to go out without frontend changes, I'd recommend making them all part of one PR.
Signed-off-by: reggie-k <reginakagan@gmail.com>
Done, now wondering whether part of that belongs in the release blog :) What do you think?
I am a total Go newbie, but the const key names in settings.go are private and used within the package, as far as I understand. Do you want me to make this particular one a global const so that it can be referenced outside?
I see the reason behind this. How can this be achieved, given my colleague will work on the UI changes, and will need the backend to have my changes? Can you guide me through the process from a GitHub perspective? Where does he fork from, where does he create PRs to, etc.?
I think it probably does. @alexmt do we keep a running list anywhere of things that need to be in the release blog?
I'm relatively new to go as well, so I missed that problem. 😆 I think hard-coding is fine in this case. Searching text is easy.
I think he could 1) fork argo-cd, 2) add your fork as a remote, 3) checkout your branch, 4) create a new branch based on yours, 5) make changes and then open a PR against your branch. Once the UI changes are merged into your branch, this PR will be ready for final review/merge.
Thank you for the review @pasha-codefresh and @crenshaw-dev. Doing one final round and merging.
LGTM.
I think we should resolve https://github.com/argoproj/argo-cd/pull/8353/files#r798567363, but I propose to merge this PR for the sake of time and create a follow-up PR to do it.
LGTM!
Great job @reggie-k !
Thank you @reggie-k !
…oj#8353)
* initial changes in settings, app, account, admin, rbac, doc and tests
  Signed-off-by: reggie-k <reginakagan@gmail.com>
* rbac.md docs and better comments in account and app
  Signed-off-by: reggie-k <reginakagan@gmail.com>
* initial changes in settings, app, account, admin, rbac, doc and tests
  Signed-off-by: reggie-k <reginakagan@gmail.com>
* rbac.md docs and better comments in account and app
  Signed-off-by: reggie-k <reginakagan@gmail.com>
* initial changes in settings, app, account, admin, rbac, doc and tests
  Signed-off-by: reggie-k <reginakagan@gmail.com>
* rbac.md docs and better comments in account and app
  Signed-off-by: reggie-k <reginakagan@gmail.com>
* rebase fix
  Signed-off-by: reggie-k <reginakagan@gmail.com>
* updated docs for argocd-cm.yaml
  Signed-off-by: reggie-k <reginakagan@gmail.com>
Signed-off-by: wojtekidd <wojtek.cichon@protonmail.com>
The required changes in the cli were performed, the UI changes will come in a separate PR.
The enforcement is disabled by default, to mitigate the breaking change.
The switch will reside in the main argocd-cm.
Not sure whether I should document the switch explicitly myself or will it be documented in the release blog?
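An added example, not code from this PR or from Argo CD, showing the switch semantics the thread converges on: the flag lives in argocd-cm and defaults to off, it is parsed with strconv.ParseBool so a malformed value surfaces as an error instead of silently disabling enforcement, and the settings error is propagated rather than discarded. The key string, the canGetLogs helper and the enforce callback are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
)

// Assumed key name: the thread names only the Go constant
// settingsServerRBACLogEnforceEnableKey, not its string value.
const serverRBACLogEnforceEnableKey = "server.rbac.log.enforce.enable"

// rbacLogEnforceEnabled reads the switch from argocd-cm data. A missing or
// empty key means enforcement off (the PR's default) with no error; an
// unparseable value is an error, so a typo cannot silently disable it.
func rbacLogEnforceEnabled(cmData map[string]string) (bool, error) {
	raw := cmData[serverRBACLogEnforceEnableKey]
	if raw == "" {
		return false, nil
	}
	v, err := strconv.ParseBool(raw) // accepts 1/0, t/f, true/false, True/False
	if err != nil {
		return false, fmt.Errorf("%s: %w", serverRBACLogEnforceEnableKey, err)
	}
	return v, nil
}

// canGetLogs mirrors the can-i decision for the "logs" resource: switch off
// answers "yes" regardless of policy; switch on defers to the enforcer
// (an assumed callback). A settings error is propagated, not discarded.
func canGetLogs(cmData map[string]string, enforce func() bool) (string, error) {
	enabled, err := rbacLogEnforceEnabled(cmData)
	if err != nil {
		return "", err
	}
	if !enabled || enforce() {
		return "yes", nil
	}
	return "no", nil
}

func main() {
	deny := func() bool { return false } // a policy that would deny
	ans, err := canGetLogs(map[string]string{}, deny)
	fmt.Println(ans, err) // yes <nil>: switch unset, fail-open default
	ans, err = canGetLogs(map[string]string{serverRBACLogEnforceEnableKey: "true"}, deny)
	fmt.Println(ans, err) // no <nil>: enforced, policy denies
	_, err = canGetLogs(map[string]string{serverRBACLogEnforceEnableKey: "tru"}, deny)
	fmt.Println(err) // server.rbac.log.enforce.enable: strconv.ParseBool: parsing "tru": invalid syntax
}
```

Note that ParseBool is more lenient than the `== "true"` comparison in the reviewed hunk: "True" and "1" also enable enforcement, while anything unparseable is rejected loudly.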