github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 19:56:01 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #7425 from roberthbailey/basic-auth-headers

Browse Source 
Set the 'WWW-Authenticate' header on 401 responses when basic auth is enabled
This commit is contained in:
Brendan Burns 2015-04-28 11:10:05 -07:00
commit c9f4d8e57e
3 changed files with 21 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
cmd/kube-apiserver/app/server.go
View File

@ -307,6 +307,7 @@ func (s *APIServer) Run(_ []string) error {
ReadWritePort: s.SecurePort, ReadWritePort: s.SecurePort,
PublicAddress: net.IP(s.BindAddress), PublicAddress: net.IP(s.BindAddress),
Authenticator: authenticator, Authenticator: authenticator,
SupportsBasicAuth: len(s.BasicAuthFile) > 0,
Authorizer: authorizer, Authorizer: authorizer,
AdmissionControl: admissionController, AdmissionControl: admissionController,
DisableV1Beta3: disableV1beta3, DisableV1Beta3: disableV1beta3,

13
pkg/auth/handlers/handlers.go
View File

@ -49,7 +49,18 @@ func NewRequestAuthenticator(mapper api.RequestContextMapper, auth authenticator
) )
} }
var Unauthorized http.HandlerFunc = unauthorized func Unauthorized(supportsBasicAuth bool) http.HandlerFunc {
if supportsBasicAuth {
return unauthorizedBasicAuth
}
return unauthorized
}
// unauthorizedBasicAuth serves an unauthorized message to clients.
func unauthorizedBasicAuth(w http.ResponseWriter, req *http.Request) {
w.Header().Set("WWW-Authenticate", `Basic realm="kubernetes-master"`)
http.Error(w, "Unauthorized", http.StatusUnauthorized)
}
// unauthorized serves an unauthorized message to clients. // unauthorized serves an unauthorized message to clients.
func unauthorized(w http.ResponseWriter, req *http.Request) { func unauthorized(w http.ResponseWriter, req *http.Request) {

14
pkg/master/master.go
View File

@ -89,11 +89,13 @@ type Config struct {
// allow v1beta3 to be conditionally disabled // allow v1beta3 to be conditionally disabled
DisableV1Beta3 bool DisableV1Beta3 bool
// allow downstream consumers to disable the index route // allow downstream consumers to disable the index route
EnableIndex bool EnableIndex bool
EnableProfiling bool EnableProfiling bool
APIPrefix string APIPrefix string
CorsAllowedOriginList util.StringList CorsAllowedOriginList util.StringList
Authenticator authenticator.Request Authenticator authenticator.Request
// TODO(roberthbailey): Remove once the server no longer supports http basic auth.
SupportsBasicAuth bool
Authorizer authorizer.Authorizer Authorizer authorizer.Authorizer
AdmissionControl admission.Interface AdmissionControl admission.Interface
MasterServiceNamespace string MasterServiceNamespace string
@ -500,7 +502,7 @@ func (m *Master) init(c *Config) {
// Install Authenticator // Install Authenticator
if c.Authenticator != nil { if c.Authenticator != nil {
authenticatedHandler, err := handlers.NewRequestAuthenticator(m.requestContextMapper, c.Authenticator, handlers.Unauthorized, handler) authenticatedHandler, err := handlers.NewRequestAuthenticator(m.requestContextMapper, c.Authenticator, handlers.Unauthorized(c.SupportsBasicAuth), handler)
if err != nil { if err != nil {
glog.Fatalf("Could not initialize authenticator: %v", err) glog.Fatalf("Could not initialize authenticator: %v", err)
} }