Merge pull request #36769 from deads2k/auth-03-fix-impersonation

Automatic merge from submit-queue

clear impersonation headers

If you clone a request that came in after impersonation, you were also cloning the impersonation headers that came with it.  These seem roughly analogous to the `Authorization` header, so this clears them.

@kubernetes/sig-auth
This commit is contained in:
Kubernetes Submit Queue 2016-12-01 04:52:09 -08:00 committed by GitHub
commit d00696a0d8

View File

@ -123,6 +123,15 @@ func WithImpersonation(handler http.Handler, requestContextMapper api.RequestCon
oldUser, _ := api.UserFrom(ctx)
httplog.LogOf(req, w).Addf("%v is acting as %v", oldUser, newUser)
// clear all the impersonation headers from the request
req.Header.Del(authenticationapi.ImpersonateUserHeader)
req.Header.Del(authenticationapi.ImpersonateGroupHeader)
for headerName := range req.Header {
if strings.HasPrefix(headerName, authenticationapi.ImpersonateUserExtraHeaderPrefix) {
req.Header.Del(headerName)
}
}
handler.ServeHTTP(w, req)
})
}