github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-02 09:47:06 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #46375 from deads2k/auth-05-nameprotection

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 46456, 46675, 46676, 46416, 46375)

prevent illegal verb/name combinations in default policy rules

Names aren't presented with some kinds of "normal" verbs.  This prevents people from making common mistakes.

@timothysc as I noted in your pull.  This will prevent some classes of errors.
This commit is contained in:
Kubernetes Submit Queue
2017-06-03 00:28:53 -07:00
committed by GitHub
parent ead40ebdce 5539a6721d
commit 78a9e4feba
2 changed files with 32 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
pkg/apis/rbac/helpers.go
View File

@@ -222,6 +222,22 @@ func (r *PolicyRuleBuilder) Rule() (PolicyRule, error) {
// this a common bug
return PolicyRule{}, fmt.Errorf("resource rule must have apiGroups: %#v", r.PolicyRule)
}
// if resource names are set, then the verb must not be list, watch, create, or deletecollection
// since verbs are largely opaque, we don't want to accidentally prevent things like "impersonate", so
// we will backlist common mistakes, not whitelist acceptable options.
if len(r.PolicyRule.ResourceNames) != 0 {
illegalVerbs := []string{}
for _, verb := range r.PolicyRule.Verbs {
switch verb {
case "list", "watch", "create", "deletecollection":
illegalVerbs = append(illegalVerbs, verb)
}
}
if len(illegalVerbs) > 0 {
return PolicyRule{}, fmt.Errorf("verbs %v do not have names available: %#v", illegalVerbs, r.PolicyRule)
}
}
default:
return PolicyRule{}, fmt.Errorf("a rule must have either nonResourceURLs or resources: %#v", r.PolicyRule)
}

16
staging/src/k8s.io/client-go/pkg/apis/rbac/helpers.go
View File

@@ -221,6 +221,22 @@ func (r *PolicyRuleBuilder) Rule() (PolicyRule, error) {
// this a common bug
return PolicyRule{}, fmt.Errorf("resource rule must have apiGroups: %#v", r.PolicyRule)
}
// if resource names are set, then the verb must not be list, watch, create, or deletecollection
// since verbs are largely opaque, we don't want to accidentally prevent things like "impersonate", so
// we will backlist common mistakes, not whitelist acceptable options.
if len(r.PolicyRule.ResourceNames) != 0 {
illegalVerbs := []string{}
for _, verb := range r.PolicyRule.Verbs {
switch verb {
case "list", "watch", "create", "deletecollection":
illegalVerbs = append(illegalVerbs, verb)
}
}
if len(illegalVerbs) > 0 {
return PolicyRule{}, fmt.Errorf("verbs %v do not have names available: %#v", illegalVerbs, r.PolicyRule)
}
}
default:
return PolicyRule{}, fmt.Errorf("a rule must have either nonResourceURLs or resources: %#v", r.PolicyRule)
}