-
Notifications
You must be signed in to change notification settings - Fork 366
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🐛 Skip maximal permission policy authorizer for deep SAR requests #2385
Conversation
fcd1dae
to
5f43d1b
Compare
/retest |
3 similar comments
/retest |
/retest |
/retest |
Hitting kcp-dev/contrib-tmc#78 and kcp-dev/contrib-tmc#77 flakes. |
/retest |
/assign @s-urbaniak |
/milestone v0.10 |
As an after-though this looks correct. Initially I assumed this has to go via the maximum permission policy authorizer but in the deep SAR case it indeed has to be delegated up to the actual local authorizer. |
/lgtm |
/approve |
1 similar comment
/approve |
/retest |
/lgtm |
/lgtm cancel |
}, | ||
}, | ||
} | ||
err = retry.OnError(retry.DefaultBackoff, errors.IsForbidden, func() error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please use framework.Eventually
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Out of curiosity, why is it being forbidden?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It happens the ClusterRole and ClusterRoleBinding created few lines above do not apply synchronously, so the creation of the APIBinding can fail until they are effectively applied. That is actually the reason why I favoured retry.OnError
over framework.Eventually
, because it's only useful to retry on 403, and it can fail-fast otherwise.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@stevekuznetsov wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Next commit changes to use framework.Eventually
- but to the point I'd say it's highly unlikely we get an error we can fail fast on and the benefit from the eventually bit is good. We can try to improve framework.Eventually
for a short-circuit exit if we want
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ncdc, s-urbaniak, stevekuznetsov The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Summary
This PR fixes authorization for deep SAR requests on attributes that resolve to workspace with local maximum permission policy, where the APIExport is also bound, such as the APIExport in the
root
workspace.Related issue(s)
Fixes #2384.