
Get Cluster returns PermissionDenied for non-existing clusters #10830

Closed
3 tasks done
clementblaise opened this issue Oct 6, 2022 · 3 comments
Labels: bug (Something isn't working), component:api (API bugs and enhancements)

Comments

@clementblaise

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug
Argocd API Get Cluster returns PermissionDenied for non-existing clusters

To Reproduce

argocd cluster get non-existant
FATA[0000] rpc error: code = PermissionDenied desc = permission denied

Expected behavior

API should return not found

Screenshots

Version

argocd: v2.4.14+029be59.dirty
  BuildDate: 2022-10-05T19:03:58Z
  GitCommit: 029be590bfd5003d65ddabb4d4cb8a31bff29c18
  GitTreeState: dirty
  GoVersion: go1.19.2
  Compiler: gc
  Platform: darwin/arm64

Server version is v2.4.13

Logs

Existing cluster

time="2022-10-06T15:32:44Z" level=info msg="received unary call /version.VersionService/Version" grpc.method=Version grpc.request.claims="{\"iat\":1664380119,\"iss\":\"argocd\",\"jti\":\"32676cf1-bda2-4b05-90f9-9622a8aab76f\",\"nbf\":1664380119,\"sub\":\"crossplane\"}" grpc.request.content= grpc.service=version.VersionService grpc.start_time="2022-10-06T15:32:44Z" span.kind=server system=grpc
time="2022-10-06T15:32:44Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Version grpc.service=version.VersionService grpc.start_time="2022-10-06T15:32:44Z" grpc.time_ms=8.773 span.kind=server system=grpc
time="2022-10-06T15:32:44Z" level=info msg="received unary call /cluster.ClusterService/Get" grpc.method=Get grpc.request.claims="{\"iat\":1664380119,\"iss\":\"argocd\",\"jti\":\"32676cf1-bda2-4b05-90f9-9622a8aab76f\",\"nbf\":1664380119,\"sub\":\"crossplane\"}" grpc.request.content="name:\"in-cluster\" " grpc.service=cluster.ClusterService grpc.start_time="2022-10-06T15:32:44Z" span.kind=server system=grpc
time="2022-10-06T15:32:44Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Get grpc.service=cluster.ClusterService grpc.start_time="2022-10-06T15:32:44Z" grpc.time_ms=8.848 span.kind=server system=grpc

Non existing cluster

time="2022-10-06T15:34:20Z" level=info msg="received unary call /version.VersionService/Version" grpc.method=Version grpc.request.claims="{\"iat\":1664380119,\"iss\":\"argocd\",\"jti\":\"32676cf1-bda2-4b05-90f9-9622a8aab76f\",\"nbf\":1664380119,\"sub\":\"crossplane\"}" grpc.request.content= grpc.service=version.VersionService grpc.start_time="2022-10-06T15:34:20Z" span.kind=server system=grpc
time="2022-10-06T15:34:20Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=Version grpc.service=version.VersionService grpc.start_time="2022-10-06T15:34:20Z" grpc.time_ms=10.9 span.kind=server system=grpc
time="2022-10-06T15:34:21Z" level=info msg="received unary call /cluster.ClusterService/Get" grpc.method=Get grpc.request.claims="{\"iat\":1664380119,\"iss\":\"argocd\",\"jti\":\"32676cf1-bda2-4b05-90f9-9622a8aab76f\",\"nbf\":1664380119,\"sub\":\"crossplane\"}" grpc.request.content="name:\"non-existing\" " grpc.service=cluster.ClusterService grpc.start_time="2022-10-06T15:34:21Z" span.kind=server system=grpc
time="2022-10-06T15:34:21Z" level=warning msg="finished unary call with code PermissionDenied" error="rpc error: code = PermissionDenied desc = permission denied" grpc.code=PermissionDenied grpc.method=Get grpc.service=cluster.ClusterService grpc.start_time="2022-10-06T15:34:21Z" grpc.time_ms=10.283 span.kind=server system=grpc

@jgwest jgwest added the component:api API bugs and enhancements label Oct 7, 2022
@cleverhu cleverhu mentioned this issue Oct 8, 2022
cleverhu pushed a commit to cleverhu/argo-cd that referenced this issue Oct 8, 2022
Fixes: argoproj#10830
Signed-off-by: cleverhu <[email protected]>
@cleverhu
Contributor

cleverhu commented Oct 8, 2022

It is a bug, so I pulled a request for this.

@crenshaw-dev
Member

@clementblaise I believe this behavior is intentional, to avoid letting unauthorized users enumerate the clusters by trial and error. By returning a 403 both for "that doesn't exist" and "you're not allowed to see that," we prevent the user from determining which clusters exist.

Generally the preferred way of doing this is to return a 404 (like you get a 404 in GitHub when attempting to view a repo which you're not allowed to access).

Unfortunately, we can't go the 404 route while still allowing users to update clusters by name instead of URL. If the user gets an unauthorized error when updating a cluster by name, they can infer that the cluster by that name exists, because the RBAC check can only be performed if the server was able to retrieve the cluster's URL (i.e. the cluster exists).

I'd like to return a nicer error message while 1) preventing cluster enumeration and 2) allowing users to get clusters by name. But for the moment, I can't think of a way.
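The pattern crenshaw-dev describes, as an added illustration that is not Argo CD's own code: a name-keyed Get that resolves the name to a URL, enforces RBAC on the URL, and returns the same PermissionDenied error whether the cluster is missing or merely inaccessible, so a caller cannot use error codes to enumerate cluster names. The store, the `allowed` policy map and the `crossplane` subject are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrPermissionDenied mirrors the gRPC error text seen in the issue logs.
var ErrPermissionDenied = errors.New("rpc error: code = PermissionDenied desc = permission denied")

// Cluster is a minimal stand-in for a cluster record: RBAC rules key on Server (the URL),
// which is why the server must resolve the name before it can check permissions.
type Cluster struct {
	Name   string
	Server string
}

// store is constructed sample data mapping cluster name to cluster.
var store = map[string]Cluster{
	"in-cluster": {Name: "in-cluster", Server: "https://kubernetes.default.svc"},
	"prod":       {Name: "prod", Server: "https://prod.example.invalid"},
}

// allowed is a hypothetical RBAC policy: subject -> cluster URLs it may read.
var allowed = map[string]map[string]bool{
	"crossplane": {"https://kubernetes.default.svc": true},
}

// GetCluster returns an identical error for "does not exist" and "not authorized",
// so the response does not confirm or deny that a given name exists.
func GetCluster(subject, name string) (Cluster, error) {
	c, ok := store[name]
	if !ok {
		// Returning NotFound here would let an unauthorized caller learn which names exist.
		return Cluster{}, ErrPermissionDenied
	}
	if !allowed[subject][c.Server] {
		return Cluster{}, ErrPermissionDenied
	}
	return c, nil
}

func main() {
	for _, n := range []string{"in-cluster", "prod", "non-existing"} {
		c, err := GetCluster("crossplane", n)
		fmt.Printf("%-13s -> server=%q err=%v\n", n, c.Server, err)
	}
}
```

Running it shows that "prod" (exists, not allowed) and "non-existing" produce byte-for-byte identical errors, which is the property the maintainers are preserving.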
