Read-only RBAC has the UI showing workflow as deleted when it is not #2145
Comments
|
In slack @sarabala1979 pointed me to https://github.com/argoproj/argo/blob/4cda9a05bf8cee20027132e4b3428ca9654bed5a/server/workflowarchive/archived_workflow_server.go#L106 I'm not sure yet why this doesn't seem to be taking affect. |
|
@alexec @sarabala1979 ok, so it actually doesn't delete the workflow. For other actions (kubernetes-based ones) the UI shows a Red pop-up saying permission denied. For postgres is does not show the pop-up, and shows the workflow gone. If you do a refresh or query the table it's still there. |
ddseapy
changed the title
|
renamed the ticket |
ddseapy
changed the title
|
Can I please confirm this is a UI only issue (which isn't great) - and that it not actually deleted (which is worse). |
|
@alexec correct, that appears to be the case. I am much less concerned about this now. Apologies for not checking the database directly sooner. |
|
Thank you @ddseapy |
Checklist:
What happened:
EDIT - This looks to be JUST a UI issue, and not a security concern
When setting the RBAC for the server pod to the following, I am able to delete workflows from the archive, but not from the cluster.
What you expected to happen:
I should get permission denied trying to delete the workflow from postgres
How to reproduce it (as minimally and precisely as possible):
Set the rbac to what is listed above for the server. Run a workflow. Try to delete the workflow from the archive in the UI. It will succeed even though it should fail.
Anything else we need to know?:
Environment:
Message from the maintainers:
If you are impacted by this bug please add a 👍 reaction to this issue! We often sort issues this way to know what to prioritize.
The text was updated successfully, but these errors were encountered: