Controller should check authorization for /debug/pprof #12907
Conversation
smarterclayton
force-pushed
the
split_handlers
branch
from
c0e66f9 to
b8c776b
Compare
|
[test] |
|
Still need to make the change to have a short-circuit authorizer for /healthz (which always needs to be unauthenticated). |
| if len(review.Action.Path) == 0 { | ||
| allErrs = append(allErrs, field.Required(field.NewPath("path"), "")) | ||
| } | ||
| if len(review.Action.Resource) != 0 { |
There was a problem hiding this comment.
disallow all the resource-related fields (namespace, group, resource, resourcename) for non-resource urls
| @@ -48,7 +55,14 @@ func ValidateResourceAccessReview(review *authorizationapi.ResourceAccessReview) | |||
| if len(review.Action.Verb) == 0 { | |||
| allErrs = append(allErrs, field.Required(field.NewPath("verb"), "")) | |||
| } | |||
| if len(review.Action.Resource) == 0 { | |||
| if review.Action.IsNonResourceURL { | |||
There was a problem hiding this comment.
heh, that makes ResourceAccessReview slightly nonsensical. oh well
| if len(review.Action.Path) == 0 { | ||
| allErrs = append(allErrs, field.Required(field.NewPath("path"), "")) | ||
| } | ||
| if len(review.Action.Resource) != 0 { |
There was a problem hiding this comment.
prevent all resource-related attributes
| if len(review.Action.Path) == 0 { | ||
| allErrs = append(allErrs, field.Required(field.NewPath("path"), "")) | ||
| } | ||
| if len(review.Action.Resource) != 0 { |
There was a problem hiding this comment.
prevent all resource-related attributes
| if len(review.Action.Path) == 0 { | ||
| allErrs = append(allErrs, field.Required(field.NewPath("path"), "")) | ||
| } | ||
| if len(review.Action.Resource) != 0 { |
There was a problem hiding this comment.
prevent all resource-related attributes
| return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { | ||
| user, ok, err := authenticator.AuthenticateRequest(req) | ||
| if err != nil || !ok { | ||
| http.Error(w, "Unauthorized", http.StatusUnauthorized) |
There was a problem hiding this comment.
huh, hope everyone deals with non-API responses well
| return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { | ||
| user, ok, err := authenticator.AuthenticateRequest(req) | ||
| if err != nil || !ok { | ||
| http.Error(w, "Unauthorized", http.StatusUnauthorized) |
There was a problem hiding this comment.
surprised we were returning this from the API... I thought only the node did unstructured errors
|
assuming the big blocks were straight moves, seems mostly sane. still not quite sure about controller manager as a serviceaccount |
|
I think skip controllerm as service account for now. Doesn't help in short
term and long term unclear.
On Feb 10, 2017, at 1:35 AM, Jordan Liggitt <[email protected]> wrote:
assuming the big blocks were straight moves, seems mostly sane. still not
quite sure about controller manager as a serviceaccount
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#12907 (comment)>,
or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ABG_pwZHuZRZ2Eo8mied9sqMP2A4gT_Pks5rbAUzgaJpZM4L88WH>
.
|
|
Yeah, surprised me as well. Should be negotiated now, will need to check
with @sttts on upstream code
On Feb 10, 2017, at 1:32 AM, Jordan Liggitt <[email protected]> wrote:
*@liggitt* commented on this pull request.
------------------------------
In pkg/cmd/server/origin/auth.go
<#12907 (review)>:
@@ -762,27 +762,3 @@ func (redirectSuccessHandler) AuthenticationSucceeded(user kuser.Info, then stri
http.Redirect(w, req, then, http.StatusFound)
return true, nil
}
-
-// authenticationHandlerFilter creates a filter object that will
enforce authentication directly
-func authenticationHandlerFilter(handler http.Handler, authenticator
authenticator.Request, contextMapper kapi.RequestContextMapper)
http.Handler {
- return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
- user, ok, err := authenticator.AuthenticateRequest(req)
- if err != nil || !ok {
- http.Error(w, "Unauthorized", http.StatusUnauthorized)
surprised we were returning this from the API... I thought only the node
did this
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#12907 (review)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABG_p1TAmEMARVuBrGuHXWNcBZhjGhfQks5rbAR5gaJpZM4L88WH>
.
|
|
All big blocks were moves. |
smarterclayton
force-pushed
the
split_handlers
branch
3 times, most recently
from
27819ab to
ae9da74
Compare
smarterclayton
changed the title
smarterclayton
force-pushed
the
split_handlers
branch
from
ae9da74 to
bd6cdf5
Compare
|
Ok, added a quick test and the /healthz and /healthz/ready bypass and tested locally. |
smarterclayton
force-pushed
the
split_handlers
branch
2 times, most recently
from
b24b58e to
94a1f12
Compare
|
[test] |
test/cmd/authentication.sh
Outdated
| os::cmd::expect_success 'oc login -u system:admin' | ||
| os::cmd::expect_failure_and_text 'oc get --raw /debug/pprof/ --as=user3' 'Forbidden' | ||
| os::cmd::expect_failure_and_text 'oc get --raw /metrics --as=user3' 'Forbidden' | ||
| os::cmd::expect_success 'oadm policy add-cluster-role-to-user cluster-debugger user3' |
There was a problem hiding this comment.
needs wait_for to avoid flakes in the gets below
| os::cmd::expect_success_and_text 'oc login -u user3 -p pw' 'Login successful' | ||
| os::cmd::expect_success 'oc login -u system:admin' | ||
| os::cmd::expect_failure_and_text 'oc get --raw /debug/pprof/ --as=user3' 'Forbidden' | ||
| os::cmd::expect_failure_and_text 'oc get --raw /metrics --as=user3' 'Forbidden' |
There was a problem hiding this comment.
test /healthz access is allowed even without the role?
| handler := serverhandlers.AuthorizationFilter(apiContainer.ServeMux, authz, c.AuthorizationAttributeBuilder, contextMapper) | ||
| handler = serverhandlers.AuthenticationHandlerFilter(handler, authn, contextMapper) | ||
| handler = kgenericfilters.WithPanicRecovery(handler, contextMapper) | ||
| handler = kapiserverfilters.WithRequestInfo(handler, genericapiserver.NewRequestInfoResolver(&genericapiserver.Config{}), contextMapper) |
There was a problem hiding this comment.
is this request info resolver going to try to build API attributes if the path starts with /apis, etc?
|
a few nits, LGTM |
|
Not a flake: |
smarterclayton
force-pushed
the
split_handlers
branch
from
94a1f12 to
209faa9
Compare
Will be replaced in a future release with generic upstream filters.
Give the controller the profiler endpoints and put it behind a remote authn|z story. Move the node authenticator to a reusable spot. Set a small cache size.
smarterclayton
force-pushed
the
split_handlers
branch
from
209faa9 to
50fa90e
Compare
|
Evaluated for origin test up to 50fa90e |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin_future/145/) (Base Commit: cb863ae) |
|
Comments addressed, green [merge] |
|
Evaluated for origin merge up to 50fa90e |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin_future/148/) (Base Commit: e9c6020) (Image: devenv-rhel7_5905) |
Make standalone controllers be debuggable securely by exposing the pprof handlers and adding remote authz and authn filters with small caches.
Also fixes SAR to support Non resource URLs like upstream.