Support glob or regex matchers for subject in RBAC config #21321

Open
shmargum opened this issue Dec 27, 2024 · 0 comments
Labels
component:rbac Issues related to Openshift and Racher enhancement New feature or request

Comments

@shmargum

shmargum commented Dec 27, 2024

Summary

Proposing that the subject matcher should support regex and glob matchers.

Motivation

With Dex supporting token exchange, we can now use OIDC tokens from GitHub Actions to authenticate to ArgoCD via Dex.
While this technically already works, there are a number of limitations preventing some ideal workflows.
As an example, if a GitHub repository has customized the OIDC claims to include additional information such as the workflow_ref or job_workflow_ref, the sub claim may become non-deterministic; for example, it might include the pull request number.
In order to allow pull requests to run something like argocd app diff with a GitHub-issued OIDC token that includes the pull request number ...@refs/pull/1234/merge, we would need to allow glob/regex matchers here.
This would have similar behavior to the wildcard example here.

Proposal

  1. Using a plain-text id would be helpful as opposed to the base64url-encoded sub.

  2. Simply add the glob or regex matcher to the subjects.

    • m = g(r.sub, p.sub) && globOrRegexMatch(r.res, p.res) && globOrRegexMatch(r.act, p.act) && globOrRegexMatch(r.obj, p.obj)
@shmargum shmargum added the enhancement New feature or request label Dec 27, 2024
@andrii-korotkov-verkada andrii-korotkov-verkada added the component:rbac Issues related to Openshift and Racher label Dec 29, 2024
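Added example, not code from the issue or from Argo CD itself: a stand-alone Go sketch of the proposed matcher line, applying glob-or-regex matching to the subject as well as to resource, action and object. It assumes a /.../ spelling for regex patterns and a simplified glob ('*' spans any run of characters, '/' included); the subject values used with it are constructed, not real token claims.

```go
package main

import "regexp"
import "strings"

// Policy is one RBAC line (p, sub, res, act, obj, effect); Request is the tuple being checked.
type Policy struct{ Sub, Res, Act, Obj, Effect string }
type Request struct{ Sub, Res, Act, Obj string }

// globOrRegexMatch: a pattern written /.../ is a regex (assumed convention), anything
// else a glob whose '*' spans any run of characters, '/' included. Both forms are
// anchored, so a pattern never matches a mere substring of the subject, and a regex
// that does not compile is an error rather than a match.
func globOrRegexMatch(value, pattern string) (bool, error) {
	if len(pattern) >= 2 && strings.HasPrefix(pattern, "/") && strings.HasSuffix(pattern, "/") {
		re, err := regexp.Compile("^(?:" + pattern[1:len(pattern)-1] + ")$")
		if err != nil {
			return false, err
		}
		return re.MatchString(value), nil
	}
	parts := strings.Split(pattern, "*")
	for i := range parts {
		parts[i] = regexp.QuoteMeta(parts[i])
	}
	re := regexp.MustCompile("^" + strings.Join(parts, ".*") + "$")
	return re.MatchString(value), nil
}

// Authorize applies the proposed matcher line, glob/regex on the subject as well as
// resource, action and object, and returns the effect of the first policy that
// matches; no match, or a malformed pattern anywhere on the way, yields "deny".
func Authorize(r Request, policies []Policy) string {
	for _, p := range policies {
		matched := true
		for _, pair := range [][2]string{{r.Sub, p.Sub}, {r.Res, p.Res}, {r.Act, p.Act}, {r.Obj, p.Obj}} {
			ok, err := globOrRegexMatch(pair[0], pair[1])
			if err != nil {
				return "deny" // fail closed on a bad pattern
			}
			matched = matched && ok
		}
		if matched {
			return p.Effect
		}
	}
	return "deny"
}
```

The anchoring matters for the subject field: a pull-request pattern should pin the organisation and repository as well as the refs/pull/<n>/merge suffix, otherwise any token whose sub merely contains that suffix would be accepted.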