github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-05 10:19:50 +00:00
Code Issues Projects Releases Wiki Activity

Add system: prefix to service account usernames

Browse Source
This commit is contained in:
Jordan Liggitt 2015-06-16 08:35:50 -04:00
parent 9f60f3ce44
commit dae4e82dca
2 changed files with 28 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
pkg/serviceaccount/jwt.go
View File

@ -32,7 +32,7 @@ import (
)
const (
ServiceAccountUsernamePrefix = "serviceaccount"
ServiceAccountUsernamePrefix = "system:serviceaccount"
ServiceAccountUsernameSeparator = ":"
Issuer = "kubernetes/serviceaccount"
@ -84,11 +84,15 @@ func MakeUsername(namespace, name string) string {
// SplitUsername returns the namespace and ServiceAccount name embedded in the given username,
// or an error if the username is not a valid name produced by MakeUsername
func SplitUsername(username string) (string, string, error) {
parts := strings.Split(username, ServiceAccountUsernameSeparator)
if len(parts) != 3 || parts[0] != ServiceAccountUsernamePrefix || len(parts[1]) == 0 || len(parts[2]) == 0 {
if !strings.HasPrefix(username, ServiceAccountUsernamePrefix+ServiceAccountUsernameSeparator) {
return "", "", fmt.Errorf("Username must be in the form %s", MakeUsername("namespace", "name"))
}
return parts[1], parts[2], nil
username = strings.TrimPrefix(username, ServiceAccountUsernamePrefix+ServiceAccountUsernameSeparator)
parts := strings.Split(username, ServiceAccountUsernameSeparator)
if len(parts) != 2 || len(parts[0]) == 0 || len(parts[1]) == 0 {
return "", "", fmt.Errorf("Username must be in the form %s", MakeUsername("namespace", "name"))
}
return parts[0], parts[1], nil
}
// JWTTokenGenerator returns a TokenGenerator that generates signed JWT tokens, using the given privateKey.

21
pkg/serviceaccount/jwt_test.go
View File

@ -121,7 +121,7 @@ func TestReadPublicKey(t *testing.T) {
}
func TestTokenGenerateAndValidate(t *testing.T) {
expectedUserName := "serviceaccount:test:my-service-account"
expectedUserName := "system:serviceaccount:test:my-service-account"
expectedUserUID := "12345"
// Related API objects
@ -242,3 +242,22 @@ func TestTokenGenerateAndValidate(t *testing.T) {
}
}
}
func TestMakeSplitUsername(t *testing.T) {
username := MakeUsername("ns", "name")
ns, name, err := SplitUsername(username)
if err != nil {
t.Errorf("Unexpected error %v", err)
}
if ns != "ns" || name != "name" {
t.Errorf("Expected ns/name, got %s/%s", ns, name)
}
invalid := []string{"test", "system:serviceaccount", "system:serviceaccount:", "system:serviceaccount:ns", "system:serviceaccount:ns:name:extra"}
for _, n := range invalid {
_, _, err := SplitUsername("test")
if err == nil {
t.Errorf("Expected error for %s", n)
}
}
}