omit the reason if we don't have an error when using rbac

2025-07-29 14:37:00 +00:00 · 2017-01-04 11:41:43 +08:00 · 2017-01-04 11:41:43 +08:00 · 9b38eaf98e
commit 9b38eaf98e
parent f95362f953
2 changed files with 11 additions and 2 deletions
--- a/pkg/genericapiserver/api/handlers/responsewriters/errors.go
+++ b/pkg/genericapiserver/api/handlers/responsewriters/errors.go
@ -38,7 +38,12 @@ func Forbidden(attributes authorizer.Attributes, w http.ResponseWriter, req *htt
 	w.Header().Set("Content-Type", "text/plain")
 	w.Header().Set("X-Content-Type-Options", "nosniff")
 	w.WriteHeader(http.StatusForbidden)
-	fmt.Fprintf(w, "%s: %q", msg, reason)
+
+	if len(reason) == 0 {
+		fmt.Fprintf(w, "%s", msg)
+	} else {
+		fmt.Fprintf(w, "%s: %q", msg, reason)
+	}
 }

 func forbiddenMessage(attributes authorizer.Attributes) string {
--- a/plugin/pkg/auth/authorizer/rbac/rbac.go
+++ b/plugin/pkg/auth/authorizer/rbac/rbac.go
@ -48,7 +48,11 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (boo
 	glog.V(2).Infof("RBAC DENY: user %q groups %v cannot %q on \"%v.%v/%v\"", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(),
 		requestAttributes.GetVerb(), requestAttributes.GetResource(), requestAttributes.GetAPIGroup(), requestAttributes.GetSubresource())

-	return false, fmt.Sprintf("%v", ruleResolutionError), nil
+	reason := ""
+	if ruleResolutionError != nil {
+		reason = fmt.Sprintf("%v", ruleResolutionError)
+	}
+	return false, reason, nil
 }

 func New(roles validation.RoleGetter, roleBindings validation.RoleBindingLister, clusterRoles validation.ClusterRoleGetter, clusterRoleBindings validation.ClusterRoleBindingLister) *RBACAuthorizer {