-
Notifications
You must be signed in to change notification settings - Fork 40.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add act-as powers #23549
add act-as powers #23549
Conversation
GCE e2e build/test failed for commit dc718777fad2ea724d839eee85899485a06b46ed. Please reference the list of currently known flakes when examining this failure. If you request a re-test, you must reference the issue describing the flake. |
GCE e2e build/test passed for commit 85844c419933c4a507225d52bfa542f8922685e1. |
newCtx, _ := requestContextMapper.Get(req) | ||
oldUser, _ := api.UserFrom(ctx) | ||
newUser, _ := api.UserFrom(newCtx) | ||
glog.V(3).Infof("%v is acting as %v on %v", oldUser, newUser, req.URL) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this request going to go into the HTTP log as the original or the impersonated user? I think the original user is more useful from a debugging and audit logging perspective, so we should try to preserve that. If it is possible to decorate the logs lines with the impersonated user name, that would be nice, but not as important as logging the original user.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
isn't it logging both the original and new user?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
from this point on, anything that pulls the user out of the context will get the impersonated user
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was talking about the logs that the go http server emits to stdout and go into /var/log/kube-apiserver.log
on a typical kubernetes cluster. That doesn't use glog
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought that was logging the username here but it is just logging the User-Agent header. So, never mind.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please do httplog.LogOf(req, w).Addf("%v is acting as %v", oldUser, newUser)
to actually associate this message with the request in addition to logging directly here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's nifty… didn't know about that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks good to me, but let lavalamp review too. |
func TestActAsIsForbidden(t *testing.T) { | ||
framework.DeleteAllEtcdKeys() | ||
|
||
// This file has alice and bob in it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What file?
Two things:
|
7469b3a
to
4a98512
Compare
GCE e2e build/test passed for commit 7469b3ad8cc156021c05b9b3a7954d5ad2dfc6cf. |
GCE e2e build/test passed for commit 4a985123d8c39b79ef31a8588091828e72349eb0. |
Apparently "X-" is deprecated for headers. "Act-As" is so terse that I think it is unlikely to ever become a standard for this sort of thing, and doesn't document itself if someone is trying to understand our protocol by looking at the headers. "Impersonation" is sort of a term-of-art, and it is suggestive that the header relates to auth. So, I vote for David's third option, |
Agree. I would change the verb check to "impersonate" as well |
Fine with For your item 2, David, are you suggesting something like this for a service account: actingAsAttributes := &authorizer.AttributesRecord{
User: requestor,
Verb: "act-as",
APIGroup: api.GroupName,
Resource: "serviceAccounts",
ResourceName: serviceAccountName,
ResourceRequest: true,
} And possibly code to verify existence of the service account object in question in the namespace? |
Verb: "act-as", | ||
APIGroup: api.GroupName, | ||
Resource: "users", | ||
// ResourceName: requestedSubject, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I approve the "GetExtra" PR the would you put requestor user.Info.GetExtras["full-username"] or something like that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I approve the "GetExtra" PR the would you put requestor user.Info.GetExtras["full-username"] or something like that?
I think I'd like to namespace the key, but I'm ok with that. Would you prefer that to filling in something more structured on the context itself?
Yes.
I don't know that I'd force existence. I could imagine it being useful to impersonate someone who can't actually log in themselves. |
GCE e2e build/test failed for commit a40dff392f38e3428ae37a3fd57282b0083aeb4c. Please reference the list of currently known flakes when examining this failure. If you request a re-test, you must reference the issue describing the flake. |
GCE e2e build/test passed for commit 11a328b48ecedb70a5d57cdde8b8b8553e041532. |
/cc @cjcullen |
@k8s-bot test this Tests are more than 48 hours old. Re-running tests. |
GCE e2e build/test passed for commit 11a328b48ecedb70a5d57cdde8b8b8553e041532. |
@k8s-bot test this Tests are more than 48 hours old. Re-running tests. |
GCE e2e build/test passed for commit 11a328b48ecedb70a5d57cdde8b8b8553e041532. |
@k8s-bot test this Tests are more than 48 hours old. Re-running tests. |
GCE e2e build/test passed for commit 11a328b48ecedb70a5d57cdde8b8b8553e041532. |
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
GCE e2e build/test passed for commit 11a328b48ecedb70a5d57cdde8b8b8553e041532. |
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
GCE e2e build/test passed for commit 11a328b48ecedb70a5d57cdde8b8b8553e041532. |
GCE e2e build/test passed for commit ac4c545. |
This adds the ability for a user to Act-As another user if he has the ability to verb="impersonate", resource="users", resourceName=
<value of Act-As Header>
.@erictune @kubernetes/kube-iam @liggitt @smarterclayton
I'll need to update the authorizer to handle resource names through the interface, but I don't plan to update the abac policy file.