Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add authz library #8002

Merged
merged 16 commits into from
Jun 17, 2024
Merged

Add authz library #8002

merged 16 commits into from
Jun 17, 2024

Conversation

creydr
Copy link
Member

@creydr creydr commented Jun 14, 2024

Fixes #7985

Add library to support on AuthZ work

Proposed Changes

  • 🎁 GetEventPoliciesForResource(eplister, gvk, meta) returns a list of EventPolicies which apply for a given resource (gvk & meta)
  • 🎁 ResolveSubjects(resolver, eventPolicy) returns a list of resolved subjects of an EventPolicy
  • 🎁 Function SubjectContained(sub, allowedSubs) to check if a given subject is part of a list of allowed subjects (includes * matching)

Requires knative/pkg#3056 to be merged
/hold

@creydr creydr requested a review from pierDipi June 14, 2024 13:41
@knative-prow knative-prow bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jun 14, 2024
@knative-prow knative-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 14, 2024
@codecov Codecov
Copy link

codecov bot commented Jun 14, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 87.87879% with 8 lines in your changes missing coverage. Please review.

Project coverage is 67.72%. Comparing base (43cf75a) to head (6dc6990).
Report is 3 commits behind head on main.

Files Patch % Lines
pkg/auth/event_policy.go 87.87% 4 Missing and 4 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #8002      +/-   ##
==========================================
+ Coverage   67.65%   67.72%   +0.07%     
==========================================
  Files         361      362       +1     
  Lines       16638    16705      +67     
==========================================
+ Hits        11256    11314      +58     
- Misses       4690     4695       +5     
- Partials      692      696       +4

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

pierDipi
pierDipi reviewed Jun 14, 2024
View reviewed changes
pkg/auth/event_policy.go Outdated Show resolved Hide resolved
pierDipi
pierDipi reviewed Jun 14, 2024
View reviewed changes
pkg/auth/event_policy.go Outdated
Comment on lines 55 to 60
strings.EqualFold(to.Selector.APIVersion, resourceAPIVersion) &&
strings.EqualFold(to.Selector.Kind, resourceGVK.Kind) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to match the full APIVersion and Kind or just kind + group ? what happens when there is a new version?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, but still I don't think we want to match the version here, right?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated as discussed

Copy link
Member Author

@creydr creydr Jun 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Damn. I deleted my original comment by accident 🤦
Only for history: We thought about this initially in the design doc , but then discarded it, because we needed the full api version for the client. I wasn't sure then, if this was still a requirement, but it turned out, we need it for the client/tracker.

pierDipi
pierDipi reviewed Jun 14, 2024
View reviewed changes
pkg/auth/event_policy.go Outdated
Comment on lines 46 to 52
strings.EqualFold(to.Ref.Name, resourceObjectMeta.GetName()) &&
strings.EqualFold(to.Ref.APIVersion, resourceAPIVersion) &&
strings.EqualFold(to.Ref.Kind, resourceGVK.Kind) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to match the full APIVersion and Kind or just kind + group ? what happens when there is a new version?

Copy link
Member

@pierDipi pierDipi Jun 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we want to just have "Group + Kind" in the To and Selector API?

pierDipi
pierDipi reviewed Jun 14, 2024
View reviewed changes
pkg/auth/event_policy.go Outdated Show resolved Hide resolved
@knative-prow knative-prow bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jun 17, 2024
@creydr creydr changed the title [WIP] Add authz library Add authz library Jun 17, 2024
@knative-prow knative-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 17, 2024
@creydr
Copy link
Member Author

creydr commented Jun 17, 2024

/unhold
as knative/pkg#3056 and #8004 merged and this PR was rebased afterwards

@knative-prow knative-prow bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 17, 2024
@creydr creydr requested a review from pierDipi June 17, 2024 08:48
pierDipi
pierDipi reviewed Jun 17, 2024
View reviewed changes
pkg/auth/event_policy.go Outdated Show resolved Hide resolved
pierDipi
pierDipi reviewed Jun 17, 2024
View reviewed changes
pkg/auth/event_policy.go Outdated Show resolved Hide resolved
pierDipi
pierDipi reviewed Jun 17, 2024
View reviewed changes
pkg/auth/event_policy.go Outdated Show resolved Hide resolved
pierDipi
pierDipi reviewed Jun 17, 2024
View reviewed changes
pkg/auth/event_policy.go Outdated Show resolved Hide resolved
pierDipi
pierDipi approved these changes Jun 17, 2024
View reviewed changes
Copy link
Member

@pierDipi pierDipi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Jun 17, 2024
@knative-prow Knative Prow
Copy link

knative-prow bot commented Jun 17, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: creydr, pierDipi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@creydr
Copy link
Member Author

creydr commented Jun 17, 2024

/test upgrade-tests

@knative-prow knative-prow bot merged commit e298f32 into knative:main Jun 17, 2024
35 of 36 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pierDipi pierDipi pierDipi approved these changes

@aliok aliok Awaiting requested review from aliok

@lionelvillard lionelvillard Awaiting requested review from lionelvillard

Assignees

@pierDipi pierDipi

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add Library to support on AuthZ
2 participants
@creydr @pierDipi