Merge pull request #58598 from WanLinghao/rbac_improve

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. add a comment on specical case on authorization In file /staging/src/k8s.io/apiserver/pkg/endpoints/filters/authorization.go, function WithAuthorization() returns DecisionAllow before error check. It is intentional to avoid leaking authorization errors to attackers. This patch add a comment here to give a hint **What this PR does / why we need it**: **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes # **Special notes for your reviewer**: **Release note**: ```release-note NONE ``` Kubernetes-commit: 8f71d6d84013ddbe54a3087b879186bcd7ee4ce1
2018-01-31 03:23:16 -08:00 · 2018-01-31 03:23:16 -08:00 · 840f7e67cd
parent 38c16d509c 2eee1977e7
commit 840f7e67cd
2 changed files with 59 additions and 58 deletions
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@ -968,235 +968,235 @@
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/equality",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/errors",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/meta",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/resource",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/testing",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/testing/fuzzer",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/testing/roundtrip",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/validation",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/validation/path",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apimachinery",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apimachinery/announced",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apimachinery/registered",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/fuzzer",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/internalversion",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1/validation",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1alpha1",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/conversion",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/conversion/queryparams",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/fields",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/labels",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/schema",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/json",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/protobuf",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/recognizer",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/streaming",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/versioning",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/selection",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/types",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/cache",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/clock",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/diff",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/errors",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/framer",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/httpstream",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/intstr",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/json",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/mergepatch",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/net",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/proxy",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/rand",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/runtime",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/sets",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/strategicpatch",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/uuid",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/validation",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/validation/field",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/wait",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/waitgroup",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/yaml",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/version",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/watch",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/third_party/forked/golang/json",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/third_party/forked/golang/netutil",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/third_party/forked/golang/reflect",
-			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
+			"Rev": "150d32b09b5966b39cb02d7945f0d1bc7b9f1a19"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/discovery",
--- a/pkg/endpoints/filters/authorization.go
+++ b/pkg/endpoints/filters/authorization.go
@ -47,6 +47,7 @@ func WithAuthorization(handler http.Handler, requestContextMapper request.Reques
 			return
 		}
 		authorized, reason, err := a.Authorize(attributes)
+		// an authorizer like RBAC could encounter evaluation errors and still allow the request, so authorizer decision is checked before error here.
 		if authorized == authorizer.DecisionAllow {
 			handler.ServeHTTP(w, req)
 			return