Merge pull request #70314 from samdamana/auth-revert
Revert "limit forbidden error to details of what was forbidden"
commit
361f8c31bd
@ -227,7 +227,7 @@ func (pl policyList) Authorize(a authorizer.Attributes) (authorizer.Decision, st
|
|||||||
return authorizer.DecisionAllow, "", nil
|
return authorizer.DecisionAllow, "", nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return authorizer.DecisionNoOpinion, "no ABAC policy matched", nil
|
return authorizer.DecisionNoOpinion, "No policy matched.", nil
|
||||||
// TODO: Benchmark how much time policy matching takes with a medium size
|
// TODO: Benchmark how much time policy matching takes with a medium size
|
||||||
// policy file, compared to other steps such as encoding/decoding.
|
// policy file, compared to other steps such as encoding/decoding.
|
||||||
// Then, add Caching only if needed.
|
// Then, add Caching only if needed.
|
||||||
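Review bot: The restored reason `"No policy matched."` in the ABAC `Authorize` return no longer names the authorizer that produced it, and the RBAC hunk in this commit likewise drops `no RBAC policy matched`, leaving `reason` empty when no rule error was collected. The WithAuthorization hunk records this string in the audit annotation and now also passes it to the 403 response, so a denial is presumably harder to attribute to one authorizer when reviewing audit events. If the old wording has to stay for compatibility, a comment such as `// reason is recorded in audit annotations and shown in the 403 body; keep the wording stable` would document that constraint. Authorize's body starts outside the hunk.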
|
@ -121,8 +121,6 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (aut
|
|||||||
reason := ""
|
reason := ""
|
||||||
if len(ruleCheckingVisitor.errors) > 0 {
|
if len(ruleCheckingVisitor.errors) > 0 {
|
||||||
reason = fmt.Sprintf("RBAC: %v", utilerrors.NewAggregate(ruleCheckingVisitor.errors))
|
reason = fmt.Sprintf("RBAC: %v", utilerrors.NewAggregate(ruleCheckingVisitor.errors))
|
||||||
} else {
|
|
||||||
reason = "no RBAC policy matched"
|
|
||||||
}
|
}
|
||||||
return authorizer.DecisionNoOpinion, reason, nil
|
return authorizer.DecisionNoOpinion, reason, nil
|
||||||
}
|
}
|
||||||
|
@ -73,7 +73,7 @@ func WithAuthorization(handler http.Handler, a authorizer.Authorizer, s runtime.
|
|||||||
glog.V(4).Infof("Forbidden: %#v, Reason: %q", req.RequestURI, reason)
|
glog.V(4).Infof("Forbidden: %#v, Reason: %q", req.RequestURI, reason)
|
||||||
audit.LogAnnotation(ae, decisionAnnotationKey, decisionForbid)
|
audit.LogAnnotation(ae, decisionAnnotationKey, decisionForbid)
|
||||||
audit.LogAnnotation(ae, reasonAnnotationKey, reason)
|
audit.LogAnnotation(ae, reasonAnnotationKey, reason)
|
||||||
responsewriters.Forbidden(ctx, attributes, w, req, "", s)
|
responsewriters.Forbidden(ctx, attributes, w, req, reason, s)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
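Review bot: Passing `reason` to `responsewriters.Forbidden` in WithAuthorization returns the authorizer's explanation to the caller who was just denied, and the WithImpersonation hunk does the same for `actingAsAttributes`. The RBAC hunk in this commit builds that string as `fmt.Sprintf("RBAC: %v", utilerrors.NewAggregate(ruleCheckingVisitor.errors))`, so rule-resolution errors appear to reach the 403 body; what those errors contain is not visible here and should be checked for names or details an unauthorized caller should not learn. If exposing the reason is intended, the contract should be stated at the call site, for example `// reason is returned to the client; authorizers must keep internal detail out of it`, with the full detail staying in the audit annotation and the V(4) log. The handler body starts outside the hunk.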
|
@ -110,7 +110,7 @@ func WithImpersonation(handler http.Handler, a authorizer.Authorizer, s runtime.
|
|||||||
decision, reason, err := a.Authorize(actingAsAttributes)
|
decision, reason, err := a.Authorize(actingAsAttributes)
|
||||||
if err != nil || decision != authorizer.DecisionAllow {
|
if err != nil || decision != authorizer.DecisionAllow {
|
||||||
glog.V(4).Infof("Forbidden: %#v, Reason: %s, Error: %v", req.RequestURI, reason, err)
|
glog.V(4).Infof("Forbidden: %#v, Reason: %s, Error: %v", req.RequestURI, reason, err)
|
||||||
responsewriters.Forbidden(ctx, actingAsAttributes, w, req, "", s)
|
responsewriters.Forbidden(ctx, actingAsAttributes, w, req, reason, s)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -175,7 +175,7 @@ func TestStatus(t *testing.T) {
|
|||||||
statusCode: http.StatusForbidden,
|
statusCode: http.StatusForbidden,
|
||||||
reqPath: "/apis",
|
reqPath: "/apis",
|
||||||
reason: "Forbidden",
|
reason: "Forbidden",
|
||||||
message: `forbidden: User "" cannot get path "/apis"`,
|
message: `forbidden: User "" cannot get path "/apis": Everything is forbidden.`,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "401",
|
name: "401",
|
||||||
|