Drop authorizer wrapper #20379

simo5 · 2018-07-20T16:42:10Z

The openshift authorizer was wrapping kube authorizer only to generate
Forbidden messages, but upstream already generate similar messages and we
cannot intercept and change those. So let's just stop duplicating errors
and use the upstream authorizer and error messages as is.

Fixes #15828
https://bugzilla.redhat.com/show_bug.cgi?id=1573558

simo5 · 2018-07-20T17:02:30Z

@enj PTAL

enj · 2018-07-21T02:35:40Z

Lots of failing tests as expected. Idea looks fine. Deferring LGTM to others once this is green.

/approve

Note that we will still print Error from server (Forbidden): namespaces "ci-op-b11b8c1ba3" is forbidden: User "smarterclayton" cannot delete namespaces in the namespace "ci-op-b11b8c1ba3". The error message is weird but it is correct. The code for this is all upstream.

enj · 2018-07-21T03:03:51Z

@openshift/sig-security

deads2k · 2018-07-23T13:07:26Z

test/cmd/authentication.sh

@@ -47,7 +47,7 @@ os::cmd::expect_success "oc policy can-i --list"
 whoamitoken="$(oc process -f "${OS_ROOT}/test/testdata/authentication/scoped-token-template.yaml" TOKEN_PREFIX=whoami SCOPE=user:info USER_NAME="${username}" USER_UID="${useruid}" | oc create -f - -o name | awk -F/ '{print $2}')"
 os::cmd::expect_success_and_text "oc get user/~ --token='${whoamitoken}'" "${username}"
 os::cmd::expect_success_and_text "oc whoami --token='${whoamitoken}'" "${username}"
-os::cmd::expect_failure_and_text "oc get pods --token='${whoamitoken}' -n '${project}'" "prevent this action; User \"scoped-user\" cannot list pods in project \"${project}\""
+os::cmd::expect_failure_and_text "oc get pods --token='${whoamitoken}' -n '${project}'" "pods is forbidden: User \"scoped-user\" cannot list pods in the namespace \"${project}\""


I'm fine with it, but @liggitt this takes from project to namespace in the text. I'm betting it also changes the text for a forbidden project request.

We already include the kube forbidden message since we use their request handlers. Saying just namespace is less confusing than saying both namespace and project as we do today.

@deads2k beats having duplicated text, we have "no way" to not make errors still print namespace anyway

@deads2k beats having duplicated text, we have "no way" to not make errors still print namespace anyway

I'm not arguing against it. I'm pointing out the difference so that no one claims they're surprised. I wasn't the guy who wanted it to begin with. That person liked users more.

this takes from project to namespace in the text

/shrugs

oc options ... -n, --namespace='': If present, the namespace scope for this CLI request

deads2k · 2018-07-23T13:07:36Z

I'd really like to see this wrapper die.

simo5 · 2018-07-23T13:22:38Z

@deads2k @liggitt t, the concerning thing for me is that there are a couple of places where now we return no error text at all, see tests where I changed Reason to an empty string. Is that a compromise we are ok with ?

deads2k · 2018-07-23T13:28:37Z

@deads2k @LiGgit, the concerning thing for me is that there are a couple of places where now we return no error text at all, see tests where I changed Reason to an empty string. Is that a compromise we are ok with ?

I had assumed that was a bug. Isn't that particular test still failing?

simo5 · 2018-07-23T14:44:46Z

@deads2k not bug, it was failing because I handn't removed reason from all places where I needed to ... it now passes locally all butchered like that.

deads2k · 2018-07-23T15:19:46Z

@deads2k not bug, it was failing because I handn't removed reason from all places where I needed to ... it now passes locally all butchered like that.

Then that seems odd. Doesn't the kube endpoint return a reason for rejection?

simo5 · 2018-07-23T16:34:57Z

@deads2k for many things it does, but apparently not for all, seem like it dislikes returning errors when creation is not permitted

simo5 · 2018-07-23T16:50:12Z

Looking more closely, it seems upstream does not like to return an error when the result is a denial ...

liggitt · 2018-07-23T17:39:55Z

updated RBAC to return a generic reason about no RBAC policies matching in https://github.com/kubernetes/kubernetes/pull/65906/files

the top level authorization filter constructs a denial message user <user> is not allowed to <verb> <resource>...

simo5 · 2018-07-23T18:15:36Z

/retest

simo5 · 2018-08-02T10:33:52Z

/retest

simo5 · 2018-08-02T15:53:42Z

@deads2k added

simo5 · 2018-08-03T12:16:51Z

/test gcp

enj · 2018-08-03T15:34:03Z

test/integration/authorization_test.go

@@ -1364,14 +1364,6 @@ func TestBrowserSafeAuthorizer(t *testing.T) {
 	proxyVerb := []string{"api", "v1", "proxy", "namespaces", "ns", "pods", "podX1:8080"}
 	proxySubresource := []string{"api", "v1", "namespaces", "ns", "pods", "podX1:8080", "proxy", "appEndPoint"}

-	isUnsafeErr := func(errProxy error) (matches bool) {


I think we need to update the NewBrowserSafeAuthorizer to include extra information when it changes the verb and that change leads to a deny. Otherwise the error message will say "you cannot proxy here" when it should say "you cannot unsafe proxy here".

Yeah I looked into it briefly when I had to drop this code, I did not see an obvious way to do it.

@simo5 simo5#18

Signed-off-by: Monis Khan <mkhan@redhat.com>

enj · 2018-08-06T20:10:54Z

pkg/authorization/authorizer/browsersafe/authorizer_test.go

@@ -51,7 +51,7 @@ func TestBrowserSafeAuthorizer(t *testing.T) {
 		safeAuthorizer := NewBrowserSafeAuthorizer(delegateAuthorizer, "system:authenticated")

 		authorized, reason, err := safeAuthorizer.Authorize(tc.attributes)
-		if authorized == authorizer.DecisionAllow || len(reason) != 0 || err != nil {
+		if authorized == authorizer.DecisionAllow || err != nil {


if authorized != authorizer.DecisionNoOpinion || err != nil {

The test should probably also check to make sure the reason string makes sense.

if it were a generic test I would agree, but here seem really superfluous, what case would possibly generate a string we do not like ?

Unit test to make sure the string building works as written seems appropriate. I am sure at some point in the future we will need to mess with this again, so catching regressions and expected changes would be nice. But not a big deal since the logic is simple.

enj · 2018-08-07T15:41:23Z

/lgtm

@deads2k you want to approve?

deads2k · 2018-08-07T15:41:53Z

test/integration/authorization_test.go

@@ -890,7 +890,7 @@ func TestAuthorizationSubjectAccessReviewAPIGroup(t *testing.T) {
 		kubeAuthInterface: clusterAdminSARGetter,
 		response: authorizationapi.SubjectAccessReviewResponse{
 			Allowed:   false,
-			Reason:    `User "harold" cannot get horizontalpodautoscalers in project "hammer-project"`,
+			Reason:    ``,


you should have a reason now.

I do now, fixed

deads2k · 2018-08-07T15:42:40Z

The integration tests should now be able to confirm the message that the upstream commit added.

lgtm otherwise

enj · 2018-08-07T15:44:58Z

you should have a reason now.

Integration test seems to be passing?

/test integration

The openshift authorizer was wrapping kube authorizer only to generate Forbidden messages, but upstream already generate similar messages and we cannot intercept and change those. So let's just stop duplicating errors and use the upstream authorizer and error messages as is. Signed-off-by: Simo Sorce <simo@redhat.com>

enj · 2018-08-07T17:50:54Z

/test all
/lgtm

deads2k · 2018-08-07T18:07:38Z

/lgtm

openshift-ci-robot · 2018-08-07T18:07:44Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, enj, simo5

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~pkg/authorization/OWNERS~~ [deads2k,enj,simo5]
~~pkg/cmd/OWNERS~~ [deads2k,enj]
~~test/cmd/OWNERS~~ [deads2k,enj]
~~test/integration/OWNERS~~ [deads2k,enj]
~~vendor/k8s.io/kubernetes/pkg/auth/OWNERS~~ [deads2k]
~~vendor/k8s.io/kubernetes/plugin/pkg/auth/OWNERS~~ [deads2k]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

simo5 · 2018-08-07T19:45:48Z

/test end_to_end

openshift-ci-robot requested review from enj and knobunc July 20, 2018 16:42

openshift-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jul 20, 2018

openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 21, 2018

enj removed the request for review from knobunc July 21, 2018 03:03

openshift-ci-robot added the sig/security label Jul 21, 2018

enj approved these changes Jul 21, 2018

View reviewed changes

simo5 force-pushed the kill401MsgMkr branch from dac5244 to c879762 Compare July 23, 2018 12:53

deads2k reviewed Jul 23, 2018

View reviewed changes

simo5 force-pushed the kill401MsgMkr branch from c879762 to 9641d4e Compare July 23, 2018 14:43

simo5 force-pushed the kill401MsgMkr branch from 9641d4e to 6d7602d Compare July 23, 2018 16:45

simo5 force-pushed the kill401MsgMkr branch from 6d7602d to 4f1bb6a Compare July 23, 2018 17:02

openshift-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 23, 2018

openshift-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 31, 2018

simo5 force-pushed the kill401MsgMkr branch from 4f1bb6a to 727863b Compare August 2, 2018 10:56

openshift-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 2, 2018

simo5 force-pushed the kill401MsgMkr branch from 727863b to c681861 Compare August 2, 2018 15:53

openshift-ci-robot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 2, 2018

simo5 force-pushed the kill401MsgMkr branch from c681861 to 0f5b255 Compare August 3, 2018 10:40

enj reviewed Aug 3, 2018

View reviewed changes

liggitt and others added 2 commits August 6, 2018 08:47

UPSTREAM: 65906: Improve multi-authorizer errors

7c57a53

browsersafe reason

fcf6cae

Signed-off-by: Monis Khan <mkhan@redhat.com>

simo5 force-pushed the kill401MsgMkr branch 2 times, most recently from ceb3cbc to 70b54e7 Compare August 6, 2018 13:51

enj reviewed Aug 6, 2018

View reviewed changes

simo5 force-pushed the kill401MsgMkr branch from 70b54e7 to 7da264d Compare August 7, 2018 13:32

enj mentioned this pull request Aug 7, 2018

move authorizer into the construction of the kubeapiserver #20552

Closed

openshift-ci-robot assigned enj Aug 7, 2018

openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Aug 7, 2018

deads2k reviewed Aug 7, 2018

View reviewed changes

simo5 force-pushed the kill401MsgMkr branch from 7da264d to feb2c85 Compare August 7, 2018 16:29

openshift-ci-robot removed the lgtm Indicates that a PR is ready to be merged. label Aug 7, 2018

openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Aug 7, 2018

openshift-ci-robot assigned deads2k Aug 7, 2018

openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 7, 2018

openshift-merge-robot merged commit f0fba65 into openshift:master Aug 7, 2018

Drop authorizer wrapper #20379

Drop authorizer wrapper #20379

Conversation

simo5 commented Jul 20, 2018 • edited Loading

simo5 commented Jul 20, 2018

enj commented Jul 21, 2018 • edited Loading

enj commented Jul 21, 2018

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

deads2k commented Jul 23, 2018

simo5 commented Jul 23, 2018 • edited Loading

deads2k commented Jul 23, 2018

simo5 commented Jul 23, 2018

deads2k commented Jul 23, 2018

simo5 commented Jul 23, 2018

simo5 commented Jul 23, 2018

liggitt commented Jul 23, 2018

simo5 commented Jul 23, 2018

simo5 commented Aug 2, 2018

simo5 commented Aug 2, 2018

simo5 commented Aug 3, 2018

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

enj commented Aug 7, 2018

Choose a reason for hiding this comment

Choose a reason for hiding this comment

deads2k commented Aug 7, 2018

enj commented Aug 7, 2018

enj commented Aug 7, 2018

deads2k commented Aug 7, 2018

openshift-ci-robot commented Aug 7, 2018

simo5 commented Aug 7, 2018

simo5 commented Jul 20, 2018 •

edited

Loading

enj commented Jul 21, 2018 •

edited

Loading

simo5 commented Jul 23, 2018 •

edited

Loading