Make openshift authorizer.GetResoruce match upstream #13259
Conversation
deads2k
force-pushed
the
auth-05-interface
branch
from
f1e3e39 to
d0b1b25
Compare
|
[test] |
deads2k
force-pushed
the
auth-05-interface
branch
from
d0b1b25 to
37191a4
Compare
| @@ -22,11 +23,24 @@ type DefaultAuthorizationAttributes struct { | |||
| // ToDefaultAuthorizationAttributes coerces Action to DefaultAuthorizationAttributes. Namespace is not included | |||
| // because the authorizer takes that information on the context | |||
| func ToDefaultAuthorizationAttributes(in authorizationapi.Action) Action { | |||
| // to match the RequestInfoFactory assuming an in.resource of one/two/three, one==resource, two==subresource, three=nothing | |||
| tokens := strings.Split(in.Resource, "/") | |||
There was a problem hiding this comment.
I don't see any code paths where we put more than two segments in the resource field, but if we did, I don't think we should discard extra segments. I'd expect SplitN and let the subresource have the remainder, including any extra slashes.
| return allowedResourceTypes.Has(strings.ToLower(a.GetResource())) | ||
| } | ||
|
|
||
| return allowedResourceTypes.Has(strings.ToLower(a.GetResource() + "/" + a.GetSubresource())) |
There was a problem hiding this comment.
this is going to get called a lot... should find a way to avoid allocating on every call
There was a problem hiding this comment.
this is going to get called a lot... should find a way to avoid allocating on every call
I don't see this as a blocker for merge. The interfaces need to be right for the rebase, the call path optimization only needs to be done by release.
| @@ -60,7 +60,8 @@ func (n NodeAuthorizerAttributesGetter) GetRequestAttributes(u user.Info, r *htt | |||
| APIVersion: "v1", | |||
| APIGroup: "", | |||
| Verb: apiVerb, | |||
| Resource: "nodes/proxy", | |||
| Resource: "nodes", | |||
| Subresource: "proxy", | |||
There was a problem hiding this comment.
the ones below referenced as constants need changing as well
There was a problem hiding this comment.
actually, all the references to the joined resources in synthetic.go need review :-/
There was a problem hiding this comment.
heh, just saw you hit that in #13286
There was a problem hiding this comment.
actually, all the references to the joined resources in synthetic.go need review :-/
I renamed them to find them. Interestingly enough, the authorization comparison still works because resource is opaque and still compares the entire thing.
|
|
||
| func (a authorizationAttributesAdapter) GetSubresource() string { | ||
| // to match the RequestInfoFactory assuming an in.resource of one/two/three, one==resource, two==subresource, three=nothing | ||
| tokens := strings.Split(a.attrs.Resource, "/") |
There was a problem hiding this comment.
same here, I'd expect SplitN
| if !requestInfo.IsResourceRequest { | ||
| return requestInfo, nil | ||
| } | ||
| if strings.ToLower(requestInfo.Verb) != "create" { |
There was a problem hiding this comment.
are we getting verbs of mixed case?
There was a problem hiding this comment.
are we getting verbs of mixed case?
Not sure. If at some point we want to inspect every possible call path to avoid the tolower, we can see about changing it later.
| if strings.ToLower(requestInfo.Verb) != "create" { | ||
| return requestInfo, nil | ||
| } | ||
| if len(requestInfo.APIGroup) != 0 { |
There was a problem hiding this comment.
do the API groupies know the grouped version won't support the special self SubjectAccessReview behavior?
There was a problem hiding this comment.
do the API groupies know the grouped version won't support the special self SubjectAccessReview behavior?
One of us merges first. We'll discover it either way.
| @@ -817,8 +817,9 @@ func newAuthorizationAttributeBuilder(requestContextMapper kapi.RequestContextMa | |||
| sets.NewString(bootstrappolicy.AuthenticatedGroup), | |||
| requestInfoFactory, | |||
| ) | |||
| personalSARRequestInfoResolveer := authorizer.NewPersonalSARRequestInfoResolver(browserSafeRequestInfoResolver) | |||
There was a problem hiding this comment.
typo personalSARRequestInfoResolveer
| @@ -21,7 +21,7 @@ type DefaultAuthorizationAttributes struct { | |||
|
|
|||
| // ToDefaultAuthorizationAttributes coerces Action to DefaultAuthorizationAttributes. Namespace is not included | |||
| // because the authorizer takes that information on the context | |||
| func ToDefaultAuthorizationAttributes(in authorizationapi.Action) DefaultAuthorizationAttributes { | |||
| func ToDefaultAuthorizationAttributes(in authorizationapi.Action) Action { | |||
| return DefaultAuthorizationAttributes{ | |||
There was a problem hiding this comment.
huh... this is a chunky struct to copy around (either as an arg or as a receiver). not new, but worth making a pointer in a follow up.
| messageResolver.addRootScopedForbiddenMessageMaker("update", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot update `+apiGroupIfNotEmpty+`{{.Attributes.GetResource}} at the cluster scope`)) | ||
| messageResolver.addNamespacedForbiddenMessageMaker("delete", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot delete `+apiGroupIfNotEmpty+`{{.Attributes.GetResource}} in project "{{.Namespace}}"`)) | ||
| messageResolver.addRootScopedForbiddenMessageMaker("delete", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot delete `+apiGroupIfNotEmpty+`{{.Attributes.GetResource}} at the cluster scope`)) | ||
| messageResolver.addNamespacedForbiddenMessageMaker("create", authorizationapi.ResourceAll, newTemplateForbiddenMessageMaker(`User "{{.User.GetName}}" cannot create `+apiGroupIfNotEmpty+resourceWithSubresourceIfNotEmpty+` in project "{{.Namespace}}"`)) |
There was a problem hiding this comment.
These should be ... resourceWithSubresourceIfNotEmpty+apiGroupIfNotEmpty ...
There was a problem hiding this comment.
These should be ... resourceWithSubresourceIfNotEmpty+apiGroupIfNotEmpty
If you want to change the message formats (which I'd agree with), that's a separate thing to do.
| @@ -21,27 +21,28 @@ type ForbiddenMessageResolver struct { | |||
|
|
|||
| func NewForbiddenMessageResolver(projectRequestForbiddenTemplate string) *ForbiddenMessageResolver { | |||
| apiGroupIfNotEmpty := "{{if len .Attributes.GetAPIGroup }}{{.Attributes.GetAPIGroup}}.{{end}}" | |||
There was a problem hiding this comment.
The dot is a separator for display. It could be removed entirely and the messages reworked, but it can't move before.
| @@ -93,21 +93,19 @@ func (r *RemoteAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes autho | |||
| } | |||
|
|
|||
| func getAction(namespace string, attributes authorizer.Action) authzapi.Action { | |||
| resource := attributes.GetResource() | |||
There was a problem hiding this comment.
Do we have tests for round tripping authorizer.Action <-> authzapi.Action. Maybe we don't need them if we completely use kube stuff...
There was a problem hiding this comment.
Do we have tests for round tripping authorizer.Action <-> authzapi.Action. Maybe we don't need them if we completely use kube stuff...
We're two pulls (already open from removal). I think this is a gimme.
|
Opened #13316 for potential performance related followup. |
deads2k
force-pushed
the
auth-05-interface
branch
from
37191a4 to
10e2e6c
Compare
| resource := "" | ||
| subresource := "" | ||
| switch { | ||
| case len(tokens) >= 2: |
| @@ -22,11 +23,24 @@ type DefaultAuthorizationAttributes struct { | |||
| // ToDefaultAuthorizationAttributes coerces Action to DefaultAuthorizationAttributes. Namespace is not included | |||
| // because the authorizer takes that information on the context | |||
| func ToDefaultAuthorizationAttributes(in authorizationapi.Action) Action { | |||
| // to match the RequestInfoFactory assuming an in.resource of one/two/three, one==resource, two==subresource, three=nothing | |||
deads2k
force-pushed
the
auth-05-interface
branch
from
10e2e6c to
c3bb1dd
Compare
comments addressed. |
|
re[test] |
deads2k
force-pushed
the
auth-05-interface
branch
from
185060d to
c3bb1dd
Compare
|
re[test] |
1 similar comment
|
re[test] |
|
Evaluated for origin test up to c3bb1dd |
|
[merge] |
|
Evaluated for origin merge up to c3bb1dd |
|
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/82/) (Base Commit: d3a3181) |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/25/) (Base Commit: 18a751b) (Image: devenv-rhel7_6062) |
Builds on #13256 .
This switches us to use our own interface for authorization evaluation and updates our GetResource to match upstreams and adds the GetSubresource to have complete information.
@liggitt fyi
@enj ptal.