Is your feature request related to a problem? Please describe.
I created custom rules and configured the SSO with Google. The better field to match on is email, but model.conf uses the field sub. The sub in the authentication is a hash, so it is not clear who the user is when I edit the RBAC.
Describe the solution you'd like
In the match use the field r.email and p.email:
```
[matchers]
m = g(r.sub, p.sub,r.email,p.email) && keyMatch(r.res, p.res) && keyMatch(r.act, p.act) && keyMatch(r.obj, p.obj)
```
Describe alternatives you've considered
When using SSO we need a field that represents a user better than the hash of the account. Maybe enabling a customized configuration of model.conf is a good idea.
Additional context
```
time="2019-04-11T19:30:02Z" level=info msg="received unary call /project.ProjectService/Create" grpc.method=Create grpc.request.claims="{\"at_hash\":\"xxxxxxxxxxxxxx\",\"aud\":\"argo-cd\",\"email\":\"[email protected]\",\"email_verified\":true,\"exp\":111111111,\"iat\":111111111,\"iss\":\"http://argocd.example.com/api/dex\",\"name\":\"João Jose\",\"sub\":\"ChUxxxxxxxxxx\"}" grpc.request.content="%!v(PANIC=reflect.Value.Bytes of non-byte slice)" grpc.service=project.ProjectService grpc.start_time="2019-04-11T19:30:02Z" span.kind=server system=grpc
```
subject needs to remain for the admin case and the project role case. But emails make sense for these type of providers that have no group concept.
The reason why it wasn't added already was because email_verified and email gave me pause about the right way to do this security wise. e.g. I presume email should not be checked unless email_verified is true.
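An added example (not Argo CD's code) that models the two points in this comment: the token's `sub` always remains an RBAC subject, and an `email` claim only becomes one when `email_verified` is true, after which a `policy.csv` in the thread's `g`/`p` format is evaluated. Claims and policy are constructed; `keyMatch` is approximated with glob matching, and deny-overrides semantics are assumed.

```python
import csv
import fnmatch

# Constructed claims shaped like the Dex ID-token claims in the issue's log line;
# values are placeholders, only the field names come from the thread.
CLAIMS = {"aud": "argo-cd", "email": "jane@example.com", "email_verified": True,
          "iss": "http://argocd.example.com/api/dex", "sub": "ChUxxxxxxxxxx"}

# Constructed policy.csv using the g/p line format seen in the thread.
POLICY_CSV = """\
g, jane@example.com, role:admin
g, ChUxxxxxxxxxx, role:readonly
p, role:admin, applications, *, */*, allow
p, role:readonly, applications, get, */*, allow
"""

def rbac_subjects(claims, scopes):
    """Identities the token may be matched on: 'sub' always (admin and project-role
    cases); the 'email' scope only when the IdP asserts email_verified."""
    subjects = [claims["sub"]]
    for scope in scopes:
        if scope == "email" and claims.get("email_verified") is not True:
            continue  # unverified address must not pick up another user's binding
        value = claims.get(scope)
        if isinstance(value, list):            # e.g. a groups claim
            subjects.extend(str(v) for v in value)
        elif isinstance(value, str) and value:
            subjects.append(value)
    return subjects

def load_policy(text):
    """Split policy.csv into role bindings (g lines) and permissions (p lines)."""
    roles, perms = {}, []
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        if row and row[0] == "g":
            roles.setdefault(row[1], set()).add(row[2])
        elif row and row[0] == "p":
            perms.append(tuple(row[1:]))   # role, resource, action, object, effect
    return roles, perms

def is_allowed(subjects, resource, action, obj, policy):
    """Glob matching stands in for keyMatch; a matching deny overrides any allow."""
    roles, perms = policy
    held = {r for s in subjects for r in roles.get(s, ())}
    effects = {eff for role, res, act, pat, eff in perms if role in held
               and fnmatch.fnmatchcase(resource, res)
               and fnmatch.fnmatchcase(action, act)
               and fnmatch.fnmatchcase(obj, pat)}
    return "allow" in effects and "deny" not in effects
```

With `email_verified` false the same token only resolves to its `sub`, so it keeps the read-only binding but loses the admin one bound to the email.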
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This should now be possible with the new scopes configuration in argocd-rbac-cm.yaml:
https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-rbac-cm.yaml#L26
> This should now be possible with the new scopes configuration in argocd-rbac-cm.yaml:
> https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-rbac-cm.yaml#L26

May I know the lines? It is not working.
> > This should now be possible with the new scopes configuration in argocd-rbac-cm.yaml:
> > https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-rbac-cm.yaml#L26
>
> May I know the lines? It is not working.
```
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.csv: |
    g, [email protected], role:admin
  policy.default: role:readonly
  scopes: '[email]'
```
@MihaiAnei How can we map multiple emails to the role? The below is working, but it gets too long if we add many users:

```
policy.csv: |
  g, [email protected], role:admin
  g, [email protected], role:admin
```
I am not sure but I don't think it is possible. I am not having that many users and I use a script to generate argocd-rbac-cm :)