Token Auth Permissions 0.9.0

[wmiller112]

Checklist

• I've searched the issue queue to verify this is not a duplicate bug report.
• I've included steps to reproduce the bug.
• I've pasted the output of kargo version.
• I've pasted logs, if applicable.

Description

After update to 0.9.0, auth with bearer token results in permission denied from api server for all kargo projects, warehouses, stages, etc. Same authentication in 0.8.8 works without issue. I am using oidc with dex for standard user auth, for which I've made the necessary claim changes and all of that works fine. It doesn't seem like any of those changes should have an impact on token auth.

Steps to Reproduce

• Authenticate to kargo 0.8.8 with token - in my case this is via a Go app, but I imagine it would be the same via CLI with --kubeconfig authentication (Though I am unable to verify, as trying with CLI led me to this issue)
• Get project
  • Again in my test case using GetProjectRequest, but imagine same for kargo get projects
  • Successfully lists projects
• Update to kargo 0.9.0
• Get project results in:
  projects.kargo.akuity.io "<project>" is forbidden: get is not permitted

Version

Client Version: v0.9.0
Server Version: v0.9.0

Logs

time="2024-10-10T19:04:40Z" level=error msg="finished unary call" connect.code=permission_denied connect.duration="811.993µs" connect.method=GetProject connect.service=akuity.io.kargo.service.v1alpha1.KargoService connect.start_time="2024-10-10T19:04:40Z" error="permission_denied: projects.kargo.akuity.io \"<project>\" is forbidden: get is not permitted"