
Fix: CloudShell read-only authorization is not automatically revoked #4495

Merged
merged 3 commits into from Jul 29, 2022

Conversation

barnettZQG
Collaborator

Signed-off-by: barnettZQG barnett.zqg@gmail.com

Description of your changes

The role is only bound to the group; the user is bound to the group and gets permissions. The relationship between the user and the group is saved to the cert in the Kube config, which will be updated before the cloud shell environment is created.

Fixes #4489

I have:

  • Read and followed KubeVela's contribution process.
  • Related Docs updated properly. In a new feature or configuration option, an update to the documentation is necessary.
  • Run make reviewable to ensure this PR is ready for review.
  • Added backport release-x.y labels to auto-backport this PR if necessary.

Special notes for your reviewer

/cc @wonderflow
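Added example (Go, not KubeVela's own code) of the mechanism the description relies on: a kubeconfig client certificate carries the user name in the subject CN and the groups in the subject O entries, so the group membership at issue time is frozen into the cert and survives later RBAC changes until the cert is reissued. The user and group names are constructed; a real kubeconfig stores this certificate base64-encoded as PEM under client-certificate-data, so it would be decoded first.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IssueClientCert mints a DER client certificate whose subject carries the Kubernetes
// identity the API server reads: CN is the user name, each O entry is a group.
// Self-signed only so the example runs offline; a cluster signs with its CA.
func IssueClientCert(user string, groups []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: user, Organization: groups},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// StaleGroups returns the groups an issued cert still carries that are absent from the
// user's current group set (constructed names in the test). A client cert cannot be
// revoked, so a non-empty result means the kubeconfig must be reissued first.
func StaleGroups(certDER []byte, current []string) (string, []string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", nil, err
	}
	keep := map[string]bool{}
	for _, g := range current {
		keep[g] = true
	}
	var stale []string
	for _, g := range cert.Subject.Organization {
		if !keep[g] {
			stale = append(stale, g)
		}
	}
	return cert.Subject.CommonName, stale, nil
}
```

This is the check that motivates rebuilding the kubeconfig before the shell environment is created: if the cert embedded in the old config lists a group the user no longer belongs to, the old environment keeps that access.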

Signed-off-by: barnettZQG <barnett.zqg@gmail.com>
@barnettZQG added the label backport release-1.5 (adding this label automatically backports this PR to the release-1.5 branch) on Jul 28, 2022

codecov bot commented Jul 28, 2022

Codecov Report

Merging #4495 (79bd974) into master (b95980a) will decrease coverage by 0.00%.
The diff coverage is 48.14%.

@@            Coverage Diff             @@
##           master    #4495      +/-   ##
==========================================
- Coverage   61.50%   61.50%   -0.01%     
==========================================
  Files         348      348              
  Lines       34510    34554      +44     
==========================================
+ Hits        21227    21253      +26     
- Misses      10520    10543      +23     
+ Partials     2763     2758       -5     
Flag                    Coverage   Δ
apiserver-e2etests      27.47%     <20.37%> (+0.03%) ⬆️
apiserver-unittests     40.23%     <39.02%> (-0.05%) ⬇️
core-unittests          56.45%     <0.00%>  (-0.10%) ⬇️
e2e-multicluster-test   19.69%     <2.50%>  (-0.07%) ⬇️
e2e-rollout-tests       22.85%     <0.00%>  (-0.08%) ⬇️
e2etests                29.49%     <0.00%>  (+0.13%) ⬆️


Impacted Files                                          Coverage   Δ
pkg/apiserver/utils/auth.go                             47.05%     <ø>       (ø)
pkg/auth/privileges.go                                  66.92%     <23.07%>  (-2.13%) ⬇️
pkg/apiserver/interfaces/api/cloudshell.go              50.00%     <50.00%>  (ø)
pkg/apiserver/domain/service/cloudshell.go              60.71%     <57.69%>  (+0.37%) ⬆️
pkg/apiserver/domain/service/rbac.go                    69.95%     <100.00%> (ø)
pkg/addon/registry.go                                   37.34%     <0.00%>   (-15.67%) ⬇️
...aits/traitdefinition/traitdefinition_controller.go   70.52%     <0.00%>   (-7.37%) ⬇️
pkg/workflow/providers/multicluster/deploy.go           78.02%     <0.00%>   (-2.20%) ⬇️
pkg/apiserver/event/sync/convert/convert.go             81.02%     <0.00%>   (-2.19%) ⬇️
...kg/workflow/providers/multicluster/multicluster.go   81.25%     <0.00%>   (-2.09%) ⬇️
... and 15 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

Signed-off-by: barnettZQG <barnett.zqg@gmail.com>
@@ -61,6 +61,14 @@ func (c *CloudShellAPIInterface) GetWebServiceRoute() *restful.WebService {
Returns(400, "Bad Request", bcode.Bcode{}).
Writes(apis.CloudShellPrepareResponse{}).Do(returns200, returns500))

ws.Route(ws.DELETE("/").To(c.destroyCloudShell).
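Review bot: the new `ws.Route(ws.DELETE("/").To(c.destroyCloudShell).` route is cut off at the end of this hunk, so it is not visible whether it declares its responses the way the prepare route just above it does with `Returns(400, "Bad Request", bcode.Bcode{})` and `.Do(returns200, returns500)`; please make sure the destroy route carries the same `Returns`/`Doc` metadata so the endpoint and its error codes show up in the generated API spec. Since the PR relies on destroy-and-recreate as the way a user picks up revoked permissions, it is also worth confirming in `destroyCloudShell` that the call only tears down the calling user's own environment.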
Collaborator

Who will invoke this API to destroy?

Collaborator Author

Users could destroy the cloud shell environment and recreate it; this could get the new permissions.

Signed-off-by: barnettZQG <barnett.zqg@gmail.com>
@github-actions

Successfully created backport PR #4503 for release-1.5.
