Don't give builds/custom access to system:authenticated by default #11411
Conversation
|
let's reach agreement first in the bz that this is something we want to do in the default policy |
| os::cmd::expect_success_and_text 'oadm policy who-can create builds/source' 'system:authenticated' | ||
| os::cmd::expect_success_and_text 'oadm policy who-can create builds/jenkinspipeline' 'system:authenticated' | ||
| # if this method for removing access to docker/custom/source/jenkinspipeline builds changes, docs need to be updated as well | ||
| os::cmd::expect_success 'oadm policy remove-cluster-role-from-group system:build-strategy-custom system:authenticated' | ||
| os::cmd::expect_failure 'oadm policy remove-cluster-role-from-group system:build-strategy-custom system:authenticated' |
There was a problem hiding this comment.
reverse this test and update the one below: add the role and test os::cmd::expect_success_and_text 'oadm policy who-can create builds/custom' 'system:authenticated'
|
Need to fix up TestPolicyBasedRestrictionOfBuildConfigCreateAndInstantiateByStrategy |
|
@liggitt Thanks for checking in on me though, I appreciate it! |
| os::cmd::expect_success_and_text 'oadm policy who-can create builds/docker' 'system:authenticated' | ||
| os::cmd::expect_success_and_text 'oadm policy who-can create builds/custom' 'system:authenticated' |
There was a problem hiding this comment.
Custom builds are no longer like any of the other build types, the comments over the blocks of tests no longer apply. Group the custom build tests together and comment them separately
| @@ -23,7 +35,7 @@ func TestPolicyBasedRestrictionOfBuildCreateAndCloneByStrategy(t *testing.T) { | |||
| builds := map[string]*buildapi.Build{} | |||
|
|
|||
| // Create builds to setup test | |||
| for _, strategy := range buildStrategyTypes() { | |||
| for _, strategy := range buildStrategyTypesDefault() { | |||
There was a problem hiding this comment.
I'd rather keep trying to create all types and ensure an error is returned for build types not granted by default (applies to all of these tests)
There was a problem hiding this comment.
I think you could just add a couple things to the beginning of the original test and keep the remainder of the file unmodified:
New: ensure restricted types fail, unrestricted types succeed
New: Grant restricted
… continue with original test case:
Ensure all types succeed
Remove permissions
Ensure all types fail
| @@ -127,8 +139,43 @@ func TestPolicyBasedRestrictionOfBuildConfigCreateAndInstantiateByStrategy(t *te | |||
| } | |||
| } | |||
|
|
|||
| func buildStrategyTypes() []string { | |||
| return []string{"source", "docker", "custom", "jenkinspipeline"} | |||
There was a problem hiding this comment.
I don't think this test is needed if you add the restricted/allowed check to the beginning of the previous test
There was a problem hiding this comment.
I think this comment referred to the test that I removed, but ended up on the wrong line somehow?
| @@ -201,14 +248,14 @@ func setupBuildStrategyTest(t *testing.T, includeControllers bool) (clusterAdmin | |||
|
|
|||
| func removeBuildStrategyRoleResources(t *testing.T, clusterAdminClient, projectAdminClient, projectEditorClient *client.Client) { | |||
| // remove resources from role so that certain build strategies are forbidden | |||
| for _, role := range []string{bootstrappolicy.BuildStrategyCustomRoleName, bootstrappolicy.BuildStrategyDockerRoleName, bootstrappolicy.BuildStrategySourceRoleName, bootstrappolicy.BuildStrategyJenkinsPipelineRoleName} { | |||
There was a problem hiding this comment.
Shouldn't need to change this
| RoleBindingAccessor: clusterRoleBindingAccessor, | ||
| Subjects: subjects, | ||
| } | ||
| options.AddRole() |
There was a problem hiding this comment.
Need to wait for role change to become effective (see other integration tests for example)
There was a problem hiding this comment.
This is corrected in the line below, not sure why this isn't marked as outdated now.
|
@liggitt The requested updates have been made, and the tests are still passing, please review |
| os::cmd::expect_success 'oadm policy remove-cluster-role-from-group system:build-strategy-docker system:authenticated' | ||
| os::cmd::expect_success 'oadm policy remove-cluster-role-from-group system:build-strategy-source system:authenticated' | ||
| os::cmd::expect_success 'oadm policy remove-cluster-role-from-group system:build-strategy-jenkinspipeline system:authenticated' | ||
| # ensure build strategy permissions no longer exist | ||
| os::cmd::try_until_failure 'oadm policy who-can create builds/source | grep system:authenticated' | ||
| os::cmd::expect_success_and_not_text 'oadm policy who-can create builds/docker' 'system:authenticated' | ||
| os::cmd::expect_success_and_not_text 'oadm policy who-can create builds/custom' 'system:authenticated' | ||
| os::cmd::expect_success_and_not_text 'oadm policy who-can create builds/source' 'system:authenticated' | ||
| os::cmd::expect_success_and_not_text 'oadm policy who-can create builds/jenkinspipeline' 'system:authenticated' | ||
| os::cmd::expect_success 'oadm policy reconcile-cluster-role-bindings --confirm' |
There was a problem hiding this comment.
move this line after the custom build test block
| @@ -61,6 +62,30 @@ func TestSimpleImageChangeBuildTriggerFromImageStreamTagDockerWithConfigChange(t | |||
| func TestSimpleImageChangeBuildTriggerFromImageStreamTagCustom(t *testing.T) { | |||
| defer testutil.DumpEtcdOnFailure(t) | |||
| projectAdminClient := setup(t) | |||
|
|
|||
| clusterAdminClient, err := testutil.GetClusterAdminClient(testutil.GetBaseDir() + "/openshift.local.config/master/admin.kubeconfig") | |||
There was a problem hiding this comment.
don't hard-code relative paths like this, change setup() to also return the clusterAdminClient
| var err error | ||
| builds[string(strategy)+clientType], err = createBuild(t, client.Builds(testutil.Namespace()), strategy) | ||
| _, restricted := restrictedStrategies[strategy] | ||
| if err != nil && !restricted { |
There was a problem hiding this comment.
check specifically for a forbidden error (kapierrors.IsForbidden(err))
|
LGTM once jenkins is green |
|
[test] |
|
Possibly due to flake #11661 |
Updated bootstrap policy to not grant builds/custom privs for system:authenticated users by default Permissions can still be granted by an administrator if needed
|
Evaluated for origin test up to 206991f |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/10915/) (Base Commit: df195a9) |
|
@liggitt tests have passed, please merge |
|
LGTM, [merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/10915/) (Image: devenv-rhel7_5291) |
|
Evaluated for origin merge up to 206991f |
Updated bootstrap policy to not grant builds/custom privs for system:authenticated users by default
Permissions can still be granted by an administrator if needed
Fixes bug 1380462 - https://bugzilla.redhat.com/show_bug.cgi?id=1380462