Add missing UID in SubjectAccessReviewSpec #49677

Member

@dims dims commented Jul 27, 2017

What this PR does / why we need it:
WebhookAuthorizer's Authorize should send all the information
present in the user.Info data structure. We are not sending the
UID currently.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #

Special notes for your reviewer:

Release note:

The SubjectAccessReview API in the authorization.k8s.io API group now allows providing the user uid.
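
How a remote authorizer can consume the `uid` that this PR starts sending, as an added example that is not code from this PR or from Kubernetes. The grant table, the UID values and the `Review` function are hypothetical; only the `user`, `uid`, `allowed` and `reason` JSON field names come from the SubjectAccessReview API.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the SubjectAccessReview wire format; only the fields used here.
type sarSpec struct {
	User string `json:"user"`
	UID  string `json:"uid,omitempty"`
}
type sarStatus struct {
	Allowed bool   `json:"allowed"`
	Reason  string `json:"reason,omitempty"`
}
type subjectAccessReview struct {
	Spec   sarSpec   `json:"spec"`
	Status sarStatus `json:"status"`
}

var pinnedUIDs = map[string]string{"jane": "uid-1111"} // hypothetical grant table, constructed values

// Review fills in the status; access needs both the user name and the UID to match the grant.
func Review(body []byte) (subjectAccessReview, error) {
	var sar subjectAccessReview
	if err := json.Unmarshal(body, &sar); err != nil {
		return sar, err
	}
	want, known := pinnedUIDs[sar.Spec.User]
	switch {
	case !known:
		sar.Status = sarStatus{Reason: "no grant for user"}
	case sar.Spec.UID == "": // what a caller that omits the UID produces
		sar.Status = sarStatus{Reason: "request carried no uid"}
	case sar.Spec.UID != want:
		sar.Status = sarStatus{Reason: "uid does not match grant"}
	default:
		sar.Status = sarStatus{Allowed: true}
	}
	return sar, nil
}

func main() {
	for _, uid := range []string{"uid-1111", "uid-2222", ""} { // constructed inputs
		body, _ := json.Marshal(subjectAccessReview{Spec: sarSpec{User: "jane", UID: uid}})
		sar, _ := Review(body)
		fmt.Println(string(body), "->", sar.Status.Allowed, sar.Status.Reason)
	}
}
```

The third request, with no `uid`, is the shape such a backend received while the UID was not being sent.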

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jul 27, 2017
@k8s-github-robot k8s-github-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. release-note-label-needed release-note-none Denotes a PR that doesn't merit a release note. and removed release-note-label-needed labels Jul 27, 2017
@dims dims force-pushed the send-missing-uid-field-during-webhook-authorize branch from 8430aed to 8d94f4d Compare July 27, 2017 03:37
@k8s-github-robot k8s-github-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jul 27, 2017
@dims dims force-pushed the send-missing-uid-field-during-webhook-authorize branch from 8d94f4d to 54e4880 Compare July 27, 2017 03:49
@k8s-github-robot k8s-github-robot added kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 27, 2017
@dims dims force-pushed the send-missing-uid-field-during-webhook-authorize branch from 54e4880 to 9821d49 Compare July 27, 2017 04:05
@k8s-github-robot k8s-github-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jul 27, 2017
@dims dims force-pushed the send-missing-uid-field-during-webhook-authorize branch from 9821d49 to c8f3420 Compare July 27, 2017 11:47
@k8s-github-robot k8s-github-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jul 27, 2017
@ericchiang
Contributor

/cc @kubernetes/sig-auth-pr-reviews

@k8s-ci-robot k8s-ci-robot added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Jul 27, 2017
@deads2k
Contributor

deads2k commented Jul 27, 2017

/approve

@@ -144,6 +144,7 @@ func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (authorized bo
if user := attr.GetUser(); user != nil {
r.Spec = authorization.SubjectAccessReviewSpec{
User: user.GetName(),
UID: user.GetUID(),
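
Review bot: the added `UID: user.GetUID(),` entry in the `SubjectAccessReviewSpec` literal comes with no test in this hunk, so nothing shown here proves the UID actually reaches the webhook. Add a case to the webhook authorizer tests that sets a non-empty UID on the user and asserts the serialized request carries it, plus one where the UID is empty. The field's API documentation should also say that `GetUID()` can return an empty string, so remote authorizers do not treat an absent `uid` as a match.
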
Member

a corresponding change in sarApprover.authorize and the CSR API propagating the uid would make sense to me

Contributor

@dims want to take that in this PR? If not I can send one.

Member Author

Fixed a few more spots. Will wait for the CI to run to see if the changes hold up

Member Author

@ericchiang I found the "sarApprover.authorize" but not sure if I have covered all the cases, please see latest patch.

@dims dims force-pushed the send-missing-uid-field-during-webhook-authorize branch from c8f3420 to beb83f6 Compare July 27, 2017 17:16
@dims dims changed the title WIP : Add missing UID in SubjectAccessReviewSpec Add missing UID in SubjectAccessReviewSpec Jul 27, 2017
@dims dims force-pushed the send-missing-uid-field-during-webhook-authorize branch 2 times, most recently from ef4ea5a to 5835a10 Compare July 27, 2017 17:29
@wojtek-t wojtek-t assigned liggitt and unassigned wojtek-t Jul 27, 2017
@liggitt
Member

liggitt commented Jul 28, 2017

cc @cjcullen for a new field sent to the authz webhook

@dims
Member Author

dims commented Jul 28, 2017

/assign @smarterclayton

@ncdc
Member

ncdc commented Jul 31, 2017

/unassign

@k8s-github-robot

@k8s-bot test this

Tests are more than 96 hours old. Re-running tests.

@dims
Member Author

dims commented Aug 2, 2017

/retest

@dims dims force-pushed the send-missing-uid-field-during-webhook-authorize branch from d412fad to ca8696f Compare August 2, 2017 09:50
@k8s-github-robot k8s-github-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Aug 2, 2017
WebhookAuthorizer's Authorize should send *all* the information
present in the user.Info data structure. We are not sending the
UID currently.
@dims dims force-pushed the send-missing-uid-field-during-webhook-authorize branch from ca8696f to 9a761b1 Compare August 2, 2017 14:52
@k8s-github-robot k8s-github-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 2, 2017
@dims
Member Author

dims commented Aug 2, 2017

/retest

@dims
Member Author

dims commented Aug 2, 2017

/retest

@dims
Member Author

dims commented Aug 2, 2017

/retest

@dims
Member Author

dims commented Aug 2, 2017

/assign @thockin
Can you please help with a review from the API perspective? This one is caught in the rebase+hack/update-all.sh+retest hell

@liggitt
Member

liggitt commented Aug 3, 2017

/lgtm
Needs approval

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 3, 2017
@smarterclayton
Contributor

/approve

This is relevant info and is important. It was not omitted intentionally.

@dims are there other endpoints that need this like external web hooks?

@smarterclayton
Contributor

/approve no-issue

@k8s-github-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, dims, liggitt, smarterclayton

Associated issue requirement bypassed by: smarterclayton

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 3, 2017
@dims
Member Author

dims commented Aug 3, 2017

@smarterclayton: thanks a ton. I will review more to see where else we are missing UID. I was focused on SubjectAccessReview, but will widen the net.

@k8s-github-robot

Automatic merge from submit-queue (batch tested with PRs 50103, 49677, 49449, 43586, 48969)

@k8s-github-robot k8s-github-robot merged commit 40d66b8 into kubernetes:master Aug 3, 2017
@dims dims deleted the send-missing-uid-field-during-webhook-authorize branch November 16, 2017 22:08
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
9 participants