RBAC Migration Followup #4: Use upstream subject locator directly

[abstractj]

This PR attempts to fix the follow up #4 from RBAC migration.

Remaining task:

• Merge my changes with @tiran's code to convert []rbac.Subject -> users, groups
  []string

[openshift-merge-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: abstractj
We suggest the following additional approver: liggitt

Assign the PR to them by writing /assign @liggitt in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• pkg/authorization/OWNERS
• pkg/cmd/OWNERS
• pkg/project/OWNERS

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[abstractj]

/unassign @liggitt

/assign @enj

[abstractj]

/retest

[liggitt]

need to handle ServiceAccount and map to a username

[abstractj]

@liggitt I was wondering if we should take the code from here https://github.com/openshift/origin/pull/16034/files#diff-5654e020d459e05c8fcca57d5675ece4R59 and move to an utility function. In this way would be possible to reuse here and also at reviewer.go
Does it make sense? If yes, which place would be the best for it?

[liggitt]

sure, a utility function to go from subjects to users/groups is fine

[liggitt]

same here

[liggitt]

group with kube imports

[enj]

This should no longer take or return the kubeSubjectLocator

[enj]

@abstractj sync with @tiran to use this as the foundation for two public functions:

1. []rbac.Subject -> users, groups []string
2. users, groups []string -> []rbac.Subject

Put those in a new file at pkg/authorization/registry/util/subject.go for now.

[liggitt]

[]rbac.Subject, defaultServiceAccountNamespace -> users, groups []string

do we need the reverse?

[enj]

https://github.com/openshift/origin/pull/16033/files#diff-9cbb0b75c1c78e77c6ee106a6ac6fdd8R121

[abstractj]

/retest

[dobbymoodge]

/retest

[abstractj]

/retest

[abstractj]

/retest

[enj]

@abstractj you broke it 😄

coverage: 61.6% of statements
ok  	github.com/openshift/origin/vendor/k8s.io/kubernetes/vendor/k8s.io/kube-gen/cmd/openapi-gen/generators	1.549s	coverage: 61.6% of statements
[WARNING] `go test` had the following output to stderr:
# github.com/openshift/origin/pkg/authorization/registry/localresourceaccessreview
pkg/authorization/registry/localresourceaccessreview/rest_test.go:75: cannot use authorizer (type *testAuthorizer) as type "github.com/openshift/origin/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac".SubjectLocator in argument to resourceaccessreview.NewREST:
	*testAuthorizer does not implement "github.com/openshift/origin/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac".SubjectLocator (missing AllowedSubjects method)
pkg/authorization/registry/localresourceaccessreview/rest_test.go:123: cannot use r.authorizer (type *testAuthorizer) as type "github.com/openshift/origin/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac".SubjectLocator in argument to resourceaccessreview.NewREST:
	*testAuthorizer does not implement "github.com/openshift/origin/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac".SubjectLocator (missing AllowedSubjects method)
# github.com/openshift/origin/pkg/authorization/registry/resourceaccessreview
pkg/authorization/registry/resourceaccessreview/rest_test.go:108: cannot use r.authorizer (type *testAuthorizer) as type "github.com/openshift/origin/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac".SubjectLocator in field value:
	*testAuthorizer does not implement "github.com/openshift/origin/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac".SubjectLocator (missing AllowedSubjects method)
[INFO] No compiled `junitreport` binary was found. Attempting to build one using:
[INFO]   $ hack/build-go.sh tools/junitreport
++ Building go targets for linux/amd64: tools/junitreport
[INFO] hack/build-go.sh exited with code 0 after 00h 00m 17s
[INFO] jUnit XML report placed at _output/scripts/test-go/artifacts/gotest_report_4HKfT.xml
Of 6084 tests executed in 2616.257s, 6065 succeeded, 0 failed, and 19 were skipped.
In suite "github.com/openshift/origin/vendor/k8s.io/kubernetes/pkg/cloudprovider/providers/cloudstack", test case "TestNewCSCloud" was skipped:
=== RUN   TestNewCSCloud
--- SKIP: TestNewCSCloud (0.00s)
	cloudstack_test.go:90: No config found in environment
In suite "github.com/openshift/origin/vendor/k8s.io/kubernetes/pkg/cloudprovider/providers/cloudstack", test case "TestLoadBalancer" was skipped:
=== RUN   TestLoadBalancer
--- SKIP: TestLoadBalancer (0.00s)

[abstractj]

@enj I just did a rebase, but I've been banging my head against the wall with rest_test.go. I would appreciate if have some minutes of your life to give me a help.

Now that I changed the test I get the following output running rest_test.go:

	rest_test.go:186: diff (
		
		A: authorizer.AttributesRecord){User:(user.Info)<nil> Verb:(string)get Namespace:(string)unittest APIGroup:(string) APIVersion:(string) Resource:(string)pods Subresource:(string) Name:(string) ResourceRequest:(bool)true Path:(string)}
		
		B: interface {})<nil>
		
	rest_test.go:175: diff (*authorization.ResourceAccessReviewResponse){TypeMeta:(v1.TypeMeta){Kind:(string) APIVersion:(string)} Namespace:(string)unittest Users:(sets.String)map[
		
		A: one:{} two:{}] Groups:(sets.String)map[three:{} four:{}] EvaluationError:(string)}
		
		B: ] Groups:(sets.String)map[] EvaluationError:(string)}
		
	rest_test.go:186: diff (
		
		A: authorizer.AttributesRecord){User:(user.Info)<nil> Verb:(string)delete Namespace:(string)unittest APIGroup:(string) APIVersion:(string) Resource:(string)deploymentConfig Subresource:(string) Name:(string) ResourceRequest:(bool)true Path:(string)}
		
		B: interface {})<nil>
		

Process finished with exit code 1

Which I believe, the cause is exclusively my ignorance about it.

[abstractj]

/retest

[abstractj]

/retest

All the changes requested were already included, I believe.

[abstractj]

@simo5 could you please give it a try and let me know what do you think? Now rest_test.go is passing, just not sure what's wrong in ci/openshift-jenkins/unit job

[simo5]

This is the error:

pkg/authorization/registry/resourceaccessreview/rest_test.go:108: cannot use r.authorizer (type *testAuthorizer) as type "github.com/openshift/origin/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac".SubjectLocator in field value:
	*testAuthorizer does not implement "github.com/openshift/origin/vendor/k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac".SubjectLocator (missing AllowedSubjects method)```

[abstractj]

/retest

[abstractj]

/retest

[abstractj]

/retest

[abstractj]

/retest

[0xmichalis]

/retest

[abstractj]

/retest

[abstractj]

/retest

[enj]

/hold

This is not a bug, docs or tests so cannot be merged until 3.8.

I still need to review it though.

[enj]

This is fine if the goal is to keep the diff small. But in reality the test authorizer should just return RBAC subject directly.

[abstractj]

@enj I rebased/updated this PR with the changes you request. But this is the only part of your review which I'm not following.

The goal of this change was to keep the diff small as possible, plus I couldn't find any examples of usage to include RBAC subject directly. But I will be more than happy to look at this if you have any pointers of snippets.

[enj]

Move import to openshfit block.

[enj]

Same comment as earlier.

This is fine if the goal is to keep the diff small. But in reality the test authorizer should just return RBAC subject directly.

[enj]

list of errors

[enj]

append to list of errors

[enj]

NewAggregate on the errors

[enj]

This should not be fatal, it should add to review.evaluationError

[enj]

Something like this:

func (r *authorizerReviewer) Review(namespaceName string) (Review, error) {
	attributes := kauthorizer.AttributesRecord{
		Verb:            "get",
		Namespace:       namespaceName,
		Resource:        "namespaces",
		Name:            namespaceName,
		ResourceRequest: true,
	}

	// err is non fatal and partial success is possible
	subjects, err := r.policyChecker.AllowedSubjects(attributes)
	// expandSubjectError is non fatal and partial success is possible
	users, groups, expandSubjectError := authorizationutil.ExpandSubjects(namespaceName, subjects)

	review := &defaultReview{
		users:  users.List(),
		groups: groups.List(),
	}

	if err != nil {
		review.evaluationError = err.Error()
	}
	if expandSubjectError != nil {
		review.evaluationError += " " + expandSubjectError.Error()
	}

	return review, nil
}

[enj]

Something like:

func (r *REST) Create(ctx apirequest.Context, obj runtime.Object, _ bool) (runtime.Object, error) {
	resourceAccessReview, ok := obj.(*authorizationapi.ResourceAccessReview)
	if !ok {
		return nil, kapierrors.NewBadRequest(fmt.Sprintf("not a resourceAccessReview: %#v", obj))
	}
	if errs := authorizationvalidation.ValidateResourceAccessReview(resourceAccessReview); len(errs) > 0 {
		return nil, kapierrors.NewInvalid(authorizationapi.Kind(resourceAccessReview.Kind), "", errs)
	}

	user, ok := apirequest.UserFrom(ctx)
	if !ok {
		return nil, kapierrors.NewInternalError(errors.New("missing user on request"))
	}

	// if a namespace is present on the request, then the namespace on the on the RAR is overwritten.
	// This is to support backwards compatibility.  To have gotten here in this state, it means that
	// the authorizer decided that a user could run an RAR against this namespace
	if namespace := apirequest.NamespaceValue(ctx); len(namespace) > 0 {
		resourceAccessReview.Action.Namespace = namespace

	} else if err := r.isAllowed(user, resourceAccessReview); err != nil {
		// this check is mutually exclusive to the condition above.  localSAR and localRAR both clear the namespace before delegating their calls
		// We only need to check if the RAR is allowed **again** if the authorizer didn't already approve the request for a legacy call.
		return nil, err
	}

	attributes := util.ToDefaultAuthorizationAttributes(nil, resourceAccessReview.Action.Namespace, resourceAccessReview.Action)

	// err is non fatal and partial success is possible
	subjects, err := r.subjectLocator.AllowedSubjects(attributes)
	// expandSubjectError is non fatal and partial success is possible
	users, groups, expandSubjectError := authorizationutil.ExpandSubjects(resourceAccessReview.Action.Namespace, subjects)

	response := &authorizationapi.ResourceAccessReviewResponse{
		Namespace: resourceAccessReview.Action.Namespace,
		Users:     users,
		Groups:    groups,
	}

	if err != nil {
		response.EvaluationError = err.Error()
	}
	if err != nil {
		response.EvaluationError += " " + expandSubjectError.Error()
	}

	return response, nil
}

[abstractj]

Fixing the build....hold on

[abstractj]

/retest

[abstractj]

/hold cancel

[enj]

/hold

Needs to wait until Monday at the earliest.

[openshift-ci-robot]

@abstractj: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/openshift-jenkins/origin/verify	9fbc0c3	link	/test origin-verify
ci/openshift-jenkins/experimental/integration	e5955e7	link	/test origin-it
ci/openshift-jenkins/extended_conformance_install_update	566de13	link	/test extended_conformance_install_update
ci/openshift-jenkins/extended_conformance_gce	566de13	link	/test extended_conformance_gce

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[openshift-merge-robot]

@abstractj PR needs rebase

[enj]

Superseded by #18152