Make default for --anonymous-auth be false. #38708
Conversation
erictune commented Dec 13, 2016 (edited by saad-ali)
I'm not 100% sure this is the fix we want, but I am sending it so that we can talk about it and test it.
This PR is not for the master branch but does not have the
@saad-ali don't kick off after merging this. Still checking if federation change practical
@@ -293,7 +293,7 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) { | |||
fs.BoolVar(&s.AnonymousAuth, "anonymous-auth", s.AnonymousAuth, ""+ | |||
"Enables anonymous requests to the secure port of the API server. "+ | |||
"Requests that are not rejected by another authentication method are treated as anonymous requests. "+ | |||
"Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated.") | |||
"Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated. ") |
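Review bot: the only change in this hunk is a trailing space appended to the end of the help string ("system:unauthenticated. "), which looks unintentional; drop it. Nothing here alters the flag's default, since the BoolVar call still takes its default from s.AnonymousAuth, so the flip to false that the PR title describes has to live outside this hunk. Since the default is changing, consider stating the new default explicitly in the help text, because pflag omits the "(default ...)" suffix for a bool flag whose default is false and operators who relied on the old behaviour would otherwise see no hint of the change in --help.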
seems like a typo or something
Nope, absolutely not needed for the v1.5.1 cut
It's a shame, but I'm ok with it for 1.5. At some point we need to rip off the bandaid, but it doesn't have to be now. lgtm
@erictune Can you add a release note please in the original post
Ok to merge. @mahudustancs showed me that this covers federation too
Awesome merging
All checks are green:
Manually merging for v1.5.1
Let's make sure this gets merged back to master at some point
@saad-ali @liggitt I think we want to try to switch the default again in 1.6. If we update the abac user star evaluation, eliminate the rbac user star (no need for it and its alpha), and use my default stomping pull I think we have a reasonable shot.
#38968 makes ABAC safe with anonymous auth enabled |
#38981 removes special handling of * for RBAC bindings |
Ack. Feel free to correct me, as I'm completely out of my depth here, but wasn't the concern with this that the default authorization was
#38706 is open to address the anonymous+AlwaysAllow combination. There were secondary concerns with legacy RBAC/ABAC policies matching anonymous users unintentionally
Perfect, thanks @liggitt
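The discussion above turns on two independent knobs: whether the API server lets credential-less requests through as `system:anonymous` at all (`--anonymous-auth`), and whether a legacy policy's `*` user wildcard is then interpreted as covering that anonymous identity. The Go model below is an added illustration written for this page, not Kubernetes code and not the implementation of #38968 or #38706; it uses a constructed two-rule ABAC-style policy and a toy authenticator, and the "hardened" wildcard semantics (`*` matches only authenticated users) is one way to make the wildcard safe, assumed here for illustration rather than taken from the referenced pull requests.

```go
package main

import "fmt"

// Constructed example, not Kubernetes code: a toy model of how
// --anonymous-auth interacts with an ABAC-style "*" user wildcard.

const (
	anonymousUser        = "system:anonymous"
	unauthenticatedGroup = "system:unauthenticated"
	authenticatedGroup   = "system:authenticated"
)

// userInfo is the identity attached to a request after authentication.
type userInfo struct {
	Name   string
	Groups []string
}

// policy is a cut-down ABAC rule: who it applies to and what it allows.
// User or Group set to "*" is the wildcard whose meaning the thread debates.
type policy struct {
	User     string
	Group    string
	Resource string // "*" allows every resource
	Readonly bool   // true: only get/list/watch
}

// authenticate models the API server's handling of a request that carries
// either a credential (here: the username it maps to) or nothing at all.
// With anonymous auth enabled, credential-less requests are not rejected but
// become system:anonymous in group system:unauthenticated.
func authenticate(username string, anonymousAuth bool) (userInfo, bool) {
	if username != "" {
		return userInfo{Name: username, Groups: []string{authenticatedGroup}}, true
	}
	if anonymousAuth {
		return userInfo{Name: anonymousUser, Groups: []string{unauthenticatedGroup}}, true
	}
	return userInfo{}, false // 401: no identity, authorization never runs
}

func hasGroup(u userInfo, group string) bool {
	for _, g := range u.Groups {
		if g == group {
			return true
		}
	}
	return false
}

// subjectMatches decides whether a policy's subject covers the user.
// legacyWildcard=true is the behaviour the thread worries about: "*" matches
// everyone, anonymous included. legacyWildcard=false restricts "*" to
// authenticated users (one hardening option, assumed for illustration).
func subjectMatches(p policy, u userInfo, legacyWildcard bool) bool {
	if p.User == "*" || p.Group == "*" {
		return legacyWildcard || !hasGroup(u, unauthenticatedGroup)
	}
	if p.User != "" && p.User == u.Name {
		return true
	}
	return p.Group != "" && hasGroup(u, p.Group)
}

func isReadVerb(verb string) bool {
	return verb == "get" || verb == "list" || verb == "watch"
}

// authorize returns true if any policy allows verb on resource for user u.
func authorize(policies []policy, u userInfo, verb, resource string, legacyWildcard bool) bool {
	for _, p := range policies {
		if !subjectMatches(p, u, legacyWildcard) {
			continue
		}
		if p.Resource != "*" && p.Resource != resource {
			continue
		}
		if p.Readonly && !isReadVerb(verb) {
			continue
		}
		return true
	}
	return false
}

// decide runs authentication then authorization for one request and reports
// whether the API server would serve it.
func decide(policies []policy, username, verb, resource string, anonymousAuth, legacyWildcard bool) bool {
	u, ok := authenticate(username, anonymousAuth)
	if !ok {
		return false
	}
	return authorize(policies, u, verb, resource, legacyWildcard)
}

// samplePolicies is a constructed policy file of the kind the thread calls
// "legacy": a cluster admin plus a read-everything rule written with "*".
var samplePolicies = []policy{
	{User: "admin", Resource: "*"},
	{User: "*", Resource: "*", Readonly: true},
}

func main() {
	for _, c := range []struct {
		label         string
		anonymousAuth bool
		legacy        bool
	}{
		{"anonymous-auth=true, legacy *", true, true},
		{"anonymous-auth=true, * only matches authenticated", true, false},
		{"anonymous-auth=false, legacy *", false, true},
	} {
		got := decide(samplePolicies, "", "list", "secrets", c.anonymousAuth, c.legacy)
		fmt.Printf("%-52s credential-less 'list secrets' allowed=%v\n", c.label, got)
	}
}
```

Running it shows the combination the thread is closing off: with anonymous auth on and the legacy wildcard, a request with no credentials at all can list secrets, because `system:anonymous` satisfies `user: "*"`. Either knob on its own shuts that path, which is why flipping `--anonymous-auth` to false is a safe stopgap for 1.5 while the wildcard semantics are fixed separately for 1.6.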