proxy not providing user info should cause error #42421
@@ -111,5 +95,23 @@ func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, *spec.Secur | |||
if c.Anonymous { | |||
authenticator = unionauth.NewFailOnError(authenticator, anonymous.NewAuthenticator()) | |||
} | |||
|
|||
// front proxies go first, but since they provide group information, we need to ensure that we don't add *more* |
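Review bot: the `if c.Anonymous` branch wraps the existing authenticator and the anonymous authenticator in `unionauth.NewFailOnError`, which is what lets an error from an earlier authenticator terminate the chain instead of falling through to anonymous; the trailing comment `// front proxies go first, but since they provide group information, we need to ensure that we don't add *more*` describes that ordering, but the front-proxy branch it refers to is outside this hunk, so confirm that the configuration with no other authenticators (the `len(authenticators) == 0` early return raised in review) still reaches this wrapping rather than returning before it.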
watch the if len(authenticators) == 0 case above
might be more straightforward to build the top-level chain at the end, and skip the early returns, e.g.
topLevelAuthenticators := []authenticator.Request{}
if c.RequestHeaderConfig != nil {
topLevelAuthenticators = append(topLevelAuthenticators, ...)
}
if len(authenticators) > 0 {
topLevelAuthenticators = append(topLevelAuthenticators, group.NewGroupAdder(unionauth.New(authenticators...), []string{user.AllAuthenticated}))
}
if c.Anonymous {
topLevelAuthenticators = append(topLevelAuthenticators, anonymous.NewAuthenticator())
}
return unionauth.NewFailOnError(topLevelAuthenticators...)
Force-pushed from 748887b to 238dc3e.
made it a switch case covering all four cases.
Force-pushed from 8dcee4b to 21c3ff3.
@@ -122,10 +123,13 @@ func (a *Verifier) AuthenticateRequest(req *http.Request) (user.Info, bool, erro | |||
} | |||
|
|||
if _, err := req.TLS.PeerCertificates[0].Verify(optsCopy); err != nil { | |||
return nil, false, err | |||
if invalidCertErr, ok := err.(x509.CertificateInvalidError); ok && invalidCertErr.Reason == x509.Expired { |
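Review bot: the new condition `if invalidCertErr, ok := err.(x509.CertificateInvalidError); ok && invalidCertErr.Reason == x509.Expired {` singles out expiry from the result of `req.TLS.PeerCertificates[0].Verify(optsCopy)`; an untrusted issuer comes back as a different type (`x509.UnknownAuthorityError`), so it never matches this assertion and takes the `return nil, false, err` path regardless, while the remaining `CertificateInvalidError` reasons would be handled differently from expiry by this one check. Either return every verification error uniformly, or add a comment stating why an expired proxy client certificate is the one case treated specially, since a tolerated expired certificate weakens the trust decision the rest of the chain relies on.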
unknown authority is a separate error (x509.UnknownAuthorityError). all the CertificateInvalidError reasons seem like things we'd want to bubble on (and the godoc supports that that error is for "odd" errors and should probably be dealt with uniformly)
done
Force-pushed from 21c3ff3 to 4e660fb.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED The following people have approved this PR: deads2k, liggitt Needs approval from an approver in each of these OWNERS Files:
@@ -107,7 +108,7 @@ func NewSecure(clientCA string, proxyClientNames []string, nameHeaders []string, | |||
func (a *requestHeaderAuthRequestHandler) AuthenticateRequest(req *http.Request) (user.Info, bool, error) { | |||
name := headerValue(req.Header, a.nameHeaders) | |||
if len(name) == 0 { | |||
return nil, false, nil | |||
return nil, false, errors.New("proxy did not provide user information") | |||
} | |||
groups := allHeaderValues(req.Header, a.groupHeaders) |
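Review bot: replacing `return nil, false, nil` with `return nil, false, errors.New("proxy did not provide user information")` turns a missing name header from "not handled by this authenticator" into a hard failure that a fail-on-error union will surface to the client, so this handler must only run once the request has been tied to the trusted proxy (the clientCA/proxyClientNames check set up by `NewSecure`); otherwise any request lacking the header would be rejected before later authenticators get a chance. Two smaller points: include the header names that were consulted (`a.nameHeaders`) in the error text to make misconfigured proxies easier to diagnose, and make sure the `errors` package is imported in this file, since the import is not visible in the hunk.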
Don't we need to require at least one group as well?
nope. auth proxies would be well-advised to include either system:authenticated or system:unauthenticated, but are the final say on the identity of the incoming user
hmm, bears more thought. will discuss tomorrow.
We could make an empty username from a front proxy turn into system:anonymous and system:unauthenticated and then have a conditional group adder for system:authenticated. It would mean I went through a lot of motion today, but might match expectation.
How about:
I see a few problems with it though:
Force-pushed from 4e660fb to d28a8de.
Updated to special case the anonymous user in our proxy.
Force-pushed from d28a8de to 83f7d34.
This has implications for auth proxies that pass through requests with authorization headers without adding user info. Will revisit the proxy client cert fallback issue in 1.7. Go ahead and open a smaller PR for 1.6 that just includes the improvement to the group adder to fix #42437
@deads2k: The following test(s) failed:
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Automatic merge from submit-queue
make the system:authenticated group adder smarter
Fixes #42437
This prevents the group adder from adding the system:authenticated group when:
1. it's already in the list
2. the user is system:anonymous
3. system:unauthenticated is in the list
Smaller alternative to #42421 for 1.6.
@kubernetes/sig-auth-pr-reviews @enj @liggitt
@deads2k PR needs rebase
Keep open for now I suppose?
This PR hasn't been active in 90 days. Closing this PR. Please reopen if you would like to work towards merging this change, if/when the PR is ready for the next round of review. You can add 'keep-open' label to prevent this from happening again, or add a comment to keep it open another 90 days
Fixes #42437
When using a front proxy authenticator it should behave like this:
In addition, the group information should come from the front proxy and not be later manipulated. Having that separation eliminates weird cases like the proxy saying a user is system:anonymous and the authentication chain adding group system:authenticated.
@kubernetes/sig-auth-pr-reviews
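To make the behaviours discussed in this thread concrete, here is an added Go example; it is not code from the kubernetes repository or from this PR. It assembles a fail-on-error union, a group adder that applies the three exclusions from the #42437 description, and a request-header authenticator that errors when a proxy-verified request carries no user, in the order suggested in review (proxy first, group adder around the union of the rest, anonymous last). The UserInfo and Authenticator types, the X-Proxy-Verified, X-Remote-User and X-Remote-Group headers, and the tok-bob/tok-carol tokens are assumptions standing in for the real apiserver types, the proxy client certificate check, and real credentials.

```go
package main

import (
	"errors"
	"net/http"
)

// UserInfo and Authenticator are assumed stand-ins for user.Info and authenticator.Request.
type UserInfo struct {
	Name   string
	Groups []string
}

type Authenticator func(req *http.Request) (*UserInfo, bool, error)

const AllAuthenticated, AllUnauthenticated, AnonymousUser = "system:authenticated", "system:unauthenticated", "system:anonymous"

// UnionFailOnError tries authenticators in order and stops at the first error or success.
func UnionFailOnError(auths ...Authenticator) Authenticator {
	return func(req *http.Request) (*UserInfo, bool, error) {
		for _, a := range auths {
			if u, ok, err := a(req); err != nil || ok {
				return u, ok, err
			}
		}
		return nil, false, nil
	}
}

// ShouldAddGroup encodes the three exclusions from the #42437 description.
func ShouldAddGroup(u *UserInfo, group string) bool {
	if u.Name == AnonymousUser {
		return false
	}
	for _, g := range u.Groups {
		if g == group || g == AllUnauthenticated {
			return false
		}
	}
	return true
}

// GroupAdder appends group to an authenticated user unless ShouldAddGroup says no.
func GroupAdder(inner Authenticator, group string) Authenticator {
	return func(req *http.Request) (*UserInfo, bool, error) {
		u, ok, err := inner(req)
		if err == nil && ok && ShouldAddGroup(u, group) {
			u.Groups = append(u.Groups, group)
		}
		return u, ok, err
	}
}

// ProxyHeaderAuth models the hunk's change: a proxy-verified request with no user header
// is an error. X-Proxy-Verified is a constructed stand-in for NewSecure's client cert check.
func ProxyHeaderAuth(req *http.Request) (*UserInfo, bool, error) {
	if req.Header.Get("X-Proxy-Verified") != "true" {
		return nil, false, nil
	}
	name := req.Header.Get("X-Remote-User")
	if name == "" {
		return nil, false, errors.New("proxy did not provide user information")
	}
	// groups come verbatim from the proxy; the chain never adds to them
	return &UserInfo{Name: name, Groups: req.Header.Values("X-Remote-Group")}, true, nil
}

// BearerAuth is a toy token check (constructed tokens) standing in for the other authenticators.
func BearerAuth(req *http.Request) (*UserInfo, bool, error) {
	switch req.Header.Get("Authorization") {
	case "Bearer tok-bob":
		return &UserInfo{Name: "bob", Groups: []string{"dev"}}, true, nil
	case "Bearer tok-carol": // already carries the group; the adder must not duplicate it
		return &UserInfo{Name: "carol", Groups: []string{AllAuthenticated, "ops"}}, true, nil
	}
	return nil, false, nil
}

// BuildChain follows the review suggestion: proxy (required here), group adder over the rest, anonymous.
func BuildChain(proxy Authenticator, anonymous bool, others ...Authenticator) Authenticator {
	top := []Authenticator{proxy}
	if len(others) > 0 {
		top = append(top, GroupAdder(UnionFailOnError(others...), AllAuthenticated))
	}
	if anonymous {
		top = append(top, func(*http.Request) (*UserInfo, bool, error) {
			return &UserInfo{Name: AnonymousUser, Groups: []string{AllUnauthenticated}}, true, nil
		})
	}
	return UnionFailOnError(top...)
}

// Authenticate runs the sample chain over a request carrying the given headers.
func Authenticate(headers map[string]string) (*UserInfo, bool, error) {
	req, _ := http.NewRequest("GET", "http://example.invalid/api", nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	return BuildChain(ProxyHeaderAuth, true, BearerAuth)(req)
}
```

Call Authenticate with a header map to exercise a case: a proxy-verified request without X-Remote-User returns the error and never reaches the anonymous authenticator, a proxy asserting system:anonymous with system:unauthenticated comes back untouched because the proxy sits outside the group adder, and tok-carol keeps a single system:authenticated entry. Header.Values needs Go 1.14 or later.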