Fix auth checks for cross-repo mount requests #9593
Conversation
|
I like it! Thanks. I'll cherry-pick to my #9582. |
| @@ -197,7 +237,11 @@ func (ac *AccessController) Authorized(ctx context.Context, accessRecords ...reg | |||
| verifiedPrune = true | |||
| default: | |||
| if err := verifyImageStreamAccess(ctx, imageStreamNS, imageStreamName, verb, osClient); err != nil { | |||
| return nil, ac.wrapErr(err) | |||
| if verb == "pull" { | |||
There was a problem hiding this comment.
I don't see a possibility for the verb be set to "pull".
|
LGTM |
|
[test] |
liggitt
changed the title
|
[testextended][extended:core(builds)] |
|
[testextended][extended:core(images)] |
|
Evaluated for origin testextended up to 860fa7f |
|
[merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/5524/) (Image: devenv-rhel7_4479) |
|
Evaluated for origin merge up to 860fa7f |
|
fyi @smarterclayton |
|
continuous-integration/openshift-jenkins/testextended SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin_extended/255/) (Extended Tests: core(images), core(builds)) |
|
Re[test] #9512 |
|
Evaluated for origin test up to 860fa7f |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/5524/) |
| @@ -197,7 +237,11 @@ func (ac *AccessController) Authorized(ctx context.Context, accessRecords ...reg | |||
| verifiedPrune = true | |||
| default: | |||
| if err := verifyImageStreamAccess(ctx, imageStreamNS, imageStreamName, verb, osClient); err != nil { | |||
| return nil, ac.wrapErr(err) | |||
| if access.Action == "pull" { | |||
There was a problem hiding this comment.
Nit: invert and return early
Fixes #9540
When pushing blobs to a target repo
targetRepo, if the client has knowledge that the blob exists in another reposourceRepoon the same server, clients may request the server cross-mount a blob from another reposourceRepoas an optimization.Before allowing that, the server ensures the client has the following authorizations:
pullandpushontargetRepopullonsourceRepoIn cases where the user is not authorized to
pullfromsourceRepo, rather than an authorization error, the blob push should just proceed unoptimized (requiring the user to push the full content of the blob totargetRepo, which proves they have access to it, since they just pushed it)This PR:
pullaccess check failures are likely to be related to cross-repo mounts:pushaccess request for the repo which failed thepullaccess checkpushaccess request for some other repo (which is required to pass)pullaccess checks to the request context, keyed by repo (ns+name)Createmethod to disable cross-repo mounting if the request context contains an access error for the source repo