From 991a2a1776f68c7cd64324b53edb6ad9189c0822 Mon Sep 17 00:00:00 2001
From: Darren Shepherd
Date: Fri, 23 Jul 2021 23:45:13 -0700
Subject: [PATCH 1/2] Don't mask errors when doing by name lookups

---
 pkg/stores/partition/store.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/stores/partition/store.go b/pkg/stores/partition/store.go
index 1961423..547eec1 100644
--- a/pkg/stores/partition/store.go
+++ b/pkg/stores/partition/store.go
@@ -101,7 +101,7 @@ func (s *Store) List(apiOp *types.APIRequest, schema *types.APISchema) (types.AP
 	result.Revision = lister.Revision()
 	result.Continue = lister.Continue()
 
-	return result, nil
+	return result, lister.Err()
 }
 
 func (s *Store) Create(apiOp *types.APIRequest, schema *types.APISchema, data types.APIObject) (types.APIObject, error) {

From eba8358f2aa02d4c9afe07dbd9d21776666324db Mon Sep 17 00:00:00 2001
From: Darren Shepherd
Date: Fri, 23 Jul 2021 23:46:03 -0700
Subject: [PATCH 2/2] Fix issues when creating clusterrolebindings to namespaces objects

---
 pkg/accesscontrol/access_set.go | 25 ++++++++++++++++++++-----
 pkg/stores/proxy/proxy_store.go | 6 ++++++
 2 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/pkg/accesscontrol/access_set.go b/pkg/accesscontrol/access_set.go
index 7597cf7..2c2d2c5 100644
--- a/pkg/accesscontrol/access_set.go
+++ b/pkg/accesscontrol/access_set.go
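Review bot: `return result, lister.Err()` hands the caller a populated result (objects, revision, continue token) together with a non-nil error, so any caller that inspects the list before the error can act on partial output from a lister that failed, and the point of this patch is precisely that such failures (e.g. a forbidden partition) stop being masked. Fail closed instead: check the error before the Revision/Continue assignments with `if err := lister.Err(); err != nil { return types.APIObjectList{}, err }` and keep `return result, nil` at the end. The hunk shows only the tail of List; whether `lister.Err()` can still become non-nil after `Revision()` and `Continue()` have been read depends on the lister implementation, which is outside the hunk, so that ordering should be confirmed.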
@@ -144,20 +144,35 @@ func (a AccessListByVerb) Granted(verb string) (result map[string]Resources) {
 		verbs = append(verbs, "get")
 	}
 
-	for _, verb := range verbs {
-		for _, access := range a[verb] {
+	for _, access := range a[verb] {
+		resources := result[access.Namespace]
+		if access.ResourceName == All {
+			resources.All = true
+		} else {
+			if resources.Names == nil {
+				resources.Names = sets.String{}
+			}
+			resources.Names.Insert(access.ResourceName)
+		}
+		result[access.Namespace] = resources
+	}
+
+	if verb == "list" {
+		// look for objects referenced by get
+		for _, access := range a["get"] {
 			resources := result[access.Namespace]
 			if access.ResourceName == All {
-				resources.All = true
-			} else {
+				continue
+			} else if len(access.ResourceName) > 0 {
 				if resources.Names == nil {
 					resources.Names = sets.String{}
 				}
 				resources.Names.Insert(access.ResourceName)
+				result[access.Namespace] = resources
 			}
-			result[access.Namespace] = resources
 		}
 	}
+
 	return result
 }
 
diff --git a/pkg/stores/proxy/proxy_store.go b/pkg/stores/proxy/proxy_store.go
index 7862b06..8be0bb3 100644
--- a/pkg/stores/proxy/proxy_store.go
+++ b/pkg/stores/proxy/proxy_store.go
@@ -213,6 +213,12 @@ func tableToObjects(obj map[string]interface{}) []unstructured.Unstructured {
 }
 
 func (s *Store) ByNames(apiOp *types.APIRequest, schema *types.APISchema, names sets.String) (types.APIObjectList, error) {
+	if apiOp.Namespace == "*" {
+		// This happens when you grant namespaced objects with "get" by name in a clusterrolebinding. We will treat
+		// this as an invalid situation instead of listing all objects in the cluster and filtering by name.
+		return types.APIObjectList{}, nil
+	}
+
 	adminClient, err := s.clientGetter.TableAdminClient(apiOp, schema, apiOp.Namespace)
 	if err != nil {
 		return types.APIObjectList{}, err
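Review bot: The context line `verbs = append(verbs, "get")` still builds the verbs slice, but the rewritten loops iterate `a[verb]` directly and hard-code `a["get"]`, so unless `verbs` is read earlier in Granted (the function starts outside the hunk) that slice and the `if` guarding it are now dead code and should go. In the get loop, `continue` followed by `} else if len(access.ResourceName) > 0 {` is flatter as `if access.ResourceName == All || access.ResourceName == "" { continue }` with the insert unconditional below it. Note also that the first loop inserts whatever `access.ResourceName` holds into Names, including an empty string, while the get loop drops empty names; if an empty name can reach this function the two loops disagree on what it grants, and a comment stating the intended meaning of an empty ResourceName would settle it.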
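Review bot: The new guard returns an empty list with a nil error, which silently hides a misconfigured ClusterRoleBinding (a `get` on named, namespaced objects) from the caller — the opposite of the first patch's stated goal of not masking errors. If the empty result is deliberate because ByNames feeds a list that merges several partitions, the comment should say so, e.g. `// Return an empty list rather than an error so a cluster-wide get-by-name grant does not break listing for the other partitions.`; otherwise a validation error is the more diagnosable choice. Separately, verify whether an empty `apiOp.Namespace` can reach ByNames for a namespaced schema: `TableAdminClient(apiOp, schema, "")` would presumably list across every namespace with the elevated client just as "*" does, in which case the guard should cover both values. The body of ByNames continues past the hunk.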