
Include system:authenticated group when impersonating #44076

Merged 1 commit, Apr 21, 2017

Conversation

liggitt
Member

@liggitt liggitt commented Apr 5, 2017

Fixes #43227

An authorized impersonation request solely for a specific username previously resulted in a user.Info that did not include either the system:authenticated or system:unauthenticated groups. That meant that permissions intended to be granted to all users, like discovery, would be denied the impersonated user.

This allows kubectl get pods --as=<username> to work as expected

API requests using impersonation now include the `system:authenticated` group in the impersonated user automatically.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Apr 5, 2017

@k8s-github-robot k8s-github-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. release-note-label-needed labels Apr 5, 2017
@liggitt liggitt added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-label-needed labels Apr 5, 2017
@k8s-github-robot k8s-github-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Apr 5, 2017
@liggitt liggitt added area/security sig/auth Categorizes an issue or PR as relevant to SIG Auth. labels Apr 5, 2017
@liggitt
Member Author

liggitt commented Apr 5, 2017

@k8s-bot non-cri e2e test this

}
}
if !found {
groups = append(groups, user.AllAuthenticated)
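Review bot: the `if !found` fall-through appends `user.AllAuthenticated` whenever that group is merely absent from the list, so it also augments a caller that explicitly sent Impersonate-Group headers and chose not to include it. Gate the append on "no groups were requested at all" rather than on the group not being present, so that caller-supplied group lists are passed through untouched and only a bare Impersonate-User request is groupified.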
Contributor


If any groups have been specified, I don't think that we should auto-add something else to the list. The caller knew how to send the groups and chose not to.

Member Author


I'm hard pressed to think of any scenario where that behavior would be helpful and not confusing.

Contributor


> I'm hard pressed to think of any scenario where that behavior would be helpful and not confusing.

If you don't do that, you're stealing power from the API. I can see why you'd add the group for cases where it's not found (same as the downstream "groupify for me"), but to take what the user requested and decide, "I'll add this too" (which we don't do downstream), seems wrong to me.

Member Author


updated
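
The behaviour described in the PR description, together with the rule settled in the review thread above (system:authenticated is added only when the caller sent no Impersonate-Group headers; caller-supplied groups are never augmented), as an added Go example. This is not code from the PR or from Kubernetes: it re-implements the impersonated-user construction with a minimal stand-in for user.Info and a toy stand-in for the default RBAC discovery binding. The constant names mirror those in k8s.io/apiserver's `user` package but are declared locally, and the special-casing of `system:anonymous` (not placing it in system:authenticated) is an assumption of this example rather than something stated in this thread.

```go
package main

import (
	"fmt"
	"net/http"
)

// Well-known names matching k8s.io/apiserver/pkg/authentication/user,
// declared locally so the example builds without the Kubernetes module.
const (
	AllAuthenticated = "system:authenticated"
	Anonymous        = "system:anonymous"
)

// Request headers set by kubectl --as and --as-group.
const (
	ImpersonateUserHeader  = "Impersonate-User"
	ImpersonateGroupHeader = "Impersonate-Group"
)

// UserInfo is a minimal stand-in for user.Info.
type UserInfo struct {
	Name   string
	Groups []string
}

// impersonatedUser builds the user the request will act as, after the
// impersonation itself has already been authorized (not modelled here).
//
// groupify=false reproduces the pre-fix behaviour: a request carrying only
// Impersonate-User yields a user with no groups at all.
// groupify=true reproduces the post-fix behaviour: system:authenticated is
// added only when the caller requested no groups. Explicitly requested
// groups are passed through unchanged, as the review thread insisted.
// Excluding system:anonymous is this example's own assumption.
func impersonatedUser(h http.Header, groupify bool) UserInfo {
	u := UserInfo{Name: h.Get(ImpersonateUserHeader)}
	requested := h[http.CanonicalHeaderKey(ImpersonateGroupHeader)]
	u.Groups = append(u.Groups, requested...)
	if groupify && len(requested) == 0 && u.Name != Anonymous {
		u.Groups = append(u.Groups, AllAuthenticated)
	}
	return u
}

// discoveryAllowed stands in for the default RBAC binding that grants the
// discovery endpoints (/api, /apis, ...) to the system:authenticated group.
// kubectl needs discovery before it can issue "get pods", which is why the
// pre-fix user was denied.
func discoveryAllowed(u UserInfo) bool {
	for _, g := range u.Groups {
		if g == AllAuthenticated {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample requests: --as=alice, --as=alice --as-group=dev,
	// and --as=system:anonymous.
	alice := http.Header{}
	alice.Set(ImpersonateUserHeader, "alice")
	aliceDev := alice.Clone()
	aliceDev.Add(ImpersonateGroupHeader, "dev")
	anon := http.Header{}
	anon.Set(ImpersonateUserHeader, Anonymous)

	for _, h := range []http.Header{alice, aliceDev, anon} {
		before := impersonatedUser(h, false)
		after := impersonatedUser(h, true)
		fmt.Printf("%-18s before: groups=%v discovery=%t | after: groups=%v discovery=%t\n",
			h.Get(ImpersonateUserHeader),
			before.Groups, discoveryAllowed(before),
			after.Groups, discoveryAllowed(after))
	}
}
```

Running it shows the three cases side by side: a bare `--as=alice` gains system:authenticated and passes discovery only with the fix, `--as=alice --as-group=dev` keeps exactly the one group the caller asked for in both modes, and the anonymous user is never promoted.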

@liggitt
Member Author

liggitt commented Apr 18, 2017

@k8s-bot cvm gce e2e test this

@deads2k
Contributor

deads2k commented Apr 21, 2017

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 21, 2017
@k8s-github-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, liggitt


@k8s-github-robot

Automatic merge from submit-queue

@k8s-github-robot k8s-github-robot merged commit 936137d into kubernetes:master Apr 21, 2017
@liggitt liggitt deleted the impersonation-groupify branch April 25, 2017 02:07
Successfully merging this pull request may close these issues.

Impersonating a user does not automatically include the system:authenticated group