
argocd RBAC project * wildcard matches all apps in all projects #3963

Closed
3 tasks done
devonhk opened this issue Jul 20, 2020 · 0 comments · Fixed by #3966
Labels
bug Something isn't working security Security related


devonhk commented Jul 20, 2020

Checklist:

  • I've searched in the docs and FAQ for my answer: http://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

I discovered that specifying a wildcard in an RBAC policy project doesn’t work as expected.
I expected this line to match any project, but only the app payments-data-collector.
p, role:payments, applications, get, */payments-data-collector, allow
But instead that policy gave the role access to all apps in all projects, essentially p, role:payments, applications, get, */*, allow.
I think this is a pretty serious RBAC bug, I had inadvertently given users admin access to all apps in my cluster.

To Reproduce

  1. Create a policy like this one: p, role:payments, applications, get, */test-app, allow
  2. Make sure that you have multiple apps under different project names
  3. Log in as the payments role and get any application

Expected behavior

  1. 403 permission denied on any app that isn't called test-app

Actual behavior

The policy p, role:payments, applications, get, */test-app, allow is interpreted as p, role:payments, applications, get, */*, allow. The wildcard * is greedy and matches everything.

Version

argocd: v1.4.2+48cced9
  BuildDate: 2020-01-24T01:07:43Z
  GitCommit: 48cced9d925b5bc94f6aa9fa4a8a19b2a59e128a
  GitTreeState: clean
  GoVersion: go1.12.6
  Compiler: gc
  Platform: darwin/amd64
argocd-server: v1.4.2+48cced9
  BuildDate: 2020-01-24T01:07:03Z
  GitCommit: 48cced9d925b5bc94f6aa9fa4a8a19b2a59e128a
  GitTreeState: clean
  GoVersion: go1.12.6
  Compiler: gc
  Platform: linux/amd64
  Ksonnet Version: v0.13.1
  Kustomize Version: Version: {Version:kustomize/v3.2.1 GitCommit:d89b448c745937f0cf1936162f26a5aac688f840 BuildDate:2019-09-27T00:10:52Z GoOs:linux GoArch:amd64}
  Helm Version: v2.15.2
  Kubectl Version: v1.14.0
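The behaviour the report expects (a project wildcard in the object field still constrains the application name) can be checked offline with a small policy evaluator. This is an added example, not Argo CD's own RBAC code: it parses the same `p, subject, resource, action, object, effect` line format, assumes `path.Match` semantics for the object field (a `*` never crosses the `/` between project and application, which is stricter than Argo CD's real glob matcher), and is deny-by-default so a non-matching app yields a denial rather than an admin-level allow.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Policy is one parsed "p, subject, resource, action, object, effect" line.
type Policy struct {
	Subject, Resource, Action, Object, Effect string
}

// ParsePolicies parses CSV-style policy lines; malformed lines are skipped.
func ParsePolicies(csv string) []Policy {
	var out []Policy
	for _, line := range strings.Split(csv, "\n") {
		f := strings.Split(line, ",")
		for i := range f {
			f[i] = strings.TrimSpace(f[i])
		}
		if len(f) != 6 || f[0] != "p" {
			continue
		}
		out = append(out, Policy{f[1], f[2], f[3], f[4], f[5]})
	}
	return out
}

// match uses path.Match semantics (assumption for this example): '*' matches
// within a single "/"-separated segment, so "*/app" pins the app name.
func match(pattern, value string) bool {
	ok, err := path.Match(pattern, value)
	return err == nil && ok
}

// Allowed is deny-by-default: a request is permitted only when some policy
// for that subject matches resource, action and object with effect "allow".
func Allowed(pols []Policy, subject, resource, action, object string) bool {
	for _, p := range pols {
		if p.Subject == subject && match(p.Resource, resource) &&
			match(p.Action, action) && match(p.Object, object) && p.Effect == "allow" {
			return true
		}
	}
	return false
}

func main() {
	// Constructed policy and app names mirroring the report's scenario.
	pols := ParsePolicies("p, role:payments, applications, get, */payments-data-collector, allow")
	for _, obj := range []string{"billing/payments-data-collector", "billing/other-app"} {
		fmt.Println(obj, Allowed(pols, "role:payments", "applications", "get", obj))
	}
}
```

Running it prints true for the collector app in any project and false for every other app, which is the check to run against a candidate policy before trusting a wildcard in production.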
@devonhk devonhk added the bug Something isn't working label Jul 20, 2020
@alexmt alexmt added the security Security related label Jul 20, 2020