-
Notifications
You must be signed in to change notification settings - Fork 84
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
User Impersonation Implementation #428
Conversation
b528b33
to
ded8da9
Compare
To Test
Will use the admin user for the user info. You will also need to specifically give asb access to create and delete. This will be added to the template in this PR. but example of the cluster role is kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
# "namespace" omitted since ClusterRoles are not namespaced
name: project-creator
rules:
- apiGroups: ["project.openshift.io"]
resources: ["projects"]
verbs: ["create", "delete"]
- apiGroups: ["authorization.openshift.io"]
resources: ["subjectrulesreview"]
verbs: ["create"]
and cluster role binding kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: create-projects-asb
subjects:
- kind: ServiceAccount
name: asb
namespace: ansible-service-broker
roleRef:
kind: ClusterRole
name: project-creator
apiGroup: rbac.authorization.k8s.io |
This will need to be run with 3.7. It is the only way that this will work. |
@openshift/sig-security It might be a bit before I have a chance to look at this. |
@enj The reason for the v1 |
At the very least, use the grouped version of openshift APIs, e.g. |
4baea70
to
7028ad1
Compare
@liggitt @enj I have updated the template to use the grouped version of the openshift APIs. @jwmatthews this still works with the 3.6 version of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The github UI is unbearable for this review. I just cloned the repo and looked at it through tig instead. I didn't see anything glaring, the glide.yaml will be different than what I have for my work, but I can deal with that when the time comes. All in all, great work.
Added #429 to capture moving all of the template yaml to RBAC API versions when we make the cut to 3.7. |
7028ad1
to
2fcbbbd
Compare
bce5c9c
to
0cdfd17
Compare
pkg/clients/openshift.go
Outdated
func (o OpenshiftClient) SubjectRulesReview(user, namespace string, log *logging.Logger) (result *authorization.SubjectRulesReview, err error) { | ||
body := &SubjectRulesReview{ | ||
Spec: SubjectRulesReviewSpec{ | ||
User: "admin", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
change to user
Service Catalog 0.0.21 will send the Originating User header to us. Full end to end testing of this PR is waiting for below to merge into origin: |
0cdfd17
to
eb0aa1f
Compare
pkg/apb/executor.go
Outdated
// Create namespace. | ||
namespace := v1.Namespace{ | ||
ObjectMeta: metav1.ObjectMeta{ | ||
Labels: map[string]string{transientNameSpaceKey: spec.FQName}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@enj creating namespaces and adding the metadata about which APB started the namespace.
pkg/app/app.go
Outdated
err = authorization.ConvertRBACClusterRoleToAuthorizationClusterRole(k8sRole, cRole, nil) | ||
if err != nil { | ||
rbacClusterRole := rbac.ClusterRole{} | ||
if v1beta1rbac.Convert_v1beta1_ClusterRole_To_rbac_ClusterRole(k8sRole, &rbacClusterRole, nil); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@enj Getting v1beta1 RBAC rules to RBAC rules.
pkg/clients/openshift.go
Outdated
result.Kind = r.Kind | ||
result.APIVersion = r.APIVersion | ||
return | ||
return authorization.ConvertAPIPolicyRulesToRBACPolicyRules(pr), nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@enj Converting API Policy Rules to RBAC Policy rules
pkg/handler/handler.go
Outdated
if err != nil { | ||
return false, http.StatusInternalServerError, fmt.Errorf("Unable to connect to the cluster") | ||
} | ||
if covered, _ := authorization.Covers(res.Status.Rules, h.clusterRoleRules); !covered { | ||
if covered, _ := validation.Covers(prs, h.clusterRoleRules); !covered { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@enj Using k8s RBAC validation
@@ -32,10 +32,10 @@ objects: | |||
apiVersion: authorization.openshift.io/v1 | |||
metadata: | |||
# "namespace" omitted since ClusterRoles are not namespaced | |||
name: project-creator | |||
name: asb-auth |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@enj Renamed role to something that makes a little more sense
62e80a8
to
c8be8d4
Compare
LGTM There are some followup items but this is in line with our discussions. |
* Using 1.7 request context to pass user info to handler func. * Caching retrieved Cluster Role Rules in the handler. * refactor the cover code to send back errors before async provision can occur * making tests work
Adding back tests by auto escalating user. Will validate the user info from context works. Updating configuration
adding apb check for each call that could launch an APB.
* We must give asb access to subjectrulesreview as well as create projects.
…ror. * can override by specifing auto_escalate to true.
…o true * adding ability for template to set the auto_escalate feature * setting to true so that 3.6 works out of the box.
* moving all policy rules and cover check to kubernetes rbac. * remove project creation and deletion * adding ability to create namespaces instead of projects. * adding labels for metadata
74fdcbf
to
84086d9
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only a few small nits. Nice job!
@@ -27,7 +27,7 @@ objects: | |||
metadata: | |||
name: asb | |||
namespace: ansible-service-broker | |||
|
|||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we strip trailing whitespace in this file?
pkg/clients/openshift.go
Outdated
|
||
// Openshift - Create a new openshift client if needed, returns reference | ||
func Openshift(log *logging.Logger) (*OpenshiftClient, error) { | ||
errMsg := "Something went wrong while initializing kubernetes client!\n" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/kubernetes/openshift/
pkg/clients/openshift.go
Outdated
instances.Openshift = client | ||
}) | ||
if instances.Openshift == nil { | ||
return nil, errors.New("Kubernetes client instance is nil") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/Kubernetes/Openshift
pkg/apb/svc_acct.go
Outdated
@@ -219,30 +222,24 @@ func (s *ServiceAccountManager) createFile(handle string) (string, error) { | |||
} | |||
|
|||
// DestroyApbSandbox - Destroys the apb sandbox | |||
func (s *ServiceAccountManager) DestroyApbSandbox(executionContext ExecutionContext) error { | |||
func (s *ServiceAccountManager) DestroyApbSandbox(executionContext ExecutionContext, clusterConfig ClusterConfig) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of passing in the ClusterConfig object just pass in the namespace.
} | ||
|
||
// SubjectRulesReview is a resource you can create to determine which actions another user can perform in a namespace | ||
type SubjectRulesReview struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would prefer all the types in a types.go
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'll move away from types.go. Ignore this comment
* adding ability for executor to create a project * adding openshift client * attempting to add neccessary orgin code to test users rules * working origin authorizer * adding ability to get user info from header. * Adding retrieval of Originating user from header * Using 1.7 request context to pass user info to handler func. * Caching retrieved Cluster Role Rules in the handler. * refactor the cover code to send back errors before async provision can occur * making tests work * Adding auto escalate configuration value. Adding back tests by auto escalating user. Will validate the user info from context works. Updating configuration * Moving handler code to it's own handler. * more refactoring to make it cleaner adding apb check for each call that could launch an APB. * fixing bugs * adding ability to delete project and clean up. * re-implement correct error handling for service instance not found * Updating handler log statements so they are not as bad * Updating deploy template to account for the new cluster role. * We must give asb access to subjectrulesreview as well as create projects. * Checking if cluster roles are retrievable otherwise throw 3.7 only error. * can override by specifing auto_escalate to true. * adding ability for old service catalog to work w/ auto_escalate set to true * adding ability for template to set the auto_escalate feature * setting to true so that 3.6 works out of the box. * Fixing golint errors for the openshift client * addressing PR Review from mo * moving all policy rules and cover check to kubernetes rbac. * remove project creation and deletion * adding ability to create namespaces instead of projects. * adding labels for metadata * fixing go lint issues * changing template to a temp lastest template * rebase and fixing build * update bassed on pr comments * updating based on review comments
Describe what this PR does and why we need it:
This PR will allow us to check for users ability to run the APB, will run APB in transient name space that will hide the escalated permissions.
Changes proposed in this pull request
Does this PR depend on another PR (Use this to track when PRs should be merged)
depends-on
kubernetes-retired/service-catalog#1162
Note:
This PR will depend on using openshift 3.7