Export UserInfo conversion, use authnv1.UserInfo in audit
This commit is contained in:
parent
38752f7f99
commit
0e787a4b78
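--- a/<path not shown on page: package v1 conversion file>
+++ b/<path not shown on page: package v1 conversion file>
@@ -17,10 +17,23 @@ limitations under the License.
 package v1
 
 import (
+v1 "k8s.io/api/authentication/v1"
+conversion "k8s.io/apimachinery/pkg/conversion"
 "k8s.io/apimachinery/pkg/runtime"
+authentication "k8s.io/kubernetes/pkg/apis/authentication"
 )
 
 func addConversionFuncs(scheme *runtime.Scheme) error {
 // Add non-generated conversion functions
 return scheme.AddConversionFuncs()
 }
+
+// Convert_v1_UserInfo_To_authentication_UserInfo is an autogenerated conversion function.
+func Convert_v1_UserInfo_To_authentication_UserInfo(in *v1.UserInfo, out *authentication.UserInfo, s conversion.Scope) error {
+return autoConvert_v1_UserInfo_To_authentication_UserInfo(in, out, s)
+}
+
+// Convert_authentication_UserInfo_To_v1_UserInfo is an autogenerated conversion function.
+func Convert_authentication_UserInfo_To_v1_UserInfo(in *authentication.UserInfo, out *v1.UserInfo, s conversion.Scope) error {
+return autoConvert_authentication_UserInfo_To_v1_UserInfo(in, out, s)
+}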
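Review bot: The doc comments on the two new Convert_* functions say "is an autogenerated conversion function", but they are added to the hand-maintained conversion file next to addConversionFuncs, so the wording misdescribes them and invites a later maintainer to treat them as regenerable and delete them. Suggest `// Convert_v1_UserInfo_To_authentication_UserInfo is a hand-written exported wrapper around the generated autoConvert function so other packages can call the conversion.` and the mirror sentence on Convert_authentication_UserInfo_To_v1_UserInfo. The autoConvert functions they delegate to are defined outside this hunk, so whether the generator now skips emitting the public wrappers is not visible here; if it does, the comment is also the only record of why these exist in this file.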
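--- a/<path not shown on page: package audit types file>
+++ b/<path not shown on page: package audit types file>
@@ -17,6 +17,7 @@ limitations under the License.
 package audit
 
 import (
+authnv1 "k8s.io/api/authentication/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/types"
@@ -92,10 +93,10 @@ type Event struct {
 // For non-resource requests, this is the lower-cased HTTP method.
 Verb string
 // Authenticated user information.
-User UserInfo
+User authnv1.UserInfo
 // Impersonated user information.
 // +optional
-ImpersonatedUser *UserInfo
+ImpersonatedUser *authnv1.UserInfo
 // Source IPs, from where the request originated and intermediate proxies.
 // +optional
 SourceIPs []string
@@ -283,21 +284,3 @@ type ObjectReference struct {
 // +optional
 Subresource string
 }
-
-// UserInfo holds the information about the user needed to implement the
-// user.Info interface.
-type UserInfo struct {
-// The name that uniquely identifies this user among all active users.
-Username string
-// A unique value that identifies this user across time. If this user is
-// deleted and another user by the same name is added, they will have
-// different UIDs.
-UID string
-// The names of groups this user is a part of.
-Groups []string
-// Any additional information provided by the authenticator.
-Extra map[string]ExtraValue
-}
-
-// ExtraValue masks the value so protobuf can generate
-type ExtraValue []string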
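Review bot: The User and ImpersonatedUser fields in the -92/+93 hunk now reference authnv1.UserInfo, a versioned external API type, from the internal audit API package; internal types are normally free of versioned types so they can evolve and be converted independently, and this ties the audit record's user fields to whatever the v1 type carries. The commit title suggests the coupling is deliberate (one shared conversion), but the -283 hunk deletes the only doc for the old UserInfo and nothing replaces it, so the decision is not recorded anywhere in the file. Suggest `// Authenticated user information; uses the authentication/v1 type directly rather than an audit-local copy.` on User, with a matching sentence on ImpersonatedUser.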
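--- a/<path not shown on page: audit attributes/user file>
+++ b/<path not shown on page: audit attributes/user file>
@@ -20,6 +20,7 @@ import (
 "fmt"
 "net/url"
 
+authnv1 "k8s.io/api/authentication/v1"
 "k8s.io/apiserver/pkg/apis/audit"
 authuser "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/apiserver/pkg/authorization/authorizer"
@@ -126,7 +127,7 @@ func (a *attributes) GetPath() string {
 }
 
 // user represents the event user
-type user audit.UserInfo
+type user authnv1.UserInfo
 
 // GetName returns the user name
 func (u user) GetName() string { return u.Username }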
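--- a/<path not shown on page: audit request file>
+++ b/<path not shown on page: audit request file>
@@ -26,6 +26,7 @@ import (
 "github.com/pborman/uuid"
 "k8s.io/klog"
 
+authnv1 "k8s.io/api/authentication/v1"
 "k8s.io/apimachinery/pkg/api/meta"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
@@ -68,9 +69,9 @@ func NewEventFromRequest(req *http.Request, level auditinternal.Level, attribs a
 
 if user := attribs.GetUser(); user != nil {
 ev.User.Username = user.GetName()
-ev.User.Extra = map[string]auditinternal.ExtraValue{}
+ev.User.Extra = map[string]authnv1.ExtraValue{}
 for k, v := range user.GetExtra() {
-ev.User.Extra[k] = auditinternal.ExtraValue(v)
+ev.User.Extra[k] = authnv1.ExtraValue(v)
 }
 ev.User.Groups = user.GetGroups()
 ev.User.UID = user.GetUID()
@@ -95,14 +96,14 @@ func LogImpersonatedUser(ae *auditinternal.Event, user user.Info) {
 if ae == nil || ae.Level.Less(auditinternal.LevelMetadata) {
 return
 }
-ae.ImpersonatedUser = &auditinternal.UserInfo{
+ae.ImpersonatedUser = &authnv1.UserInfo{
 Username: user.GetName(),
 }
 ae.ImpersonatedUser.Groups = user.GetGroups()
 ae.ImpersonatedUser.UID = user.GetUID()
-ae.ImpersonatedUser.Extra = map[string]auditinternal.ExtraValue{}
+ae.ImpersonatedUser.Extra = map[string]authnv1.ExtraValue{}
 for k, v := range user.GetExtra() {
-ae.ImpersonatedUser.Extra[k] = auditinternal.ExtraValue(v)
+ae.ImpersonatedUser.Extra[k] = authnv1.ExtraValue(v)
 }
 }
 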
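Review bot: NewEventFromRequest (the -68/+69 hunk) and LogImpersonatedUser (the -95/+96 hunk) each hand-copy the same four fields from user.Info into authnv1.UserInfo, and both store `user.GetGroups()` and each `authnv1.ExtraValue(v)` by reference, so the audit event aliases slices owned by the authenticator until the event is serialized. Whether any user.Info implementation mutates those slices after authentication is not visible here, but an audit record that can change after the fact is worth ruling out, and a single helper removes the duplication at the same time. Both functions begin outside their hunks; the helper below replaces the two copy sequences, with `ev.User = userInfoFrom(user)` in the first and `u := userInfoFrom(user); ae.ImpersonatedUser = &u` in the second.
```go
// userInfoFrom copies the identity reported by u into the audit representation.
// Groups and Extra are cloned so the event does not alias the authenticator's slices.
func userInfoFrom(u user.Info) authnv1.UserInfo {
	out := authnv1.UserInfo{
		Username: u.GetName(),
		UID:      u.GetUID(),
		Groups:   append([]string(nil), u.GetGroups()...),
		Extra:    map[string]authnv1.ExtraValue{},
	}
	for k, v := range u.GetExtra() {
		out.Extra[k] = authnv1.ExtraValue(append([]string(nil), v...))
	}
	return out
}
// … unchanged: NewEventFromRequest and LogImpersonatedUser bodies apart from the two call sites …
```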
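--- a/<path not shown on page: audit enforced test file>
+++ b/<path not shown on page: audit enforced test file>
@@ -21,6 +21,7 @@ import (
 
 "github.com/stretchr/testify/require"
 
+authnv1 "k8s.io/api/authentication/v1"
 "k8s.io/apimachinery/pkg/runtime"
 auditinternal "k8s.io/apiserver/pkg/apis/audit"
 "k8s.io/apiserver/pkg/audit/policy"
@@ -67,7 +68,7 @@ func TestEnforced(t *testing.T) {
 Level: auditinternal.LevelRequestResponse,
 Stage: auditinternal.StageResponseComplete,
 RequestURI: "/apis/extensions/v1beta1",
-User: auditinternal.UserInfo{
+User: authnv1.UserInfo{
 Username: user.Anonymous,
 },
 RequestObject: &runtime.Unknown{Raw: []byte(`test`)},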
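--- a/<path not shown on page: audit log events test file>
+++ b/<path not shown on page: audit log events test file>
@@ -25,6 +25,7 @@ import (
 
 "github.com/pborman/uuid"
 
+authnv1 "k8s.io/api/authentication/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
 "k8s.io/apimachinery/pkg/runtime/schema"
@@ -64,7 +65,7 @@ func TestLogEventsLegacy(t *testing.T) {
 AuditID: types.UID(uuid.NewRandom().String()),
 Stage: auditinternal.StageRequestReceived,
 Verb: "get",
-User: auditinternal.UserInfo{
+User: authnv1.UserInfo{
 Username: "admin",
 Groups: []string{
 "system:masters",
@@ -122,7 +123,7 @@ func TestLogEventsJson(t *testing.T) {
 AuditID: types.UID(uuid.NewRandom().String()),
 Stage: auditinternal.StageRequestReceived,
 Verb: "get",
-User: auditinternal.UserInfo{
+User: authnv1.UserInfo{
 Username: "admin",
 Groups: []string{
 "system:masters",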