github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-28 05:57:25 +00:00
Code Issues Projects Releases Wiki Activity

nodeidentifier: require nodes to have wellformed usernames

Browse Source
This commit is contained in:
Mike Danese 2017-06-01 14:39:17 -07:00 committed by Jordan Liggitt
parent 5404948e7b
commit 73e47f652b
No known key found for this signature in database
GPG Key ID: 24E7ADF9A3B42012
2 changed files with 14 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
pkg/auth/nodeidentifier/default.go
View File

@ -23,8 +23,9 @@ import (
) )
// NewDefaultNodeIdentifier returns a default NodeIdentifier implementation, // NewDefaultNodeIdentifier returns a default NodeIdentifier implementation,
// which returns isNode=true if the user groups contain the system:nodes group, // which returns isNode=true if the user groups contain the system:nodes group
// and populates nodeName if isNode is true, and the user name is in the format system:node:<nodeName> // and the user name matches the format system:node:<nodeName>, and populates
// nodeName if isNode is true
func NewDefaultNodeIdentifier() NodeIdentifier { func NewDefaultNodeIdentifier() NodeIdentifier {
return defaultNodeIdentifier{} return defaultNodeIdentifier{}
} }
@ -35,14 +36,22 @@ type defaultNodeIdentifier struct{}
// nodeUserNamePrefix is the prefix for usernames in the form `system:node:<nodeName>` // nodeUserNamePrefix is the prefix for usernames in the form `system:node:<nodeName>`
const nodeUserNamePrefix = "system:node:" const nodeUserNamePrefix = "system:node:"
// NodeIdentity returns isNode=true if the user groups contain the system:nodes group, // NodeIdentity returns isNode=true if the user groups contain the system:nodes
// and populates nodeName if isNode is true, and the user name is in the format system:node:<nodeName> // group and the user name matches the format system:node:<nodeName>, and
// populates nodeName if isNode is true
func (defaultNodeIdentifier) NodeIdentity(u user.Info) (string, bool) { func (defaultNodeIdentifier) NodeIdentity(u user.Info) (string, bool) {
// Make sure we're a node, and can parse the node name // Make sure we're a node, and can parse the node name
if u == nil { if u == nil {
return "", false return "", false
} }
userName := u.GetName()
if !strings.HasPrefix(userName, nodeUserNamePrefix) {
return "", false
}
nodeName := strings.TrimPrefix(userName, nodeUserNamePrefix)
isNode := false isNode := false
for _, g := range u.GetGroups() { for _, g := range u.GetGroups() {
if g == user.NodesGroup { if g == user.NodesGroup {
@ -54,11 +63,5 @@ func (defaultNodeIdentifier) NodeIdentity(u user.Info) (string, bool) {
return "", false return "", false
} }
userName := u.GetName()
nodeName := ""
if strings.HasPrefix(userName, nodeUserNamePrefix) {
nodeName = strings.TrimPrefix(userName, nodeUserNamePrefix)
}
return nodeName, isNode return nodeName, isNode
} }

2
pkg/auth/nodeidentifier/default_test.go
View File

@ -45,7 +45,7 @@ func TestDefaultNodeIdentifier_NodeIdentity(t *testing.T) {
name: "node group without username", name: "node group without username",
user: &user.DefaultInfo{Name: "foo", Groups: []string{"system:nodes"}}, user: &user.DefaultInfo{Name: "foo", Groups: []string{"system:nodes"}},
expectNodeName: "", expectNodeName: "",
expectIsNode: true, expectIsNode: false,
}, },
{ {
name: "node group and username", name: "node group and username",