Remove headers that are unnecessary for proxy target #34076
Conversation
k8s-github-robot
added
size/S
|
@liggitt wasn't this there for a reason? |
|
rephrase - I thought there are use cases where callers are using On Wed, Oct 5, 2016 at 2:06 AM, k8s-ci-robot notifications@github.com
|
|
I think the proxy target should not use authorization token meant to be for API server. |
agree, but we proxy in several places, and I'm not sure this is the right place to remove the header |
|
It's an open question (to me) as to whether there are legitimate use cases for having user creds passed through the proxy to the k8s service -- e.g. the k8s UI/dashboard? It also seems like an open question as to whether there's a security issue in blithely always forwarding these tokens along, which could result in unexpected disclosure of user creds. If it's better security, but a nominally-breaking change, need to work through those impacts? Also @philips fyi in case there's a CoreOS perspective here. Any other vendors who we should also CC? |
|
@liggitt What other places are you talking about? As far as I can tell, this is the entry point for all proxy calls. |
|
@erictune has plans for an impersonation mechanism. I do not think it is reasonable for people to use this in the short term--hopefully no one is. Perhaps we should test the UIs to make sure. |
|
I've tried UI with this change (getting lists of pods, deployments, etc., creating apps, pods, ...). It looks fine. If there is an automated testing or a process to test the whole UI, I am not aware of it, but the UI looks fine to me. |
there are also proxy calls via more broadly, I wonder if the authentication layer should consume the Authorization header (we do that in OpenShift as seen here) |
|
@liggitt Removing authorization header in authentication layer is a good idea, but I think an Authenticator is not a place for it. First we do not expect an authenticator to mutate the request, and second we are chaining authenticators together and if a valid token is passed in header but another authenticator succeeded before we consume it, we will still send a valid token to the proxy target. I've removed it at the end of authentication cycle (if succeeded). Please take another look. |
mbohlool
added
the
priority/important-soon
| @@ -60,6 +60,9 @@ func WithAuthentication(handler http.Handler, mapper api.RequestContextMapper, a | |||
| return | |||
| } | |||
|
|
|||
| // authorization header is not required anymore in case of a successful authorization. | |||
There was a problem hiding this comment.
in case of successful authentication
There was a problem hiding this comment.
also, update function godoc to describe the Authorization header being removed on success
|
LGTM cc @kubernetes/sig-auth |
liggitt
added
release-note-none
|
Jenkins verification failed for commit 5d3a8c7. Full PR test history. The magic incantation to run this job again is |
mbohlool
added
do-not-merge
mbohlool
added
the
lgtm
|
This is in the v1.4 milestone do you need it for 1.4.1? |
|
Automatic merge from submit-queue |
|
Sure, will do. |
jessfraz
added
the
cherry-pick-approved
|
Thanks! On Thu, Oct 6, 2016 at 4:46 PM, mbohlool notifications@github.com wrote:
|
jessfraz
added
release-note
|
Commit found in the "release-1.4" branch appears to be this PR. Removing the "cherrypick-candidate" label. If this is an error find help to get your PR picked. |
…ck-of-#34076-upstream-release-1.4 Automatic merge from submit-queue Automated cherry pick of kubernetes#34076 Cherry pick of kubernetes#34076 on release-1.4. kubernetes#34076: Remove unnecessary authorization headers after authorization
…ck-of-#34076-upstream-release-1.3 Automatic merge from submit-queue Automated cherry pick of kubernetes#34076 Cherry pick of kubernetes#34076 on release-1.3. kubernetes#34076: Remove unnecessary authorization headers after authorization
Some headers like authorization is unnecessary to pass to the proxy target. We should start removing these headers in proxy requests.
This change is