UI: Env variable to hide yaml submission #11391

Open
tooptoop4 opened this issue Jul 18, 2023 · 6 comments
Labels
area/ui type/feature Feature request type/security Security related

Comments

@tooptoop4
Contributor

Would be great to hide this button
https://github.com/argoproj/argo-workflows/blob/v3.4.8/ui/src/app/workflows/components/workflow-creator.tsx#L79-L84

Then can allow SSO users to just submit workflows from existing templates but not submit arbitrary new code!

@tooptoop4 tooptoop4 added the type/feature Feature request label Jul 18, 2023
@agilgur5

agilgur5 commented Jul 22, 2023

You can use the Workflow Restrictions feature to only allow users to submit via existing templates.

Removing the UI button would not necessarily suffice, as the API can still be accessed (e.g. someone could make a request from within their browser console). API permissions are based off k8s RBAC, which is not specific enough to only allow certain kinds of Workflows (other than a resourceNames allowlist).

If not using Workflow Restrictions, another way to work around that would be to use policies / admission controllers to create more granular logic.
See also #6490 for more granular RBAC via Casbin, similar to Argo CD
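
As an added illustration of the "policies / admission controllers" option mentioned in the comment above (not part of the thread and not Argo Workflows code): a server-side check, of the kind a validating admission webhook could run on `request.object`, that admits a Workflow or CronWorkflow only when it references an allowlisted WorkflowTemplate and defines no inline templates. `CheckTemplateOnly`, the allowlist and the sample objects are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample objects, as a validating webhook would receive them.
const (
	sampleInline = `{"kind":"Workflow","spec":{"entrypoint":"x","templates":[{"name":"x","container":{"image":"busybox"}}]}}`
	sampleRef    = `{"kind":"Workflow","spec":{"workflowTemplateRef":{"name":"approved-build"}}}`
	sampleCron   = `{"kind":"CronWorkflow","spec":{"schedule":"0 * * * *","workflowSpec":{"templates":[{"name":"x"}]}}}`
)
type wfSpec struct { // only the fields this check reads
	Templates    []json.RawMessage              `json:"templates"`
	Ref          struct{ Name string `json:"name"` } `json:"workflowTemplateRef"`
	WorkflowSpec *wfSpec                        `json:"workflowSpec"` // CronWorkflow only
}

// CheckTemplateOnly (hypothetical helper) returns nil only for an allowlisted template reference; it fails closed.
func CheckTemplateOnly(raw []byte, allowed map[string]bool) error {
	var obj struct {
		Kind string `json:"kind"`
		Spec wfSpec `json:"spec"`
	}
	if err := json.Unmarshal(raw, &obj); err != nil {
		return fmt.Errorf("unparseable object: %w", err)
	}
	spec := &obj.Spec
	switch {
	case obj.Kind == "Workflow":
	case obj.Kind == "CronWorkflow" && spec.WorkflowSpec != nil:
		spec = spec.WorkflowSpec // the Workflow spec is nested under spec.workflowSpec
	default:
		return fmt.Errorf("kind %q not covered or spec missing", obj.Kind)
	}
	if n := len(spec.Templates); n > 0 {
		return fmt.Errorf("%d inline template(s) not allowed", n)
	}
	if !allowed[spec.Ref.Name] {
		return fmt.Errorf("workflowTemplateRef %q is not on the allowlist", spec.Ref.Name)
	}
	return nil
}

func main() { // run the check over the constructed samples
	for _, s := range []string{sampleInline, sampleRef, sampleCron} {
		fmt.Println(CheckTemplateOnly([]byte(s), map[string]bool{"approved-build": true}))
	}
}
```

The check reads only `templates` and `workflowTemplateRef`; other spec fields are not evaluated.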

@tooptoop4
Contributor Author

Would Workflow Restrictions prevent an ad hoc run of a CronWorkflow that doesn't use a template?

@agilgur5

agilgur5 commented Jul 23, 2023

I believe it should apply to CronWorkflows as well, yes.

I've never tried submitting a CronWorkflow with no template though, so I'm not 100% confident of that. Good question!

But if Workflow Restrictions didn't apply to CronWorkflows, I would consider that to be a bug. Can tag me if you find such a bug and I'd look into fixing it 🙂

@agilgur5

Ah right, I forgot, a CronWorkflow just creates Workflows (see also the code here), so yes, it will go through the same validation as a Workflow.

@agilgur5 agilgur5 added the type/security Security related label Oct 23, 2024
@agilgur5

This comment was marked as resolved.

@agilgur5 agilgur5 added the solution/duplicate This issue or PR is a duplicate of an existing one label Oct 23, 2024
@agilgur5 agilgur5 changed the title Env variable to hide yaml submission from UI UI: Env variable to hide yaml submission Oct 23, 2024
@agilgur5

This comment was marked as resolved.

@agilgur5 agilgur5 reopened this Oct 23, 2024
@agilgur5 agilgur5 removed the solution/duplicate This issue or PR is a duplicate of an existing one label Oct 23, 2024
2 participants