I have argocd installed (version v2.14.2+ad27246) in a k3s cluster. This is my argocd-rbac-cm:
data:
  policy.csv: |+
    p, [email protected], applications, *, my-project/*, allow
    p, [email protected], projects, get, *, allow
    p, [email protected], repositories, get, *, allow
    p, [email protected], clusters, get, *, allow
    p, [email protected], logs, get, my-project/*, allow
    p, [email protected], exec, create, my-project/*, allow
This is my argocd-cm config:
data:
  dex.config: |
    connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: ldap.xxx.internal:389
        insecureNoSSL: true # Set to false if using TLS
        startTLS: false # Set to true if using StartTLS
        bindDN: "" # Empty for direct user authentication
        usernamePrompt: "LDAP Username"
        userSearch:
          baseDN: dc=xxx,dc=internal
          filter: ""
          username: userPrincipalName
          idAttr: userPrincipalName
          emailAttr: userPrincipalName
          nameAttr: displayName
          preferredUsernameAttr: userPrincipalName
        groupSearch:
          baseDN: dc=xxx,dc=internal
          filter: ""
          userAttr: dn
          groupAttr: member
          nameAttr: cn
  server.rbac.log.enforce.enable: 'true'
  url: https://localhost:8585
When I log in I get the following in the Dex logs:
level=INFO msg="login successful" connector_id=ldap username="Viktor Eriksson /EXT /xxx" [email protected] [email protected] groups="[<the groups i'm part of>]" request_id=21397de2-fb0a-48d8-a486-cb6c854e7eec
And in argocd-server logs I get:
/project.ProjectService/List" grpc.method=List grpc.request.claims="{"at_hash":"iW6mbRByVYqVf-LF3Yxf5g","aud":"argo-cd","c_hash":"YL0tjnX3RdXhPlj4lagcSQ","email":"[email protected]","email_verified":true,"exp":1741173322,"iat":1741086922,"iss":"https://localhost:8585/api/dex","name":"Viktor Eriksson /EXT /xxx","preferred_username":"[email protected]","sub":"Ch9WaWt0b3IuRXJpa3Nzb25AZXh0LmJvbGlkZW4uY29tEgRsZGFw"}" grpc.request.content= grpc.service=project.ProjectService grpc.start_time="2025-03-04T11:17:08Z" span.kind=server system=grpc
But the policies don't work. I'm supposed to see the project "my-project" but I can't see it.
BUT!
If I use the "sub" part that can be seen in the claims response above, like this:
data:
  policy.csv: |+
    p, Ch9WaWt0b3IuRXJpa3Nzb25AZXh0LmJvbGlkZW4uY29tEgRsZGFw, applications, *, my-project/*, allow
    p, Ch9WaWt0b3IuRXJpa3Nzb25AZXh0LmJvbGlkZW4uY29tEgRsZGFw, projects, get, *, allow
    p, Ch9WaWt0b3IuRXJpa3Nzb25AZXh0LmJvbGlkZW4uY29tEgRsZGFw, repositories, get, *, allow
    p, Ch9WaWt0b3IuRXJpa3Nzb25AZXh0LmJvbGlkZW4uY29tEgRsZGFw, clusters, get, *, allow
    p, Ch9WaWt0b3IuRXJpa3Nzb25AZXh0LmJvbGlkZW4uY29tEgRsZGFw, logs, get, my-project/*, allow
    p, Ch9WaWt0b3IuRXJpa3Nzb25AZXh0LmJvbGlkZW4uY29tEgRsZGFw, exec, create, my-project/*, allow
It works!
Why is sub used? How can I make it use the username or idAttr or email?
asked Mar 4 at 11:25 by Viktor Eriksson; edited Mar 4 at 21:28 by Gaël J
sub is the "claim" for this purpose in OAuth/OIDC. Sounds strange that it is a base64 encoded version of your email but I guess this is how DEX handles it. Not sure how to make it work with ArgoCD RBAC then
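An added example to illustrate the two points the question turns on; it is my own code, not from the question, from Dex or from Argo CD. First, a Dex `sub` is not an opaque identifier: Dex builds it as base64url (no padding) of a small protobuf message whose field 1 is the connector's user ID (here the `idAttr`, i.e. the userPrincipalName) and field 2 is the connector `id` (`ldap`), which is why it looks like a base64 form of the email. Second, Argo CD's enforcer compares the subject column of `policy.csv` against the `sub` claim and, in addition, against every claim named in the `scopes` key of `argocd-rbac-cm` (default `'[groups]'`); with the default, rows keyed on the email never match, and adding `scopes: '[groups, email]'` makes them match. The `rbac_subjects` and `policy_allows` functions below are a simplified model of that rule (fnmatch stands in for Argo CD's glob matcher and the first matching row wins), and all sample values (`jane.doe@example.com`, the group DN, the policy rows) are constructed.

```python
"""Decode a Dex `sub` claim and model which token claims Argo CD's RBAC
enforcer compares against the subject column of policy.csv.
Added example; not code from the question, Dex or Argo CD."""
import base64
import fnmatch


def _varint(n: int) -> bytes:
    """Protobuf varint encoding of a non-negative integer."""
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def encode_dex_sub(user_id: str, conn_id: str) -> str:
    """Build a `sub` the way Dex does: base64url (no padding) of a protobuf
    message with field 1 = user_id and field 2 = conn_id."""
    payload = b""
    for field_no, value in ((1, user_id), (2, conn_id)):
        data = value.encode("utf-8")
        payload += bytes([(field_no << 3) | 2]) + _varint(len(data)) + data
    return base64.urlsafe_b64encode(payload).decode("ascii").rstrip("=")


def decode_dex_sub(sub: str) -> dict:
    """Inverse of encode_dex_sub: recover user_id and conn_id from `sub`.
    This shows why the sub is not opaque: anyone holding the token can read
    the directory identifier and the connector id out of it."""
    raw = base64.urlsafe_b64decode(sub + "=" * (-len(sub) % 4))
    fields, i = {}, 0
    while i < len(raw):
        tag, i = raw[i], i + 1
        field_no, wire_type = tag >> 3, tag & 0x7
        if wire_type != 2:  # only length-delimited strings are expected
            raise ValueError(f"unexpected wire type {wire_type} in sub")
        length = shift = 0
        while True:  # length prefix is a varint
            b, i = raw[i], i + 1
            length |= (b & 0x7F) << shift
            shift += 7
            if not b & 0x80:
                break
        fields[field_no] = raw[i:i + length].decode("utf-8")
        i += length
    return {"user_id": fields.get(1), "conn_id": fields.get(2)}


def rbac_subjects(claims: dict, scopes: list) -> set:
    """Simplified model of the enforcer: the `sub` claim is always tried,
    plus every claim named in the `scopes` key of argocd-rbac-cm
    (default '[groups]'). String and list-of-string claims are accepted."""
    subjects = set()
    if isinstance(claims.get("sub"), str):
        subjects.add(claims["sub"])
    for scope in scopes:
        value = claims.get(scope)
        if isinstance(value, str):
            subjects.add(value)
        elif isinstance(value, list):
            subjects.update(v for v in value if isinstance(v, str))
    return subjects


def policy_allows(policy_csv: str, claims: dict, scopes: list,
                  resource: str, action: str, obj: str) -> bool:
    """Evaluate `p, subject, resource, action, object, effect` rows with
    glob matching; the first row whose subject is one of the token's
    candidate subjects and whose globs match decides the outcome."""
    subjects = rbac_subjects(claims, scopes)
    for line in policy_csv.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 6 or parts[0] != "p":
            continue  # skip blank lines, comments and `g` rows
        _, subj, res, act, o, effect = parts
        if (subj in subjects and fnmatch.fnmatchcase(resource, res)
                and fnmatch.fnmatchcase(action, act)
                and fnmatch.fnmatchcase(obj, o)):
            return effect == "allow"
    return False


# Constructed sample values (not the question's real identifiers).
SAMPLE_CLAIMS = {
    "sub": encode_dex_sub("jane.doe@example.com", "ldap"),
    "email": "jane.doe@example.com",
    "preferred_username": "jane.doe@example.com",
    "groups": ["cn=devs,dc=example,dc=com"],
}
SAMPLE_POLICY = """\
p, jane.doe@example.com, projects, get, *, allow
p, jane.doe@example.com, applications, *, my-project/*, allow
"""

if __name__ == "__main__":
    print(decode_dex_sub(SAMPLE_CLAIMS["sub"]))
    # Default scopes: only sub and groups are tried, so email rows never match.
    print(policy_allows(SAMPLE_POLICY, SAMPLE_CLAIMS, ["groups"],
                        "projects", "get", "my-project"))
    # With `scopes: '[groups, email]'` in argocd-rbac-cm the same rows match.
    print(policy_allows(SAMPLE_POLICY, SAMPLE_CLAIMS, ["groups", "email"],
                        "projects", "get", "my-project"))
```

Two practical consequences follow from the model. Keying policy rows on the raw `sub` ties them to the connector `id`: renaming the connector changes every user's `sub` and silently revokes their access. Keying them on `email` (after enabling it in `scopes`) only holds if that attribute is unique in the directory and not writable by the users themselves, since whoever controls the attribute controls the RBAC match.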