Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 Skip maximal permission policy authorizer for deep SAR requests #2385

Merged
merged 4 commits into from
Dec 7, 2022
Merged

🐛 Skip maximal permission policy authorizer for deep SAR requests #2385

merged 4 commits into from
Dec 7, 2022

Conversation

astefanutti
Copy link
Member

Summary

This PR fixes authorization for deep SAR requests on attributes that resolve to workspace with local maximum permission policy, where the APIExport is also bound, such as the APIExport in the root workspace.

Related issue(s)

Fixes #2384.

@astefanutti astefanutti mentioned this pull request Nov 18, 2022
Open
@astefanutti
Copy link
Member Author

/retest

3 similar comments
@astefanutti
Copy link
Member Author

/retest

@astefanutti
Copy link
Member Author

/retest

@astefanutti
Copy link
Member Author

/retest

@astefanutti
Copy link
Member Author

Hitting kcp-dev/contrib-tmc#78 and kcp-dev/contrib-tmc#77 flakes.

@astefanutti
Copy link
Member Author

/retest

@stevekuznetsov
Copy link
Contributor

/assign @s-urbaniak

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 21, 2022
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 22, 2022
@ncdc ncdc requested a review from s-urbaniak November 29, 2022 16:47
@astefanutti
Copy link
Member Author

/milestone v0.10

@astefanutti astefanutti added this to the v0.10 milestone Dec 1, 2022
@s-urbaniak
Copy link
Contributor

As an after-though this looks correct. Initially I assumed this has to go via the maximum permission policy authorizer but in the deep SAR case it indeed has to be delegated up to the actual local authorizer.

@s-urbaniak
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 7, 2022
@s-urbaniak
Copy link
Contributor

/approve

1 similar comment
@ncdc
Copy link
Member

ncdc commented Dec 7, 2022

/approve

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 7, 2022
@astefanutti
Copy link
Member Author

/retest

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Dec 7, 2022
@ncdc
Copy link
Member

ncdc commented Dec 7, 2022

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 7, 2022
@ncdc
Copy link
Member

ncdc commented Dec 7, 2022

/lgtm cancel

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Dec 7, 2022
ncdc
ncdc reviewed Dec 7, 2022
View reviewed changes
test/e2e/virtual/apiexport/authorizer_test.go Outdated
},
},
}
err = retry.OnError(retry.DefaultBackoff, errors.IsForbidden, func() error {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use framework.Eventually

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Out of curiosity, why is it being forbidden?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It happens the ClusterRole and ClusterRoleBinding created few lines above do not apply synchronously, so the creation of the APIBinding can fail until they are effectively applied. That is actually the reason why I favoured retry.OnError over framework.Eventually, because it's only useful to retry on 403, and it can fail-fast otherwise.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@stevekuznetsov wdyt?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Next commit changes to use framework.Eventually - but to the point I'd say it's highly unlikely we get an error we can fail fast on and the benefit from the eventually bit is good. We can try to improve framework.Eventually for a short-circuit exit if we want

@stevekuznetsov
Copy link
Contributor

/lgtm
/approve

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 7, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 7, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ncdc, s-urbaniak, stevekuznetsov

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit 21ed4c6 into kcp-dev:main Dec 7, 2022
@astefanutti astefanutti deleted the pr-23 branch December 7, 2022 15:44
@s-urbaniak s-urbaniak mentioned this pull request Jan 12, 2023
Merged
@kcp-ci-bot kcp-ci-bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Nov 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ncdc ncdc ncdc left review comments

@s-urbaniak s-urbaniak s-urbaniak left review comments

@stevekuznetsov stevekuznetsov stevekuznetsov left review comments

@kylape kylape Awaiting requested review from kylape

@shawn-hurley shawn-hurley Awaiting requested review from shawn-hurley

Assignees

@ncdc ncdc

@s-urbaniak s-urbaniak

@stevekuznetsov stevekuznetsov

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v0.10
6 participants
@astefanutti @stevekuznetsov @s-urbaniak @ncdc @openshift-merge-robot @kcp-ci-bot