VW: Fix permission checking in root
#1686
Conversation
sttts
force-pushed
the
fix-root-vw-permissions
branch
from
e76d851 to
e8acb00
Compare
| @@ -36,6 +40,19 @@ const ( | |||
| func clusterRoleBindings() []rbacv1.ClusterRoleBinding { | |||
| return []rbacv1.ClusterRoleBinding{ | |||
| clusterRoleBindingCustomName(rbacv1helpers.NewClusterBinding("cluster-admin").Groups(SystemKcpClusterWorkspaceAdminGroup, SystemKcpAdminGroup).BindingOrDie(), "system:kcp:clusterworkspace:admin"), | |||
| clusterRoleBindingCustomName(rbacv1helpers.NewClusterBinding("system:kcp:tenancy:reader").Groups(SystemKcpClusterWorkspaceAccessGroup).BindingOrDie(), "system:kcp:clusterworkspace:access"), | |||
There was a problem hiding this comment.
so this is saying, system:kcp:clusterworkspace:access group will be assigned to system:kcp:tenancy:reader role, which allows list/watch on clusterworkspaces/workspace
There was a problem hiding this comment.
which users are assigned to system:kcp:clusterworkspace:access group?
There was a problem hiding this comment.
| { | ||
| ObjectMeta: metav1.ObjectMeta{Name: "system:kcp:tenancy:reader"}, | ||
| Rules: []rbacv1.PolicyRule{ | ||
| rbacv1helpers.NewRule("list", "watch").Groups(tenancy.GroupName).Resources("clusterworkspaces/workspace").RuleOrDie(), // "get" is by workspace name through workspace VW |
There was a problem hiding this comment.
what does list mean in this context? (clusterworkspaces/workspace)
| subjects: | ||
| - apiGroup: rbac.authorization.k8s.io | ||
| kind: Group | ||
| name: system:authenticated |
There was a problem hiding this comment.
I think a user can be system:authenticated but not in SystemKcpClusterWorkspaceAccessGroup
There was a problem hiding this comment.
that's intentional. That's one of the batteries in #1688. In a real service this binding might not make sense. But for demo and development it does.
sttts
force-pushed
the
fix-root-vw-permissions
branch
2 times, most recently
from
5a41438 to
66f688a
Compare
|
/lgtm |
sttts
force-pushed
the
fix-root-vw-permissions
branch
from
66f688a to
e0cde97
Compare
|
/approve |
openshift-ci
bot
added
the
approved
|
/cherry-pick release-0.8 |
|
@sttts: once the present PR merges, I will cherry-pick it on top of release-0.8 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ncdc, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/cherry-pick release-0.7 |
|
@sttts: once the present PR merges, I will cherry-pick it on top of release-0.7 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@sttts: cannot checkout In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@sttts: new pull request created: #1691 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Summary
We should only skip permission checking in the
rootworkspace for thelistverb, so that any user can always list the workspaces he hasaccessto and canget.Related issue(s)
No issues