Proxy action always resolves as unsafeproxy, even with authenticated users #16710
Assignees
Comments
|
@deads2k have I missed something tricky here, or did we just not notice this because the HPA e2es aren't enabled and nothing else uses proxy? |
|
FWIW, if I had to guess (haven't done a bisect), this commit probably broke it: 689cdee -- it's sufficently recent (around the time of https://bugzilla.redhat.com/show_bug.cgi?id=1493057) and seems to reshuffle the related code. |
|
/assign enj I think @enj found this and has an idea to fix it. |
openshift-merge-robot
added a commit
that referenced
this issue
Oct 10, 2017
Automatic merge from submit-queue (batch tested with PRs 16741, 16692). Move browser safe proxy logic into an authorizer This change moves the browser safe proxy verification from a request info resolver to an authorizer. It is required because we moved to the upstream filters in 689cdee. The upstream handler chain resolves request info, then authentication and then authorization. Our old chain would mutate request info after authentication and before authorization. This meant that we had access to the user info data. Since the upstream handler chain does any mutation to the request info before authentication, our browser safe proxy request info resolver would never see any user data. This meant that it would incorrectly identify safe proxy requests as unsafe. To continue using the upstream chain, we must move this logic into an authorizer that wraps our existing authorizers. This will guarantee that it has access to the authentication information it requires. Since the authorizer only has access to authorization attributes, it cannot make any decisions based on the context or request info. In this case, it means that we can no longer honor the X-CSRF-Token header as a way of confirming that the request is not originating from a browser. This is an acceptable break from legacy behavior as that header was never documented as a way of passing the browser check. The most likely user of this feature is the proxy command, which is easy to use in an authenticated manner with either oc or kubectl. Administrators can continue to grant the unsafe verb to unauthenticated users should they desire to bypass this safety check entirely. Signed-off-by: Monis Khan <mkhan@redhat.com> Fixes #16619 Fixes #16710 /assign @liggitt @deads2k @openshift/sig-security cc @jwendell @DirectXMan12 since you guys encountered this issue.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Requests to the proxy subresource are transformed to be the
unsafeproxyaction, even when the users are authenticated and not coming from a direct browser request.The comment at
origin/pkg/authorization/authorizer/browser_safe_request_info_resolver.go
Line 56 in 050c9ea
proxyfor authenticated users / users not coming directly from a browser, andunsafeproxyfor non-authenticated users or direct browser requests.However, according to
origin/pkg/cmd/server/kubernetes/master/master_config.go
Line 403 in 050c9ea
origin/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/config.go
Line 491 in 050c9ea
UserFromreturns that the information is missing).This breaks the HPA, whose policy expects to be able to
/proxythe Heapster service. We could change the policy, but it seems like this filter just isn't working as intended.Version
master as of 050c9ea
Steps To Reproduce
/api/v1/namespaces/openshift-infra/services/https:heapster:/proxy/apisor any other use of the proxy subresource, and notice that we receive an error that our user cannotunsafeproxy, not that the user can'tproxy.Debugged this with @frobware
cc @deads2k since you seem to have been the last one to shuffle this code around ;-)
The text was updated successfully, but these errors were encountered: