Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add authorizers in virtual workspaces #1186

Merged
merged 5 commits into from
Jun 2, 2022
Merged

Add authorizers in virtual workspaces #1186

merged 5 commits into from
Jun 2, 2022

Conversation

davidfestal
Copy link
Member

Summary

Add authorizers in virtual workspaces

Related issue(s)

This is a pre-requisite for issues #1172 and #1151

@davidfestal
virtual: Avoid error logs for /readz requests
52fd3af 
Signed-off-by: David Festal <dfestal@redhat.com>
@davidfestal
Update virtual workspace VSCode debug configuration
613a8b7 
Signed-off-by: David Festal <dfestal@redhat.com>
@davidfestal
virtual: new authorizer delegating to the right virtual workspace
efecf42 
Signed-off-by: David Festal <dfestal@redhat.com>
@davidfestal
virtual: Wire the authorizer in both the standalone and embedded cases
66cc1dc 
Signed-off-by: David Festal <dfestal@redhat.com>
@davidfestal davidfestal force-pushed the authorizers-in-virtual-workspaces branch from a55eed7 to 66cc1dc Compare June 1, 2022 17:28
shawn-hurley
shawn-hurley approved these changes Jun 1, 2022
View reviewed changes
Copy link

@shawn-hurley shawn-hurley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the default for the authorizers should be NoOpinion if not set.

This might break some things that rely on this, I wonder if that is worth the price to pay?

pkg/virtual/framework/dynamic/types.go Outdated
if vw.Authorizer != nil {
return vw.Authorizer(ctx, a)
}
return authorizer.DecisionAllow, "", nil
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be NoOpinion?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So to avoid breaking anything we'd add an explicit AllowEverything authorizers in all the virtual workspace instances ?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At least to make it clear that there's still work to be done ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can break non-authorized tests (and ppl working without today). That's totally fine.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also a vw without authorizer should forbid every request.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed in cf98b01

@davidfestal davidfestal requested a review from sttts June 1, 2022 17:49
@davidfestal
Do not allow virtual workspaces by default...
cf98b01 
... when no autorizer is defined.

Signed-off-by: David Festal <dfestal@redhat.com>
@davidfestal davidfestal merged commit 64c9b48 into kcp-dev:main Jun 2, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sttts sttts sttts approved these changes

@shawn-hurley shawn-hurley shawn-hurley approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@davidfestal @sttts @shawn-hurley