🐛 Fix double identities for wildcard requests from APIExport virtual workspace #2306
Conversation
|
/hold |
openshift-ci
bot
added
the
do-not-merge/hold
ncdc
force-pushed
the
fix-double-identities
branch
from
61d279e to
9205f31
Compare
|
/unhold |
openshift-ci
bot
removed
the
do-not-merge/hold
|
Wait. |
|
No decorateWildcardPathsWithResourceIdentities client should be used to forward requests from a VW. /hold |
openshift-ci
bot
added
the
do-not-merge/hold
ncdc
force-pushed
the
fix-double-identities
branch
from
9205f31 to
bb3c15a
Compare
|
Updated to change the VW server to use a "clean" client that doesn't inject identities. Had to reimplement similar logic in the initializing workspaces vw. PTAL. Happy to adjust as needed. |
| // It's possible the incoming request already has an identity specified. Make sure we exclude that when | ||
| // determining the resource in question. | ||
| parts := strings.SplitN(comps[5], ":", 2) | ||
| if len(parts) == 0 { |
There was a problem hiding this comment.
Probably not, but can't hurt to have the code here?
ncdc
force-pushed
the
fix-double-identities
branch
from
bb3c15a to
7916b6d
Compare
openshift-merge-robot
added
the
needs-rebase
Signed-off-by: Andy Goldstein <andy.goldstein@redhat.com>
ncdc
force-pushed
the
fix-double-identities
branch
from
7916b6d to
635489a
Compare
openshift-merge-robot
removed
the
needs-rebase
1. Look up the root:tenancy.kcp.dev APIExport identity and use that when forwarding requests for clusterworkspaces from the initializingworkspaces service to kcp. 2. Fix security issue that exposed all workspaces regardless of phase and initializer for GET/UPDATE for a single clusterworkspace Signed-off-by: Andy Goldstein <andy.goldstein@redhat.com>
ncdc
force-pushed
the
fix-double-identities
branch
from
635489a to
1f9ce1b
Compare
|
/unhold |
openshift-ci
bot
removed
the
do-not-merge/hold
| factory, listFactory, destroyer, | ||
| strategy, tableConvertor, | ||
| resource, apiExportIdentityHash, categories, | ||
| dynamicClusterClient, []string{}, *patchConflictRetryBackoff, ctx.Done(), | ||
| ) | ||
| store := wrapper(resource.GroupResource(), delegate) | ||
| if wrapper != nil { |
There was a problem hiding this comment.
You have an inherent nil check in the implementation of Decorate() - do we need it here?
| func(_ schema.GroupResource, store *forwardingregistry.StoreFuncs) *forwardingregistry.StoreFuncs { | ||
| return store | ||
| }) | ||
| forwardingregistry.StorageWrapperFunc(func(_ schema.GroupResource, store *forwardingregistry.StoreFuncs) { |
There was a problem hiding this comment.
You have an inherent nil check - can we just omit this?
There was a problem hiding this comment.
If we keep the nil check in NewStorage, yes
| // We are explicitly setting forceAllowCreate to false in the call to the underlying storage because | ||
| // subresources should never allow create on update. | ||
| return delegateUpdate(ctx, name, objInfo, createValidation, updateValidation, false, options) | ||
| } | ||
| statusStore := wrapper(resource.GroupResource(), statusDelegate) | ||
| if wrapper != nil { |
There was a problem hiding this comment.
You have an inherent nil check in the implementation of Decorate() - do we need it here?
There was a problem hiding this comment.
I would keep it - you never know if some other implementation omits the nil check.
| ctx, | ||
| resource, | ||
| "", // ClusterWorkspaces have no identity |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: stevekuznetsov The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
Summary
Fix a bug where wildcard requests coming from the APIExport virtual workspace for "built-in" kcp types (e.g. ClusterWorkspaceTypes) had the identity set by the virtual workspace, then set a second time by
decorateWildcardPathsWithResourceIdentities.Related issue(s)
Fixes #2184
Fixes #2308
Incorporates & supersedes #2245