Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add missing UID in SubjectAccessReviewSpec #49677

Conversation

dims
Copy link
Member

@dims dims commented Jul 27, 2017

What this PR does / why we need it:
WebhookAuthorizer's Authorize should send all the information
present in the user.Info data structure. We are not sending the
UID currently.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #

Special notes for your reviewer:

Release note:

The SubjectAccessReview API in the authorization.k8s.io API group now allows providing the user uid.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jul 27, 2017
@k8s-github-robot k8s-github-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. release-note-label-needed release-note-none Denotes a PR that doesn't merit a release note. and removed release-note-label-needed labels Jul 27, 2017
@dims dims force-pushed the send-missing-uid-field-during-webhook-authorize branch from 8430aed to 8d94f4d Compare July 27, 2017 03:37
@k8s-github-robot k8s-github-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jul 27, 2017
@dims dims force-pushed the send-missing-uid-field-during-webhook-authorize branch from 8d94f4d to 54e4880 Compare July 27, 2017 03:49
@k8s-github-robot k8s-github-robot added kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 27, 2017
@dims dims force-pushed the send-missing-uid-field-during-webhook-authorize branch from 54e4880 to 9821d49 Compare July 27, 2017 04:05
@k8s-github-robot k8s-github-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jul 27, 2017
@dims dims force-pushed the send-missing-uid-field-during-webhook-authorize branch from 9821d49 to c8f3420 Compare July 27, 2017 11:47
@k8s-github-robot k8s-github-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jul 27, 2017
@ericchiang
Copy link
Contributor

/cc @kubernetes/sig-auth-pr-reviews

@k8s-ci-robot k8s-ci-robot added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Jul 27, 2017
@deads2k
Copy link
Contributor

deads2k commented Jul 27, 2017

/approve

@@ -144,6 +144,7 @@ func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (authorized bo
if user := attr.GetUser(); user != nil {
r.Spec = authorization.SubjectAccessReviewSpec{
User: user.GetName(),
UID: user.GetUID(),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a corresponding change in sarApprover.authorize and the CSR API propagating the uid would make sense to me

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dims want to take that in this PR? If not i can send one.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed a few more spots. Will wait for the CI to run to see if the changes hold up

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ericchiang i found the "sarApprover.authorize" but not sure if i have covered all the cases, please see latest patch.

@dims dims force-pushed the send-missing-uid-field-during-webhook-authorize branch from c8f3420 to beb83f6 Compare July 27, 2017 17:16
@dims dims changed the title WIP : Add missing UID in SubjectAccessReviewSpec Add missing UID in SubjectAccessReviewSpec Jul 27, 2017
@dims dims force-pushed the send-missing-uid-field-during-webhook-authorize branch 2 times, most recently from ef4ea5a to 5835a10 Compare July 27, 2017 17:29
@wojtek-t wojtek-t assigned liggitt and unassigned wojtek-t Jul 27, 2017
@liggitt
Copy link
Member

liggitt commented Jul 28, 2017

cc @cjcullen for a new field sent to the authz webhook

@dims
Copy link
Member Author

dims commented Jul 28, 2017

/assign @smarterclayton

@ncdc
Copy link
Member

ncdc commented Jul 31, 2017

/unassign

@k8s-github-robot
Copy link

@k8s-bot test this

Tests are more than 96 hours old. Re-running tests.

@dims
Copy link
Member Author

dims commented Aug 2, 2017

/retest

@dims dims force-pushed the send-missing-uid-field-during-webhook-authorize branch from d412fad to ca8696f Compare August 2, 2017 09:50
@k8s-github-robot k8s-github-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Aug 2, 2017
WebhookAuthorizer's Authorize should send *all* the information
present in the user.Info data structure. We are not sending the
UID currently.
@dims dims force-pushed the send-missing-uid-field-during-webhook-authorize branch from ca8696f to 9a761b1 Compare August 2, 2017 14:52
@k8s-github-robot k8s-github-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 2, 2017
@dims
Copy link
Member Author

dims commented Aug 2, 2017

/retest

2 similar comments
@dims
Copy link
Member Author

dims commented Aug 2, 2017

/retest

@dims
Copy link
Member Author

dims commented Aug 2, 2017

/retest

@dims
Copy link
Member Author

dims commented Aug 2, 2017

/assign @thockin
Can you please help with a review from the API perspective? This one is caught in the rebase+hack/update-all.sh+retest hell

@liggitt
Copy link
Member

liggitt commented Aug 3, 2017

/lgtm
Needs approval

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 3, 2017
@smarterclayton
Copy link
Contributor

/approve

This is relevant info and is important. It was not omitted intentionally.

@dims are there other endpoints that need this like external web hooks?

@smarterclayton
Copy link
Contributor

/approve no-issue

@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, dims, liggitt, smarterclayton

Associated issue requirement bypassed by: smarterclayton

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 3, 2017
@dims
Copy link
Member Author

dims commented Aug 3, 2017

@smarterclayton : thanks a ton. I will review more to see where else we are missing UID. i was focused on SubjectAccessReview, but will widen the net.

@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 50103, 49677, 49449, 43586, 48969)

@k8s-github-robot k8s-github-robot merged commit 40d66b8 into kubernetes:master Aug 3, 2017
@dims dims deleted the send-missing-uid-field-during-webhook-authorize branch November 16, 2017 22:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants