Merge pull request #51803 from deads2k/server-01-authz-evaluation

Automatic merge from submit-queue (batch tested with PRs 50579, 50875, 51797, 51807, 51803)

make url parsing in apiserver configurable

We have known cases where the attributes for a request are assigned differently.  The kubelet is one example.  This makes the value an interface, not a struct, and provides a hook for (non-default) users to override it.
Kubernetes Submit Queue 2017-09-03 08:46:31 -07:00 committed by GitHub
commit f24eb1da7c
4 changed files with 14 additions and 2 deletions


@ -26,7 +26,7 @@ import (
)
// WithRequestInfo attaches a RequestInfo to the context.
func WithRequestInfo(handler http.Handler, resolver *request.RequestInfoFactory, requestContextMapper request.RequestContextMapper) http.Handler {
func WithRequestInfo(handler http.Handler, resolver request.RequestInfoResolver, requestContextMapper request.RequestContextMapper) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
ctx, ok := requestContextMapper.Get(req)
if !ok {


@ -24,6 +24,10 @@ import (
"k8s.io/apimachinery/pkg/util/sets"
)
type RequestInfoResolver interface {
NewRequestInfo(req *http.Request) (*RequestInfo, error)
}
// RequestInfo holds information parsed from the http.Request
type RequestInfo struct {
// IsResourceRequest indicates whether or not the request is for an API resource or subresource
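Review bot: The new exported `RequestInfoResolver` interface has no doc comment, although it is now the extension point that decides which attributes admission and authorization evaluate for a request. I would add above the type: `// RequestInfoResolver derives the RequestInfo that authorization and admission act on; implementations must interpret the request URL the same way the handlers serving it do.` The comment should also say what a caller is expected to do when `NewRequestInfo` returns a non-nil error, since that decides whether a malformed URL is rejected or passed on. The `RequestInfo` struct that follows continues outside the hunk.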


@ -140,6 +140,9 @@ type Config struct {
// RequestContextMapper maps requests to contexts. Exported so downstream consumers can provider their own mappers
// TODO confirm that anyone downstream actually uses this and doesn't just need an accessor
RequestContextMapper apirequest.RequestContextMapper
// RequestInfoResolver is used to assign attributes (used by admission and authorization) based on a request URL.
// Use-cases that are like kubelets may need to customize this.
RequestInfoResolver apirequest.RequestInfoResolver
// Serializer is required and provides the interface for serializing and converting objects to and from the wire
// The default (api.Codecs) usually works fine.
Serializer runtime.NegotiatedSerializer
@ -372,6 +375,10 @@ func (c *Config) Complete() completedConfig {
c.Authorizer = authorizerunion.New(tokenAuthorizer, c.Authorizer)
}
if c.RequestInfoResolver == nil {
c.RequestInfoResolver = NewRequestInfoResolver(c)
}
return completedConfig{c}
}
@ -490,7 +497,7 @@ func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler {
handler = genericapifilters.WithAuthentication(handler, c.RequestContextMapper, c.Authenticator, failedHandler)
handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")
handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.RequestContextMapper, c.LongRunningFunc, c.RequestTimeout)
handler = genericapifilters.WithRequestInfo(handler, NewRequestInfoResolver(c), c.RequestContextMapper)
handler = genericapifilters.WithRequestInfo(handler, c.RequestInfoResolver, c.RequestContextMapper)
handler = apirequest.WithRequestContext(handler, c.RequestContextMapper)
handler = genericfilters.WithPanicRecovery(handler)
return handler
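Review bot: `DefaultBuildHandlerChain` now passes `c.RequestInfoResolver` straight to `WithRequestInfo`, but the field is only defaulted in `Complete()`, and this function takes a plain `*Config`, so nothing guarantees the default was applied. A config that gets here without `Complete()` (the test `setUp` in this commit had to add that call) hands a nil interface to the filter, which presumably fails on the first request rather than at startup. The filter body is outside the visible hunks, so that needs confirming. Keeping a fallback at this call site, `if c.RequestInfoResolver == nil` then use `NewRequestInfoResolver(c)`, or rejecting a nil resolver when the chain is built, would surface the mistake at construction time. The field comment on `RequestInfoResolver` should also state that a custom resolver determines what authorization sees and therefore has to agree with how the request is actually routed.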


@ -107,6 +107,7 @@ func setUp(t *testing.T) (*etcdtesting.EtcdTestServer, Config, *assert.Assertion
// },
// }
config.SwaggerConfig = DefaultSwaggerConfig()
config.Complete()
return etcdServer, *config, assert.New(t)
}