-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
allow users list their own access tokens #24
allow users list their own access tokens #24
Conversation
d1c33f8
to
1e2c154
Compare
19109e0
to
b34f6eb
Compare
ab1916b
to
89cfe78
Compare
pkg/oauth/apiserver/registry/personaltokens/delegate/delegate.go
Outdated
Show resolved
Hide resolved
pkg/oauth/apiserver/registry/personaltokens/delegate/delegate.go
Outdated
Show resolved
Hide resolved
pkg/oauth/apiserver/registry/personaltokens/delegate/delegate.go
Outdated
Show resolved
Hide resolved
pkg/oauth/apiserver/registry/personaltokens/delegate/delegate.go
Outdated
Show resolved
Hide resolved
pkg/oauth/apiserver/registry/personaltokens/delegate/delegate.go
Outdated
Show resolved
Hide resolved
pkg/oauth/apiserver/registry/personaltokens/delegate/delegate.go
Outdated
Show resolved
Hide resolved
created, | ||
expires, | ||
personalAccessToken.RedirectURI, | ||
strings.Join(personalAccessToken.Scopes, ","), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Anandnatraj these are the columns with oc.
eac485d
to
5445619
Compare
/retest |
Addressed all comments. The PR now depends on openshift/api#774 (aside from the enhancement merging) |
5445619
to
4e2abf8
Compare
name: "set label selector to get own tokens and of others", | ||
userToken: mirkaTokenString, | ||
userName: "mirka", | ||
labelSelector: parseLabelSelectorOrDie("randomLabel notin (mirka,franta)"), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
would add the simple case too: userName == somebody else.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
there's a fieldSelector like this, but I'll add a label to one of the basic tokens above and will attempt to list it, too
pkg/oauth/apiserver/registry/useroauthaccesstokens/delegate/delegate.go
Outdated
Show resolved
Hide resolved
|
||
tokenListGenericObj, err := r.accessTokenStorage.List(ctx, sanitizedListOpts) | ||
if err != nil { | ||
return nil, err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should we mask the err ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should be fine with the error as is
|
||
tokenList, ok := tokenListGenericObj.(*oauthapi.OAuthAccessTokenList) | ||
if !ok { | ||
return nil, errors.NewInternalError(fmt.Errorf("failed to convert generic accesstoken LIST result to its typed version")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could we be more specific and log the underlying type for tokenListGenericObj
and OAuthAccessTokenList
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This error gets propagated to the user, does it not? I think it might be confusing when they see a mention of a different type from what they requested
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When the conversion can fail? Can it only happen when the wiring is wrong?
In that case, I would prefer to see a very clear and specific error so that I can debug it.
pkg/oauth/apiserver/registry/useroauthaccesstokens/delegate/delegate.go
Outdated
Show resolved
Hide resolved
pkg/oauth/apiserver/registry/useroauthaccesstokens/delegate/proxywatcher.go
Show resolved
Hide resolved
pkg/oauth/apiserver/registry/useroauthaccesstokens/delegate/proxywatcher.go
Outdated
Show resolved
Hide resolved
pkg/oauth/apiserver/registry/useroauthaccesstokens/delegate/proxywatcher.go
Outdated
Show resolved
Hide resolved
pkg/oauth/apiserver/registry/useroauthaccesstokens/delegate/delegate.go
Outdated
Show resolved
Hide resolved
pkg/oauth/apiserver/registry/useroauthaccesstokens/delegate/delegate.go
Outdated
Show resolved
Hide resolved
pkg/oauth/apiserver/registry/useroauthaccesstokens/delegate/delegate.go
Outdated
Show resolved
Hide resolved
168d24c
to
801262c
Compare
801262c
to
7e86c0e
Compare
/retest |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: stlaz, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
The component tests are currently failing because openshift/cluster-authentication-operator#381 hasn't merged yet edit: and it won't because we test our default RBAC policies... (I did not realize that) |
/retest Please review the full test history for this PR and help us cut down flakes. |
/hold |
/retest |
we still need openshift/cluster-authentication-operator#381 for the tests to pass :/ |
/hold cancel |
/retest |
Adds an endpoint that mirrors the oauthaccesstokens that only belong to the requesting user. The new endpoint allows these operations:
cc @deads2k @sttts
enhancement ref: openshift/enhancements#507