github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-14 06:15:45 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #37537 from xilabao/extend-err-info-when-authorize-failed

Browse Source 
Automatic merge from submit-queue

extend err info when authorize failed

if rolebinding related to a non-existent role,  kubectl get po will return a error.

old result:
```shell
$ kubectl --token=/test get po
Error from server (InternalError): an error on the server ("Internal Server Error: \"/api/v1/namespaces/default/pods\"") has prevented the request from succeeding (get pods)
```
new result (output the reason):
```shell
$ kubectl --token=hi/test get po
Error from server (Forbidden): User "hi" cannot list pods in the namespace "default".: "role.rbac.authorization.k8s.io \"admin-resource-role\" not found" (get pods)
```

test.yaml
```
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name:  admin-resource-binding
  namespace: default
subjects:
  - kind: Group
    name: test
roleRef:
  kind: Role
  name: admin-resource-role
```
This commit is contained in:
Kubernetes Submit Queue 2016-12-22 06:10:37 -08:00 committed by GitHub
commit 38882c3727
2 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/apiserver/filters/errors.go
View File

@ -64,6 +64,6 @@ func internalError(w http.ResponseWriter, req *http.Request, err error) {
w.Header().Set("Content-Type", "text/plain")
w.Header().Set("X-Content-Type-Options", "nosniff")
w.WriteHeader(http.StatusInternalServerError)
fmt.Fprintf(w, "Internal Server Error: %#v", req.RequestURI)
fmt.Fprintf(w, "Internal Server Error: %#v: %v", req.RequestURI, err)
runtime.HandleError(err)
}

3
plugin/pkg/auth/authorizer/rbac/rbac.go
View File

@ -18,6 +18,7 @@ limitations under the License.
package rbac
import (
"fmt"
"github.com/golang/glog"
"k8s.io/kubernetes/pkg/apis/rbac"
@ -47,7 +48,7 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (boo
glog.V(2).Infof("RBAC DENY: user %q groups %v cannot %q on \"%v.%v/%v\"", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(),
requestAttributes.GetVerb(), requestAttributes.GetResource(), requestAttributes.GetAPIGroup(), requestAttributes.GetSubresource())
return false, "", ruleResolutionError
return false, fmt.Sprintf("%v", ruleResolutionError), nil
}
func New(roles validation.RoleGetter, roleBindings validation.RoleBindingLister, clusterRoles validation.ClusterRoleGetter, clusterRoleBindings validation.ClusterRoleBindingLister) *RBACAuthorizer {