Merge pull request #94204 from tkashem/impersonation-with-apf
Impersonated user with a specified group should not fail flow schema match in Priority & Fairness

Kubernetes-commit: 6e663379ed4585a08f35115684e43a8fb7b074ac
commit
1b34be40d3
|
@ -668,7 +668,7 @@
|
|||
},
|
||||
{
|
||||
"ImportPath": "k8s.io/api",
|
||||
"Rev": "4022903d1fba"
|
||||
"Rev": "9a1561067c54"
|
||||
},
|
||||
{
|
||||
"ImportPath": "k8s.io/apimachinery",
|
||||
|
@ -676,7 +676,7 @@
|
|||
},
|
||||
{
|
||||
"ImportPath": "k8s.io/client-go",
|
||||
"Rev": "e4aeb38be13a"
|
||||
"Rev": "aeb5f1a7757b"
|
||||
},
|
||||
{
|
||||
"ImportPath": "k8s.io/component-base",
|
||||
|
|
8
go.mod
8
go.mod
|
@ -41,9 +41,9 @@ require (
|
|||
gopkg.in/natefinch/lumberjack.v2 v2.0.0
|
||||
gopkg.in/square/go-jose.v2 v2.2.2
|
||||
gopkg.in/yaml.v2 v2.2.8
|
||||
k8s.io/api v0.0.0-20200830011551-4022903d1fba
|
||||
k8s.io/api v0.0.0-20200831211624-9a1561067c54
|
||||
k8s.io/apimachinery v0.0.0-20200830011411-94222d04a590
|
||||
k8s.io/client-go v0.0.0-20200828171813-e4aeb38be13a
|
||||
k8s.io/client-go v0.0.0-20200902051830-aeb5f1a7757b
|
||||
k8s.io/component-base v0.0.0-20200828052305-e83f66bbf913
|
||||
k8s.io/klog/v2 v2.2.0
|
||||
k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6
|
||||
|
@ -54,8 +54,8 @@ require (
|
|||
)
|
||||
|
||||
replace (
|
||||
k8s.io/api => k8s.io/api v0.0.0-20200830011551-4022903d1fba
|
||||
k8s.io/api => k8s.io/api v0.0.0-20200831211624-9a1561067c54
|
||||
k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20200830011411-94222d04a590
|
||||
k8s.io/client-go => k8s.io/client-go v0.0.0-20200828171813-e4aeb38be13a
|
||||
k8s.io/client-go => k8s.io/client-go v0.0.0-20200902051830-aeb5f1a7757b
|
||||
k8s.io/component-base => k8s.io/component-base v0.0.0-20200828052305-e83f66bbf913
|
||||
)
|
||||
|
|
4
go.sum
4
go.sum
|
@ -507,9 +507,9 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh
|
|||
honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
|
||||
honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
|
||||
k8s.io/api v0.0.0-20200830011551-4022903d1fba/go.mod h1:5BitZN65u1la1OS/5z3nGIi+SrJ2LusBghXaztMVE0Q=
|
||||
k8s.io/api v0.0.0-20200831211624-9a1561067c54/go.mod h1:qMn0Ckwm7+s/YbS3iDBlHErlW/SeOXttpV83LV5iO5M=
|
||||
k8s.io/apimachinery v0.0.0-20200830011411-94222d04a590/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA=
|
||||
k8s.io/client-go v0.0.0-20200828171813-e4aeb38be13a/go.mod h1:mwKncselNJ9LbnUgMTQIM4lYQ5xp0vAdQAmz+vmfrHM=
|
||||
k8s.io/client-go v0.0.0-20200902051830-aeb5f1a7757b/go.mod h1:nlzxA8HNRwxNEbk4tOITg7LLVhjbthrQ69vw+2jhfYc=
|
||||
k8s.io/component-base v0.0.0-20200828052305-e83f66bbf913/go.mod h1:uWiI7f7Tvt3aVPEoe7YmG+5By+6mhbkGnX16+GxpDYg=
|
||||
k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
|
||||
k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
|
||||
|
|
|
@ -117,10 +117,37 @@ func WithImpersonation(handler http.Handler, a authorizer.Authorizer, s runtime.
|
|||
}
|
||||
}
|
||||
|
||||
if !groupsSpecified && username != user.Anonymous {
|
||||
// When impersonating a non-anonymous user, if no groups were specified
|
||||
// include the system:authenticated group in the impersonated user info
|
||||
groups = append(groups, user.AllAuthenticated)
|
||||
if username != user.Anonymous {
|
||||
// When impersonating a non-anonymous user, include the 'system:authenticated' group
|
||||
// in the impersonated user info:
|
||||
// - if no groups were specified
|
||||
// - if a group has been specified other than 'system:authenticated'
|
||||
//
|
||||
// If 'system:unauthenticated' group has been specified we should not include
|
||||
// the 'system:authenticated' group.
|
||||
addAuthenticated := true
|
||||
for _, group := range groups {
|
||||
if group == user.AllAuthenticated || group == user.AllUnauthenticated {
|
||||
addAuthenticated = false
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if addAuthenticated {
|
||||
groups = append(groups, user.AllAuthenticated)
|
||||
}
|
||||
} else {
|
||||
addUnauthenticated := true
|
||||
for _, group := range groups {
|
||||
if group == user.AllUnauthenticated {
|
||||
addUnauthenticated = false
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if addUnauthenticated {
|
||||
groups = append(groups, user.AllUnauthenticated)
|
||||
}
|
||||
}
|
||||
|
||||
newUser := &user.DefaultInfo{
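Review bot: The anonymous branch (the `else` following the `system:authenticated` handling) is not symmetric with the branch above it: for a non-anonymous user a caller-specified `system:unauthenticated` suppresses adding `system:authenticated`, but for `system:anonymous` a caller-specified `system:authenticated` still gets `system:unauthenticated` appended, so the impersonated identity then carries both groups and will match any RBAC subject or flow schema keyed on either one. If that is intended, the `else` branch deserves a comment stating it, e.g. `// Anonymous impersonation always carries 'system:unauthenticated'; a caller-specified 'system:authenticated' is kept alongside it.`; if not, mirror the check above with `if group == user.AllUnauthenticated || group == user.AllAuthenticated {`. The two near-identical scans could also be folded into one small helper so the membership rule lives in one place. WithImpersonation begins and ends outside the hunk.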
|
||||
|
|
|
@ -163,7 +163,7 @@ func TestImpersonationFilter(t *testing.T) {
|
|||
impersonationGroups: []string{"some-group"},
|
||||
expectedUser: &user.DefaultInfo{
|
||||
Name: "system:admin",
|
||||
Groups: []string{"some-group"},
|
||||
Groups: []string{"some-group", "system:authenticated"},
|
||||
Extra: map[string][]string{},
|
||||
},
|
||||
expectedCode: http.StatusOK,
|
||||
|
@ -308,7 +308,7 @@ func TestImpersonationFilter(t *testing.T) {
|
|||
impersonationUser: "system:anonymous",
|
||||
expectedUser: &user.DefaultInfo{
|
||||
Name: "system:anonymous",
|
||||
Groups: []string{},
|
||||
Groups: []string{"system:unauthenticated"},
|
||||
Extra: map[string][]string{},
|
||||
},
|
||||
expectedCode: http.StatusOK,
|
||||
|
@ -341,6 +341,48 @@ func TestImpersonationFilter(t *testing.T) {
|
|||
},
|
||||
expectedCode: http.StatusOK,
|
||||
},
|
||||
{
|
||||
name: "specified-authenticated-group-prevents-double-adding-authenticated-group",
|
||||
user: &user.DefaultInfo{
|
||||
Name: "dev",
|
||||
Groups: []string{"wheel", "group-impersonater"},
|
||||
},
|
||||
impersonationUser: "system:admin",
|
||||
impersonationGroups: []string{"some-group", "system:authenticated"},
|
||||
expectedUser: &user.DefaultInfo{
|
||||
Name: "system:admin",
|
||||
Groups: []string{"some-group", "system:authenticated"},
|
||||
Extra: map[string][]string{},
|
||||
},
|
||||
expectedCode: http.StatusOK,
|
||||
},
|
||||
{
|
||||
name: "anonymous-user-should-include-unauthenticated-group",
|
||||
user: &user.DefaultInfo{
|
||||
Name: "system:admin",
|
||||
},
|
||||
impersonationUser: "system:anonymous",
|
||||
expectedUser: &user.DefaultInfo{
|
||||
Name: "system:anonymous",
|
||||
Groups: []string{"system:unauthenticated"},
|
||||
Extra: map[string][]string{},
|
||||
},
|
||||
expectedCode: http.StatusOK,
|
||||
},
|
||||
{
|
||||
name: "anonymous-user-prevents-double-adding-unauthenticated-group",
|
||||
user: &user.DefaultInfo{
|
||||
Name: "system:admin",
|
||||
},
|
||||
impersonationUser: "system:anonymous",
|
||||
impersonationGroups: []string{"system:unauthenticated"},
|
||||
expectedUser: &user.DefaultInfo{
|
||||
Name: "system:anonymous",
|
||||
Groups: []string{"system:unauthenticated"},
|
||||
Extra: map[string][]string{},
|
||||
},
|
||||
expectedCode: http.StatusOK,
|
||||
},
|
||||
}
|
||||
|
||||
var ctx context.Context
|
||||
|
@ -398,42 +440,44 @@ func TestImpersonationFilter(t *testing.T) {
|
|||
defer server.Close()
|
||||
|
||||
for _, tc := range testCases {
|
||||
func() {
|
||||
lock.Lock()
|
||||
defer lock.Unlock()
|
||||
ctx = request.WithUser(request.NewContext(), tc.user)
|
||||
}()
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
func() {
|
||||
lock.Lock()
|
||||
defer lock.Unlock()
|
||||
ctx = request.WithUser(request.NewContext(), tc.user)
|
||||
}()
|
||||
|
||||
req, err := http.NewRequest("GET", server.URL, nil)
|
||||
if err != nil {
|
||||
t.Errorf("%s: unexpected error: %v", tc.name, err)
|
||||
continue
|
||||
}
|
||||
if len(tc.impersonationUser) > 0 {
|
||||
req.Header.Add(authenticationapi.ImpersonateUserHeader, tc.impersonationUser)
|
||||
}
|
||||
for _, group := range tc.impersonationGroups {
|
||||
req.Header.Add(authenticationapi.ImpersonateGroupHeader, group)
|
||||
}
|
||||
for extraKey, values := range tc.impersonationUserExtras {
|
||||
for _, value := range values {
|
||||
req.Header.Add(authenticationapi.ImpersonateUserExtraHeaderPrefix+extraKey, value)
|
||||
req, err := http.NewRequest("GET", server.URL, nil)
|
||||
if err != nil {
|
||||
t.Errorf("%s: unexpected error: %v", tc.name, err)
|
||||
return
|
||||
}
|
||||
if len(tc.impersonationUser) > 0 {
|
||||
req.Header.Add(authenticationapi.ImpersonateUserHeader, tc.impersonationUser)
|
||||
}
|
||||
for _, group := range tc.impersonationGroups {
|
||||
req.Header.Add(authenticationapi.ImpersonateGroupHeader, group)
|
||||
}
|
||||
for extraKey, values := range tc.impersonationUserExtras {
|
||||
for _, value := range values {
|
||||
req.Header.Add(authenticationapi.ImpersonateUserExtraHeaderPrefix+extraKey, value)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resp, err := http.DefaultClient.Do(req)
|
||||
if err != nil {
|
||||
t.Errorf("%s: unexpected error: %v", tc.name, err)
|
||||
continue
|
||||
}
|
||||
if resp.StatusCode != tc.expectedCode {
|
||||
t.Errorf("%s: expected %v, actual %v", tc.name, tc.expectedCode, resp.StatusCode)
|
||||
continue
|
||||
}
|
||||
resp, err := http.DefaultClient.Do(req)
|
||||
if err != nil {
|
||||
t.Errorf("%s: unexpected error: %v", tc.name, err)
|
||||
return
|
||||
}
|
||||
if resp.StatusCode != tc.expectedCode {
|
||||
t.Errorf("%s: expected %v, actual %v", tc.name, tc.expectedCode, resp.StatusCode)
|
||||
return
|
||||
}
|
||||
|
||||
if !reflect.DeepEqual(actualUser, tc.expectedUser) {
|
||||
t.Errorf("%s: expected %#v, actual %#v", tc.name, tc.expectedUser, actualUser)
|
||||
continue
|
||||
}
|
||||
if !reflect.DeepEqual(actualUser, tc.expectedUser) {
|
||||
t.Errorf("%s: expected %#v, actual %#v", tc.name, tc.expectedUser, actualUser)
|
||||
return
|
||||
}
|
||||
})
|
||||
}
|
||||
}
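Review bot: `resp.Body` is never closed after `http.DefaultClient.Do(req)` inside the new `t.Run` closure, so each case leaves its connection to the httptest server open until `server.Close()`; add `defer resp.Body.Close()` right after the `err != nil` check on that call. Now that every case runs as a named subtest, the `tc.name` prefix in the `t.Errorf` calls is redundant and could be dropped. None of the added cases appear to exercise the path the filter now special-cases for a non-anonymous user with `system:unauthenticated` specified (a case with `impersonationUser: "system:admin"`, `impersonationGroups: []string{"system:unauthenticated"}` and an expected group list without `system:authenticated`), so that branch looks untested here. TestImpersonationFilter begins outside the hunk.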
|
||||
|
|