Merge pull request #65906 from liggitt/union-authz-message

Automatic merge from submit-queue (batch tested with PRs 65946, 65904, 65913, 65906, 65920). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Improve multi-authorizer errors

Fixes #52279 

Includes an indication from the RBAC authorizer that it attempted to authorize the request. This reduces confusion when RBAC is combined with a webhook authorizer that returns specific reasons for rejection.

/sig auth

```release-note
NONE
```
Kubernetes Submit Queue 2018-07-07 16:25:14 -07:00 committed by GitHub
commit 5b052de486
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 1 deletions


@ -227,7 +227,7 @@ func (pl policyList) Authorize(a authorizer.Attributes) (authorizer.Decision, st
return authorizer.DecisionAllow, "", nil
}
}
return authorizer.DecisionNoOpinion, "No policy matched.", nil
return authorizer.DecisionNoOpinion, "no ABAC policy matched", nil
// TODO: Benchmark how much time policy matching takes with a medium size
// policy file, compared to other steps such as encoding/decoding.
// Then, add Caching only if needed.
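Review bot: The new reason `"no ABAC policy matched"` names the authorizer module, as does `"no RBAC policy matched"` in the RBAC section, and nothing here documents who gets to read that string. If the reason is copied into the response sent to a denied requester rather than only into logs or audit records, it tells that requester which authorizers the cluster runs. A short comment above the return such as `// reason is diagnostic text; it may be shown to the requester, so keep it free of policy details` would record that intent. Any test or client that matched the old `"No policy matched."` text needs updating too, and none is visible in this commit. Authorize's body starts outside the hunk.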


@ -121,6 +121,8 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (aut
reason := ""
if len(ruleCheckingVisitor.errors) > 0 {
reason = fmt.Sprintf("RBAC: %v", utilerrors.NewAggregate(ruleCheckingVisitor.errors))
} else {
reason = "no RBAC policy matched"
}
return authorizer.DecisionNoOpinion, reason, nil
}
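Review bot: `reason := ""` is now a dead initial value, because both branches of the `if` assign it before the return. Declaring `reason := "no RBAC policy matched"` and keeping only the error branch to overwrite it would drop the `else` and read more directly. The error branch formats the aggregated `ruleCheckingVisitor.errors` into the reason. A comment saying whether those errors can carry role or binding names, and whether that is acceptable wherever the reason ends up, would help the next reader. Authorize's body starts outside the hunk.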