feat: disambiguate local users from SSO users in RBAC with strict mode #28233

christianh814 wants to merge 5 commits into
…entiate between local users and SSO users Signed-off-by: Christian Hernandez <christian@chernand.io>
Codecov Report: ✅ All modified and coverable lines are covered by tests.

```
@@ Coverage Diff @@
## master #28233 +/- ##
=========================================
Coverage ? 64.77%
=========================================
Files ? 424
Lines ? 58728
Branches ? 0
=========================================
Hits ? 38040
Misses ? 17154
Partials ? 3534
```
| <h4>Update account password</h4> | ||
| <Form | ||
| onSubmit={(params: PasswordFormData) => changePassword(userInfo.username, params.currentPassword, params.newPassword)} | ||
| onSubmit={(params: PasswordFormData) => changePassword('', params.currentPassword, params.newPassword)} |
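Review bot: the hardcoded empty string in the new `onSubmit` handler is intentional but reads like a bug at the call site; add a one-line comment next to `changePassword('', ...)` stating that the backend resolves the account from the authenticated token and that `userInfo.username` can no longer be used because strict mode renders it with an `@local` suffix that does not name the real account. That keeps the next reader from asking the same question raised in this thread.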
I'm not a UI expert but is this change correct?
The panel only renders for the logged-in local user (iss === 'argocd'), so this is always a self-service password change.
Passing an empty name tells the backend's UpdatePassword to resolve the account from the authenticated token instead of a client-supplied name. This is needed because the new strict mode now displays userInfo.username as sally@local (for example), which would no longer match the real account name (e.g. sally) and would break the update.
Empty name is correct in both strict and non-strict modes.
Fixes #26795
Adds an opt-in feature flag that disambiguates local accounts from SSO users during RBAC enforcement, resolving the ambiguous group assignment problem described HERE.

When `rbac.local.user.strictmode: "true"` is set in the `argocd-cm` ConfigMap, Argo CD appends an `@local` suffix to local account names during RBAC enforcement only. This prevents an SSO user whose scope happens to match a local user's name from inheriting that local user's roles.

Behavior summary:

- `g, sally@local, role:developer`
- `sally` (CLI/UI); the `@local` suffix only affects RBAC matching.
- `@local` identity when strict mode is on, so operators know which subject to reference.
- `role:admin` for both `admin` and `admin@local`, preserving default admin access.

TL;DR
When you create a local user like this with this setting:
You have to do this for RBAC now:
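The matching rule the PR body describes, as an added illustration that is not Argo CD's code or the PR's own diff: a local account is rewritten to `<name>@local` for policy matching only when strict mode is on, so an SSO identity whose group claim equals a local user's name can no longer pick up that user's bindings. The `Subject`, `Binding`, `parsePolicy`, `rbacNames` and `rolesFor` names, the policy strings and the SSO issuer URL are all constructed for this example; the `@local` suffix, the `g, sally@local, role:developer` line and the `admin`/`admin@local` admin bindings come from the PR description.

```go
package main

import (
	"fmt"
	"strings"
)

// Subject is an authenticated identity as the RBAC enforcer sees it. Issuer
// "argocd" marks a local account (the same iss === 'argocd' check the PR uses
// in the UI); any other issuer is an SSO identity. Groups holds the group or
// scope claims carried by the token. Types and names are constructed for
// this example and are not Argo CD's own.
type Subject struct {
	Name   string
	Issuer string
	Groups []string
}

// Binding is one "g, <subject>, <role>" policy line.
type Binding struct {
	Subject string
	Role    string
}

// parsePolicy parses the group-binding lines of an RBAC policy. Blank lines
// and "#" comments are skipped; any other line that is not a three-field "g"
// line is an error, so a malformed policy fails loudly instead of silently
// granting or dropping access.
func parsePolicy(policy string) ([]Binding, error) {
	var out []Binding
	for i, raw := range strings.Split(policy, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ",")
		if len(f) != 3 || strings.TrimSpace(f[0]) != "g" {
			return nil, fmt.Errorf("line %d: expected \"g, <subject>, <role>\", got %q", i+1, line)
		}
		out = append(out, Binding{Subject: strings.TrimSpace(f[1]), Role: strings.TrimSpace(f[2])})
	}
	return out, nil
}

// rbacNames returns the names compared against policy subjects. In strict
// mode a local account is rewritten to "<name>@local" for matching only; the
// name the user logs in with is unchanged. SSO identities keep their name
// and group claims, so they can never equal a "@local" subject.
func rbacNames(s Subject, strict bool) []string {
	name := s.Name
	if strict && s.Issuer == "argocd" {
		name += "@local"
	}
	return append([]string{name}, s.Groups...)
}

// rolesFor returns every role the subject obtains from the bindings under
// the given strict-mode setting.
func rolesFor(bindings []Binding, s Subject, strict bool) []string {
	var roles []string
	for _, n := range rbacNames(s, strict) {
		for _, b := range bindings {
			if b.Subject == n {
				roles = append(roles, b.Role)
			}
		}
	}
	return roles
}

func main() {
	// Constructed policies: the pre-strict binding and its strict-mode
	// replacement, each with the admin bindings the PR describes.
	legacy, _ := parsePolicy("g, sally, role:developer\ng, admin, role:admin")
	strict, _ := parsePolicy("g, sally@local, role:developer\ng, admin, role:admin\ng, admin@local, role:admin")

	local := Subject{Name: "sally", Issuer: "argocd"}
	// Constructed SSO user whose group claim collides with the local name.
	sso := Subject{Name: "sally@corp.example", Issuer: "https://sso.example/", Groups: []string{"sally"}}

	fmt.Println("strict off, legacy policy:")
	fmt.Println("  local sally ->", rolesFor(legacy, local, false)) // [role:developer]
	fmt.Println("  SSO user    ->", rolesFor(legacy, sso, false))   // [role:developer]  <- inherited by collision
	fmt.Println("strict on, updated policy:")
	fmt.Println("  local sally ->", rolesFor(strict, local, true)) // [role:developer]
	fmt.Println("  SSO user    ->", rolesFor(strict, sso, true))   // []
	fmt.Println("strict on, policy not updated:")
	fmt.Println("  local sally ->", rolesFor(legacy, local, true)) // []  <- no match until the policy names sally@local
}
```

The last case is the migration point behind the PR's "you have to do this for RBAC now": turning strict mode on without rewriting `g, sally, ...` to `g, sally@local, ...` leaves the local user with no bindings, while `admin` keeps `role:admin` in either mode because both `admin` and `admin@local` are bound.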