Disallow AttributeRestrictions in PolicyRules #13466
Conversation
|
@smarterclayton I want this to plug a rolling update hole before you tag a level. |
| @@ -252,7 +252,13 @@ func ValidateRole(role *authorizationapi.Role, isNamespaced bool) field.ErrorLis | |||
| } | |||
|
|
|||
| func validateRole(role *authorizationapi.Role, isNamespaced bool, fldPath *field.Path) field.ErrorList { | |||
There was a problem hiding this comment.
Everything funnels to validateRole.
There was a problem hiding this comment.
Everything funnels to validateRole.
So it does. update text and bug me for merge.
pkg/authorization/api/helpers.go
Outdated
| @@ -366,6 +366,10 @@ func (r *PolicyRuleBuilder) RuleOrDie() PolicyRule { | |||
| } | |||
|
|
|||
| func (r *PolicyRuleBuilder) Rule() (PolicyRule, error) { | |||
| if r.PolicyRule.AttributeRestrictions != nil { | |||
| return PolicyRule{}, fmt.Errorf("rule may not have attributeRestrictions as they are deprecated and ignored: %#v", r.PolicyRule) | |||
There was a problem hiding this comment.
because they are deprecated and ignored.
| allErrs := validation.ValidateObjectMeta(&role.ObjectMeta, isNamespaced, path.ValidatePathSegmentName, fldPath.Child("metadata")) | ||
| for i, rule := range role.Rules { | ||
| if rule.AttributeRestrictions != nil { | ||
| allErrs = append(allErrs, field.Invalid(fldPath.Child("rules").Index(i).Child("attributeRestrictions"), rule.AttributeRestrictions, "must be null as they are deprecated and ignored")) |
There was a problem hiding this comment.
Actually, don't have to say why, just "must be null"
enj
force-pushed
the
enj/f/disallow_attribute_restrictions
branch
from
73c2b36 to
a29c8a7
Compare
| @@ -33,15 +33,6 @@ items: | |||
| - projects | |||
| verbs: | |||
| - list | |||
| - apiGroups: null | |||
There was a problem hiding this comment.
Add the replacement rule for this
| @@ -42,15 +42,6 @@ objects: | |||
| - projects | |||
| verbs: | |||
| - list | |||
| - apiGroups: null | |||
There was a problem hiding this comment.
Add the replacement rule for this
enj
force-pushed
the
enj/f/disallow_attribute_restrictions
branch
from
a29c8a7 to
aef39f1
Compare
Signed-off-by: Monis Khan <[email protected]>
enj
force-pushed
the
enj/f/disallow_attribute_restrictions
branch
from
aef39f1 to
847e3fc
Compare
|
lgtm [merge] |
| allErrs = append(allErrs, field.Invalid(fldPath.Child("rules").Index(i).Child("attributeRestrictions"), rule.AttributeRestrictions, "must be null")) | ||
| } | ||
| } | ||
| return allErrs |
There was a problem hiding this comment.
this is also where I was expecting to see validation to prevent a single rule from having both resource and non-resource data. if it's not here, it means we allow it, and have to split when converting to kube roles
There was a problem hiding this comment.
we also don't require apigroups, resources, verbs, or nonresourceurls to contain items, which means our converted roles won't pass kube validation... we can either drop rules like that (since they weren't actually granting any permissions), fail the conversion, or fail when attempting to persist the converted role to kube
Or we could provide an |
Or convert and fail trying to persist it. It's ok if the converted resources don't all validate at first. If we provide |
|
@enj seems like something cracked in the namespace finalizer |
|
Evaluated for origin test up to 847e3fc |
|
re[merge] |
|
Evaluated for origin merge up to 847e3fc |
|
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/368/) (Base Commit: 0343989) |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/168/) (Base Commit: 55e0221) (Image: devenv-rhel7_6093) |
|
This change is breaking the upgrade process in a job that installes and upgrades origin cluster: Not sure if its just a flake, but I could reproduce it seweral times in a row |
|
Are we sure that reconciliation will never try to persist a role with this attribute set in a rule ? I'm concerned about tightening validation with no announced deprecation or migration in place |
Addresses #13334 (comment)
cc @liggitt
[test]
Signed-off-by: Monis Khan [email protected]