remove subjectlocator shim and divide responsibility #18152
Conversation
openshift-ci-robot
added
approved
|
|
||
| func RBACSubjectsToUsersAndGroups(subjects []rbac.Subject, defaultNamespace string) (users []string, groups []string) { | ||
| for _, subject := range subjects { | ||
| if subject.APIGroup != rbac.GroupName { |
There was a problem hiding this comment.
misses service account subjects, right? is there a test that would have caught that?
There was a problem hiding this comment.
misses service account subjects, right? is there a test that would have caught that?
betting we'll find out.
There was a problem hiding this comment.
This goes in pkg/authorization/util/subject.go
There was a problem hiding this comment.
misses service account subjects, right? is there a test that would have caught that?
betting we'll find out.
Yes, there are integration tests that fail when this is wrong.
| if len(subject.Namespace) > 0 { | ||
| ns = subject.Namespace | ||
| } | ||
| if len(ns) >= 0 { |
There was a problem hiding this comment.
= 0, huh?
ze germans?
|
Bruno had started this work in #16034 |
pkg/cmd/server/origin/authorizer.go
Outdated
| rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation" | ||
| "k8s.io/kubernetes/plugin/pkg/auth/authorizer/node" | ||
| rbacauthorizer "k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac" | ||
| kbootstrappolicy "k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy" | ||
|
|
||
| "github.com/openshift/origin/pkg/authorization/authorizer" | ||
| oauthorizer "github.com/openshift/origin/pkg/authorization/authorizer" |
There was a problem hiding this comment.
I think I called this openshiftauthorizer elsewhere. I do not care what we use, but lets make them match.
| if len(subject.Namespace) > 0 { | ||
| ns = subject.Namespace | ||
| } | ||
| if len(ns) >= 0 { |
|
|
||
| func RBACSubjectsToUsersAndGroups(subjects []rbac.Subject, defaultNamespace string) (users []string, groups []string) { | ||
| for _, subject := range subjects { | ||
| if subject.APIGroup != rbac.GroupName { |
There was a problem hiding this comment.
This goes in pkg/authorization/util/subject.go
| if len(subject.Namespace) > 0 { | ||
| ns = subject.Namespace | ||
| } | ||
| if len(ns) >= 0 { |
Issue to track? |
deads2k
force-pushed
the
authz-12-upstreamsubjectlocator
branch
from
61269b1 to
dde2bf2
Compare
|
comments addressed |
pkg/project/auth/reviewer.go
Outdated
| @@ -1,9 +1,9 @@ | |||
| package auth | |||
|
|
|||
| import ( | |||
| authorizationutil "github.com/openshift/origin/pkg/authorization/util" | |||
There was a problem hiding this comment.
nit: separate origin import from kube
deads2k
force-pushed
the
authz-12-upstreamsubjectlocator
branch
from
dde2bf2 to
5f4c30a
Compare
|
fixed |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, enj The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
/retest |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
@deads2k: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Automatic merge from submit-queue (batch tested with PRs 18129, 18152, 17403, 18020, 18165). |
This removes an unnecessary shim interface, makes construction of separate things separate, makes an existing bug obvious (RAR doesn't take into account node authorizer), and will ease rebases.
@openshift/sig-security
/assign enj
/assign simo5
/assign soltysh
Fixes #15816