Cleanup genericapiserver handler chain #33164
Conversation
sttts
added
kind/cleanup
k8s-github-robot
added
needs-rebase
sttts
force-pushed
the
sttts-handler-chain-cleanup
branch
from
f19ef45
to
ccdfc49
Compare
sttts
added
release-note-none
k8s-github-robot
removed
the
needs-rebase
sttts
changed the title
| }), nil | ||
| } else { | ||
| return handler, errors.New("Unknown RequestContextMapper implementation.") | ||
| func WithRequestContext(handler http.Handler, mapper RequestContextMapper) http.Handler { |
There was a problem hiding this comment.
Any idea why it's in this package? Doesn't have to be this pull, but unless there's a strong reason, I'd like it moved eventually.
There was a problem hiding this comment.
Had the same question. Also the Context interface looks api independent. Doesn't have to be so deep in the package hierarchy. A good topic for a follow-up PR.
There was a problem hiding this comment.
Had the same question. Also the Context interface looks api independent. Doesn't have to be so deep in the package hierarchy. A good topic for a follow-up PR.
agreed.
| @@ -462,7 +144,7 @@ func (r *requestAttributeGetter) GetAttribs(req *http.Request) authorizer.Attrib | |||
| } | |||
|
|
|||
| // WithAuthorizationCheck passes all authorized requests on to handler, and returns a forbidden error otherwise. | |||
| func WithAuthorizationCheck(handler http.Handler, getAttribs RequestAttributeGetter, a authorizer.Authorizer) http.Handler { | |||
| func WithAuthorization(handler http.Handler, getAttribs RequestAttributeGetter, a authorizer.Authorizer) http.Handler { | |||
There was a problem hiding this comment.
If a == nil, let's be friendly, skip adding this, and glog a warning.
There was a problem hiding this comment.
Most filters just return the passed handler when the parameters are nil. Will do the same here.
| @@ -337,18 +346,64 @@ func (c Config) New() (*GenericAPIServer, error) { | |||
| }) | |||
| } | |||
|
|
|||
| if len(c.AuditLogPath) != 0 { | |||
There was a problem hiding this comment.
Let's add to our running issue. I think all the audit stuff should be gathered up into a pointer to a struct.
| } | ||
|
|
||
| func (s *GenericAPIServer) buildHandlerChains(c *Config, handler http.Handler) (secure http.Handler, insecure http.Handler) { | ||
| longRunningRE := regexp.MustCompile(c.LongRunningRequestRE) |
There was a problem hiding this comment.
Can't we push these into WithTimeoutForNonLongRunningRequests?
| longRunningFunc := genericfilters.BasicLongRunningRequestCheck(longRunningRE, map[string]string{"watch": "true"}) | ||
|
|
||
| // common filters | ||
| handler = genericfilters.WithCORS(handler, allowedOriginRegexps(c.CorsAllowedOriginList), nil, nil, "true") |
There was a problem hiding this comment.
common for secure and insecure.
There was a problem hiding this comment.
common for secure and insecure.
Yeah, I was suggesting a rename. Doesn't really matter to me.
| attributeGetter := apiserver.NewRequestAttributeGetter(c.RequestContextMapper, s.NewRequestInfoResolver()) | ||
| secure = handler | ||
| secure = apiserver.WithAuthorization(secure, attributeGetter, c.Authorizer) | ||
| secure = audit.WithAudit(secure, attributeGetter, s.auditWriter) // before impersonation to read original user |
There was a problem hiding this comment.
Isn't this after impersonation right now?
There was a problem hiding this comment.
Good spot. In origin it's correct.
| return s, nil | ||
| } | ||
|
|
||
| func (s *GenericAPIServer) buildHandlerChains(c *Config, handler http.Handler) (secure http.Handler, insecure http.Handler) { |
There was a problem hiding this comment.
So much cleaner. TODO to type the function and take it as an optional struct value in genericapiserver.
| return | ||
| } | ||
|
|
||
| func allowedOriginRegexps(allowedOrigins []string) []*regexp.Regexp { |
There was a problem hiding this comment.
Seems like this should live in your cors file
| "strings" | ||
| ) | ||
|
|
||
| // TODO: use restful.CrossOriginResourceSharing |
There was a problem hiding this comment.
I don't think we're likely to do this.
There was a problem hiding this comment.
Somebody somewhen was planning to do that :)
| // WithCORS is a simple CORS implementation that wraps an http Handler. | ||
| // Pass nil for allowedMethods and allowedHeaders to use the defaults. If allowedOriginPatterns | ||
| // is empty or nil, no CORS support is installed. | ||
| func WithCORS(handler http.Handler, allowedOriginPatterns []*regexp.Regexp, allowedMethods []string, allowedHeaders []string, allowCredentials string) http.Handler { |
|
Assuming most of the code is straight moves, I've got a few minor comments, but this looks a lot better. Any specific reason its still WIP? I'd be fine tying off this chunk without adding more to it. |
|
lgtm. squash and tag when you're happy with it. |
| secure = apiserver.WithImpersonation(secure, c.RequestContextMapper, c.Authorizer) | ||
| secure = audit.WithAudit(secure, attributeGetter, s.auditWriter) // before impersonation to read original user |
sttts
changed the title
sttts
force-pushed
the
sttts-handler-chain-cleanup
branch
from
3a31ed6
to
daef268
Compare
sttts
added
the
lgtm
|
Squashed. Waiting for #33095 to merge. |
k8s-github-robot
added
the
needs-rebase
Automatic merge from submit-queue Remove closing audit log file and add error check when writing to audit This picks the order fix from #33164. Additionally I've removed entirely closing the log file, since it didn't make sense where it was. I've also added error checks when actually writing to audit logs. @sttts ptal **1.4 justification:** Risk: the code only runs if auditing is enabled with an apiserver flag. So the risk is low. Rollback: nothing should depend on this Cost: the auditing feature is broken because the impersonation filter is applied before and you might not see the proper user when using `--as` flag. Additionally no errors are logged if writing to audit fails.
sttts
force-pushed
the
sttts-handler-chain-cleanup
branch
from
0b6ad8d
to
11a608a
Compare
|
Rebased. |
sttts
added
lgtm
k8s-github-robot
removed
the
needs-rebase
|
Jenkins verification failed for commit 11a608a6599ec1c7c705906b89f53798e8a71774. Full PR test history. The magic incantation to run this job again is |
sttts
force-pushed
the
sttts-handler-chain-cleanup
branch
from
11a608a
to
4a93c94
Compare
sttts
added
lgtm
k8s-github-robot
added
the
needs-rebase
sttts
force-pushed
the
sttts-handler-chain-cleanup
branch
from
4a93c94
to
1350325
Compare
sttts
added
lgtm
k8s-github-robot
added
needs-rebase
sttts
force-pushed
the
sttts-handler-chain-cleanup
branch
from
1350325
to
87356c0
Compare
sttts
added
lgtm
k8s-github-robot
removed
the
needs-rebase
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue |
pkg/genericapiserver/filtersgenericapiserver.New()pkg/apiserver)This change is