From 7fabd06c2be41f4134f425fa967d79ac31dc5756 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Stanislav=20L=C3=A1zni=C4=8Dka?= Date: Thu, 16 Feb 2023 11:28:50 +0100 Subject: [PATCH] requestheaders: add a "requestheader-uid-headers" flag and wire it up --- .../app/options/options_test.go | 1 + pkg/kubeapiserver/authenticator/config.go | 1 + .../options/authentication_test.go | 4 ++ .../authenticatorfactory/delegating.go | 1 + .../authenticatorfactory/requestheader.go | 2 + .../request/headerrequest/requestheader.go | 26 ++++++-- .../headerrequest/requestheader_controller.go | 18 +++++- .../requestheader_controller_test.go | 30 ++++++--- .../headerrequest/requestheader_test.go | 62 ++++++++++++++++++- .../pkg/endpoints/filters/authentication.go | 3 + .../endpoints/filters/authentication_test.go | 38 ++++++++++++ .../pkg/server/options/authentication.go | 14 +++++ .../authentication_dynamic_request_header.go | 1 + .../pkg/server/options/authentication_test.go | 3 + .../cloud-provider/options/options_test.go | 2 + 15 files changed, 187 insertions(+), 19 deletions(-) diff --git a/cmd/kube-controller-manager/app/options/options_test.go b/cmd/kube-controller-manager/app/options/options_test.go index be9f0c12082..4dbcda55eac 100644 --- a/cmd/kube-controller-manager/app/options/options_test.go +++ b/cmd/kube-controller-manager/app/options/options_test.go @@ -430,6 +430,7 @@ func TestAddFlags(t *testing.T) { ClientCert: apiserveroptions.ClientCertAuthenticationOptions{}, RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{ UsernameHeaders: []string{"x-remote-user"}, + UIDHeaders: []string{"x-remote-uid"}, GroupHeaders: []string{"x-remote-group"}, ExtraHeaderPrefixes: []string{"x-remote-extra-"}, }, diff --git a/pkg/kubeapiserver/authenticator/config.go b/pkg/kubeapiserver/authenticator/config.go index 9b1655b139a..fe583eca253 100644 --- a/pkg/kubeapiserver/authenticator/config.go +++ b/pkg/kubeapiserver/authenticator/config.go @@ -110,6 +110,7 @@ func (config Config) New(serverLifecycle context.Context) (authenticator.Request config.RequestHeaderConfig.CAContentProvider.VerifyOptions, config.RequestHeaderConfig.AllowedClientNames, config.RequestHeaderConfig.UsernameHeaders, + config.RequestHeaderConfig.UIDHeaders, config.RequestHeaderConfig.GroupHeaders, config.RequestHeaderConfig.ExtraHeaderPrefixes, ) diff --git a/pkg/kubeapiserver/options/authentication_test.go b/pkg/kubeapiserver/options/authentication_test.go index 7185f385c7a..beedd013d8e 100644 --- a/pkg/kubeapiserver/options/authentication_test.go +++ b/pkg/kubeapiserver/options/authentication_test.go @@ -303,6 +303,7 @@ func TestToAuthenticationConfig(t *testing.T) { }, RequestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{ UsernameHeaders: []string{"x-remote-user"}, + UIDHeaders: []string{"x-remote-uid"}, GroupHeaders: []string{"x-remote-group"}, ExtraHeaderPrefixes: []string{"x-remote-extra-"}, ClientCAFile: "testdata/root.pem", @@ -352,6 +353,7 @@ func TestToAuthenticationConfig(t *testing.T) { RequestHeaderConfig: &authenticatorfactory.RequestHeaderConfig{ UsernameHeaders: headerrequest.StaticStringSlice{"x-remote-user"}, + UIDHeaders: headerrequest.StaticStringSlice{"x-remote-uid"}, GroupHeaders: headerrequest.StaticStringSlice{"x-remote-group"}, ExtraHeaderPrefixes: headerrequest.StaticStringSlice{"x-remote-extra-"}, CAContentProvider: nil, // this is nil because you can't compare functions @@ -397,6 +399,7 @@ func TestBuiltInAuthenticationOptionsAddFlags(t *testing.T) { "--client-ca-file=client-cacert", "--requestheader-client-ca-file=testdata/root.pem", "--requestheader-username-headers=x-remote-user-custom", + "--requestheader-uid-headers=x-remote-uid-custom", "--requestheader-group-headers=x-remote-group-custom", "--requestheader-allowed-names=kube-aggregator", "--service-account-key-file=cert", @@ -430,6 +433,7 @@ func TestBuiltInAuthenticationOptionsAddFlags(t *testing.T) { RequestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{ ClientCAFile: "testdata/root.pem", UsernameHeaders: []string{"x-remote-user-custom"}, + UIDHeaders: []string{"x-remote-uid-custom"}, GroupHeaders: []string{"x-remote-group-custom"}, AllowedNames: []string{"kube-aggregator"}, }, diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go b/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go index 76ef44732ed..b74b8b0d494 100644 --- a/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go +++ b/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/delegating.go @@ -77,6 +77,7 @@ func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, *spec.Secur c.RequestHeaderConfig.CAContentProvider.VerifyOptions, c.RequestHeaderConfig.AllowedClientNames, c.RequestHeaderConfig.UsernameHeaders, + c.RequestHeaderConfig.UIDHeaders, c.RequestHeaderConfig.GroupHeaders, c.RequestHeaderConfig.ExtraHeaderPrefixes, ) diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/requestheader.go b/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/requestheader.go index 766bde51727..f217b94efad 100644 --- a/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/requestheader.go +++ b/staging/src/k8s.io/apiserver/pkg/authentication/authenticatorfactory/requestheader.go @@ -24,6 +24,8 @@ import ( type RequestHeaderConfig struct { // UsernameHeaders are the headers to check (in order, case-insensitively) for an identity. The first header with a value wins. UsernameHeaders headerrequest.StringSliceProvider + // UsernameHeaders are the headers to check (in order, case-insensitively) for an identity UID. The first header with a value wins. + UIDHeaders headerrequest.StringSliceProvider // GroupHeaders are the headers to check (case-insensitively) for a group names. All values will be used. GroupHeaders headerrequest.StringSliceProvider // ExtraHeaderPrefixes are the head prefixes to check (case-insentively) for filling in diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader.go b/staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader.go index 18261639394..57bf9ca300f 100644 --- a/staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader.go +++ b/staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader.go @@ -53,6 +53,9 @@ type requestHeaderAuthRequestHandler struct { // nameHeaders are the headers to check (in order, case-insensitively) for an identity. The first header with a value wins. nameHeaders StringSliceProvider + // nameHeaders are the headers to check (in order, case-insensitively) for an identity UID. The first header with a value wins. + uidHeaders StringSliceProvider + // groupHeaders are the headers to check (case-insensitively) for group membership. All values of all headers will be added. groupHeaders StringSliceProvider @@ -61,11 +64,15 @@ type requestHeaderAuthRequestHandler struct { extraHeaderPrefixes StringSliceProvider } -func New(nameHeaders, groupHeaders, extraHeaderPrefixes []string) (authenticator.Request, error) { +func New(nameHeaders, uidHeaders, groupHeaders, extraHeaderPrefixes []string) (authenticator.Request, error) { trimmedNameHeaders, err := trimHeaders(nameHeaders...) if err != nil { return nil, err } + trimmedUIDHeaders, err := trimHeaders(uidHeaders...) + if err != nil { + return nil, err + } trimmedGroupHeaders, err := trimHeaders(groupHeaders...) if err != nil { return nil, err @@ -77,14 +84,16 @@ func New(nameHeaders, groupHeaders, extraHeaderPrefixes []string) (authenticator return NewDynamic( StaticStringSlice(trimmedNameHeaders), + StaticStringSlice(trimmedUIDHeaders), StaticStringSlice(trimmedGroupHeaders), StaticStringSlice(trimmedExtraHeaderPrefixes), ), nil } -func NewDynamic(nameHeaders, groupHeaders, extraHeaderPrefixes StringSliceProvider) authenticator.Request { +func NewDynamic(nameHeaders, uidHeaders, groupHeaders, extraHeaderPrefixes StringSliceProvider) authenticator.Request { return &requestHeaderAuthRequestHandler{ nameHeaders: nameHeaders, + uidHeaders: uidHeaders, groupHeaders: groupHeaders, extraHeaderPrefixes: extraHeaderPrefixes, } @@ -103,8 +112,8 @@ func trimHeaders(headerNames ...string) ([]string, error) { return ret, nil } -func NewDynamicVerifyOptionsSecure(verifyOptionFn x509request.VerifyOptionFunc, proxyClientNames, nameHeaders, groupHeaders, extraHeaderPrefixes StringSliceProvider) authenticator.Request { - headerAuthenticator := NewDynamic(nameHeaders, groupHeaders, extraHeaderPrefixes) +func NewDynamicVerifyOptionsSecure(verifyOptionFn x509request.VerifyOptionFunc, proxyClientNames, nameHeaders, uidHeaders, groupHeaders, extraHeaderPrefixes StringSliceProvider) authenticator.Request { + headerAuthenticator := NewDynamic(nameHeaders, uidHeaders, groupHeaders, extraHeaderPrefixes) return x509request.NewDynamicCAVerifier(verifyOptionFn, headerAuthenticator, proxyClientNames) } @@ -114,25 +123,30 @@ func (a *requestHeaderAuthRequestHandler) AuthenticateRequest(req *http.Request) if len(name) == 0 { return nil, false, nil } + uid := headerValue(req.Header, a.uidHeaders.Value()) groups := allHeaderValues(req.Header, a.groupHeaders.Value()) extra := newExtra(req.Header, a.extraHeaderPrefixes.Value()) // clear headers used for authentication - ClearAuthenticationHeaders(req.Header, a.nameHeaders, a.groupHeaders, a.extraHeaderPrefixes) + ClearAuthenticationHeaders(req.Header, a.nameHeaders, a.uidHeaders, a.groupHeaders, a.extraHeaderPrefixes) return &authenticator.Response{ User: &user.DefaultInfo{ Name: name, + UID: uid, Groups: groups, Extra: extra, }, }, true, nil } -func ClearAuthenticationHeaders(h http.Header, nameHeaders, groupHeaders, extraHeaderPrefixes StringSliceProvider) { +func ClearAuthenticationHeaders(h http.Header, nameHeaders, uidHeaders, groupHeaders, extraHeaderPrefixes StringSliceProvider) { for _, headerName := range nameHeaders.Value() { h.Del(headerName) } + for _, headerName := range uidHeaders.Value() { + h.Del(headerName) + } for _, headerName := range groupHeaders.Value() { h.Del(headerName) } diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader_controller.go b/staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader_controller.go index dc844ee73bf..38d6cbe71a1 100644 --- a/staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader_controller.go +++ b/staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader_controller.go @@ -45,6 +45,7 @@ const ( // RequestHeaderAuthRequestProvider a provider that knows how to dynamically fill parts of RequestHeaderConfig struct type RequestHeaderAuthRequestProvider interface { UsernameHeaders() []string + UIDHeaders() []string GroupHeaders() []string ExtraHeaderPrefixes() []string AllowedClientNames() []string @@ -54,6 +55,7 @@ var _ RequestHeaderAuthRequestProvider = &RequestHeaderAuthRequestController{} type requestHeaderBundle struct { UsernameHeaders []string + UIDHeaders []string GroupHeaders []string ExtraHeaderPrefixes []string AllowedClientNames []string @@ -80,6 +82,7 @@ type RequestHeaderAuthRequestController struct { exportedRequestHeaderBundle atomic.Value usernameHeadersKey string + uidHeadersKey string groupHeadersKey string extraHeaderPrefixesKey string allowedClientNamesKey string @@ -90,7 +93,7 @@ func NewRequestHeaderAuthRequestController( cmName string, cmNamespace string, client kubernetes.Interface, - usernameHeadersKey, groupHeadersKey, extraHeaderPrefixesKey, allowedClientNamesKey string) *RequestHeaderAuthRequestController { + usernameHeadersKey, uidHeadersKey, groupHeadersKey, extraHeaderPrefixesKey, allowedClientNamesKey string) *RequestHeaderAuthRequestController { c := &RequestHeaderAuthRequestController{ name: "RequestHeaderAuthRequestController", @@ -100,6 +103,7 @@ func NewRequestHeaderAuthRequestController( configmapNamespace: cmNamespace, usernameHeadersKey: usernameHeadersKey, + uidHeadersKey: uidHeadersKey, groupHeadersKey: groupHeadersKey, extraHeaderPrefixesKey: extraHeaderPrefixesKey, allowedClientNamesKey: allowedClientNamesKey, @@ -152,6 +156,10 @@ func (c *RequestHeaderAuthRequestController) UsernameHeaders() []string { return c.loadRequestHeaderFor(c.usernameHeadersKey) } +func (c *RequestHeaderAuthRequestController) UIDHeaders() []string { + return c.loadRequestHeaderFor(c.uidHeadersKey) +} + func (c *RequestHeaderAuthRequestController) GroupHeaders() []string { return c.loadRequestHeaderFor(c.groupHeadersKey) } @@ -278,6 +286,11 @@ func (c *RequestHeaderAuthRequestController) getRequestHeaderBundleFromConfigMap return nil, err } + uidHeaderCurrentValue, err := deserializeStrings(cm.Data[c.uidHeadersKey]) + if err != nil { + return nil, err + } + groupHeadersCurrentValue, err := deserializeStrings(cm.Data[c.groupHeadersKey]) if err != nil { return nil, err @@ -296,6 +309,7 @@ func (c *RequestHeaderAuthRequestController) getRequestHeaderBundleFromConfigMap return &requestHeaderBundle{ UsernameHeaders: usernameHeaderCurrentValue, + UIDHeaders: uidHeaderCurrentValue, GroupHeaders: groupHeadersCurrentValue, ExtraHeaderPrefixes: extraHeaderPrefixesCurrentValue, AllowedClientNames: allowedClientNamesCurrentValue, @@ -312,6 +326,8 @@ func (c *RequestHeaderAuthRequestController) loadRequestHeaderFor(key string) [] switch key { case c.usernameHeadersKey: return headerBundle.UsernameHeaders + case c.uidHeadersKey: + return headerBundle.UIDHeaders case c.groupHeadersKey: return headerBundle.GroupHeaders case c.extraHeaderPrefixesKey: diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader_controller_test.go b/staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader_controller_test.go index 36dfbf1ec29..861c751080c 100644 --- a/staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader_controller_test.go +++ b/staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader_controller_test.go @@ -19,10 +19,10 @@ package headerrequest import ( "context" "encoding/json" - "k8s.io/apimachinery/pkg/api/equality" "testing" corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/equality" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes/fake" corev1listers "k8s.io/client-go/listers/core/v1" @@ -34,6 +34,7 @@ const ( defConfigMapNamespace = "kube-system" defUsernameHeadersKey = "user-key" + defUIDHeadersKey = "uid-key" defGroupHeadersKey = "group-key" defExtraHeaderPrefixesKey = "extra-key" defAllowedClientNamesKey = "names-key" @@ -41,6 +42,7 @@ const ( type expectedHeadersHolder struct { usernameHeaders []string + uidHeaders []string groupHeaders []string extraHeaderPrefixes []string allowedClientNames []string @@ -55,9 +57,10 @@ func TestRequestHeaderAuthRequestController(t *testing.T) { }{ { name: "happy-path: headers values are populated form a config map", - cm: defaultConfigMap(t, []string{"user-val"}, []string{"group-val"}, []string{"extra-val"}, []string{"names-val"}), + cm: defaultConfigMap(t, []string{"user-val"}, []string{"uid-val"}, []string{"group-val"}, []string{"extra-val"}, []string{"names-val"}), expectedHeader: expectedHeadersHolder{ usernameHeaders: []string{"user-val"}, + uidHeaders: []string{"uid-val"}, groupHeaders: []string{"group-val"}, extraHeaderPrefixes: []string{"extra-val"}, allowedClientNames: []string{"names-val"}, @@ -66,7 +69,7 @@ func TestRequestHeaderAuthRequestController(t *testing.T) { { name: "passing an empty config map doesn't break the controller", cm: func() *corev1.ConfigMap { - c := defaultConfigMap(t, nil, nil, nil, nil) + c := defaultConfigMap(t, nil, nil, nil, nil, nil) c.Data = map[string]string{} return c }(), @@ -74,7 +77,7 @@ func TestRequestHeaderAuthRequestController(t *testing.T) { { name: "an invalid config map produces an error", cm: func() *corev1.ConfigMap { - c := defaultConfigMap(t, nil, nil, nil, nil) + c := defaultConfigMap(t, nil, nil, nil, nil, nil) c.Data = map[string]string{ defUsernameHeadersKey: "incorrect-json-array", } @@ -119,9 +122,10 @@ func TestRequestHeaderAuthRequestControllerPreserveState(t *testing.T) { }{ { name: "scenario 1: headers values are populated form a config map", - cm: defaultConfigMap(t, []string{"user-val"}, []string{"group-val"}, []string{"extra-val"}, []string{"names-val"}), + cm: defaultConfigMap(t, []string{"user-val"}, []string{"uid-val"}, []string{"group-val"}, []string{"extra-val"}, []string{"names-val"}), expectedHeader: expectedHeadersHolder{ usernameHeaders: []string{"user-val"}, + uidHeaders: []string{"uid-val"}, groupHeaders: []string{"group-val"}, extraHeaderPrefixes: []string{"extra-val"}, allowedClientNames: []string{"names-val"}, @@ -130,7 +134,7 @@ func TestRequestHeaderAuthRequestControllerPreserveState(t *testing.T) { { name: "scenario 2: an invalid config map produces an error but doesn't destroy the state (scenario 1)", cm: func() *corev1.ConfigMap { - c := defaultConfigMap(t, nil, nil, nil, nil) + c := defaultConfigMap(t, nil, nil, nil, nil, nil) c.Data = map[string]string{ defUsernameHeadersKey: "incorrect-json-array", } @@ -139,6 +143,7 @@ func TestRequestHeaderAuthRequestControllerPreserveState(t *testing.T) { expectErr: true, expectedHeader: expectedHeadersHolder{ usernameHeaders: []string{"user-val"}, + uidHeaders: []string{"uid-val"}, groupHeaders: []string{"group-val"}, extraHeaderPrefixes: []string{"extra-val"}, allowedClientNames: []string{"names-val"}, @@ -146,9 +151,10 @@ func TestRequestHeaderAuthRequestControllerPreserveState(t *testing.T) { }, { name: "scenario 3: some headers values have changed (prev set by scenario 1)", - cm: defaultConfigMap(t, []string{"user-val"}, []string{"group-val-scenario-3"}, []string{"extra-val"}, []string{"names-val"}), + cm: defaultConfigMap(t, []string{"user-val"}, []string{"uid-val"}, []string{"group-val-scenario-3"}, []string{"extra-val"}, []string{"names-val"}), expectedHeader: expectedHeadersHolder{ usernameHeaders: []string{"user-val"}, + uidHeaders: []string{"uid-val"}, groupHeaders: []string{"group-val-scenario-3"}, extraHeaderPrefixes: []string{"extra-val"}, allowedClientNames: []string{"names-val"}, @@ -156,9 +162,10 @@ func TestRequestHeaderAuthRequestControllerPreserveState(t *testing.T) { }, { name: "scenario 4: all headers values have changed (prev set by scenario 3)", - cm: defaultConfigMap(t, []string{"user-val-scenario-4"}, []string{"group-val-scenario-4"}, []string{"extra-val-scenario-4"}, []string{"names-val-scenario-4"}), + cm: defaultConfigMap(t, []string{"user-val-scenario-4"}, []string{"uid-val-scenario-4"}, []string{"group-val-scenario-4"}, []string{"extra-val-scenario-4"}, []string{"names-val-scenario-4"}), expectedHeader: expectedHeadersHolder{ usernameHeaders: []string{"user-val-scenario-4"}, + uidHeaders: []string{"uid-val-scenario-4"}, groupHeaders: []string{"group-val-scenario-4"}, extraHeaderPrefixes: []string{"extra-val-scenario-4"}, allowedClientNames: []string{"names-val-scenario-4"}, @@ -204,9 +211,10 @@ func TestRequestHeaderAuthRequestControllerSyncOnce(t *testing.T) { }{ { name: "headers values are populated form a config map", - cm: defaultConfigMap(t, []string{"user-val"}, []string{"group-val"}, []string{"extra-val"}, []string{"names-val"}), + cm: defaultConfigMap(t, []string{"user-val"}, []string{"uid-val"}, []string{"group-val"}, []string{"extra-val"}, []string{"names-val"}), expectedHeader: expectedHeadersHolder{ usernameHeaders: []string{"user-val"}, + uidHeaders: []string{"uid-val"}, groupHeaders: []string{"group-val"}, extraHeaderPrefixes: []string{"extra-val"}, allowedClientNames: []string{"names-val"}, @@ -238,7 +246,7 @@ func TestRequestHeaderAuthRequestControllerSyncOnce(t *testing.T) { } } -func defaultConfigMap(t *testing.T, usernameHeaderVal, groupHeadersVal, extraHeaderPrefixesVal, allowedClientNamesVal []string) *corev1.ConfigMap { +func defaultConfigMap(t *testing.T, usernameHeaderVal, uidHeaderVal, groupHeadersVal, extraHeaderPrefixesVal, allowedClientNamesVal []string) *corev1.ConfigMap { encode := func(val []string) string { encodedVal, err := json.Marshal(val) if err != nil { @@ -253,6 +261,7 @@ func defaultConfigMap(t *testing.T, usernameHeaderVal, groupHeadersVal, extraHea }, Data: map[string]string{ defUsernameHeadersKey: encode(usernameHeaderVal), + defUIDHeadersKey: encode(uidHeaderVal), defGroupHeadersKey: encode(groupHeadersVal), defExtraHeaderPrefixesKey: encode(extraHeaderPrefixesVal), defAllowedClientNamesKey: encode(allowedClientNamesVal), @@ -265,6 +274,7 @@ func newDefaultTarget() *RequestHeaderAuthRequestController { configmapName: defConfigMapName, configmapNamespace: defConfigMapNamespace, usernameHeadersKey: defUsernameHeadersKey, + uidHeadersKey: defUIDHeadersKey, groupHeadersKey: defGroupHeadersKey, extraHeaderPrefixesKey: defExtraHeaderPrefixesKey, allowedClientNamesKey: defAllowedClientNamesKey, diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader_test.go b/staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader_test.go index 24541a3f719..c698ca1d149 100644 --- a/staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader_test.go +++ b/staging/src/k8s.io/apiserver/pkg/authentication/request/headerrequest/requestheader_test.go @@ -29,6 +29,7 @@ import ( func TestRequestHeader(t *testing.T) { testcases := map[string]struct { nameHeaders []string + uidHeaders []string groupHeaders []string extraPrefixHeaders []string requestHeaders http.Header @@ -128,13 +129,66 @@ func TestRequestHeader(t *testing.T) { }, expectedOk: true, }, - + "uid none": { + nameHeaders: []string{"X-Remote-User"}, + uidHeaders: []string{"X-Remote-Uid"}, + requestHeaders: http.Header{ + "X-Remote-User": {"Bob"}, + }, + expectedUser: &user.DefaultInfo{ + Name: "Bob", + UID: "", + Groups: []string{}, + Extra: map[string][]string{}, + }, + expectedOk: true, + }, + "uid exact match": { + nameHeaders: []string{"X-Remote-User"}, + uidHeaders: []string{"X-Remote-Uid"}, + requestHeaders: http.Header{ + "X-Remote-User": {"Bob"}, + // The keys in http.Header MUST be http.CanonicalHeaderKey. + // Hence X-Remote-Uid-1 instead of X-Remote-UID-1. + "X-Remote-Uid-1": {"8f5ea9d1-a5ed-4d02-80a2-26709216350b"}, + "X-Remote-Uid-2": {"c7644180-c774-4a9b-81e5-3eef76f087ab"}, + }, + finalHeaders: http.Header{ + "X-Remote-Uid-1": {"8f5ea9d1-a5ed-4d02-80a2-26709216350b"}, + "X-Remote-Uid-2": {"c7644180-c774-4a9b-81e5-3eef76f087ab"}, + }, + expectedUser: &user.DefaultInfo{ + Name: "Bob", + UID: "", + Groups: []string{}, + Extra: map[string][]string{}, + }, + expectedOk: true, + }, + "uid first match": { + nameHeaders: []string{"X-Remote-User"}, + uidHeaders: []string{"X-Remote-Uid-1", "X-Remote-Uid-2"}, + requestHeaders: http.Header{ + "X-Remote-User": {"Bob"}, + "X-Remote-Uid-1": {"8f5ea9d1-a5ed-4d02-80a2-26709216350b"}, + "X-Remote-Uid-2": {"c7644180-c774-4a9b-81e5-3eef76f087ab"}, + }, + expectedUser: &user.DefaultInfo{ + Name: "Bob", + UID: "8f5ea9d1-a5ed-4d02-80a2-26709216350b", + Groups: []string{}, + Extra: map[string][]string{}, + }, + expectedOk: true, + }, "extra prefix matches case-insensitive": { nameHeaders: []string{"X-Remote-User"}, + uidHeaders: []string{"X-Remote-UID"}, groupHeaders: []string{"X-Remote-Group-1", "X-Remote-Group-2"}, extraPrefixHeaders: []string{"X-Remote-Extra-1-", "X-Remote-Extra-2-"}, requestHeaders: http.Header{ "X-Remote-User": {"Bob"}, + "X-Remote-Uid": {"2ca80fb0-60ea-4ecf-951c-89af843b0402"}, "X-Remote-Group-1": {"one-a", "one-b"}, "X-Remote-Group-2": {"two-a", "two-b"}, "X-Remote-extra-1-key1": {"alfa", "bravo"}, @@ -146,6 +200,7 @@ func TestRequestHeader(t *testing.T) { }, expectedUser: &user.DefaultInfo{ Name: "Bob", + UID: "2ca80fb0-60ea-4ecf-951c-89af843b0402", Groups: []string{"one-a", "one-b", "two-a", "two-b"}, Extra: map[string][]string{ "key1": {"alfa", "bravo", "echo", "foxtrot"}, @@ -191,10 +246,12 @@ func TestRequestHeader(t *testing.T) { "escaped extra keys": { nameHeaders: []string{"X-Remote-User"}, + uidHeaders: []string{"X-Remote-Uid"}, groupHeaders: []string{"X-Remote-Group"}, extraPrefixHeaders: []string{"X-Remote-Extra-"}, requestHeaders: http.Header{ "X-Remote-User": {"Bob"}, + "X-Remote-Uid": {"2ca80fb0-60ea-4ecf-951c-89af843b0402"}, "X-Remote-Group": {"one-a", "one-b"}, "X-Remote-Extra-Alpha": {"alphabetical"}, "X-Remote-Extra-Alph4num3r1c": {"alphanumeric"}, @@ -206,6 +263,7 @@ func TestRequestHeader(t *testing.T) { }, expectedUser: &user.DefaultInfo{ Name: "Bob", + UID: "2ca80fb0-60ea-4ecf-951c-89af843b0402", Groups: []string{"one-a", "one-b"}, Extra: map[string][]string{ "alpha": {"alphabetical"}, @@ -223,7 +281,7 @@ func TestRequestHeader(t *testing.T) { for k, testcase := range testcases { t.Run(k, func(t *testing.T) { - auth, err := New(testcase.nameHeaders, testcase.groupHeaders, testcase.extraPrefixHeaders) + auth, err := New(testcase.nameHeaders, testcase.uidHeaders, testcase.groupHeaders, testcase.extraPrefixHeaders) if err != nil { t.Fatal(err) } diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go index 64b3569d0d9..980e11f6e11 100644 --- a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go +++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go @@ -54,6 +54,7 @@ func withAuthentication(handler http.Handler, auth authenticator.Request, failed } standardRequestHeaderConfig := &authenticatorfactory.RequestHeaderConfig{ UsernameHeaders: headerrequest.StaticStringSlice{"X-Remote-User"}, + UIDHeaders: headerrequest.StaticStringSlice{"X-Remote-Uid"}, GroupHeaders: headerrequest.StaticStringSlice{"X-Remote-Group"}, ExtraHeaderPrefixes: headerrequest.StaticStringSlice{"X-Remote-Extra-"}, } @@ -90,6 +91,7 @@ func withAuthentication(handler http.Handler, auth authenticator.Request, failed headerrequest.ClearAuthenticationHeaders( req.Header, standardRequestHeaderConfig.UsernameHeaders, + standardRequestHeaderConfig.UIDHeaders, standardRequestHeaderConfig.GroupHeaders, standardRequestHeaderConfig.ExtraHeaderPrefixes, ) @@ -99,6 +101,7 @@ func withAuthentication(handler http.Handler, auth authenticator.Request, failed headerrequest.ClearAuthenticationHeaders( req.Header, requestHeaderConfig.UsernameHeaders, + requestHeaderConfig.UIDHeaders, requestHeaderConfig.GroupHeaders, requestHeaderConfig.ExtraHeaderPrefixes, ) diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication_test.go b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication_test.go index 2ef45a6be88..75bc14c5ca5 100644 --- a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication_test.go +++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication_test.go @@ -285,6 +285,7 @@ func TestAuthenticateRequestError(t *testing.T) { func TestAuthenticateRequestClearHeaders(t *testing.T) { testcases := map[string]struct { nameHeaders []string + uidHeaders []string groupHeaders []string extraPrefixHeaders []string requestHeaders http.Header @@ -334,13 +335,39 @@ func TestAuthenticateRequestClearHeaders(t *testing.T) { "X-Remote-Group": {"Users"}, }, }, + "uid none": { + nameHeaders: []string{"X-Remote-User"}, + uidHeaders: []string{"X-Remote-Uid"}, + requestHeaders: http.Header{ + "X-Remote-User": {"Alice"}, + }, + }, + "uid all matches": { + nameHeaders: []string{"X-Remote-User"}, + uidHeaders: []string{"X-Remote-Uid-1", "X-Remote-Uid-2"}, + requestHeaders: http.Header{ + "X-Remote-User": {"Alice"}, + "X-Remote-Uid-1": {"one"}, + "X-Remote-Uid-2": {"two", "three"}, + }, + }, + "uid case-insensitive": { + nameHeaders: []string{"X-Remote-USER"}, + uidHeaders: []string{"X-REMOTE-UID-1"}, + requestHeaders: http.Header{ + "X-Remote-User": {"Alice"}, + "X-Remote-Uid-1": {"one"}, + }, + }, "extra prefix matches case-insensitive": { nameHeaders: []string{"X-Remote-User"}, + uidHeaders: []string{"X-Remote-Uid-1"}, groupHeaders: []string{"X-Remote-Group-1", "X-Remote-Group-2"}, extraPrefixHeaders: []string{"X-Remote-Extra-1-", "X-Remote-Extra-2-"}, requestHeaders: http.Header{ "X-Remote-User": {"Bob"}, + "X-Remote-Uid-1": {"bobs-uid"}, "X-Remote-Group-1": {"one-a", "one-b"}, "X-Remote-Group-2": {"two-a", "two-b"}, "X-Remote-extra-1-key1": {"alfa", "bravo"}, @@ -354,12 +381,15 @@ func TestAuthenticateRequestClearHeaders(t *testing.T) { "extra prefix matches case-insensitive with unrelated headers": { nameHeaders: []string{"X-Remote-User"}, + uidHeaders: []string{"X-Remote-Uid"}, groupHeaders: []string{"X-Remote-Group-1", "X-Remote-Group-2"}, extraPrefixHeaders: []string{"X-Remote-Extra-1-", "X-Remote-Extra-2-"}, requestHeaders: http.Header{ "X-Group-Remote": {"snorlax"}, // unrelated header "X-Group-Bear": {"panda"}, // another unrelated header + "X-Uid-Remote": {"bobs-unrelated-uid"}, "X-Remote-User": {"Bob"}, + "X-Remote-Uid": {"bobs-uid"}, "X-Remote-Group-1": {"one-a", "one-b"}, "X-Remote-Group-2": {"two-a", "two-b"}, "X-Remote-extra-1-key1": {"alfa", "bravo"}, @@ -372,15 +402,18 @@ func TestAuthenticateRequestClearHeaders(t *testing.T) { finalHeaders: http.Header{ "X-Group-Remote": {"snorlax"}, "X-Group-Bear": {"panda"}, + "X-Uid-Remote": {"bobs-unrelated-uid"}, }, }, "custom config but request contains standard headers": { nameHeaders: []string{"foo"}, + uidHeaders: []string{"footoo"}, groupHeaders: []string{"bar"}, extraPrefixHeaders: []string{"baz"}, requestHeaders: http.Header{ "X-Remote-User": {"Bob"}, + "X-Remote-Uid": {"bobs-uid"}, "X-Remote-Group-1": {"one-a", "one-b"}, "X-Remote-Group-2": {"two-a", "two-b"}, "X-Remote-extra-1-key1": {"alfa", "bravo"}, @@ -398,10 +431,12 @@ func TestAuthenticateRequestClearHeaders(t *testing.T) { "custom config but request contains standard and custom headers": { nameHeaders: []string{"one"}, + uidHeaders: []string{"onetoo"}, groupHeaders: []string{"two"}, extraPrefixHeaders: []string{"three-"}, requestHeaders: http.Header{ "X-Remote-User": {"Bob"}, + "X-Remote-Uid": {"bobs-uid"}, "X-Remote-Group-3": {"one-a", "one-b"}, "X-Remote-Group-4": {"two-a", "two-b"}, "X-Remote-extra-1-key1": {"alfa", "bravo"}, @@ -422,10 +457,12 @@ func TestAuthenticateRequestClearHeaders(t *testing.T) { "escaped extra keys": { nameHeaders: []string{"X-Remote-User"}, + uidHeaders: []string{"X-Remote-Uid"}, groupHeaders: []string{"X-Remote-Group"}, extraPrefixHeaders: []string{"X-Remote-Extra-"}, requestHeaders: http.Header{ "X-Remote-User": {"Bob"}, + "X-Remote-Uid": {"bobs-uid"}, "X-Remote-Group": {"one-a", "one-b"}, "X-Remote-Extra-Alpha": {"alphabetical"}, "X-Remote-Extra-Alph4num3r1c": {"alphanumeric"}, @@ -455,6 +492,7 @@ func TestAuthenticateRequestClearHeaders(t *testing.T) { nil, &authenticatorfactory.RequestHeaderConfig{ UsernameHeaders: headerrequest.StaticStringSlice(testcase.nameHeaders), + UIDHeaders: headerrequest.StaticStringSlice(testcase.uidHeaders), GroupHeaders: headerrequest.StaticStringSlice(testcase.groupHeaders), ExtraHeaderPrefixes: headerrequest.StaticStringSlice(testcase.extraPrefixHeaders), }, diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go b/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go index c40e4cf4344..b994bd87733 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go +++ b/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go @@ -56,6 +56,7 @@ type RequestHeaderAuthenticationOptions struct { ClientCAFile string UsernameHeaders []string + UIDHeaders []string GroupHeaders []string ExtraHeaderPrefixes []string AllowedNames []string @@ -67,6 +68,9 @@ func (s *RequestHeaderAuthenticationOptions) Validate() []error { if err := checkForWhiteSpaceOnly("requestheader-username-headers", s.UsernameHeaders...); err != nil { allErrors = append(allErrors, err) } + if err := checkForWhiteSpaceOnly("requestheader-uid-headers", s.UIDHeaders...); err != nil { + allErrors = append(allErrors, err) + } if err := checkForWhiteSpaceOnly("requestheader-group-headers", s.GroupHeaders...); err != nil { allErrors = append(allErrors, err) } @@ -80,6 +84,10 @@ func (s *RequestHeaderAuthenticationOptions) Validate() []error { if len(s.UsernameHeaders) > 0 && !caseInsensitiveHas(s.UsernameHeaders, "X-Remote-User") { klog.Warningf("--requestheader-username-headers is set without specifying the standard X-Remote-User header - API aggregation will not work") } + if len(s.UIDHeaders) > 0 && !caseInsensitiveHas(s.UIDHeaders, "X-Remote-Uid") { + // this was added later and so we are able to error out + allErrors = append(allErrors, fmt.Errorf("--requestheader-uid-headers is set without specifying the standard X-Remote-Uid header - API aggregation will not work")) + } if len(s.GroupHeaders) > 0 && !caseInsensitiveHas(s.GroupHeaders, "X-Remote-Group") { klog.Warningf("--requestheader-group-headers is set without specifying the standard X-Remote-Group header - API aggregation will not work") } @@ -117,6 +125,9 @@ func (s *RequestHeaderAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { fs.StringSliceVar(&s.UsernameHeaders, "requestheader-username-headers", s.UsernameHeaders, ""+ "List of request headers to inspect for usernames. X-Remote-User is common.") + fs.StringSliceVar(&s.UIDHeaders, "requestheader-uid-headers", s.UIDHeaders, ""+ + "List of request headers to inspect for UIDs. X-Remote-Uid is suggested.") + fs.StringSliceVar(&s.GroupHeaders, "requestheader-group-headers", s.GroupHeaders, ""+ "List of request headers to inspect for groups. X-Remote-Group is suggested.") @@ -148,6 +159,7 @@ func (s *RequestHeaderAuthenticationOptions) ToAuthenticationRequestHeaderConfig return &authenticatorfactory.RequestHeaderConfig{ UsernameHeaders: headerrequest.StaticStringSlice(s.UsernameHeaders), + UIDHeaders: headerrequest.StaticStringSlice(s.UIDHeaders), GroupHeaders: headerrequest.StaticStringSlice(s.GroupHeaders), ExtraHeaderPrefixes: headerrequest.StaticStringSlice(s.ExtraHeaderPrefixes), CAContentProvider: caBundleProvider, @@ -234,6 +246,7 @@ func NewDelegatingAuthenticationOptions() *DelegatingAuthenticationOptions { ClientCert: ClientCertAuthenticationOptions{}, RequestHeader: RequestHeaderAuthenticationOptions{ UsernameHeaders: []string{"x-remote-user"}, + UIDHeaders: []string{"x-remote-uid"}, GroupHeaders: []string{"x-remote-group"}, ExtraHeaderPrefixes: []string{"x-remote-extra-"}, }, @@ -423,6 +436,7 @@ func (s *DelegatingAuthenticationOptions) createRequestHeaderConfig(client kuber return &authenticatorfactory.RequestHeaderConfig{ CAContentProvider: dynamicRequestHeaderProvider, UsernameHeaders: headerrequest.StringSliceProvider(headerrequest.StringSliceProviderFunc(dynamicRequestHeaderProvider.UsernameHeaders)), + UIDHeaders: headerrequest.StringSliceProvider(headerrequest.StringSliceProviderFunc(dynamicRequestHeaderProvider.UIDHeaders)), GroupHeaders: headerrequest.StringSliceProvider(headerrequest.StringSliceProviderFunc(dynamicRequestHeaderProvider.GroupHeaders)), ExtraHeaderPrefixes: headerrequest.StringSliceProvider(headerrequest.StringSliceProviderFunc(dynamicRequestHeaderProvider.ExtraHeaderPrefixes)), AllowedClientNames: headerrequest.StringSliceProvider(headerrequest.StringSliceProviderFunc(dynamicRequestHeaderProvider.AllowedClientNames)), diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/authentication_dynamic_request_header.go b/staging/src/k8s.io/apiserver/pkg/server/options/authentication_dynamic_request_header.go index 0dac3402187..4ef3d9b36ab 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/options/authentication_dynamic_request_header.go +++ b/staging/src/k8s.io/apiserver/pkg/server/options/authentication_dynamic_request_header.go @@ -55,6 +55,7 @@ func newDynamicRequestHeaderController(client kubernetes.Interface) (*DynamicReq authenticationConfigMapNamespace, client, "requestheader-username-headers", + "requestheader-uid-headers", "requestheader-group-headers", "requestheader-extra-headers-prefix", "requestheader-allowed-names", diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/authentication_test.go b/staging/src/k8s.io/apiserver/pkg/server/options/authentication_test.go index aa8de47cda8..d60cee13926 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/options/authentication_test.go +++ b/staging/src/k8s.io/apiserver/pkg/server/options/authentication_test.go @@ -39,6 +39,7 @@ func TestToAuthenticationRequestHeaderConfig(t *testing.T) { name: "test when ClientCAFile is nil", testOptions: &RequestHeaderAuthenticationOptions{ UsernameHeaders: headerrequest.StaticStringSlice{"x-remote-user"}, + UIDHeaders: headerrequest.StaticStringSlice{"x-remote-uid"}, GroupHeaders: headerrequest.StaticStringSlice{"x-remote-group"}, ExtraHeaderPrefixes: headerrequest.StaticStringSlice{"x-remote-extra-"}, AllowedNames: headerrequest.StaticStringSlice{"kube-aggregator"}, @@ -49,12 +50,14 @@ func TestToAuthenticationRequestHeaderConfig(t *testing.T) { testOptions: &RequestHeaderAuthenticationOptions{ ClientCAFile: "testdata/root.pem", UsernameHeaders: headerrequest.StaticStringSlice{"x-remote-user"}, + UIDHeaders: headerrequest.StaticStringSlice{"x-remote-uid"}, GroupHeaders: headerrequest.StaticStringSlice{"x-remote-group"}, ExtraHeaderPrefixes: headerrequest.StaticStringSlice{"x-remote-extra-"}, AllowedNames: headerrequest.StaticStringSlice{"kube-aggregator"}, }, expectConfig: &authenticatorfactory.RequestHeaderConfig{ UsernameHeaders: headerrequest.StaticStringSlice{"x-remote-user"}, + UIDHeaders: headerrequest.StaticStringSlice{"x-remote-uid"}, GroupHeaders: headerrequest.StaticStringSlice{"x-remote-group"}, ExtraHeaderPrefixes: headerrequest.StaticStringSlice{"x-remote-extra-"}, CAContentProvider: nil, // this is nil because you can't compare functions diff --git a/staging/src/k8s.io/cloud-provider/options/options_test.go b/staging/src/k8s.io/cloud-provider/options/options_test.go index ec6135ce04f..b7f536e43cf 100644 --- a/staging/src/k8s.io/cloud-provider/options/options_test.go +++ b/staging/src/k8s.io/cloud-provider/options/options_test.go @@ -133,6 +133,7 @@ func TestDefaultFlags(t *testing.T) { ClientCert: apiserveroptions.ClientCertAuthenticationOptions{}, RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{ UsernameHeaders: []string{"x-remote-user"}, + UIDHeaders: []string{"x-remote-uid"}, GroupHeaders: []string{"x-remote-group"}, ExtraHeaderPrefixes: []string{"x-remote-extra-"}, }, @@ -293,6 +294,7 @@ func TestAddFlags(t *testing.T) { ClientCert: apiserveroptions.ClientCertAuthenticationOptions{}, RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{ UsernameHeaders: []string{"x-remote-user"}, + UIDHeaders: []string{"x-remote-uid"}, GroupHeaders: []string{"x-remote-group"}, ExtraHeaderPrefixes: []string{"x-remote-extra-"}, },