Fix 401/403 apiserver errors do not return 'Status' objects #47384
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-github-robot
added
size/S
shiywang
changed the title
k8s-github-robot
added
size/M
shiywang
force-pushed
the
api403
branch
2 times, most recently
from
6a6b608
to
7e12adc
Compare
|
@shiywang looks good. Can you add tests for both filter cases? Just add them below https://github.com/kubernetes/kubernetes/blob/ef7d63818fab7aeb3d356b46d3b0dddfd524b9c3/test/integration/master/master_test.go#L114-L114. |
k8s-github-robot
added
size/L
shiywang
changed the title
|
@sttts testcase added, I also add another filter cases, but seems one unit test failed due to here 0025b07#diff-6445bd63d178373b50fc083b9a043d0bR72 |
| return | ||
| } | ||
|
|
||
| gv := schema.GroupVersion{Group: requestInfo.APIGroup, Version: requestInfo.APIVersion} |
There was a problem hiding this comment.
would move this below the if
| glog.V(4).Infof("Forbidden: %#v, Reason: %q", req.RequestURI, reason) | ||
| responsewriters.Forbidden(attributes, w, req, reason) |
There was a problem hiding this comment.
would it be feasible to modify responsewriters.Forbidden with the Status code? There might be more places where we call it.
There was a problem hiding this comment.
hi @sttts I try to modify responsewriters.Forbidden, but I think that would make it almost like responsewriters.ErrorNegotiated, so do you think we can keep it ? I checked, and there's no other places invoke responsewriters.Forbidden
There was a problem hiding this comment.
There is this msg := sanitizer.Replace(forbiddenMessage(attributes)) line. We should preserve that. How do the error messages differ now from the old message?
| @@ -76,24 +98,6 @@ func WithAuthentication(handler http.Handler, mapper genericapirequest.RequestCo | |||
| ) | |||
| } | |||
|
|
|||
| func Unauthorized(supportsBasicAuth bool) http.HandlerFunc { | |||
There was a problem hiding this comment.
what about adding the mapper and serializer to this function? Then we can keep the (now failing) unit tests.
There was a problem hiding this comment.
updated, how do you think about now ?
shiywang
force-pushed
the
api403
branch
3 times, most recently
from
1dd2069
to
dc0fef5
Compare
| t.Errorf("unexpected status %q, expected %q", got, expected) | ||
| } | ||
| if got, expected := decodedData["code"], float64(tc.statusCode); got != expected { | ||
| t.Errorf("unexpected code %v, expected %v", got, expected) |
There was a problem hiding this comment.
can we also test reason and message?
shiywang
force-pushed
the
api403
branch
4 times, most recently
from
0abef4a
to
d319f7a
Compare
|
@k8s-bot pull-kubernetes-federation-e2e-gce test this |
| @@ -64,18 +67,20 @@ func TestForbidden(t *testing.T) { | |||
| attributes authorizer.Attributes | |||
| reason string | |||
| }{ | |||
| {`User "NAME" cannot GET path "/whatever".`, | |||
| {"{\"metadata\":{},\"status\":\"Failure\",\"message\":\" \\\"\\\" is forbidden: User \\\"NAME\\\" cannot GET path \\\"/whatever\\\".\",\"reason\":\"Forbidden\",\"details\":{},\"code\":403}\n", | |||
There was a problem hiding this comment.
With backticks you can make this more readible.
| statusCode: http.StatusForbidden, | ||
| reqPath: "/apis", | ||
| reason: "Forbidden", | ||
| message: " \"\" is forbidden: User \"\" cannot get path \"/apis\".: \"Everything is forbidden.\"", |
|
Looks good overall. /cc @k8s-mirror-api-machinery-api-reviews please take a look that this is what we want. @smarterclayton @liggitt do you see any issues with existing clients? This changes how errors are returned. Also: do we disclose anything with these more verbose 403 errors that we don't want to? |
|
/test pull-kubernetes-unit |
|
I think that because we are returning more structured errors, and there was no guarantee that another proxy couldn't be introduced (such as api aggregation), anyone expecting a generic error was already broken. In practice, most people are either gracefully handling our structured error (but would be surprised if we returned a generic error), can handle both, or check status code first and everything else is gravy. So I don't think this has an issue from API compat that (for instance) changing 200 -> 201 did. |
|
It looks like this handles negotiation properly, which was my primary concern (took a while in 1.5 to get that sorted). So at first glance I don't see anything concerning. |
sttts
added
release-note-none
|
@shiywang please squash |
|
/approve |
k8s-github-robot
added
the
approved
|
/test pull-kubernetes-federation-e2e-gce |
|
@sttts ok to merge ? |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: shiywang, sttts Associated issue: 45970 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
/test pull-kubernetes-unit |
|
Automatic merge from submit-queue (batch tested with PRs 48383, 47384) |
kubernetes#47384 makes 403 errors return Status Object. How the Content-Type is still "text/plain" This change fix it.
Automatic merge from submit-queue Fix invalid Content-Type for 403 error #47384 makes 403 errors return Status Object. However the Content-Type is still "text/plain" This change fixes it. Before this change: kubectl get pods --as=tom Error from server (Forbidden): {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"\" is forbidden: User \"tom\" cannot list pods in the namespace \"default\".","reason":"Forbidden","details":{"kind":"pods"},"code":403} (get pods) After this change: $ kubectl get pods --as=tom Error from server (Forbidden): pods "" is forbidden: User "tom" cannot list pods in the namespace "default". **What this PR does / why we need it**: **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: **Release note**: ``` NONE ```
kubernetes/kubernetes#47384 makes 403 errors return Status Object. How the Content-Type is still "text/plain" This change fix it. Kubernetes-commit: 36e0a5ed14ae0fb9fd88980f0fce57d076216e2e
kubernetes/kubernetes#47384 makes 403 errors return Status Object. How the Content-Type is still "text/plain" This change fix it. Kubernetes-commit: 36e0a5ed14ae0fb9fd88980f0fce57d076216e2e
kubernetes#47384 makes 403 errors return Status Object. How the Content-Type is still "text/plain" This change fix it.
fixes #45970