-
Notifications
You must be signed in to change notification settings - Fork 38.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix 401/403 apiserver errors do not return 'Status' objects #47384
Conversation
6a6b608
to
7e12adc
Compare
@shiywang looks good. Can you add tests for both filter cases? Just add them below https://github.com/kubernetes/kubernetes/blob/ef7d63818fab7aeb3d356b46d3b0dddfd524b9c3/test/integration/master/master_test.go#L114-L114. |
@sttts testcase added, I also add another filter cases, but seems one unit test failed due to here 0025b07#diff-6445bd63d178373b50fc083b9a043d0bR72 |
return | ||
} | ||
|
||
gv := schema.GroupVersion{Group: requestInfo.APIGroup, Version: requestInfo.APIVersion} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
would move this below the if
glog.V(4).Infof("Forbidden: %#v, Reason: %q", req.RequestURI, reason) | ||
responsewriters.Forbidden(attributes, w, req, reason) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
would it be feasible to modify responsewriters.Forbidden
with the Status
code? There might be more places where we call it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hi @sttts I try to modify responsewriters.Forbidden
, but I think that would make it almost like responsewriters.ErrorNegotiated
, so do you think we can keep it ? I checked, and there's no other places invoke responsewriters.Forbidden
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is this msg := sanitizer.Replace(forbiddenMessage(attributes))
line. We should preserve that. How do the error messages differ now from the old message?
@@ -76,24 +98,6 @@ func WithAuthentication(handler http.Handler, mapper genericapirequest.RequestCo | |||
) | |||
} | |||
|
|||
func Unauthorized(supportsBasicAuth bool) http.HandlerFunc { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what about adding the mapper and serializer to this function? Then we can keep the (now failing) unit tests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated, how do you think about now ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks good
1dd2069
to
dc0fef5
Compare
t.Errorf("unexpected status %q, expected %q", got, expected) | ||
} | ||
if got, expected := decodedData["code"], float64(tc.statusCode); got != expected { | ||
t.Errorf("unexpected code %v, expected %v", got, expected) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we also test reason
and message
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
0abef4a
to
d319f7a
Compare
@k8s-bot pull-kubernetes-federation-e2e-gce test this |
@@ -64,18 +67,20 @@ func TestForbidden(t *testing.T) { | |||
attributes authorizer.Attributes | |||
reason string | |||
}{ | |||
{`User "NAME" cannot GET path "/whatever".`, | |||
{"{\"metadata\":{},\"status\":\"Failure\",\"message\":\" \\\"\\\" is forbidden: User \\\"NAME\\\" cannot GET path \\\"/whatever\\\".\",\"reason\":\"Forbidden\",\"details\":{},\"code\":403}\n", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With backticks you can make this more readible.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
statusCode: http.StatusForbidden, | ||
reqPath: "/apis", | ||
reason: "Forbidden", | ||
message: " \"\" is forbidden: User \"\" cannot get path \"/apis\".: \"Everything is forbidden.\"", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
backticks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
Looks good overall. /cc @k8s-mirror-api-machinery-api-reviews please take a look that this is what we want. @smarterclayton @liggitt do you see any issues with existing clients? This changes how errors are returned. Also: do we disclose anything with these more verbose 403 errors that we don't want to? |
/test pull-kubernetes-unit |
I think that because we are returning more structured errors, and there was no guarantee that another proxy couldn't be introduced (such as api aggregation), anyone expecting a generic error was already broken. In practice, most people are either gracefully handling our structured error (but would be surprised if we returned a generic error), can handle both, or check status code first and everything else is gravy. So I don't think this has an issue from API compat that (for instance) changing 200 -> 201 did. |
It looks like this handles negotiation properly, which was my primary concern (took a while in 1.5 to get that sorted). So at first glance I don't see anything concerning. |
@shiywang please squash |
/approve |
/test pull-kubernetes-federation-e2e-gce |
@sttts ok to merge ? |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: shiywang, sttts Associated issue: 45970 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
/test pull-kubernetes-unit |
Automatic merge from submit-queue (batch tested with PRs 48383, 47384) |
kubernetes#47384 makes 403 errors return Status Object. How the Content-Type is still "text/plain" This change fix it.
Automatic merge from submit-queue Fix invalid Content-Type for 403 error #47384 makes 403 errors return Status Object. However the Content-Type is still "text/plain" This change fixes it. Before this change: kubectl get pods --as=tom Error from server (Forbidden): {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"\" is forbidden: User \"tom\" cannot list pods in the namespace \"default\".","reason":"Forbidden","details":{"kind":"pods"},"code":403} (get pods) After this change: $ kubectl get pods --as=tom Error from server (Forbidden): pods "" is forbidden: User "tom" cannot list pods in the namespace "default". **What this PR does / why we need it**: **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: **Release note**: ``` NONE ```
kubernetes/kubernetes#47384 makes 403 errors return Status Object. How the Content-Type is still "text/plain" This change fix it. Kubernetes-commit: 36e0a5ed14ae0fb9fd88980f0fce57d076216e2e
kubernetes/kubernetes#47384 makes 403 errors return Status Object. How the Content-Type is still "text/plain" This change fix it. Kubernetes-commit: 36e0a5ed14ae0fb9fd88980f0fce57d076216e2e
kubernetes#47384 makes 403 errors return Status Object. How the Content-Type is still "text/plain" This change fix it.
fixes #45970