Filtering groups (filterGroupsRegex) and RBAC

[gauravluckme]

Hi - We've configured SSO and trying to restrict access using Filtering groups (filterGroupsRegex). However it's not working as expected, is it we need to always enable RBAC to use it or we are missing some configuration?

[agilgur5]

Looking at the code of #11774, specifically this block:

argo-workflows/server/auth/sso/sso.go

Line 300 in bf7760a

if len(s.filterGroupsRegex) > 0 {

it doesn't seem like it should be RBAC specific.

I would double-check that your Argo version is compatible.
You didn't provide any config or any other information so it's pretty hard to help otherwise.

[gauravluckme]

We're using Argo Workflows version - v3.5.7 (helm version 0.41.7)

The below configuration are configured (we fetch the groups from customGroupClaimName):

sso:
      issuer: https://example.com/oauth/token
      clientId:
        name: example-sso-secret
        key: sso.clientId
      clientSecret:
        name: example-sso-secret
        key: sso.clientSecret
      redirectUrl: ""
      rbac:
        enabled: false
      scopes:
        - openid
        - profile
        - email
        - roles
      customGroupClaimName: roles
      filterGroupsRegex:
        - ^GR_example-group.*

[agilgur5]

Hmm, v3.5 definitely supports it and I don't see anything off in your config from a glance (I assume the redirectUrl is redacted). Anything in your Server logs?

Do you have SSO enabled on your Server container (--auth-mode=sso)? In the Helm Chart you also need server.sso.enabled: true, do you have that set?

Are you sure it only works when you set sso.rbac.enabled? Can you reproduce that? How have you validated that it works or doesn't?

[gauravluckme]

Yes, SSO enabled on your Server container. Also it's also enabled in the configmap.

We've given a group in the filterGroupsRegex, and the users who are not part of that group are still able to access the server. Also users who are part of the group they get to know the group in the userinfo, however for the others that information is missing.

[agilgur5]

Also users who are part of the group they get to know the group in the userinfo, however for the others that information is missing.

That would mean it's working as intended. Only the filtered group is showing up and is stored in the cookie.

We've given a group in the filterGroupsRegex, and the users who are not part of that group are still able to access the server.

I think you've misunderstood the purpose of the filter. It does not control permissions, that is what RBAC is for. SSO without RBAC means that anyone who can login to your SSO provider has access. Effectively it is authN without authZ. There is no check for groups or anything what-so-ever without RBAC.

The filter, per the docs you linked, just shrinks the selection of groups available, primarily for cookie size limitation purposes.