mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 19:56:01 +00:00
Merge pull request #51803 from deads2k/server-01-authz-evaluation
Automatic merge from submit-queue (batch tested with PRs 50579, 50875, 51797, 51807, 51803) make url parsing in apiserver configurable We have known cases where the attributes for a request are assigned differently. The kubelet is one example. This makes the value an interface, not a struct, and provides a hook for (non-default) users to override it.
This commit is contained in:
commit
f24eb1da7c
@ -26,7 +26,7 @@ import (
|
||||
)
|
||||
|
||||
// WithRequestInfo attaches a RequestInfo to the context.
|
||||
func WithRequestInfo(handler http.Handler, resolver *request.RequestInfoFactory, requestContextMapper request.RequestContextMapper) http.Handler {
|
||||
func WithRequestInfo(handler http.Handler, resolver request.RequestInfoResolver, requestContextMapper request.RequestContextMapper) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
|
||||
ctx, ok := requestContextMapper.Get(req)
|
||||
if !ok {
|
||||
|
@ -24,6 +24,10 @@ import (
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
)
|
||||
|
||||
type RequestInfoResolver interface {
|
||||
NewRequestInfo(req *http.Request) (*RequestInfo, error)
|
||||
}
|
||||
|
||||
// RequestInfo holds information parsed from the http.Request
|
||||
type RequestInfo struct {
|
||||
// IsResourceRequest indicates whether or not the request is for an API resource or subresource
|
||||
|
@ -140,6 +140,9 @@ type Config struct {
|
||||
// RequestContextMapper maps requests to contexts. Exported so downstream consumers can provider their own mappers
|
||||
// TODO confirm that anyone downstream actually uses this and doesn't just need an accessor
|
||||
RequestContextMapper apirequest.RequestContextMapper
|
||||
// RequestInfoResolver is used to assign attributes (used by admission and authorization) based on a request URL.
|
||||
// Use-cases that are like kubelets may need to customize this.
|
||||
RequestInfoResolver apirequest.RequestInfoResolver
|
||||
// Serializer is required and provides the interface for serializing and converting objects to and from the wire
|
||||
// The default (api.Codecs) usually works fine.
|
||||
Serializer runtime.NegotiatedSerializer
|
||||
@ -372,6 +375,10 @@ func (c *Config) Complete() completedConfig {
|
||||
c.Authorizer = authorizerunion.New(tokenAuthorizer, c.Authorizer)
|
||||
}
|
||||
|
||||
if c.RequestInfoResolver == nil {
|
||||
c.RequestInfoResolver = NewRequestInfoResolver(c)
|
||||
}
|
||||
|
||||
return completedConfig{c}
|
||||
}
|
||||
|
||||
@ -490,7 +497,7 @@ func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler {
|
||||
handler = genericapifilters.WithAuthentication(handler, c.RequestContextMapper, c.Authenticator, failedHandler)
|
||||
handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true")
|
||||
handler = genericfilters.WithTimeoutForNonLongRunningRequests(handler, c.RequestContextMapper, c.LongRunningFunc, c.RequestTimeout)
|
||||
handler = genericapifilters.WithRequestInfo(handler, NewRequestInfoResolver(c), c.RequestContextMapper)
|
||||
handler = genericapifilters.WithRequestInfo(handler, c.RequestInfoResolver, c.RequestContextMapper)
|
||||
handler = apirequest.WithRequestContext(handler, c.RequestContextMapper)
|
||||
handler = genericfilters.WithPanicRecovery(handler)
|
||||
return handler
|
||||
|
@ -107,6 +107,7 @@ func setUp(t *testing.T) (*etcdtesting.EtcdTestServer, Config, *assert.Assertion
|
||||
// },
|
||||
// }
|
||||
config.SwaggerConfig = DefaultSwaggerConfig()
|
||||
config.Complete()
|
||||
|
||||
return etcdServer, *config, assert.New(t)
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user