Fix role ARN comparison for user ID strict check #669
Conversation
Hi @DanielCKennedy. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/test
@nnmin-aws: The
Use In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/test all
/ok-to-test
/retest
1e692cd to 3e365e1
@@ -66,7 +67,8 @@ func (m *DynamicFileMapper) match(token *token.Identity, mappedARN, mappedUserID | |||
// If ARN is provided, ARN must be validated along with UserID. This avoids having to | |||
// support IAM user name/ARN changes. Without preventing this the mapping would look | |||
// invalid but still work and auditing would be difficult/impossible. | |||
if mappedARN != "" && token.ARN != mappedARN { | |||
strippedArn, _ := arn.StripPath(mappedARN) |
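Review bot: the error returned by arn.StripPath(mappedARN) is discarded with `_`, so a malformed mapped ARN would fall through to the strict comparison with whatever strippedArn holds instead of being reported; check the error and reject (or at least log) the mapping before comparing. The comment block above this line still describes the check only in terms of validating the ARN alongside the UserID; since the comparison now runs against a path-stripped ARN, a short note on why the path is removed (assumed-role ARNs carry no path) would keep the comment accurate, which also fits the TODO the reviewer asked for.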
Can you add a // TODO: that says something along the lines of: this should potentially be moved to canonicalize or somehow shared by other mappers because it could fix the path issue but needs to be tested with other mappers first, e.g. in a cluster with existing custom resources for the CRD mapper.
3e365e1 to e91d159
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: DanielCKennedy, nckturner The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@DanielCKennedy: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Fix role ARN comparison for user ID strict check (#669)
What this PR does / why we need it:
Fixes UserID strict ARN comparison for roles by comparing mapped arn against the identity's canonical arn (role representation) rather than the identity's arn (assume role format). Additionally strips the role path off of the dynamic file role mapping for this check since assumed roles don't have path info.
Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #
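The comparison the commit message describes, as an added illustration that is not the authenticator's own arn package: the identity's assumed-role ARN is first canonicalized to its IAM role ARN, the mapped ARN has its path stripped, and only then are the two compared. Function names and the sample ARNs below are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// canonicalRoleARN maps an STS assumed-role ARN to its IAM role ARN, e.g.
// arn:aws:sts::123456789012:assumed-role/MyRole/session -> arn:aws:iam::123456789012:role/MyRole.
// Constructed illustration, not the authenticator's own arn package; other ARNs pass through.
func canonicalRoleARN(identityARN string) (string, error) {
	parts := strings.SplitN(identityARN, ":", 6) // arn:partition:service:region:account:resource
	if len(parts) != 6 || parts[0] != "arn" {
		return "", fmt.Errorf("malformed ARN %q", identityARN)
	}
	partition, service, account, resource := parts[1], parts[2], parts[4], parts[5]
	if service != "sts" || !strings.HasPrefix(resource, "assumed-role/") {
		return identityARN, nil
	}
	fields := strings.Split(resource, "/") // assumed-role/<role-name>/<session-name>
	if len(fields) != 3 || fields[1] == "" {
		return "", fmt.Errorf("malformed assumed-role ARN %q", identityARN)
	}
	return fmt.Sprintf("arn:%s:iam::%s:role/%s", partition, account, fields[1]), nil
}

// stripRolePath drops the IAM path from a role ARN, since assumed-role ARNs
// carry none: arn:aws:iam::123456789012:role/team/MyRole -> .../role/MyRole.
func stripRolePath(roleARN string) (string, error) {
	i := strings.Index(roleARN, ":role/")
	if i < 0 {
		return "", fmt.Errorf("not a role ARN: %q", roleARN)
	}
	rest := roleARN[i+len(":role/"):]
	return roleARN[:i+len(":role/")] + rest[strings.LastIndex(rest, "/")+1:], nil
}

// strictMatch is the corrected check: path-stripped mapped ARN against the identity's
// canonical role ARN rather than its raw assumed-role ARN; malformed ARNs are reported.
func strictMatch(identityARN, mappedARN string) (bool, error) {
	canonical, err := canonicalRoleARN(identityARN)
	if err != nil {
		return false, err
	}
	stripped, err := stripRolePath(mappedARN)
	if err != nil {
		return false, err
	}
	return stripped == canonical, nil
}
```

With a raw string comparison, the sample assumed-role identity and the mapped role with a path never match, which is the failure the PR fixes.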