Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Drop authorizer wrapper #20379

Merged
merged 3 commits into from
Aug 7, 2018
Merged

Conversation

simo5
Copy link
Contributor

@simo5 simo5 commented Jul 20, 2018

The openshift authorizer was wrapping kube authorizer only to generate
Forbidden messages, but upstream already generate similar messages and we
cannot intercept and change those. So let's just stop duplicating errors
and use the upstream authorizer and error messages as is.

Fixes #15828
https://bugzilla.redhat.com/show_bug.cgi?id=1573558

@openshift-ci-robot openshift-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jul 20, 2018
@simo5
Copy link
Contributor Author

simo5 commented Jul 20, 2018

@enj PTAL

@enj
Copy link
Contributor

enj commented Jul 21, 2018

Lots of failing tests as expected. Idea looks fine. Deferring LGTM to others once this is green.

/approve

Note that we will still print Error from server (Forbidden): namespaces "ci-op-b11b8c1ba3" is forbidden: User "smarterclayton" cannot delete namespaces in the namespace "ci-op-b11b8c1ba3". The error message is weird but it is correct. The code for this is all upstream.

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 21, 2018
@enj enj removed the request for review from knobunc July 21, 2018 03:03
@enj
Copy link
Contributor

enj commented Jul 21, 2018

@openshift/sig-security

@@ -47,7 +47,7 @@ os::cmd::expect_success "oc policy can-i --list"
whoamitoken="$(oc process -f "${OS_ROOT}/test/testdata/authentication/scoped-token-template.yaml" TOKEN_PREFIX=whoami SCOPE=user:info USER_NAME="${username}" USER_UID="${useruid}" | oc create -f - -o name | awk -F/ '{print $2}')"
os::cmd::expect_success_and_text "oc get user/~ --token='${whoamitoken}'" "${username}"
os::cmd::expect_success_and_text "oc whoami --token='${whoamitoken}'" "${username}"
os::cmd::expect_failure_and_text "oc get pods --token='${whoamitoken}' -n '${project}'" "prevent this action; User \"scoped-user\" cannot list pods in project \"${project}\""
os::cmd::expect_failure_and_text "oc get pods --token='${whoamitoken}' -n '${project}'" "pods is forbidden: User \"scoped-user\" cannot list pods in the namespace \"${project}\""
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm fine with it, but @liggitt this takes from project to namespace in the text. I'm betting it also changes the text for a forbidden project request.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We already include the kube forbidden message since we use their request handlers. Saying just namespace is less confusing than saying both namespace and project as we do today.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@deads2k beats having duplicated text, we have "no way" to not make errors still print namespace anyway

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@deads2k beats having duplicated text, we have "no way" to not make errors still print namespace anyway

I'm not arguing against it. I'm pointing out the difference so that no one claims they're surprised. I wasn't the guy who wanted it to begin with. That person liked users more.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this takes from project to namespace in the text

/shrugs

oc options 
...
-n, --namespace='': If present, the namespace scope for this CLI request

@deads2k
Copy link
Contributor

deads2k commented Jul 23, 2018

I'd really like to see this wrapper die.

@simo5
Copy link
Contributor Author

simo5 commented Jul 23, 2018

@deads2k @liggitt t, the concerning thing for me is that there are a couple of places where now we return no error text at all, see tests where I changed Reason to an empty string. Is that a compromise we are ok with ?

@deads2k
Copy link
Contributor

deads2k commented Jul 23, 2018

@deads2k @LiGgit, the concerning thing for me is that there are a couple of places where now we return no error text at all, see tests where I changed Reason to an empty string. Is that a compromise we are ok with ?

I had assumed that was a bug. Isn't that particular test still failing?

@simo5
Copy link
Contributor Author

simo5 commented Jul 23, 2018

@deads2k not bug, it was failing because I handn't removed reason from all places where I needed to ... it now passes locally all butchered like that.

@deads2k
Copy link
Contributor

deads2k commented Jul 23, 2018

@deads2k not bug, it was failing because I handn't removed reason from all places where I needed to ... it now passes locally all butchered like that.

Then that seems odd. Doesn't the kube endpoint return a reason for rejection?

@simo5
Copy link
Contributor Author

simo5 commented Jul 23, 2018

@deads2k for many things it does, but apparently not for all, seem like it dislikes returning errors when creation is not permitted

@simo5
Copy link
Contributor Author

simo5 commented Jul 23, 2018

Looking more closely, it seems upstream does not like to return an error when the result is a denial ...

@openshift-ci-robot openshift-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 23, 2018
@liggitt
Copy link
Contributor

liggitt commented Jul 23, 2018

updated RBAC to return a generic reason about no RBAC policies matching in https://github.com/kubernetes/kubernetes/pull/65906/files

the top level authorization filter constructs a denial message user <user> is not allowed to <verb> <resource>...

@simo5
Copy link
Contributor Author

simo5 commented Jul 23, 2018

/retest

@openshift-bot openshift-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 31, 2018
@simo5
Copy link
Contributor Author

simo5 commented Aug 2, 2018

/retest

@openshift-bot openshift-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 2, 2018
@openshift-ci-robot openshift-ci-robot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 2, 2018
@simo5
Copy link
Contributor Author

simo5 commented Aug 2, 2018

@deads2k added

@simo5
Copy link
Contributor Author

simo5 commented Aug 3, 2018

/test gcp

@@ -1364,14 +1364,6 @@ func TestBrowserSafeAuthorizer(t *testing.T) {
proxyVerb := []string{"api", "v1", "proxy", "namespaces", "ns", "pods", "podX1:8080"}
proxySubresource := []string{"api", "v1", "namespaces", "ns", "pods", "podX1:8080", "proxy", "appEndPoint"}

isUnsafeErr := func(errProxy error) (matches bool) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to update the NewBrowserSafeAuthorizer to include extra information when it changes the verb and that change leads to a deny. Otherwise the error message will say "you cannot proxy here" when it should say "you cannot unsafe proxy here".

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I looked into it briefly when I had to drop this code, I did not see an obvious way to do it.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

liggitt and others added 2 commits August 6, 2018 08:47
@simo5 simo5 force-pushed the kill401MsgMkr branch 2 times, most recently from ceb3cbc to 70b54e7 Compare August 6, 2018 13:51
@@ -51,7 +51,7 @@ func TestBrowserSafeAuthorizer(t *testing.T) {
safeAuthorizer := NewBrowserSafeAuthorizer(delegateAuthorizer, "system:authenticated")

authorized, reason, err := safeAuthorizer.Authorize(tc.attributes)
if authorized == authorizer.DecisionAllow || len(reason) != 0 || err != nil {
if authorized == authorizer.DecisionAllow || err != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if authorized != authorizer.DecisionNoOpinion || err != nil {

The test should probably also check to make sure the reason string makes sense.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if it were a generic test I would agree, but here seem really superfluous, what case would possibly generate a string we do not like ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unit test to make sure the string building works as written seems appropriate. I am sure at some point in the future we will need to mess with this again, so catching regressions and expected changes would be nice. But not a big deal since the logic is simple.

@enj
Copy link
Contributor

enj commented Aug 7, 2018

/lgtm

@deads2k you want to approve?

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Aug 7, 2018
@@ -890,7 +890,7 @@ func TestAuthorizationSubjectAccessReviewAPIGroup(t *testing.T) {
kubeAuthInterface: clusterAdminSARGetter,
response: authorizationapi.SubjectAccessReviewResponse{
Allowed: false,
Reason: `User "harold" cannot get horizontalpodautoscalers in project "hammer-project"`,
Reason: ``,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you should have a reason now.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do now, fixed

@deads2k
Copy link
Contributor

deads2k commented Aug 7, 2018

The integration tests should now be able to confirm the message that the upstream commit added.

lgtm otherwise

@enj
Copy link
Contributor

enj commented Aug 7, 2018

you should have a reason now.

Integration test seems to be passing?

/test integration

The openshift authorizer was wrapping kube authorizer only to generate
Forbidden messages, but upstream already generate similar messages and we
cannot intercept and change those. So let's just stop duplicating errors
and use the upstream authorizer and error messages as is.

Signed-off-by: Simo Sorce <simo@redhat.com>
@openshift-ci-robot openshift-ci-robot removed the lgtm Indicates that a PR is ready to be merged. label Aug 7, 2018
@enj
Copy link
Contributor

enj commented Aug 7, 2018

/test all
/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Aug 7, 2018
@deads2k
Copy link
Contributor

deads2k commented Aug 7, 2018

/lgtm

@openshift-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, enj, simo5

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 7, 2018
@simo5
Copy link
Contributor Author

simo5 commented Aug 7, 2018

/test end_to_end

@openshift-merge-robot openshift-merge-robot merged commit f0fba65 into openshift:master Aug 7, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. sig/security size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants