github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 11:50:44 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #39918 from liggitt/e2e-examples-permissions

Browse Source 
Automatic merge from submit-queue

Fix examples e2e permission check

Ref #39382
Follow-up from #39896

Permission check should be done within the e2e test namespace, not cluster-wide

Also improved RBAC audit logging to make the scope of the permission check clearer
This commit is contained in:
Kubernetes Submit Queue 2017-01-16 06:30:29 -08:00 committed by GitHub
commit 8fa23586cf
2 changed files with 25 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
plugin/pkg/auth/authorizer/rbac/rbac.go
View File

@ -19,6 +19,7 @@ package rbac
import ( import (
"fmt" "fmt"
"github.com/golang/glog" "github.com/golang/glog"
"k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authentication/user"
@ -45,8 +46,29 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (boo
return true, "", nil return true, "", nil
} }
glog.V(2).Infof("RBAC DENY: user %q groups %v cannot %q on \"%v.%v/%v\"", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(), // Build a detailed log of the denial.
requestAttributes.GetVerb(), requestAttributes.GetResource(), requestAttributes.GetAPIGroup(), requestAttributes.GetSubresource()) // Make the whole block conditional so we don't do a lot of string-building we won't use.
if glog.V(2) {
var operation string
if requestAttributes.IsResourceRequest() {
operation = fmt.Sprintf(
"%q on \"%v.%v/%v\"",
requestAttributes.GetVerb(),
requestAttributes.GetResource(), requestAttributes.GetAPIGroup(), requestAttributes.GetSubresource(),
)
} else {
operation = fmt.Sprintf("%q nonResourceURL %q", requestAttributes.GetVerb(), requestAttributes.GetPath())
}
var scope string
if ns := requestAttributes.GetNamespace(); len(ns) > 0 {
scope = fmt.Sprintf("in namespace %q", ns)
} else {
scope = "cluster-wide"
}
glog.Infof("RBAC DENY: user %q groups %v cannot %s %s", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(), operation, scope)
}
reason := "" reason := ""
if ruleResolutionError != nil { if ruleResolutionError != nil {

2
test/e2e/examples.go
View File

@ -75,7 +75,7 @@ var _ = framework.KubeDescribe("[Feature:Example]", func() {
err := framework.WaitForAuthorizationUpdate(c.Authorization(), err := framework.WaitForAuthorizationUpdate(c.Authorization(),
serviceaccount.MakeUsername(f.Namespace.Name, "default"), serviceaccount.MakeUsername(f.Namespace.Name, "default"),
"", "create", schema.GroupResource{Resource: "pods"}, true) f.Namespace.Name, "create", schema.GroupResource{Resource: "pods"}, true)
framework.ExpectNoError(err) framework.ExpectNoError(err)
}) })