diff --git a/cluster/gce/gci/configure-kubeapiserver.sh b/cluster/gce/gci/configure-kubeapiserver.sh index 0e787c43cc8..f76a94fc5c9 100644 --- a/cluster/gce/gci/configure-kubeapiserver.sh +++ b/cluster/gce/gci/configure-kubeapiserver.sh @@ -101,9 +101,6 @@ function start-kube-apiserver { params+=" --service-account-key-file=${SERVICEACCOUNT_CERT_PATH}" fi params+=" --token-auth-file=/etc/srv/kubernetes/known_tokens.csv" - if [[ -n "${KUBE_PASSWORD:-}" && -n "${KUBE_USER:-}" ]]; then - params+=" --basic-auth-file=/etc/srv/kubernetes/basic_auth.csv" - fi if [[ -n "${KUBE_APISERVER_REQUEST_TIMEOUT_SEC:-}" ]]; then params+=" --request-timeout=${KUBE_APISERVER_REQUEST_TIMEOUT_SEC}s" diff --git a/cmd/controller-manager/app/serve.go b/cmd/controller-manager/app/serve.go index 15c3ba031b8..25a6f39671d 100644 --- a/cmd/controller-manager/app/serve.go +++ b/cmd/controller-manager/app/serve.go @@ -37,7 +37,7 @@ import ( // BuildHandlerChain builds a handler chain with a base handler and CompletedConfig. func BuildHandlerChain(apiHandler http.Handler, authorizationInfo *apiserver.AuthorizationInfo, authenticationInfo *apiserver.AuthenticationInfo) http.Handler { requestInfoResolver := &apirequest.RequestInfoFactory{} - failedHandler := genericapifilters.Unauthorized(legacyscheme.Codecs, false) + failedHandler := genericapifilters.Unauthorized(legacyscheme.Codecs) handler := apiHandler if authorizationInfo != nil { diff --git a/cmd/kube-apiserver/app/options/options_test.go b/cmd/kube-apiserver/app/options/options_test.go index 9afed6eb875..78bdb72cca0 100644 --- a/cmd/kube-apiserver/app/options/options_test.go +++ b/cmd/kube-apiserver/app/options/options_test.go @@ -276,7 +276,6 @@ func TestAddFlags(t *testing.T) { UsernameClaim: "sub", SigningAlgs: []string{"RS256"}, }, - PasswordFile: &kubeoptions.PasswordFileAuthenticationOptions{}, RequestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{}, ServiceAccounts: &kubeoptions.ServiceAccountAuthenticationOptions{ Lookup: true, diff --git a/cmd/kube-scheduler/app/server.go b/cmd/kube-scheduler/app/server.go index 306571053a3..430bf642062 100644 --- a/cmd/kube-scheduler/app/server.go +++ b/cmd/kube-scheduler/app/server.go @@ -262,7 +262,7 @@ func Run(ctx context.Context, cc schedulerserverconfig.CompletedConfig, outOfTre // buildHandlerChain wraps the given handler with the standard filters. func buildHandlerChain(handler http.Handler, authn authenticator.Request, authz authorizer.Authorizer) http.Handler { requestInfoResolver := &apirequest.RequestInfoFactory{} - failedHandler := genericapifilters.Unauthorized(legacyscheme.Codecs, false) + failedHandler := genericapifilters.Unauthorized(legacyscheme.Codecs) handler = genericapifilters.WithAuthorization(handler, authz, legacyscheme.Codecs) handler = genericapifilters.WithAuthentication(handler, authn, failedHandler, nil) diff --git a/pkg/kubeapiserver/authenticator/BUILD b/pkg/kubeapiserver/authenticator/BUILD index ba70ad6e388..106f075aa0a 100644 --- a/pkg/kubeapiserver/authenticator/BUILD +++ b/pkg/kubeapiserver/authenticator/BUILD @@ -27,8 +27,6 @@ go_library( "//staging/src/k8s.io/apiserver/pkg/authentication/token/union:go_default_library", "//staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates:go_default_library", "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library", - "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile:go_default_library", - "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth:go_default_library", "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc:go_default_library", "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook:go_default_library", "//staging/src/k8s.io/client-go/plugin/pkg/client/auth:go_default_library", diff --git a/pkg/kubeapiserver/authenticator/config.go b/pkg/kubeapiserver/authenticator/config.go index c54c64651cd..4e1eee4b5ef 100644 --- a/pkg/kubeapiserver/authenticator/config.go +++ b/pkg/kubeapiserver/authenticator/config.go @@ -36,8 +36,6 @@ import ( tokenunion "k8s.io/apiserver/pkg/authentication/token/union" "k8s.io/apiserver/pkg/server/dynamiccertificates" utilfeature "k8s.io/apiserver/pkg/util/feature" - "k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile" - "k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth" "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc" "k8s.io/apiserver/plugin/pkg/authenticator/token/webhook" @@ -51,7 +49,6 @@ import ( // Config contains the data on how to authenticate a request to the Kube API Server type Config struct { Anonymous bool - BasicAuthFile string BootstrapToken bool TokenAuthFile string @@ -109,22 +106,6 @@ func (config Config) New() (authenticator.Request, *spec.SecurityDefinitions, er authenticators = append(authenticators, authenticator.WrapAudienceAgnosticRequest(config.APIAudiences, requestHeaderAuthenticator)) } - // basic auth - if len(config.BasicAuthFile) > 0 { - basicAuth, err := newAuthenticatorFromBasicAuthFile(config.BasicAuthFile) - if err != nil { - return nil, nil, err - } - authenticators = append(authenticators, authenticator.WrapAudienceAgnosticRequest(config.APIAudiences, basicAuth)) - - securityDefinitions["HTTPBasic"] = &spec.SecurityScheme{ - SecuritySchemeProps: spec.SecuritySchemeProps{ - Type: "basic", - Description: "HTTP Basic authentication", - }, - } - } - // X509 methods if config.ClientCAContentProvider != nil { certAuth := x509.NewDynamic(config.ClientCAContentProvider.VerifyOptions, x509.CommonNameUserConversion) @@ -235,16 +216,6 @@ func IsValidServiceAccountKeyFile(file string) bool { return err == nil } -// newAuthenticatorFromBasicAuthFile returns an authenticator.Request or an error -func newAuthenticatorFromBasicAuthFile(basicAuthFile string) (authenticator.Request, error) { - basicAuthenticator, err := passwordfile.NewCSV(basicAuthFile) - if err != nil { - return nil, err - } - - return basicauth.New(basicAuthenticator), nil -} - // newAuthenticatorFromTokenFile returns an authenticator.Token or an error func newAuthenticatorFromTokenFile(tokenAuthFile string) (authenticator.Token, error) { tokenAuthenticator, err := tokenfile.NewCSV(tokenAuthFile) diff --git a/pkg/kubeapiserver/options/authentication.go b/pkg/kubeapiserver/options/authentication.go index c7b4ac5bdb5..cdc716b5016 100644 --- a/pkg/kubeapiserver/options/authentication.go +++ b/pkg/kubeapiserver/options/authentication.go @@ -43,7 +43,6 @@ type BuiltInAuthenticationOptions struct { BootstrapToken *BootstrapTokenAuthenticationOptions ClientCert *genericoptions.ClientCertAuthenticationOptions OIDC *OIDCAuthenticationOptions - PasswordFile *PasswordFileAuthenticationOptions RequestHeader *genericoptions.RequestHeaderAuthenticationOptions ServiceAccounts *ServiceAccountAuthenticationOptions TokenFile *TokenFileAuthenticationOptions @@ -73,10 +72,6 @@ type OIDCAuthenticationOptions struct { RequiredClaims map[string]string } -type PasswordFileAuthenticationOptions struct { - BasicAuthFile string -} - type ServiceAccountAuthenticationOptions struct { KeyFiles []string Lookup bool @@ -108,7 +103,6 @@ func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions { WithBootstrapToken(). WithClientCert(). WithOIDC(). - WithPasswordFile(). WithRequestHeader(). WithServiceAccounts(). WithTokenFile(). @@ -135,11 +129,6 @@ func (s *BuiltInAuthenticationOptions) WithOIDC() *BuiltInAuthenticationOptions return s } -func (s *BuiltInAuthenticationOptions) WithPasswordFile() *BuiltInAuthenticationOptions { - s.PasswordFile = &PasswordFileAuthenticationOptions{} - return s -} - func (s *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticationOptions { s.RequestHeader = &genericoptions.RequestHeaderAuthenticationOptions{} return s @@ -274,13 +263,6 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { "Repeat this flag to specify multiple claims.") } - if s.PasswordFile != nil { - fs.StringVar(&s.PasswordFile.BasicAuthFile, "basic-auth-file", s.PasswordFile.BasicAuthFile, ""+ - "If set, the file that will be used to admit requests to the secure port of the API server "+ - "via http basic authentication.") - fs.MarkDeprecated("basic-auth-file", "Basic authentication mode is deprecated and will be removed in a future release. It is not recommended for production environments.") - } - if s.RequestHeader != nil { s.RequestHeader.AddFlags(fs) } @@ -377,10 +359,6 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() (kubeauthenticat ret.OIDCRequiredClaims = s.OIDC.RequiredClaims } - if s.PasswordFile != nil { - ret.BasicAuthFile = s.PasswordFile.BasicAuthFile - } - if s.RequestHeader != nil { var err error ret.RequestHeaderConfig, err = s.RequestHeader.ToAuthenticationRequestHeaderConfig() @@ -447,8 +425,6 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error } } - c.Authentication.SupportsBasicAuth = o.PasswordFile != nil && len(o.PasswordFile.BasicAuthFile) > 0 - c.Authentication.APIAudiences = o.APIAudiences if o.ServiceAccounts != nil && o.ServiceAccounts.Issuer != "" && len(o.APIAudiences) == 0 { c.Authentication.APIAudiences = authenticator.Audiences{o.ServiceAccounts.Issuer} diff --git a/pkg/kubeapiserver/options/authentication_test.go b/pkg/kubeapiserver/options/authentication_test.go index 60e907a1e88..615a33878c8 100644 --- a/pkg/kubeapiserver/options/authentication_test.go +++ b/pkg/kubeapiserver/options/authentication_test.go @@ -120,9 +120,6 @@ func TestToAuthenticationConfig(t *testing.T) { IssuerURL: "testIssuerURL", ClientID: "testClientID", }, - PasswordFile: &PasswordFileAuthenticationOptions{ - BasicAuthFile: "/testBasicAuthFile", - }, RequestHeader: &apiserveroptions.RequestHeaderAuthenticationOptions{ UsernameHeaders: []string{"x-remote-user"}, GroupHeaders: []string{"x-remote-group"}, @@ -144,7 +141,6 @@ func TestToAuthenticationConfig(t *testing.T) { expectConfig := kubeauthenticator.Config{ APIAudiences: authenticator.Audiences{"http://foo.bar.com"}, Anonymous: false, - BasicAuthFile: "/testBasicAuthFile", BootstrapToken: false, ClientCAContentProvider: nil, // this is nil because you can't compare functions TokenAuthFile: "/testTokenFile", diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/authenticator/interfaces.go b/staging/src/k8s.io/apiserver/pkg/authentication/authenticator/interfaces.go index e3b1b622cba..8ff979b8074 100644 --- a/staging/src/k8s.io/apiserver/pkg/authentication/authenticator/interfaces.go +++ b/staging/src/k8s.io/apiserver/pkg/authentication/authenticator/interfaces.go @@ -35,13 +35,6 @@ type Request interface { AuthenticateRequest(req *http.Request) (*Response, bool, error) } -// Password checks a username and password against a backing authentication -// store and returns a Response or an error if the password could not be -// checked. -type Password interface { - AuthenticatePassword(ctx context.Context, user, password string) (*Response, bool, error) -} - // TokenFunc is a function that implements the Token interface. type TokenFunc func(ctx context.Context, token string) (*Response, bool, error) @@ -58,14 +51,6 @@ func (f RequestFunc) AuthenticateRequest(req *http.Request) (*Response, bool, er return f(req) } -// PasswordFunc is a function that implements the Password interface. -type PasswordFunc func(ctx context.Context, user, password string) (*Response, bool, error) - -// AuthenticatePassword implements authenticator.Password. -func (f PasswordFunc) AuthenticatePassword(ctx context.Context, user, password string) (*Response, bool, error) { - return f(ctx, user, password) -} - // Response is the struct returned by authenticator interfaces upon successful // authentication. It contains information about whether the authenticator // authenticated the request, information about the context of the diff --git a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go index 58430b7b3a5..2806edc79b0 100644 --- a/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go +++ b/staging/src/k8s.io/apiserver/pkg/endpoints/filters/authentication.go @@ -71,11 +71,8 @@ func WithAuthentication(handler http.Handler, auth authenticator.Request, failed }) } -func Unauthorized(s runtime.NegotiatedSerializer, supportsBasicAuth bool) http.Handler { +func Unauthorized(s runtime.NegotiatedSerializer) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { - if supportsBasicAuth { - w.Header().Set("WWW-Authenticate", `Basic realm="kubernetes-master"`) - } ctx := req.Context() requestInfo, found := genericapirequest.RequestInfoFrom(ctx) if !found { diff --git a/staging/src/k8s.io/apiserver/pkg/server/config.go b/staging/src/k8s.io/apiserver/pkg/server/config.go index db5368bf02f..1c1b3934b7f 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/config.go +++ b/staging/src/k8s.io/apiserver/pkg/server/config.go @@ -272,10 +272,6 @@ type AuthenticationInfo struct { APIAudiences authenticator.Audiences // Authenticator determines which subject is making the request Authenticator authenticator.Request - // SupportsBasicAuth indicates that's at least one Authenticator supports basic auth - // If this is true, a basic auth challenge is returned on authentication failure - // TODO(roberthbailey): Remove once the server no longer supports http basic auth. - SupportsBasicAuth bool } type AuthorizationInfo struct { @@ -670,7 +666,7 @@ func DefaultBuildHandlerChain(apiHandler http.Handler, c *Config) http.Handler { } handler = genericapifilters.WithImpersonation(handler, c.Authorization.Authorizer, c.Serializer) handler = genericapifilters.WithAudit(handler, c.AuditBackend, c.AuditPolicyChecker, c.LongRunningFunc) - failedHandler := genericapifilters.Unauthorized(c.Serializer, c.Authentication.SupportsBasicAuth) + failedHandler := genericapifilters.Unauthorized(c.Serializer) failedHandler = genericapifilters.WithFailedAuthenticationAudit(failedHandler, c.AuditBackend, c.AuditPolicyChecker) handler = genericapifilters.WithAuthentication(handler, c.Authentication.Authenticator, failedHandler, c.Authentication.APIAudiences) handler = genericfilters.WithCORS(handler, c.CorsAllowedOriginList, nil, nil, nil, "true") diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go b/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go index 9a395c94a73..1df0fccf601 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go +++ b/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go @@ -319,7 +319,6 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(authenticationInfo *server.Aut if openAPIConfig != nil { openAPIConfig.SecurityDefinitions = securityDefinitions } - authenticationInfo.SupportsBasicAuth = false return nil } diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/BUILD b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/BUILD index e64f5289807..8e943d3ed4c 100644 --- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/BUILD +++ b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/BUILD @@ -23,8 +23,6 @@ filegroup( name = "all-srcs", srcs = [ ":package-srcs", - "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password:all-srcs", - "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth:all-srcs", "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/oidc:all-srcs", "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest:all-srcs", "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/token/webhook:all-srcs", diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/BUILD b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/BUILD deleted file mode 100644 index aeb1b31673b..00000000000 --- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/BUILD +++ /dev/null @@ -1,29 +0,0 @@ -package(default_visibility = ["//visibility:public"]) - -load( - "@io_bazel_rules_go//go:def.bzl", - "go_library", -) - -go_library( - name = "go_default_library", - srcs = ["doc.go"], - importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/plugin/pkg/authenticator/password", - importpath = "k8s.io/apiserver/plugin/pkg/authenticator/password", -) - -filegroup( - name = "package-srcs", - srcs = glob(["**"]), - tags = ["automanaged"], - visibility = ["//visibility:private"], -) - -filegroup( - name = "all-srcs", - srcs = [ - ":package-srcs", - "//staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile:all-srcs", - ], - tags = ["automanaged"], -) diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/doc.go b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/doc.go deleted file mode 100644 index 0f917cc36ed..00000000000 --- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/doc.go +++ /dev/null @@ -1,18 +0,0 @@ -/* -Copyright 2014 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// Package password contains authenticator.Password implementations -package password // import "k8s.io/apiserver/plugin/pkg/authenticator/password" diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/BUILD b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/BUILD deleted file mode 100644 index fc5981bd6b5..00000000000 --- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/BUILD +++ /dev/null @@ -1,39 +0,0 @@ -package(default_visibility = ["//visibility:public"]) - -load( - "@io_bazel_rules_go//go:def.bzl", - "go_library", - "go_test", -) - -go_test( - name = "go_default_test", - srcs = ["passwordfile_test.go"], - embed = [":go_default_library"], - deps = ["//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library"], -) - -go_library( - name = "go_default_library", - srcs = ["passwordfile.go"], - importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile", - importpath = "k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile", - deps = [ - "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library", - "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library", - "//vendor/k8s.io/klog:go_default_library", - ], -) - -filegroup( - name = "package-srcs", - srcs = glob(["**"]), - tags = ["automanaged"], - visibility = ["//visibility:private"], -) - -filegroup( - name = "all-srcs", - srcs = [":package-srcs"], - tags = ["automanaged"], -) diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/passwordfile.go b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/passwordfile.go deleted file mode 100644 index e17a5eb0de8..00000000000 --- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/passwordfile.go +++ /dev/null @@ -1,95 +0,0 @@ -/* -Copyright 2015 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package passwordfile - -import ( - "context" - "crypto/subtle" - "encoding/csv" - "fmt" - "io" - "os" - "strings" - - "k8s.io/klog" - - "k8s.io/apiserver/pkg/authentication/authenticator" - "k8s.io/apiserver/pkg/authentication/user" -) - -// PasswordAuthenticator authenticates users by password -type PasswordAuthenticator struct { - users map[string]*userPasswordInfo -} - -type userPasswordInfo struct { - info *user.DefaultInfo - password string -} - -// NewCSV returns a PasswordAuthenticator, populated from a CSV file. -// The CSV file must contain records in the format "password,username,useruid" -func NewCSV(path string) (*PasswordAuthenticator, error) { - file, err := os.Open(path) - if err != nil { - return nil, err - } - defer file.Close() - - recordNum := 0 - users := make(map[string]*userPasswordInfo) - reader := csv.NewReader(file) - reader.FieldsPerRecord = -1 - for { - record, err := reader.Read() - if err == io.EOF { - break - } - if err != nil { - return nil, err - } - if len(record) < 3 { - return nil, fmt.Errorf("password file '%s' must have at least 3 columns (password, user name, user uid), found %d", path, len(record)) - } - obj := &userPasswordInfo{ - info: &user.DefaultInfo{Name: record[1], UID: record[2]}, - password: record[0], - } - if len(record) >= 4 { - obj.info.Groups = strings.Split(record[3], ",") - } - recordNum++ - if _, exist := users[obj.info.Name]; exist { - klog.Warningf("duplicate username '%s' has been found in password file '%s', record number '%d'", obj.info.Name, path, recordNum) - } - users[obj.info.Name] = obj - } - - return &PasswordAuthenticator{users}, nil -} - -// AuthenticatePassword returns user info if authentication is successful, nil otherwise -func (a *PasswordAuthenticator) AuthenticatePassword(ctx context.Context, username, password string) (*authenticator.Response, bool, error) { - user, ok := a.users[username] - if !ok { - return nil, false, nil - } - if subtle.ConstantTimeCompare([]byte(user.password), []byte(password)) == 0 { - return nil, false, nil - } - return &authenticator.Response{User: user.info}, true, nil -} diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/passwordfile_test.go b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/passwordfile_test.go deleted file mode 100644 index e9f43d6dcba..00000000000 --- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/passwordfile_test.go +++ /dev/null @@ -1,161 +0,0 @@ -/* -Copyright 2015 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package passwordfile - -import ( - "context" - "io/ioutil" - "os" - "reflect" - "testing" - - "k8s.io/apiserver/pkg/authentication/user" -) - -func TestPasswordFile(t *testing.T) { - auth, err := newWithContents(t, ` -password1,user1,uid1 -password2,user2,uid2 -password3,user3,uid3,"group1,group2" -password4,user4,uid4,"group2" -password5,user5,uid5,group5 -password6,user6,uid6,group5,otherdata -password7,user7,uid7,"group1,group2",otherdata -`) - if err != nil { - t.Fatalf("unable to read passwordfile: %v", err) - } - - testCases := []struct { - Username string - Password string - User *user.DefaultInfo - Ok bool - Err bool - }{ - { - Username: "user1", - Password: "password1", - User: &user.DefaultInfo{Name: "user1", UID: "uid1"}, - Ok: true, - }, - { - Username: "user2", - Password: "password2", - User: &user.DefaultInfo{Name: "user2", UID: "uid2"}, - Ok: true, - }, - { - Username: "user1", - Password: "password2", - }, - { - Username: "user2", - Password: "password1", - }, - { - Username: "user3", - Password: "password3", - User: &user.DefaultInfo{Name: "user3", UID: "uid3", Groups: []string{"group1", "group2"}}, - Ok: true, - }, - { - Username: "user4", - Password: "password4", - User: &user.DefaultInfo{Name: "user4", UID: "uid4", Groups: []string{"group2"}}, - Ok: true, - }, - { - Username: "user5", - Password: "password5", - User: &user.DefaultInfo{Name: "user5", UID: "uid5", Groups: []string{"group5"}}, - Ok: true, - }, - { - Username: "user6", - Password: "password6", - User: &user.DefaultInfo{Name: "user6", UID: "uid6", Groups: []string{"group5"}}, - Ok: true, - }, - { - Username: "user7", - Password: "password7", - User: &user.DefaultInfo{Name: "user7", UID: "uid7", Groups: []string{"group1", "group2"}}, - Ok: true, - }, - { - Username: "user7", - Password: "passwordbad", - }, - { - Username: "userbad", - Password: "password7", - }, - { - Username: "user8", - Password: "password8", - }, - } - for i, testCase := range testCases { - resp, ok, err := auth.AuthenticatePassword(context.Background(), testCase.Username, testCase.Password) - if err != nil { - t.Errorf("%d: unexpected error: %v", i, err) - } - if testCase.User == nil { - if resp != nil { - t.Errorf("%d: unexpected non-nil user %#v", i, resp.User) - } - } else if !reflect.DeepEqual(testCase.User, resp.User) { - t.Errorf("%d: expected user %#v, got %#v", i, testCase.User, resp.User) - } - if testCase.Ok != ok { - t.Errorf("%d: expected auth %v, got %v", i, testCase.Ok, ok) - } - } -} - -func TestBadPasswordFile(t *testing.T) { - if _, err := newWithContents(t, ` -password1,user1,uid1 -password2,user2,uid2 -password3,user3 -password4 -`); err == nil { - t.Fatalf("unexpected non error") - } -} - -func TestInsufficientColumnsPasswordFile(t *testing.T) { - if _, err := newWithContents(t, "password4\n"); err == nil { - t.Fatalf("unexpected non error") - } -} - -func newWithContents(t *testing.T, contents string) (auth *PasswordAuthenticator, err error) { - f, err := ioutil.TempFile("", "passwordfile_test") - if err != nil { - t.Fatalf("unexpected error creating passwordfile: %v", err) - } - f.Close() - defer os.Remove(f.Name()) - - if err := ioutil.WriteFile(f.Name(), []byte(contents), 0700); err != nil { - t.Fatalf("unexpected error writing passwordfile: %v", err) - } - - return NewCSV(f.Name()) -} diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth/BUILD b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth/BUILD deleted file mode 100644 index 4d6a346ba84..00000000000 --- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth/BUILD +++ /dev/null @@ -1,38 +0,0 @@ -package(default_visibility = ["//visibility:public"]) - -load( - "@io_bazel_rules_go//go:def.bzl", - "go_library", - "go_test", -) - -go_test( - name = "go_default_test", - srcs = ["basicauth_test.go"], - embed = [":go_default_library"], - deps = [ - "//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library", - "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library", - ], -) - -go_library( - name = "go_default_library", - srcs = ["basicauth.go"], - importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth", - importpath = "k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth", - deps = ["//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library"], -) - -filegroup( - name = "package-srcs", - srcs = glob(["**"]), - tags = ["automanaged"], - visibility = ["//visibility:private"], -) - -filegroup( - name = "all-srcs", - srcs = [":package-srcs"], - tags = ["automanaged"], -) diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth/basicauth.go b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth/basicauth.go deleted file mode 100644 index 7b8894a915c..00000000000 --- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth/basicauth.go +++ /dev/null @@ -1,53 +0,0 @@ -/* -Copyright 2014 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package basicauth - -import ( - "errors" - "net/http" - - "k8s.io/apiserver/pkg/authentication/authenticator" -) - -// Authenticator authenticates requests using basic auth -type Authenticator struct { - auth authenticator.Password -} - -// New returns a request authenticator that validates credentials using the provided password authenticator -func New(auth authenticator.Password) *Authenticator { - return &Authenticator{auth} -} - -var errInvalidAuth = errors.New("invalid username/password combination") - -// AuthenticateRequest authenticates the request using the "Authorization: Basic" header in the request -func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) { - username, password, found := req.BasicAuth() - if !found { - return nil, false, nil - } - - resp, ok, err := a.auth.AuthenticatePassword(req.Context(), username, password) - - // If the password authenticator didn't error, provide a default error - if !ok && err == nil { - err = errInvalidAuth - } - - return resp, ok, err -} diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth/basicauth_test.go b/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth/basicauth_test.go deleted file mode 100644 index c23e0ce082b..00000000000 --- a/staging/src/k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth/basicauth_test.go +++ /dev/null @@ -1,126 +0,0 @@ -/* -Copyright 2014 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package basicauth - -import ( - "context" - "errors" - "net/http" - "testing" - - "k8s.io/apiserver/pkg/authentication/authenticator" - "k8s.io/apiserver/pkg/authentication/user" -) - -type testPassword struct { - Username string - Password string - Called bool - - User user.Info - OK bool - Err error -} - -func (t *testPassword) AuthenticatePassword(ctx context.Context, user, password string) (*authenticator.Response, bool, error) { - t.Called = true - t.Username = user - t.Password = password - return &authenticator.Response{User: t.User}, t.OK, t.Err -} - -func TestBasicAuth(t *testing.T) { - testCases := map[string]struct { - Header string - Password testPassword - - ExpectedCalled bool - ExpectedUsername string - ExpectedPassword string - - ExpectedUser string - ExpectedOK bool - ExpectedErr bool - }{ - "no auth": {}, - "empty password basic header": { - ExpectedCalled: true, - ExpectedUsername: "user_with_empty_password", - ExpectedPassword: "", - ExpectedErr: true, - }, - "valid basic header": { - ExpectedCalled: true, - ExpectedUsername: "myuser", - ExpectedPassword: "mypassword:withcolon", - ExpectedErr: true, - }, - "password auth returned user": { - Password: testPassword{User: &user.DefaultInfo{Name: "returneduser"}, OK: true}, - ExpectedCalled: true, - ExpectedUsername: "myuser", - ExpectedPassword: "mypw", - ExpectedUser: "returneduser", - ExpectedOK: true, - }, - "password auth returned error": { - Password: testPassword{Err: errors.New("auth error")}, - ExpectedCalled: true, - ExpectedUsername: "myuser", - ExpectedPassword: "mypw", - ExpectedErr: true, - }, - } - - for k, testCase := range testCases { - password := testCase.Password - auth := authenticator.Request(New(&password)) - - req, _ := http.NewRequest("GET", "/", nil) - if testCase.ExpectedUsername != "" || testCase.ExpectedPassword != "" { - req.SetBasicAuth(testCase.ExpectedUsername, testCase.ExpectedPassword) - } - - resp, ok, err := auth.AuthenticateRequest(req) - - if testCase.ExpectedCalled != password.Called { - t.Errorf("%s: Expected called=%v, got %v", k, testCase.ExpectedCalled, password.Called) - continue - } - if testCase.ExpectedUsername != password.Username { - t.Errorf("%s: Expected called with username=%v, got %v", k, testCase.ExpectedUsername, password.Username) - continue - } - if testCase.ExpectedPassword != password.Password { - t.Errorf("%s: Expected called with password=%v, got %v", k, testCase.ExpectedPassword, password.Password) - continue - } - - if testCase.ExpectedErr != (err != nil) { - t.Errorf("%s: Expected err=%v, got err=%v", k, testCase.ExpectedErr, err) - continue - } - if testCase.ExpectedOK != ok { - t.Errorf("%s: Expected ok=%v, got ok=%v", k, testCase.ExpectedOK, ok) - continue - } - if testCase.ExpectedUser != "" && testCase.ExpectedUser != resp.User.GetName() { - t.Errorf("%s: Expected user.GetName()=%v, got %v", k, testCase.ExpectedUser, resp.User.GetName()) - continue - } - } -} diff --git a/test/fixtures/doc-yaml/admin/high-availability/kube-apiserver.yaml b/test/fixtures/doc-yaml/admin/high-availability/kube-apiserver.yaml index b2540000d39..308e106f319 100644 --- a/test/fixtures/doc-yaml/admin/high-availability/kube-apiserver.yaml +++ b/test/fixtures/doc-yaml/admin/high-availability/kube-apiserver.yaml @@ -13,7 +13,7 @@ spec: - /usr/local/bin/kube-apiserver --address=127.0.0.1 --etcd-servers=http://127.0.0.1:4001 --cloud-provider=gce --admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota --service-cluster-ip-range=10.0.0.0/16 --client-ca-file=/srv/kubernetes/ca.crt - --basic-auth-file=/srv/kubernetes/basic_auth.csv --cluster-name=e2e-test-bburns + --cluster-name=e2e-test-bburns --tls-cert-file=/srv/kubernetes/server.cert --tls-private-key-file=/srv/kubernetes/server.key --secure-port=443 --token-auth-file=/srv/kubernetes/known_tokens.csv --v=2 --allow-privileged=False 1>>/var/log/kube-apiserver.log 2>&1 diff --git a/test/kubemark/resources/start-kubemark-master.sh b/test/kubemark/resources/start-kubemark-master.sh index d6ee06e84dd..8010f5d181a 100755 --- a/test/kubemark/resources/start-kubemark-master.sh +++ b/test/kubemark/resources/start-kubemark-master.sh @@ -547,7 +547,6 @@ function compute-kube-apiserver-params { params+=" --client-ca-file=/etc/srv/kubernetes/ca.crt" params+=" --token-auth-file=/etc/srv/kubernetes/known_tokens.csv" params+=" --secure-port=443" - params+=" --basic-auth-file=/etc/srv/kubernetes/basic_auth.csv" params+=" --target-ram-mb=$((NUM_NODES * 60))" params+=" --service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}" params+=" --admission-control=${CUSTOM_ADMISSION_PLUGINS}" diff --git a/vendor/modules.txt b/vendor/modules.txt index 21b2f05eb77..5f59d0330ac 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1401,8 +1401,6 @@ k8s.io/apiserver/plugin/pkg/audit/dynamic/enforced k8s.io/apiserver/plugin/pkg/audit/log k8s.io/apiserver/plugin/pkg/audit/truncate k8s.io/apiserver/plugin/pkg/audit/webhook -k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile -k8s.io/apiserver/plugin/pkg/authenticator/request/basicauth k8s.io/apiserver/plugin/pkg/authenticator/token/oidc k8s.io/apiserver/plugin/pkg/authenticator/token/tokentest k8s.io/apiserver/plugin/pkg/authenticator/token/webhook