add act-as powers #23549
add act-as powers #23549
Conversation
k8s-github-robot
added
the
size/L
|
GCE e2e build/test failed for commit dc718777fad2ea724d839eee85899485a06b46ed. Please reference the list of currently known flakes when examining this failure. If you request a re-test, you must reference the issue describing the flake. |
|
GCE e2e build/test passed for commit 85844c419933c4a507225d52bfa542f8922685e1. |
| newCtx, _ := requestContextMapper.Get(req) | ||
| oldUser, _ := api.UserFrom(ctx) | ||
| newUser, _ := api.UserFrom(newCtx) | ||
| glog.V(3).Infof("%v is acting as %v on %v", oldUser, newUser, req.URL) |
There was a problem hiding this comment.
Is this request going to go into the HTTP log as the original or the impersonated user? I think the original user is more useful from a debugging and audit logging perspective, so we should try to preserve that. If it is possible to decorate the logs lines with the impersonated user name, that would be nice, but not as important as logging the original user.
There was a problem hiding this comment.
isn't it logging both the original and new user?
There was a problem hiding this comment.
from this point on, anything that pulls the user out of the context will get the impersonated user
There was a problem hiding this comment.
I was talking about the logs that the go http server emits to stdout and go into /var/log/kube-apiserver.log on a typical kubernetes cluster. That doesn't use glog.
There was a problem hiding this comment.
I thought that was logging the username here but it is just logging the User-Agent header. So, never mind.
There was a problem hiding this comment.
Please do httplog.LogOf(req, w).Addf("%v is acting as %v", oldUser, newUser) to actually associate this message with the request in addition to logging directly here.
There was a problem hiding this comment.
That's nifty… didn't know about that
There was a problem hiding this comment.
|
looks good to me, but let lavalamp review too. |
| func TestActAsIsForbidden(t *testing.T) { | ||
| framework.DeleteAllEtcdKeys() | ||
|
|
||
| // This file has alice and bob in it. |
|
Two things:
|
deads2k
force-pushed
the
acting-as
branch
2 times, most recently
from
7469b3a to
4a98512
Compare
|
GCE e2e build/test passed for commit 7469b3ad8cc156021c05b9b3a7954d5ad2dfc6cf. |
|
GCE e2e build/test passed for commit 4a985123d8c39b79ef31a8588091828e72349eb0. |
k8s-github-robot
added
the
needs-rebase
|
Apparently "X-" is deprecated for headers. "Act-As" is so terse that I think it is unlikely to ever become a standard for this sort of thing, and doesn't document itself if someone is trying to understand our protocol by looking at the headers. "Impersonation" is sort of a term-of-art, and it is suggestive that the header relates to auth. So, I vote for David's third option, |
|
Agree. I would change the verb check to "impersonate" as well |
|
Fine with For your item 2, David, are you suggesting something like this for a service account: actingAsAttributes := &authorizer.AttributesRecord{
User: requestor,
Verb: "act-as",
APIGroup: api.GroupName,
Resource: "serviceAccounts",
ResourceName: serviceAccountName,
ResourceRequest: true,
}And possibly code to verify existence of the service account object in question in the namespace? |
| Verb: "act-as", | ||
| APIGroup: api.GroupName, | ||
| Resource: "users", | ||
| // ResourceName: requestedSubject, |
There was a problem hiding this comment.
If I approve the "GetExtra" PR the would you put requestor user.Info.GetExtras["full-username"] or something like that?
There was a problem hiding this comment.
If I approve the "GetExtra" PR the would you put requestor user.Info.GetExtras["full-username"] or something like that?
I think I'd like to namespace the key, but I'm ok with that. Would you prefer that to filling in something more structured on the context itself?
Yes.
I don't know that I'd force existence. I could imagine it being useful to impersonate someone who can't actually log in themselves. |
k8s-github-robot
removed
the
needs-rebase
|
GCE e2e build/test failed for commit a40dff392f38e3428ae37a3fd57282b0083aeb4c. Please reference the list of currently known flakes when examining this failure. If you request a re-test, you must reference the issue describing the flake. |
k8s-github-robot
removed
the
lgtm
deads2k
added
the
lgtm
deads2k
added
lgtm
|
GCE e2e build/test passed for commit 11a328b48ecedb70a5d57cdde8b8b8553e041532. |
|
/cc @cjcullen |
|
@k8s-bot test this Tests are more than 48 hours old. Re-running tests. |
|
GCE e2e build/test passed for commit 11a328b48ecedb70a5d57cdde8b8b8553e041532. |
|
@k8s-bot test this Tests are more than 48 hours old. Re-running tests. |
|
GCE e2e build/test passed for commit 11a328b48ecedb70a5d57cdde8b8b8553e041532. |
|
@k8s-bot test this Tests are more than 48 hours old. Re-running tests. |
|
GCE e2e build/test passed for commit 11a328b48ecedb70a5d57cdde8b8b8553e041532. |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
GCE e2e build/test passed for commit 11a328b48ecedb70a5d57cdde8b8b8553e041532. |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
GCE e2e build/test passed for commit 11a328b48ecedb70a5d57cdde8b8b8553e041532. |
deads2k
added
lgtm
|
GCE e2e build/test passed for commit ac4c545. |
|
This change is |
This adds the ability for a user to Act-As another user if he has the ability to verb="impersonate", resource="users", resourceName=
<value of Act-As Header>.@erictune @kubernetes/kube-iam @liggitt @smarterclayton
I'll need to update the authorizer to handle resource names through the interface, but I don't plan to update the abac policy file.