@xrstf commented Oct 21, 2025

Summary

What Type of PR Is This?

/kind feature

Related Issue(s)

Fixes #3409

Release Notes

TBD

The old code would loop through all bound claims and for each matching (group/resource) claim it
would try to find the first (!) matching exported claim. And then check the verbs. If no exported
claim is found, the set of allowed verbs is empty, so the HasAny() check can never succeed. Hence
if no exported claim exists, we do not even have to check the verbs.

This commit improves the loop by comparing all bound claims against all (!) exported claims (with
the matching GRI) and skipping any guaranteed-false checks if no exported claim is found.

This loop now is ready to be extended to check for references, too.

On-behalf-of: @SAP christoph.mewes@sap.com
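
Added example, not code from this PR or from kcp: a minimal Go model of the two loop shapes described above, using hypothetical `GR` and `Claim` types, matching on group/resource only, and assuming the verb check passes when any bound verb is allowed. The constructed data has two exported claims for the same resource, where first-match evaluation rejects a verb that the second claim grants.

```go
package main

import "fmt"

// Hypothetical stand-ins for this example, not kcp's API types.
type GR struct{ Group, Resource string }
type Claim struct {
	GR
	Verbs []string
}

// hasAny reports whether any wanted verb is in the allowed list.
func hasAny(allowed, wanted []string) bool {
	for _, a := range allowed {
		for _, w := range wanted {
			if a == w {
				return true
			}
		}
	}
	return false
}

// firstMatch models the old loop: only the first matching exported claim counts.
func firstMatch(bound Claim, exported []Claim) bool {
	for _, e := range exported {
		if e.GR == bound.GR {
			return hasAny(e.Verbs, bound.Verbs)
		}
	}
	return false // no exported claim: allowed verbs are empty
}

// allMatches models the new loop: every matching exported claim is checked.
func allMatches(bound Claim, exported []Claim) bool {
	for _, e := range exported {
		if e.GR == bound.GR && hasAny(e.Verbs, bound.Verbs) {
			return true
		}
	}
	return false // reached without any verb check when nothing matched
}

func main() {
	cm := GR{"", "configmaps"} // constructed sample data
	exported := []Claim{{cm, []string{"get"}}, {cm, []string{"list"}}}
	bound := Claim{cm, []string{"list"}}
	fmt.Println(firstMatch(bound, exported), allMatches(bound, exported))
}
```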
@kcp-ci-bot added labels Oct 21, 2025: kind/feature (Categorizes issue or PR as related to a new feature.); do-not-merge/work-in-progress (Indicates that a PR should not merge because it is a work in progress.); release-note (Denotes a PR that will be considered when it comes time to generate release notes.); dco-signoff: yes (Indicates the PR's author has signed the DCO.)
@kcp-ci-bot

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@kcp-ci-bot

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from xrstf. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kcp-ci-bot added the size/M label (Denotes a PR that changes 30-99 lines, ignoring generated files.) Oct 21, 2025

Development

Successfully merging this pull request may close these issues.

feature: Extend permissions claims with references
