github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-30 06:54:01 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #49006 from CaoShuFeng/is_forbidden

Browse Source 
Automatic merge from submit-queue

Fix forbidden message format

Before this change:
 $ kubectl get pods --as=tom
 Error from server (Forbidden): pods "" is forbidden: User "tom" cannot list pods in the namespace "default".
After this change:
 $ kubectl get pods --as=tom
 Error from server (Forbidden): pods is forbidden: User "tom" cannot list pods in the namespace "default".



**What this PR does / why we need it**:

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:

**Release note**:

```
Fix forbidden message format, remove extra ""
```
This commit is contained in:
Kubernetes Submit Queue 2017-08-26 19:01:21 -07:00 committed by GitHub
commit 562d2be7a0
3 changed files with 16 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
staging/src/k8s.io/apimachinery/pkg/api/errors/errors.go
View File

@ -128,6 +128,14 @@ func NewUnauthorized(reason string) *StatusError {
// NewForbidden returns an error indicating the requested action was forbidden // NewForbidden returns an error indicating the requested action was forbidden
func NewForbidden(qualifiedResource schema.GroupResource, name string, err error) *StatusError { func NewForbidden(qualifiedResource schema.GroupResource, name string, err error) *StatusError {
var message string
if qualifiedResource.Empty() {
message = fmt.Sprintf("forbidden: %v", err)
} else if name == "" {
message = fmt.Sprintf("%s is forbidden: %v", qualifiedResource.String(), err)
} else {
message = fmt.Sprintf("%s %q is forbidden: %v", qualifiedResource.String(), name, err)
}
return &StatusError{metav1.Status{ return &StatusError{metav1.Status{
Status: metav1.StatusFailure, Status: metav1.StatusFailure,
Code: http.StatusForbidden, Code: http.StatusForbidden,
@ -137,7 +145,7 @@ func NewForbidden(qualifiedResource schema.GroupResource, name string, err error
Kind: qualifiedResource.Resource, Kind: qualifiedResource.Resource,
Name: name, Name: name,
}, },
Message: fmt.Sprintf("%s %q is forbidden: %v", qualifiedResource.String(), name, err), Message: message,
}} }}
} }

10
staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/errors_test.go
View File

@ -68,13 +68,15 @@ func TestForbidden(t *testing.T) {
reason string reason string
contentType string contentType string
}{ }{
{`{"metadata":{},"status":"Failure","message":" \"\" is forbidden: User \"NAME\" cannot GET path \"/whatever\".","reason":"Forbidden","details":{},"code":403} {`{"metadata":{},"status":"Failure","message":"forbidden: User \"NAME\" cannot GET path \"/whatever\".","reason":"Forbidden","details":{},"code":403}
`, authorizer.AttributesRecord{User: u, Verb: "GET", Path: "/whatever"}, "", "application/json"}, `, authorizer.AttributesRecord{User: u, Verb: "GET", Path: "/whatever"}, "", "application/json"},
{`{"metadata":{},"status":"Failure","message":" \"\" is forbidden: User \"NAME\" cannot GET path \"/\u0026lt;script\u0026gt;\".","reason":"Forbidden","details":{},"code":403} {`{"metadata":{},"status":"Failure","message":"forbidden: User \"NAME\" cannot GET path \"/\u0026lt;script\u0026gt;\".","reason":"Forbidden","details":{},"code":403}
`, authorizer.AttributesRecord{User: u, Verb: "GET", Path: "/<script>"}, "", "application/json"}, `, authorizer.AttributesRecord{User: u, Verb: "GET", Path: "/<script>"}, "", "application/json"},
{`{"metadata":{},"status":"Failure","message":"pod \"\" is forbidden: User \"NAME\" cannot GET pod at the cluster scope.","reason":"Forbidden","details":{"kind":"pod"},"code":403} {`{"metadata":{},"status":"Failure","message":"pod is forbidden: User \"NAME\" cannot GET pod at the cluster scope.","reason":"Forbidden","details":{"kind":"pod"},"code":403}
`, authorizer.AttributesRecord{User: u, Verb: "GET", Resource: "pod", ResourceRequest: true}, "", "application/json"}, `, authorizer.AttributesRecord{User: u, Verb: "GET", Resource: "pod", ResourceRequest: true}, "", "application/json"},
{`{"metadata":{},"status":"Failure","message":"pod.v2 \"\" is forbidden: User \"NAME\" cannot GET pod.v2/quota in the namespace \"test\".","reason":"Forbidden","details":{"group":"v2","kind":"pod"},"code":403} {`{"metadata":{},"status":"Failure","message":"pod \"mypod\" is forbidden: User \"NAME\" cannot GET pod at the cluster scope.","reason":"Forbidden","details":{"name":"mypod","kind":"pod"},"code":403}
`, authorizer.AttributesRecord{User: u, Verb: "GET", Resource: "pod", ResourceRequest: true, Name: "mypod"}, "", "application/json"},
{`{"metadata":{},"status":"Failure","message":"pod.v2 is forbidden: User \"NAME\" cannot GET pod.v2/quota in the namespace \"test\".","reason":"Forbidden","details":{"group":"v2","kind":"pod"},"code":403}
`, authorizer.AttributesRecord{User: u, Verb: "GET", Namespace: "test", APIGroup: "v2", Resource: "pod", Subresource: "quota", ResourceRequest: true}, "", "application/json"}, `, authorizer.AttributesRecord{User: u, Verb: "GET", Namespace: "test", APIGroup: "v2", Resource: "pod", Subresource: "quota", ResourceRequest: true}, "", "application/json"},
} }
for _, test := range cases { for _, test := range cases {

2
test/integration/master/master_test.go
View File

@ -171,7 +171,7 @@ func TestStatus(t *testing.T) {
statusCode: http.StatusForbidden, statusCode: http.StatusForbidden,
reqPath: "/apis", reqPath: "/apis",
reason: "Forbidden", reason: "Forbidden",
message: ` "" is forbidden: User "" cannot get path "/apis".: "Everything is forbidden."`, message: `forbidden: User "" cannot get path "/apis".: "Everything is forbidden."`,
}, },
{ {
name: "401", name: "401",