-
Notifications
You must be signed in to change notification settings - Fork 40k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add missing UID in SubjectAccessReviewSpec #49677
Add missing UID in SubjectAccessReviewSpec #49677
Conversation
8430aed
to
8d94f4d
Compare
8d94f4d
to
54e4880
Compare
54e4880
to
9821d49
Compare
9821d49
to
c8f3420
Compare
/cc @kubernetes/sig-auth-pr-reviews |
/approve |
@@ -144,6 +144,7 @@ func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (authorized bo | |||
if user := attr.GetUser(); user != nil { | |||
r.Spec = authorization.SubjectAccessReviewSpec{ | |||
User: user.GetName(), | |||
UID: user.GetUID(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
a corresponding change in sarApprover.authorize and the CSR API propagating the uid would make sense to me
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dims want to take that in this PR? If not i can send one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed a few more spots. Will wait for the CI to run to see if the changes hold up
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ericchiang i found the "sarApprover.authorize" but not sure if i have covered all the cases, please see latest patch.
c8f3420
to
beb83f6
Compare
ef4ea5a
to
5835a10
Compare
cc @cjcullen for a new field sent to the authz webhook |
/assign @smarterclayton |
/unassign |
@k8s-bot test this Tests are more than 96 hours old. Re-running tests. |
/retest |
d412fad
to
ca8696f
Compare
WebhookAuthorizer's Authorize should send *all* the information present in the user.Info data structure. We are not sending the UID currently.
ca8696f
to
9a761b1
Compare
/retest |
2 similar comments
/retest |
/retest |
/assign @thockin |
/lgtm |
/approve This is relevant info and is important. It was not omitted intentionally. @dims are there other endpoints that need this like external web hooks? |
/approve no-issue |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, dims, liggitt, smarterclayton Associated issue requirement bypassed by: smarterclayton The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
@smarterclayton : thanks a ton. I will review more to see where else we are missing UID. i was focused on SubjectAccessReview, but will widen the net. |
Automatic merge from submit-queue (batch tested with PRs 50103, 49677, 49449, 43586, 48969) |
What this PR does / why we need it:
WebhookAuthorizer's Authorize should send all the information
present in the user.Info data structure. We are not sending the
UID currently.
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close that issue when PR gets merged): fixes #Special notes for your reviewer:
Release note: