-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
UI: Add namespace
input box to UserInfo
page for SSO RBAC NS delegation
#12041
Comments
i also would love to have the UserInfo and ns correct in UI |
To be clear, this only impacts those using SSO RBAC Namespace Delegation and the current SA is not incorrect, it just shows the assigned cluster scope SA instead of any one NS SA |
this should be a namespace drop-down that pulls in namespaces by scanning rolebindings the user is assigned to or using SubjectAccessReview for the same behavior so the user sees the namespaces they are part of. This would be a better user experience then a blank input box. |
It would be, but this is a bit easier said than done. There's actually a separate feature request for that: #9140
The problem is that you don't know ahead of time what namespaces the user has access to. |
I'm looking into this, and I'm having trouble with the "Only show this input box if SSO RBAC Namespace delegation is enabled" requirement. Unless I'm missing something, the UI currently has no way of knowing when SSO or RBAC namespace delegation (which is controlled by the That works, but do we really want to want to update that API solely to support this requirement? It'd be simpler to always show the input box. |
Nice analysis! Yes, you're correct that it would have to be added to the I've also tried to avoid updating that API, especially as there can be security ramifications to exposing more configuration. Instead I've tried to infer the configuration where possible. In this case, I don't think you can infer it before displaying the input, as the installation namespace will always have some SA. As such, I think it's fine to have the namespace there for now and for an MVP, and we can reevaluate the Worth noting that I wrote this issue up almost a year ago, so my knowledge of the codebase was certainly more incomplete back then 😅 |
When using [SSO RBAC Namespace Delegation](https://argo-workflows.readthedocs.io/en/latest/argo-server-sso/#sso-rbac-namespace-delegation), there's currently no way of seeing which service account maps to the user in a given namespace. The backend for the `/api/v1/userinfo` endpoint already supports a query parameter called `?namespace` that it will use to look up service account details, though this isn't documented. This documents the existing `?namespace` query parameter, adds a namespace inbox filter on the top of the page, and updates the `UserInfo` page to pass it when calling `/api/v1/userinfo`. The only thing I wasn't quite sure about is error handling: if someone enter an invalid namespace, then `/api/v1/userinfo` will ignore it and silently fall back to the installation namespace, which could cause confusion. Ideally, the UI would detect that and show an informative error message, but that'd require non-trivial API changes. Testing procedure: 1. Created the following manifest and ran `kubectl apply -f` on it: ```yaml apiVersion: v1 kind: Namespace metadata: name: delegation-test --- apiVersion: v1 kind: ServiceAccount metadata: name: delegated-sa namespace: delegation-test annotations: workflows.argoproj.io/rbac-rule: "true" workflows.argoproj.io/rbac-rule-precedence: "2" --- apiVersion: v1 kind: Secret metadata: name: delegated-sa.service-account-token namespace: delegation-test annotations: kubernetes.io/service-account.name: delegated-sa type: kubernetes.io/service-account-token data: ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkekNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdGMyVnkKZG1WeUxXTmhRREUzTWpFM05qazBPVFF3SGhjTk1qUXdOekl6TWpFeE9ERTBXaGNOTXpRd056SXhNakV4T0RFMApXakFqTVNFd0h3WURWUVFEREJock0zTXRjMlZ5ZG1WeUxXTmhRREUzTWpFM05qazBPVFF3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFTWnAyeVNTekR5OFR6VjJHWG1naUdWaW5Qb0VkREZrdCtSeGpkbE5zMjAKamc1bk9iUEhLMTYybDdObHR5dGxpb0RxTHIwQXNwSGNPVWlvUTlrcElnNVdvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVWZlYUhaTnpOeG9kd0w0YXNHdDhSCjBrZDJ6K0V3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUlnRGdWZjJBMGZESkN1S3lLblI3RTVBay9KTDlWek1KQzIKZ2dKbmJFbjFrNm9DSVFDZldtL1FWbkxVVG5Bb0RMSCtFNzN6UW0wdXVOVEhzemxXVFhYM2hjWkFaUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K namespace: ZGVsZWdhdGlvbi10ZXN0Cg== token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklreHlhVWhQV0RSdlYwOUhhSFZsVFdOWWJqQTVhV1p1VUcxRFh6aFNlVkZUVG5kVGVWTjNTVEZPZDJjaWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUpoY21kdklpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WldOeVpYUXVibUZ0WlNJNkltRnlaMjh0YzJWeWRtVnlMbk5sY25acFkyVXRZV05qYjNWdWRDMTBiMnRsYmlJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZ5ZG1salpTMWhZMk52ZFc1MExtNWhiV1VpT2lKaGNtZHZMWE5sY25abGNpSXNJbXQxWW1WeWJtVjBaWE11YVc4dmMyVnlkbWxqWldGalkyOTFiblF2YzJWeWRtbGpaUzFoWTJOdmRXNTBMblZwWkNJNklqSmtOV1F3TVRjMkxUQmpPRGN0TkRVMlpTMWlOR05tTFdFMlpEUmlaRGhsTURJelpTSXNJbk4xWWlJNkluTjVjM1JsYlRwelpYSjJhV05sWVdOamIzVnVkRHBoY21kdk9tRnlaMjh0YzJWeWRtVnlJbjAuYXZZVVZNZUtpTnZKYWdkU1U0bElYQ1RjdEFqSUE4V0FCVC01MEh1SFRRTVFrNUNKSFY1NFVTOW9hZlIwS085TldLcE5aVVlCU0hIaWJIWXRXRDdVVUVRRnk2bEFidzRUU3lwb2lBN2dST3N3X1dXSXpkS3BYVG5CM1UzSVVVeEdaQW56ZlBKNlZRdXhGQUZIQ205b1lTZXl1eDE4MkNNdnphUEhEdjd0N0V3TTRCSHFOU1dCMFc2aG95ZFJzeWdBV0xoWFhjSnNZZDdTTzBNRUlBWTViWmNHajF0eXQ1NUV1T1N2SDdqdUJES2JianhYMFlKUkp5dl9tbzdHNl9EemtHN3NMQ2NsUGZOMXYyZnJkZ2cxdjVEZHZBNmhVeXhsRjZhUzdublM5X1BfbW42UlctUk9TUWI3YkpTNVFmNzdVNG01QUFYUGttRWhnM2htVXcwdjJB ``` I thought about creating a new profile under `test/e2e/manifests/sso-delegated` that could be used to test this via `make start PROFILE=sso-delegated`, but I don't know if that's worth it. 2. Run `make start UI=true PROFILE=sso SSO_DELEGATE_RBAC_TO_NAMESPACE=true NAMESPACED=false` 3. Visit http://localhost:8080/ 4. Click "Login" 5. Click "Log in with Example" 6. Click "Grant Access" 7. Click the icon for the `UserInfo` page on the left navigation bar 8. Verify namespace input is populated with the installation namespace Also, I verified the Signed-off-by: Mason Malone <mmalone@adobe.com>
Summary
Add an input box to the
UserInfo
page where a user can type in a namespace. It would default to the Argo installation namespace, as it currently does today.Use Cases
Right now, when using SSO RBAC with Namespace delegation, there's no way to see in the UI what SA will map to your user in a specific namespace.
You have to try a request in that namespace and then check the Server logs. Users who don't have access to the Server logs have no way to debug or even see what SA they got assigned in an NS.
Moreover, as the
UserInfo
page only shows you the default SA in the Argo installation namespace (see also #10968), that can be very confusing to a user who only has access to a specific namespace; they will effectively never be able to see their permissions for that namespace.This popped up over Slack today with a user, but I was similarly confused by this when I was first setting up SSO RBAC namespace delegation (see also #10968).
Implementation Details
Server-side Details
This does require a new query parameter to be able to be passed to the backend in
/api/v1/userinfo
, i.e.?namespace=my-namespace
.In
server/auth/gatekeeper.go
, this line in therbacAuthorization
function gets the namespace via thegetNamespace
function. That function merely takes a request as an argument, so we just have to make sure the request is properly formatted as it expects.I'm not entirely sure how it does the conversion from gRPC to Go struct, as this is one of the places where almost everything is auto-generated that keeps confusing me (and other contributors). IIRC the source of truth here is
info.proto
, but I'm not entirely sure how to ensure that adding anamespace
property there corresponds toGetNamespace()
returning that property specifically.UI Details
I think an input box for
Namespace
at the top of the page would suffice. Default to the Argo installation namespace as mentioned above. Should use the same input box and behavior as theNamespace
input on the Workflows List page.Only show this input box if SSO RBAC Namespace delegation is enabled.
Message from the maintainers:
Love this enhancement proposal? Give it a 👍. We prioritise the proposals with the most 👍.
The text was updated successfully, but these errors were encountered: