github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-24 20:24:09 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #70314 from samdamana/auth-revert

Browse Source 
Revert "limit forbidden error to details of what was forbidden"
This commit is contained in:
k8s-ci-robot 2018-10-29 17:11:27 -07:00 committed by GitHub
commit 361f8c31bd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 4 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/auth/authorizer/abac/abac.go
View File

@ -227,7 +227,7 @@ func (pl policyList) Authorize(a authorizer.Attributes) (authorizer.Decision, st
return authorizer.DecisionAllow, "", nil return authorizer.DecisionAllow, "", nil
} }
} }
return authorizer.DecisionNoOpinion, "no ABAC policy matched", nil return authorizer.DecisionNoOpinion, "No policy matched.", nil
// TODO: Benchmark how much time policy matching takes with a medium size // TODO: Benchmark how much time policy matching takes with a medium size
// policy file, compared to other steps such as encoding/decoding. // policy file, compared to other steps such as encoding/decoding.
// Then, add Caching only if needed. // Then, add Caching only if needed.

2
plugin/pkg/auth/authorizer/rbac/rbac.go
View File

@ -121,8 +121,6 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (aut
reason := "" reason := ""
if len(ruleCheckingVisitor.errors) > 0 { if len(ruleCheckingVisitor.errors) > 0 {
reason = fmt.Sprintf("RBAC: %v", utilerrors.NewAggregate(ruleCheckingVisitor.errors)) reason = fmt.Sprintf("RBAC: %v", utilerrors.NewAggregate(ruleCheckingVisitor.errors))
} else {
reason = "no RBAC policy matched"
} }
return authorizer.DecisionNoOpinion, reason, nil return authorizer.DecisionNoOpinion, reason, nil
} }

2
staging/src/k8s.io/apiserver/pkg/endpoints/filters/authorization.go
View File

@ -73,7 +73,7 @@ func WithAuthorization(handler http.Handler, a authorizer.Authorizer, s runtime.
glog.V(4).Infof("Forbidden: %#v, Reason: %q", req.RequestURI, reason) glog.V(4).Infof("Forbidden: %#v, Reason: %q", req.RequestURI, reason)
audit.LogAnnotation(ae, decisionAnnotationKey, decisionForbid) audit.LogAnnotation(ae, decisionAnnotationKey, decisionForbid)
audit.LogAnnotation(ae, reasonAnnotationKey, reason) audit.LogAnnotation(ae, reasonAnnotationKey, reason)
responsewriters.Forbidden(ctx, attributes, w, req, "", s) responsewriters.Forbidden(ctx, attributes, w, req, reason, s)
}) })
} }

2
staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation.go
View File

@ -110,7 +110,7 @@ func WithImpersonation(handler http.Handler, a authorizer.Authorizer, s runtime.
decision, reason, err := a.Authorize(actingAsAttributes) decision, reason, err := a.Authorize(actingAsAttributes)
if err != nil || decision != authorizer.DecisionAllow { if err != nil || decision != authorizer.DecisionAllow {
glog.V(4).Infof("Forbidden: %#v, Reason: %s, Error: %v", req.RequestURI, reason, err) glog.V(4).Infof("Forbidden: %#v, Reason: %s, Error: %v", req.RequestURI, reason, err)
responsewriters.Forbidden(ctx, actingAsAttributes, w, req, "", s) responsewriters.Forbidden(ctx, actingAsAttributes, w, req, reason, s)
return return
} }
} }

2
test/integration/master/synthetic_master_test.go
View File

@ -175,7 +175,7 @@ func TestStatus(t *testing.T) {
statusCode: http.StatusForbidden, statusCode: http.StatusForbidden,
reqPath: "/apis", reqPath: "/apis",
reason: "Forbidden", reason: "Forbidden",
message: `forbidden: User "" cannot get path "/apis"`, message: `forbidden: User "" cannot get path "/apis": Everything is forbidden.`,
}, },
{ {
name: "401", name: "401",