From 9a7bb2843a8b52f9f99d0f0e7d85a16cd85e3247 Mon Sep 17 00:00:00 2001 From: mikebrow Date: Mon, 4 Apr 2016 12:15:19 -0500 Subject: [PATCH] fixes issue #7159; refactor list formatting Signed-off-by: mikebrow --- docs/admin/authorization.md | 123 +++++++++++++++++++++++------------- 1 file changed, 80 insertions(+), 43 deletions(-) diff --git a/docs/admin/authorization.md b/docs/admin/authorization.md index 2571fb94a8..3b521b5df1 100644 --- a/docs/admin/authorization.md +++ b/docs/admin/authorization.md @@ -13,31 +13,35 @@ policies. An API call must be allowed by some policy in order to proceed. The following implementations are available, and are selected by flag: - - `--authorization-mode=AlwaysDeny` - - `--authorization-mode=AlwaysAllow` - - `--authorization-mode=ABAC` - - `--authorization-mode=Webhook` - -`AlwaysDeny` blocks all requests (used in tests). -`AlwaysAllow` allows all requests; use if you don't need authorization. -`ABAC` allows for user-configured authorization policy. ABAC stands for Attribute-Based Access Control. -`Webhook` allows for authorization to be driven by a remote service using REST. + - `--authorization-mode=AlwaysDeny` blocks all requests (used in tests). + - `--authorization-mode=AlwaysAllow` allows all requests; use if you don't +need authorization. + - `--authorization-mode=ABAC`allows for user-configured authorization policy. +ABAC stands for + Attribute-Based Access Control. + - `--authorization-mode=Webhook` allows for authorization to be driven by a +remote service using REST. ## ABAC Mode ### Request Attributes A request has the following attributes that can be considered for authorization: + - user (the user-string which a user was authenticated as). - group (the list of group names the authenticated user is a member of). - whether the request is for an API resource. - the request path. - - allows authorizing access to miscellaneous endpoints like `/api` or `/healthz` (see [kubectl](#kubectl)). + - allows authorizing access to miscellaneous endpoints like `/api` or +`/healthz` (see [kubectl](#kubectl)). - the request verb. - - API verbs like `get`, `list`, `create`, `update`, `watch`, `delete`, and `deletecollection` are used for API requests - - HTTP verbs like `get`, `post`, `put`, and `delete` are used for non-API requests + - API verbs like `get`, `list`, `create`, `update`, `watch`, `delete`, and +`deletecollection` are used for API requests + - HTTP verbs like `get`, `post`, `put`, and `delete` are used for non-API +requests - what resource is being accessed (for API requests only) - - the namespace of the object being accessed (for namespaced API requests only) + - the namespace of the object being accessed (for namespaced API requests +only) - the API group being accessed (for API requests only) We anticipate adding more attributes to allow finer grained access control and @@ -47,33 +51,33 @@ to assist in policy management. For mode `ABAC`, also specify `--authorization-policy-file=SOME_FILENAME`. -The file format is [one JSON object per line](http://jsonlines.org/). There should be no enclosing list or map, just -one map per line. +The file format is [one JSON object per line](http://jsonlines.org/). There +should be no enclosing list or map, just one map per line. + +Each line is a "policy object". A policy object is a map with the following +properties: -Each line is a "policy object". A policy object is a map with the following properties: - Versioning properties: - `apiVersion`, type string; valid values are "abac.authorization.kubernetes.io/v1beta1". Allows versioning and conversion of the policy format. - `kind`, type string: valid values are "Policy". Allows versioning and conversion of the policy format. - - `spec` property set to a map with the following properties: - Subject-matching properties: - `user`, type string; the user-string from `--token-auth-file`. If you specify `user`, it must match the username of the authenticated user. `*` matches all requests. - `group`, type string; if you specify `group`, it must match one of the groups of the authenticated user. `*` matches all requests. - - `readonly`, type boolean, when true, means that the policy only applies to get, list, and watch operations. - - Resource-matching properties: - `apiGroup`, type string; an API group, such as `extensions`. `*` matches all API groups. - `namespace`, type string; a namespace string. `*` matches all resource requests. - `resource`, type string; a resource, such as `pods`. `*` matches all resource requests. - - Non-resource-matching properties: - `nonResourcePath`, type string; matches the non-resource request paths (like `/version` and `/apis`). `*` matches all non-resource requests. `/foo/*` matches `/foo/` and all of its subpaths. -An unset property is the same as a property set to the zero value for its type (e.g. empty string, 0, false). -However, unset should be preferred for readability. +An unset property is the same as a property set to the zero value for its type +(e.g. empty string, 0, false). However, unset should be preferred for +readability. -In the future, policies may be expressed in a JSON format, and managed via a REST interface. +In the future, policies may be expressed in a JSON format, and managed via a +REST interface. ### Authorization Algorithm @@ -84,23 +88,32 @@ are set to the zero value of its type (e.g. empty string, 0, false). A property set to "*" will match any value of the corresponding attribute. -The tuple of attributes is checked for a match against every policy in the policy file. -If at least one line matches the request attributes, then the request is authorized (but may fail later validation). +The tuple of attributes is checked for a match against every policy in the +policy file. If at least one line matches the request attributes, then the +request is authorized (but may fail later validation). -To permit any user to do something, write a policy with the user property set to "*". -To permit a user to do anything, write a policy with the apiGroup, namespace, resource, and nonResourcePath properties set to "*". +To permit any user to do something, write a policy with the user property set to +"*". + +To permit a user to do anything, write a policy with the apiGroup, namespace, +resource, and nonResourcePath properties set to "*". ### Kubectl -Kubectl uses the `/api` and `/apis` endpoints of api-server to negotiate client/server versions. To validate objects sent to the API by create/update operations, kubectl queries certain swagger resources. For API version `v1` those would be `/swaggerapi/api/v1` & `/swaggerapi/experimental/v1`. +Kubectl uses the `/api` and `/apis` endpoints of api-server to negotiate +client/server versions. To validate objects sent to the API by create/update +operations, kubectl queries certain swagger resources. For API version `v1` +those would be `/swaggerapi/api/v1` & `/swaggerapi/experimental/v1`. -When using ABAC authorization, those special resources have to be explicitly exposed via the `nonResourcePath` property in a policy (see [examples](#examples) below): +When using ABAC authorization, those special resources have to be explicitly +exposed via the `nonResourcePath` property in a policy (see [examples](#examples) below): * `/api`, `/api/*`, `/apis`, and `/apis/*` for API version negotiation. * `/version` for retrieving the server version via `kubectl version`. * `/swaggerapi/*` for create/update operations. -To inspect the HTTP calls involved in a specific kubectl operation you can turn up the verbosity: +To inspect the HTTP calls involved in a specific kubectl operation you can turn +up the verbosity: kubectl --v=8 version @@ -116,18 +129,22 @@ To inspect the HTTP calls involved in a specific kubectl operation you can turn ### A quick note on service accounts -A service account automatically generates a user. The user's name is generated according to the naming convention: +A service account automatically generates a user. The user's name is generated +according to the naming convention: ```shell system:serviceaccount:: ``` -Creating a new namespace also causes a new service account to be created, of this form:* +Creating a new namespace also causes a new service account to be created, of +this form:* ```shell system:serviceaccount::default ``` -For example, if you wanted to grant the default service account in the kube-system full privilege to the API, you would add this line to your policy file: +For example, if you wanted to grant the default service account in the +kube-system full privilege to the API, you would add this line to your policy +file: ```json {"apiVersion":"abac.authorization.kubernetes.io/v1beta1","kind":"Policy","user":"system:serviceaccount:kube-system:default","namespace":"*","resource":"*","apiGroup":"*"} @@ -137,13 +154,17 @@ The apiserver will need to be restarted to pickup the new policy lines. ## Webhook Mode -When specified, mode `Webhook` causes Kubernetes to query an outside REST service when determining user privileges. +When specified, mode `Webhook` causes Kubernetes to query an outside REST +service when determining user privileges. ### Configuration File Format -Mode `Webhook` requires a file for HTTP configuration, specify by the `--authorization-webhook-config-file=SOME_FILENAME` flag. +Mode `Webhook` requires a file for HTTP configuration, specify by the +`--authorization-webhook-config-file=SOME_FILENAME` flag. -The configuration file uses the [kubeconfig](/docs/user-guide/kubeconfig-file/) file format. Within the file "users" refers to the API Server webhook and "clusters" refers to the remote service. +The configuration file uses the [kubeconfig](/docs/user-guide/kubeconfig-file/) +file format. Within the file "users" refers to the API Server webhook and +"clusters" refers to the remote service. A configuration example which uses HTTPS client auth: @@ -173,9 +194,17 @@ contexts: ### Request Payloads -When faced with an authorization decision, the API Server POSTs a JSON serialized api.authorization.v1beta1.SubjectAccessReview object describing the action. This object contains fields describing the user attempting to make the request, and either details about the resource being accessed or requests attributes. +When faced with an authorization decision, the API Server POSTs a JSON +serialized api.authorization.v1beta1.SubjectAccessReview object describing the +action. This object contains fields describing the user attempting to make the +request, and either details about the resource being accessed or requests +attributes. -Note that webhook API objects are subject to the same [versioning compatibility rules](/docs/api/) as other Kubernetes API objects. Implementers should be aware of loser compatibility promises for beta objects and check the "apiVersion" field of the request to ensure correct deserialization. Additionally, the API Server must enable the `authorization.k8s.io/v1beta1` API extensions group (`--runtime-config=authorization.k8s.io/v1beta1=true`). +Note that webhook API objects are subject to the same [versioning compatibility rules](/docs/api/) +as other Kubernetes API objects. Implementers should be aware of loser +compatibility promises for beta objects and check the "apiVersion" field of the +request to ensure correct deserialization. Additionally, the API Server must +enable the `authorization.k8s.io/v1beta1` API extensions group (`--runtime-config=authorization.k8s.io/v1beta1=true`). An example request body: @@ -199,7 +228,9 @@ An example request body: } ``` -The remote service is expected to fill the SubjectAccessReviewStatus field of the request and respond to either allow or disallow access. The response body's "spec" field is ignored and may be omitted. A permissive response would return: +The remote service is expected to fill the SubjectAccessReviewStatus field of +the request and respond to either allow or disallow access. The response body's +"spec" field is ignored and may be omitted. A permissive response would return: ```json { @@ -244,9 +275,15 @@ Access to non-resource paths are sent as: } ``` -Non-resource paths include: `/api`, `/apis`, `/metrics`, `/resetMetrics`, `/logs`, `/debug`, `/healthz`, `/swagger-ui/`, `/swaggerapi/`, `/ui`, and `/version.` Clients require access to `/api`, `/api/*/`, `/apis/`, `/apis/*`, `/apis/*/*`, and `/version` to discover what resources and versions are present on the server. Access to other non-resource paths can be disallowed without restricting access to the REST api. +Non-resource paths include: `/api`, `/apis`, `/metrics`, `/resetMetrics`, +`/logs`, `/debug`, `/healthz`, `/swagger-ui/`, `/swaggerapi/`, `/ui`, and +`/version.` Clients require access to `/api`, `/api/*/`, `/apis/`, `/apis/*`, +`/apis/*/*`, and `/version` to discover what resources and versions are present +on the server. Access to other non-resource paths can be disallowed without +restricting access to the REST api. -For further documentation refer to the authorization.v1beta1 API objects and plugin/pkg/auth/authorizer/webhook/webhook.go. +For further documentation refer to the authorization.v1beta1 API objects and +plugin/pkg/auth/authorizer/webhook/webhook.go. ## Plugin Development @@ -267,5 +304,5 @@ Authorization plugin code goes in `pkg/auth/authorizer/$MODULENAME`. An authorization module can be completely implemented in go, or can call out to a remote authorization service. Authorization modules can implement their own caching to reduce the cost of repeated authorization calls with the -same or similar arguments. Developers should then consider the interaction between -caching and revocation of permissions. \ No newline at end of file +same or similar arguments. Developers should then consider the interaction +between caching and revocation of permissions.