New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Read-only RBAC has the UI showing workflow as deleted when it is not #2145
Comments
In slack @sarabala1979 pointed me to https://github.com/argoproj/argo/blob/4cda9a05bf8cee20027132e4b3428ca9654bed5a/server/workflowarchive/archived_workflow_server.go#L106 I'm not sure yet why this doesn't seem to be taking affect. |
@alexec @sarabala1979 ok, so it actually doesn't delete the workflow. For other actions (kubernetes-based ones) the UI shows a Red pop-up saying permission denied. For postgres is does not show the pop-up, and shows the workflow gone. If you do a refresh or query the table it's still there. |
renamed the ticket |
Can I please confirm this is a UI only issue (which isn't great) - and that it not actually deleted (which is worse). |
@alexec correct, that appears to be the case. I am much less concerned about this now. Apologies for not checking the database directly sooner. |
Thank you @ddseapy |
Checklist:
What happened:
EDIT - This looks to be JUST a UI issue, and not a security concern
When setting the RBAC for the server pod to the following, I am able to delete workflows from the archive, but not from the cluster.
What you expected to happen:
I should get permission denied trying to delete the workflow from postgres
How to reproduce it (as minimally and precisely as possible):
Set the rbac to what is listed above for the server. Run a workflow. Try to delete the workflow from the archive in the UI. It will succeed even though it should fail.
Anything else we need to know?:
Environment:
Message from the maintainers:
If you are impacted by this bug please add a 👍 reaction to this issue! We often sort issues this way to know what to prioritize.
The text was updated successfully, but these errors were encountered: