Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check pull access when tagging imagestreams #10109

Merged
merged 1 commit into from
Aug 2, 2016
Merged

Check pull access when tagging imagestreams #10109

merged 1 commit into from
Aug 2, 2016

Conversation

liggitt
Copy link
Contributor

@liggitt liggitt commented Jul 29, 2016
edited
Loading

When tagging across namespaces, a user must have pull permission on the source image stream. This means they need get access on the imagestreams/layers resource in the source namespace. The admin, edit, and system:image-puller roles all grant this permission.

@liggitt
Copy link
Contributor Author

liggitt commented Jul 29, 2016

@smarterclayton, shouldn't we be checking pull access for an image stream layer, not just view access on the image stream object?

@deads2k for scoped usage

@smarterclayton
Copy link
Contributor

smarterclayton commented Jul 30, 2016 via email

@liggitt
Copy link
Contributor Author

liggitt commented Jul 30, 2016

imagestreams/layers is what the registry checks before letting you pull that image stream

@liggitt
Copy link
Contributor Author

liggitt commented Jul 30, 2016

[test]

@smarterclayton
Copy link
Contributor

Hope this doesn't break too many people. Release note please?

@smarterclayton
Copy link
Contributor

Agree with change (logically tag and pull/push are identical permissions), is there an easy test case to add?

Does this have any implications for third party clients?

@smarterclayton
Copy link
Contributor

smarterclayton commented Jul 31, 2016 via email

@liggitt
Copy link
Contributor Author

liggitt commented Jul 31, 2016

Hope this doesn't break too many people. Release note please?

The only role we have that allows someone to get imagestreams but not pull is the view role. Remind me where we're collecting release notes again?

Deployments can tag images in their hook so the deployer SA needs this permission.

This check is only done when tagging from another namespace... no deployer SA will ever automatically have a permission in another namespace.

deads2k
deads2k reviewed Aug 1, 2016
View reviewed changes
pkg/image/registry/imagestream/strategy.go
@@ -433,19 +432,18 @@ func (v *TagVerifier) Verify(old, stream *api.ImageStream, user user.Info) field
continue
}

subjectAccessReview := authorizationapi.SubjectAccessReview{
// Make sure this user can pull the specified image before allowing them to tag it into another imagestream
subjectAccessReview := authorizationapi.AddUserToSAR(user, &authorizationapi.SubjectAccessReview{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AddUserToSAR usage is correct.

@stevekuznetsov
Copy link
Contributor

re[test]

@openshift-bot
Copy link
Contributor

Evaluated for origin test up to 8115614

@openshift-bot
Copy link
Contributor

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7350/)

@liggitt
Copy link
Contributor Author

liggitt commented Aug 2, 2016

[merge]

@openshift-bot
Copy link
Contributor

Evaluated for origin merge up to 8115614

@openshift-bot
Copy link
Contributor

openshift-bot commented Aug 2, 2016
edited
Loading

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7350/) (Image: devenv-rhel7_4724)

@openshift-bot openshift-bot merged commit ea16ac6 into openshift:master Aug 2, 2016
@liggitt liggitt mentioned this pull request Aug 2, 2016
Closed
@liggitt liggitt deleted the imagestreamtag branch August 3, 2016 03:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@liggitt @smarterclayton @stevekuznetsov @openshift-bot @deads2k