switch to kube authorization attributes

[deads2k]

Builds on #13259.

This pull removes our existing attributes and uses the upstream kube attributes. At this point our interfaces should overlap. I'm planning one more to remove our authorizer interface altogether.

@liggitt @enj

[deads2k]

[test]

[ncdc]

Move this down before line 32?

[ncdc]

Move up into the map declaration?

[liggitt]

doesn't really matter, but NonResourceURL: true is the opposite of ResourceRequest: true

[deads2k]

doesn't really matter, but NonResourceURL: true is the opposite of ResourceRequest: true

Didn't matter in the test. I thought it better to test something other than zero values.

[liggitt]

why was the default user needed?

[liggitt]

oh, to exercise all the cache keys

[enj]

Still reviewing...

[enj]

Out of date comment.

[enj]

This and every other AttributesRecord that is manually built is incorrect. ResourceRequest needs to be explicitly set to true.

I0309 01:03:37.003518   13555 messages.go:126] User "developer" cannot "create" on "" <nil> authorizer.AttributesRecord{User:(*user.DefaultInfo)(0xc4277905c0), Verb:"create", Namespace:"", APIGroup:"authorization.k8s.io", APIVersion:"", Resource:"selfsubjectaccessreviews", Subresource:"", Name:"", ResourceRequest:false, Path:""}

[liggitt]

Well. That's a painful default.

[deads2k]

Well. That's a painful default.

Yeah, guess I missed a couple.

[deads2k]

Also, glad our tests exercise many of these. Go us :)

[enj]

Drop MessageContext and use authorizer.Attributes directly?

[deads2k]

Drop MessageContext and use authorizer.Attributes directly?

If you want to do it as a followup, sure. Not needed to collapse interfaces ahead of the rebase.

[enj]

a -> attributes

[deads2k]

Oh, the cool one was the subtle namespace problem. We hacked the namespace into the context in a filter for projects. When I eliminated using context, we lost that value for project authorization which made everything go haywire.

[deads2k]

comments addressed.

[ncdc]

These look like they might be caused by this PR?

09:22:16 === BEGIN TEST CASE ===
09:22:16 test/cmd/images_tests.sh:204: executing 'oc tag cmd-images-old-policy/mysql:5.5 newrepo:latest' expecting success
09:22:16 
FAILURE after 0.722s: test/cmd/images_tests.sh:204: executing 'oc tag cmd-images-old-policy/mysql:5.5 newrepo:latest' expecting success: the command returned the wrong error code
09:22:16 There was no output from the command.
09:22:16 Standard error from the command:
09:22:16 The ImageStream "newrepo" is invalid: []: Internal error: imagestreams "newrepo" is invalid: spec.tags[latest].from: Forbidden: cmd-images-old-policy/mysql
09:22:16 === END TEST CASE ===
09:22:16 In suite "github.com/openshift/origin/test/cmd/policy", test case "test/cmd/policy.sh:113: executing 'oc policy scc-subject-review -f ${OS_ROOT}/test/testdata/job.yaml -o=jsonpath={.status.AllowedBy.name}' expecting success and text 'restricted'" failed:
09:22:16 === BEGIN TEST CASE ===
09:22:16 test/cmd/policy.sh:113: executing 'oc policy scc-subject-review -f ${OS_ROOT}/test/testdata/job.yaml -o=jsonpath={.status.AllowedBy.name}' expecting success and text 'restricted'
09:22:16 FAILURE after 0.194s: test/cmd/policy.sh:113: executing 'oc policy scc-subject-review -f ${OS_ROOT}/test/testdata/job.yaml -o=jsonpath={.status.AllowedBy.name}' expecting success and text 'restricted': the command returned the wrong error code; the output content test failed
09:22:16 There was no output from the command.
09:22:16 Standard error from the command:
09:22:16 error: unable to compute Pod Security Policy Subject Review for "hello": User "bob" cannot create podsecuritypolicyselfsubjectreviews in project "bob"
09:22:16 === END TEST CASE ===

[deads2k]

These look like they might be caused by this PR?

Yeah, I'll make it through.

[enj]

final := chainFunc(
    browserSafeRequestInfoResolver,  // base info
    authorizer.NewPersonalSARRequestInfoResolver,  // wrapper funcs
    authorizer.NewProjectRequestInfoResolver,
)

[deads2k]

final := chainFunc(
browserSafeRequestInfoResolver, // base info
authorizer.NewPersonalSARRequestInfoResolver, // wrapper funcs
authorizer.NewProjectRequestInfoResolver,
)

No real disagreement, but I suspect this gets reswizzled in the rebase. You want the related updates now?

[enj]

After rebase sounds good to me.

[enj]

LGTM if tests pass.

[deads2k]

re[test]

[deads2k]

re[test]

[deads2k]

[merge]

[openshift-bot]

Evaluated for origin merge up to 52e4858

[openshift-bot]

Evaluated for origin test up to 52e4858

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/86/) (Base Commit: d3a3181)

[openshift-bot]

continuous-integration/openshift-jenkins/merge ABORTED (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/26/) (Base Commit: 5602529)