Rename config setting used to preserve V2 update/delete RBAC (argopro…

…j#20600) We don't know if this will go out with v3, and furthermore, the name is not very descriptive. (see also argoproj#18124, argoproj#19988) Signed-off-by: Matt Finkel <[email protected]>
fffinkel · Jan 8, 2025 · 9d6f8a7 · 9d6f8a7
1 parent c3931f1
commit 9d6f8a7
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 19 deletions.
diff --git a/docs/operator-manual/rbac.md b/docs/operator-manual/rbac.md
@@ -160,15 +160,16 @@ p, example-user, applications, delete/*/Pod/*/*, default/prod-app, allow
 
 !!! note
 
-    In v3, RBAC will have a breaking change. The `update` and `delete` actions
-    (without a `/*`) will no longer include sub-resources. This allows you to
-    explicitly allow or deny access to an application without affecting its
-    sub-resources. For example, you may want to allow enable/disable of auto-sync
-    by allowing update on an application, but disallow the editing of deployment
-    manifests for that application.
+    In a future version, RBAC will have a breaking change. The `update` and
+    `delete` actions (without a `/*`) will no longer include sub-resources.
+    This allows you to explicitly allow or deny access to an application
+    without affecting its sub-resources. For example, you may want to allow
+    enable/disable of auto-sync by allowing update on an application, but
+    disallow the editing of deployment manifests for that application.
 
     To enable this behavior before v3, you can set the config value
-    `server.rbac.enablev3` to `true` in the Argo CD ConfigMap argocd-cm.
+    `server.rbac.disableApplicationFineGrainedRBACInheritance` to `false` in
+    the Argo CD ConfigMap argocd-cm.
 
     Once you do so, you can explicitly allow updates to the application, but deny
     updates to any sub-resources:

diff --git a/server/application/application.go b/server/application/application.go
@@ -1346,16 +1346,16 @@ func (s *Server) getAppResources(ctx context.Context, a *v1alpha1.Application) (
 }
 
 func (s *Server) getAppLiveResource(ctx context.Context, action string, q *application.ApplicationResourceRequest) (*v1alpha1.ResourceNode, *rest.Config, *v1alpha1.Application, error) {
-	enableV3, err := s.settingsMgr.GetServerRBACEnableV3()
+	fineGrainedInheritanceDisabled, err := s.settingsMgr.ApplicationFineGrainedRBACInheritanceDisabled()
 	if err != nil {
 		return nil, nil, nil, err
 	}
 
-	if enableV3 && (action == rbacpolicy.ActionDelete || action == rbacpolicy.ActionUpdate) {
+	if !fineGrainedInheritanceDisabled && (action == rbacpolicy.ActionDelete || action == rbacpolicy.ActionUpdate) {
 		action = fmt.Sprintf("%s/%s/%s/%s/%s", action, q.GetGroup(), q.GetKind(), q.GetNamespace(), q.GetResourceName())
 	}
 	a, _, err := s.getApplicationEnforceRBACInformer(ctx, action, q.GetProject(), q.GetAppNamespace(), q.GetName())
-	if !enableV3 && err != nil && errors.Is(err, permissionDeniedErr) && (action == rbacpolicy.ActionDelete || action == rbacpolicy.ActionUpdate) {
+	if fineGrainedInheritanceDisabled && err != nil && errors.Is(err, permissionDeniedErr) && (action == rbacpolicy.ActionDelete || action == rbacpolicy.ActionUpdate) {
 		action = fmt.Sprintf("%s/%s/%s/%s/%s", action, q.GetGroup(), q.GetKind(), q.GetNamespace(), q.GetResourceName())
 		a, _, err = s.getApplicationEnforceRBACInformer(ctx, action, q.GetProject(), q.GetAppNamespace(), q.GetName())
 	}

diff --git a/server/application/application_test.go b/server/application/application_test.go
@@ -1637,7 +1637,7 @@ func TestDeleteResourcesRBAC(t *testing.T) {
 		_ = enf.SetBuiltinPolicy(assets.BuiltinPolicyCSV)
 		enf.SetDefaultRole("role:admin")
 	}
-	argoCM := map[string]string{"server.rbac.enablev3": "true"}
+	argoCM := map[string]string{"server.rbac.disableApplicationFineGrainedRBACInheritance": "false"}
 	appServer := newTestAppServerWithEnforcerConfigure(t, f, argoCM, testApp)
 	appServer.enf.SetDefaultRole("")
 
@@ -1768,7 +1768,7 @@ func TestPatchResourcesRBAC(t *testing.T) {
 		_ = enf.SetBuiltinPolicy(assets.BuiltinPolicyCSV)
 		enf.SetDefaultRole("role:admin")
 	}
-	argoCM := map[string]string{"server.rbac.enablev3": "true"}
+	argoCM := map[string]string{"server.rbac.disableApplicationFineGrainedRBACInheritance": "false"}
 	appServer := newTestAppServerWithEnforcerConfigure(t, f, argoCM, testApp)
 	appServer.enf.SetDefaultRole("")
 
@@ -2051,7 +2051,7 @@ func TestUpdateApplicationRBAC(t *testing.T) {
 		_ = enf.SetBuiltinPolicy(assets.BuiltinPolicyCSV)
 		enf.SetDefaultRole("role:admin")
 	}
-	argoCM := map[string]string{"server.rbac.enablev3": "true"}
+	argoCM := map[string]string{"server.rbac.disableApplicationFineGrainedRBACInheritance": "false"}
 	appServer := newTestAppServerWithEnforcerConfigure(t, f, argoCM, testApp)
 	appServer.enf.SetDefaultRole("")
 	testApp.Spec.Project = ""

diff --git a/util/settings/settings.go b/util/settings/settings.go
@@ -511,8 +511,8 @@ const (
 	inClusterEnabledKey = "cluster.inClusterEnabled"
 	// settingsServerRBACLogEnforceEnable is the key to configure whether logs RBAC enforcement is enabled
 	settingsServerRBACLogEnforceEnableKey = "server.rbac.log.enforce.enable"
-	// settingsServerRBACEnableV3Key is the key to configure V3 RBAC enforcement
-	settingsServerRBACEnableV3Key = "server.rbac.enablev3"
+	// settingsServerRBACEDisableFineGrainedInheritance is the key to configure find-grained RBAC inheritance
+	settingsServerRBACDisableFineGrainedInheritance = "server.rbac.disableApplicationFineGrainedRBACInheritance"
 	// MaxPodLogsToRender the maximum number of pod logs to render
 	settingsMaxPodLogsToRender = "server.maxPodLogsToRender"
 	// helmValuesFileSchemesKey is the key to configure the list of supported helm values file schemas
@@ -861,17 +861,17 @@ func (mgr *SettingsManager) GetServerRBACLogEnforceEnable() (bool, error) {
 	return strconv.ParseBool(argoCDCM.Data[settingsServerRBACLogEnforceEnableKey])
 }
 
-func (mgr *SettingsManager) GetServerRBACEnableV3() (bool, error) {
+func (mgr *SettingsManager) ApplicationFineGrainedRBACInheritanceDisabled() (bool, error) {
 	argoCDCM, err := mgr.getConfigMap()
 	if err != nil {
 		return false, err
 	}
 
-	if argoCDCM.Data[settingsServerRBACEnableV3Key] == "" {
-		return false, nil
+	if argoCDCM.Data[settingsServerRBACDisableFineGrainedInheritance] == "" {
+		return true, nil
 	}
 
-	return strconv.ParseBool(argoCDCM.Data[settingsServerRBACEnableV3Key])
+	return strconv.ParseBool(argoCDCM.Data[settingsServerRBACDisableFineGrainedInheritance])
 }
 
 func (mgr *SettingsManager) GetMaxPodLogsToRender() (int64, error) {