From 48f7f6fb676eac9dca3332ad73b9321638fc7c69 Mon Sep 17 00:00:00 2001
From: Charles Eckman
Date: Mon, 28 Jan 2019 15:27:02 -0800
Subject: [PATCH 1/3] Fix typo, and note when BoundObjectRef isn't checked
- s/objet/object/
- A relying party (validating a token) may not have access to the resource named in the `BoundObjectRef`; only the API server can be asserted to have access. Note this in the field's documentation.
---
 pkg/apis/authentication/types.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkg/apis/authentication/types.go b/pkg/apis/authentication/types.go
index 203bf22bb34..a33dfe98985 100644
--- a/pkg/apis/authentication/types.go
+++ b/pkg/apis/authentication/types.go
@@ -135,7 +135,9 @@ type TokenRequestSpec struct {
 ExpirationSeconds int64
 // BoundObjectRef is a reference to an object that the token will be bound to.
- // The token will only be valid for as long as the bound objet exists.
+ // The token will only be valid for as long as the bound object exists.
+ // NOTE: The API server will validate the BoundObjectRef, but other audiences
+ // may not. Keep ExpirationSeconds small if you want prompt revocation.
 BoundObjectRef *BoundObjectReference
 }
From e6c26da886d4ccd85eec83f2a0fa1aa418ecc969 Mon Sep 17 00:00:00 2001
From: Charles Eckman
Date: Fri, 1 Feb 2019 16:31:01 -0800
Subject: [PATCH 2/3] Address comment on TokenReview
---
 pkg/apis/authentication/types.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/pkg/apis/authentication/types.go b/pkg/apis/authentication/types.go
index a33dfe98985..77aaa472e1d 100644
--- a/pkg/apis/authentication/types.go
+++ b/pkg/apis/authentication/types.go
@@ -136,8 +136,9 @@ type TokenRequestSpec struct {
 // BoundObjectRef is a reference to an object that the token will be bound to.
 // The token will only be valid for as long as the bound object exists.
- // NOTE: The API server will validate the BoundObjectRef, but other audiences
- // may not. Keep ExpirationSeconds small if you want prompt revocation.
+ // NOTE: The API server's TokenReview endpoint will validate the
+ // BoundObjectRef, but other audiences may not. Keep ExpirationSeconds
+ // small if you want prompt revocation.
 BoundObjectRef *BoundObjectReference
 }
From 492348c84b6653a65d8dc9caf32b59935b93902b Mon Sep 17 00:00:00 2001
From: Charles Eckman
Date: Fri, 1 Feb 2019 16:57:37 -0800
Subject: [PATCH 3/3] Update staging directory as well
---
 staging/src/k8s.io/api/authentication/v1/generated.proto | 5 ++++-
 staging/src/k8s.io/api/authentication/v1/types.go | 5 ++++-
 .../api/authentication/v1/types_swagger_doc_generated.go | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/staging/src/k8s.io/api/authentication/v1/generated.proto b/staging/src/k8s.io/api/authentication/v1/generated.proto
index b69636a814d..db7be173ddf 100644
--- a/staging/src/k8s.io/api/authentication/v1/generated.proto
+++ b/staging/src/k8s.io/api/authentication/v1/generated.proto
@@ -84,7 +84,10 @@ message TokenRequestSpec {
 optional int64 expirationSeconds = 4;
 // BoundObjectRef is a reference to an object that the token will be bound to.
- // The token will only be valid for as long as the bound objet exists.
+ // The token will only be valid for as long as the bound object exists.
+ // NOTE: The API server's TokenReview endpoint will validate the
+ // BoundObjectRef, but other audiences may not. Keep ExpirationSeconds
+ // small if you want prompt revocation.
 // +optional
 optional BoundObjectReference boundObjectRef = 3;
 }
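Review bot: The NOTE added to BoundObjectRef in the PATCH 2/3 hunk of pkg/apis/authentication/types.go names who checks the binding but not the consequence for a recipient that does not use TokenReview: as the series description says, such a recipient may not even be able to look up the referenced object, so deletion of that object is invisible to it and the token stays acceptable until ExpirationSeconds elapses — that is expiry, not revocation, so "prompt revocation" overstates what a short ExpirationSeconds buys. I would spell this out by replacing the last sentence with `// Recipients that do not call TokenReview cannot detect that the bound object has been deleted; for them the token remains valid until it expires, so request a short ExpirationSeconds when the binding must take effect promptly.` The same comment is added verbatim to staging/src/k8s.io/api/authentication/v1/types.go in PATCH 3/3 (and mirrored into the regenerated proto and swagger text), so both hand-written files should change and the generated files be regenerated. The TokenRequestSpec struct definition begins before this hunk.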
diff --git a/staging/src/k8s.io/api/authentication/v1/types.go b/staging/src/k8s.io/api/authentication/v1/types.go
index d348c6fd405..c48b03691e4 100644
--- a/staging/src/k8s.io/api/authentication/v1/types.go
+++ b/staging/src/k8s.io/api/authentication/v1/types.go
@@ -155,7 +155,10 @@ type TokenRequestSpec struct {
 ExpirationSeconds *int64 `json:"expirationSeconds" protobuf:"varint,4,opt,name=expirationSeconds"`
 // BoundObjectRef is a reference to an object that the token will be bound to.
- // The token will only be valid for as long as the bound objet exists.
+ // The token will only be valid for as long as the bound object exists.
+ // NOTE: The API server's TokenReview endpoint will validate the
+ // BoundObjectRef, but other audiences may not. Keep ExpirationSeconds
+ // small if you want prompt revocation.
 // +optional
 BoundObjectRef *BoundObjectReference `json:"boundObjectRef" protobuf:"bytes,3,opt,name=boundObjectRef"`
 }
diff --git a/staging/src/k8s.io/api/authentication/v1/types_swagger_doc_generated.go b/staging/src/k8s.io/api/authentication/v1/types_swagger_doc_generated.go
index f2c9b95c71f..09f6b920fd8 100644
--- a/staging/src/k8s.io/api/authentication/v1/types_swagger_doc_generated.go
+++ b/staging/src/k8s.io/api/authentication/v1/types_swagger_doc_generated.go
@@ -51,7 +51,7 @@ var map_TokenRequestSpec = map[string]string{
 "": "TokenRequestSpec contains client provided parameters of a token request.",
 "audiences": "Audiences are the intendend audiences of the token. A recipient of a token must identitfy themself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences.",
 "expirationSeconds": "ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response.",
- "boundObjectRef": "BoundObjectRef is a reference to an object that the token will be bound to. The token will only be valid for as long as the bound objet exists.",
+ "boundObjectRef": "BoundObjectRef is a reference to an object that the token will be bound to. The token will only be valid for as long as the bound object exists. NOTE: The API server's TokenReview endpoint will validate the BoundObjectRef, but other audiences may not. Keep ExpirationSeconds small if you want prompt revocation.",
 }
 func (TokenRequestSpec) SwaggerDoc() map[string]string {