Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

audit newest impersonated user info in the ResponseStarted, ResponseComplete audit stage #48184

Merged
merged 1 commit into from Sep 3, 2017
Merged

audit newest impersonated user info in the ResponseStarted, ResponseComplete audit stage #48184

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 1 addition & 1 deletion staging/src/k8s.io/apiserver/pkg/audit/BUILD
View file
Open in desktop
Expand Up @@ -20,7 +20,6 @@ go_library(
"//vendor/github.com/golang/glog:go_default_library",
"//vendor/github.com/pborman/uuid:go_default_library",
"//vendor/github.com/prometheus/client_golang/prometheus:go_default_library",
"//vendor/k8s.io/api/authentication/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
Expand All @@ -31,6 +30,7 @@ go_library(
"//vendor/k8s.io/apiserver/pkg/apis/audit:go_default_library",
"//vendor/k8s.io/apiserver/pkg/apis/audit/v1alpha1:go_default_library",
"//vendor/k8s.io/apiserver/pkg/apis/audit/v1beta1:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
],
)
Expand Down
37 changes: 17 additions & 20 deletions staging/src/k8s.io/apiserver/pkg/audit/request.go
View file
Open in desktop
Expand Up @@ -20,22 +20,21 @@ import (
"bytes"
"fmt"
"net/http"
"strings"
"time"

"github.com/golang/glog"
"github.com/pborman/uuid"

"reflect"

authenticationv1 "k8s.io/api/authentication/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/types"
utilnet "k8s.io/apimachinery/pkg/util/net"
"k8s.io/apiserver/pkg/apis/audit"
auditinternal "k8s.io/apiserver/pkg/apis/audit"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
)

Expand Down Expand Up @@ -73,24 +72,6 @@ func NewEventFromRequest(req *http.Request, level auditinternal.Level, attribs a
ev.User.UID = user.GetUID()
}

if asuser := req.Header.Get(authenticationv1.ImpersonateUserHeader); len(asuser) > 0 {
ev.ImpersonatedUser = &auditinternal.UserInfo{
Username: asuser,
}
if requestedGroups := req.Header[authenticationv1.ImpersonateGroupHeader]; len(requestedGroups) > 0 {
ev.ImpersonatedUser.Groups = requestedGroups
}

ev.ImpersonatedUser.Extra = map[string]auditinternal.ExtraValue{}
for k, v := range req.Header {
if !strings.HasPrefix(k, authenticationv1.ImpersonateUserExtraHeaderPrefix) {
continue
}
k = k[len(authenticationv1.ImpersonateUserExtraHeaderPrefix):]
ev.ImpersonatedUser.Extra[k] = auditinternal.ExtraValue(v)
}
}

if attribs.IsResourceRequest() {
ev.ObjectRef = &auditinternal.ObjectReference{
Namespace: attribs.GetNamespace(),
Expand All @@ -104,6 +85,22 @@ func NewEventFromRequest(req *http.Request, level auditinternal.Level, attribs a
return ev, nil
}

// LogImpersonatedUser fills in the impersonated user attributes into an audit event.
func LogImpersonatedUser(ae *auditinternal.Event, user user.Info) {
if ae == nil || ae.Level.Less(audit.LevelMetadata) {
return
}
ae.ImpersonatedUser = &auditinternal.UserInfo{
Username: user.GetName(),
}
ae.ImpersonatedUser.Groups = user.GetGroups()
ae.ImpersonatedUser.UID = user.GetUID()
ae.ImpersonatedUser.Extra = map[string]auditinternal.ExtraValue{}
for k, v := range user.GetExtra() {
ae.ImpersonatedUser.Extra[k] = auditinternal.ExtraValue(v)
}
}

// LogRequestObject fills in the request object into an audit event. The passed runtime.Object
// will be converted to the given gv.
func LogRequestObject(ae *audit.Event, obj runtime.Object, gvr schema.GroupVersionResource, subresource string, s runtime.NegotiatedSerializer) {
Expand Down
4 changes: 4 additions & 0 deletions staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation.go
View file
Open in desktop
Expand Up @@ -27,6 +27,7 @@ import (
authenticationv1 "k8s.io/api/authentication/v1"
"k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apiserver/pkg/audit"
"k8s.io/apiserver/pkg/authentication/serviceaccount"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
Expand Down Expand Up @@ -133,6 +134,9 @@ func WithImpersonation(handler http.Handler, requestContextMapper request.Reques
oldUser, _ := request.UserFrom(ctx)
httplog.LogOf(req, w).Addf("%v is acting as %v", oldUser, newUser)

ae := request.AuditEventFrom(ctx)
audit.LogImpersonatedUser(ae, newUser)

// clear all the impersonation headers from the request
req.Header.Del(authenticationv1.ImpersonateUserHeader)
req.Header.Del(authenticationv1.ImpersonateGroupHeader)
Expand Down