New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Invalid method for determining the user's permissions #72
Comments
cc @deads2k @liggitt @smarterclayton in case you guys have any opinions. |
This is only specific to a user seeing the logs in the |
@ewolinetz We have multiple instances of customers who are trying to see those specific logs but are failing to do so because they belong to a group that grants them cluster admin privileges instead of being directly bound to the role.
That seems like a very broad check. I am not familiar with the contents of the logs so I cannot say who should be able to see them. A SubjectRulesReview may be more appropriate. |
I just opened BZ 1446217 for this. |
@ewolinetz Maybe we should do SAR for viewing on all 'operations' namespaces and determine ops user on being able to view them all. I think we have a list in the plugin that is configurable. |
If this is about viewing logs, it may be more appropriate to look for the power to get pods/logs across all namespaces or the one you're interested in. |
I think the second SAR is almost right, but should be checking a |
The isOperationsUser method incorrectly assumes that a user must be directly bound to
cluster-admins
orcluster-readers
to see the logs. This is incorrect in two scenarios:Instead, the method should perform a SubjectAccessReview based on the username and group information (you will probably need to build a reverse index of groups). The following
SAR
is equivalent to cluster admin:The following
SAR
could serve as a proxy forcluster-reader
but that is up to you guys:cc @ewolinetz @jcantrill @richm
@gabemontero may be able to provide guidance on how to perform a
SAR
in Java.The text was updated successfully, but these errors were encountered: