User Impersonation Implementation #428
Conversation
shawn-hurley
force-pushed
the
sec-user-imprs
branch
2 times, most recently
from
b528b33
to
ded8da9
Compare
shawn-hurley
changed the title
shawn-hurley
changed the title
To Test
Will use the admin user for the user info. You will also need to specifically give asb access to create and delete. This will be added to the template in this PR. but example of the cluster role is kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
# "namespace" omitted since ClusterRoles are not namespaced
name: project-creator
rules:
- apiGroups: ["project.openshift.io"]
resources: ["projects"]
verbs: ["create", "delete"]
- apiGroups: ["authorization.openshift.io"]
resources: ["subjectrulesreview"]
verbs: ["create"]
and cluster role binding kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: create-projects-asb
subjects:
- kind: ServiceAccount
name: asb
namespace: ansible-service-broker
roleRef:
kind: ClusterRole
name: project-creator
apiGroup: rbac.authorization.k8s.io |
|
This will need to be run with 3.7. It is the only way that this will work. |
shawn-hurley
changed the title
|
@openshift/sig-security It might be a bit before I have a chance to look at this. |
|
@enj The reason for the v1 |
At the very least, use the grouped version of openshift APIs, e.g. |
shawn-hurley
force-pushed
the
sec-user-imprs
branch
from
4baea70
to
7028ad1
Compare
|
@liggitt @enj I have updated the template to use the grouped version of the openshift APIs. @jwmatthews this still works with the 3.6 version of |
There was a problem hiding this comment.
The github UI is unbearable for this review. I just cloned the repo and looked at it through tig instead. I didn't see anything glaring, the glide.yaml will be different than what I have for my work, but I can deal with that when the time comes. All in all, great work.
|
Added #429 to capture moving all of the template yaml to RBAC API versions when we make the cut to 3.7. |
shawn-hurley
force-pushed
the
sec-user-imprs
branch
from
7028ad1
to
2fcbbbd
Compare
shawn-hurley
force-pushed
the
sec-user-imprs
branch
from
bce5c9c
to
0cdfd17
Compare
pkg/clients/openshift.go
Outdated
| func (o OpenshiftClient) SubjectRulesReview(user, namespace string, log *logging.Logger) (result *authorization.SubjectRulesReview, err error) { | ||
| body := &SubjectRulesReview{ | ||
| Spec: SubjectRulesReviewSpec{ | ||
| User: "admin", |
There was a problem hiding this comment.
change to user
|
Service Catalog 0.0.21 will send the Originating User header to us. Full end to end testing of this PR is waiting for below to merge into origin: |
shawn-hurley
force-pushed
the
sec-user-imprs
branch
from
0cdfd17
to
eb0aa1f
Compare
pkg/apb/executor.go
Outdated
| // Create namespace. | ||
| namespace := v1.Namespace{ | ||
| ObjectMeta: metav1.ObjectMeta{ | ||
| Labels: map[string]string{transientNameSpaceKey: spec.FQName}, |
There was a problem hiding this comment.
@enj creating namespaces and adding the metadata about which APB started the namespace.
pkg/app/app.go
Outdated
| err = authorization.ConvertRBACClusterRoleToAuthorizationClusterRole(k8sRole, cRole, nil) | ||
| if err != nil { | ||
| rbacClusterRole := rbac.ClusterRole{} | ||
| if v1beta1rbac.Convert_v1beta1_ClusterRole_To_rbac_ClusterRole(k8sRole, &rbacClusterRole, nil); err != nil { |
There was a problem hiding this comment.
@enj Getting v1beta1 RBAC rules to RBAC rules.
pkg/clients/openshift.go
Outdated
| result.Kind = r.Kind | ||
| result.APIVersion = r.APIVersion | ||
| return | ||
| return authorization.ConvertAPIPolicyRulesToRBACPolicyRules(pr), nil |
There was a problem hiding this comment.
@enj Converting API Policy Rules to RBAC Policy rules
pkg/handler/handler.go
Outdated
| if err != nil { | ||
| return false, http.StatusInternalServerError, fmt.Errorf("Unable to connect to the cluster") | ||
| } | ||
| if covered, _ := authorization.Covers(res.Status.Rules, h.clusterRoleRules); !covered { | ||
| if covered, _ := validation.Covers(prs, h.clusterRoleRules); !covered { |
There was a problem hiding this comment.
@enj Using k8s RBAC validation
| @@ -32,10 +32,10 @@ objects: | |||
| apiVersion: authorization.openshift.io/v1 | |||
| metadata: | |||
| # "namespace" omitted since ClusterRoles are not namespaced | |||
| name: project-creator | |||
| name: asb-auth | |||
There was a problem hiding this comment.
@enj Renamed role to something that makes a little more sense
shawn-hurley
force-pushed
the
sec-user-imprs
branch
from
62e80a8
to
c8be8d4
Compare
|
LGTM There are some followup items but this is in line with our discussions. |
* Using 1.7 request context to pass user info to handler func. * Caching retrieved Cluster Role Rules in the handler. * refactor the cover code to send back errors before async provision can occur * making tests work
Adding back tests by auto escalating user. Will validate the user info from context works. Updating configuration
adding apb check for each call that could launch an APB.
* We must give asb access to subjectrulesreview as well as create projects.
…ror. * can override by specifing auto_escalate to true.
…o true * adding ability for template to set the auto_escalate feature * setting to true so that 3.6 works out of the box.
* moving all policy rules and cover check to kubernetes rbac. * remove project creation and deletion * adding ability to create namespaces instead of projects. * adding labels for metadata
shawn-hurley
force-pushed
the
sec-user-imprs
branch
from
74fdcbf
to
84086d9
Compare
| @@ -27,7 +27,7 @@ objects: | |||
| metadata: | |||
| name: asb | |||
| namespace: ansible-service-broker | |||
|
|
|||
There was a problem hiding this comment.
Can we strip trailing whitespace in this file?
pkg/clients/openshift.go
Outdated
|
|
||
| // Openshift - Create a new openshift client if needed, returns reference | ||
| func Openshift(log *logging.Logger) (*OpenshiftClient, error) { | ||
| errMsg := "Something went wrong while initializing kubernetes client!\n" |
There was a problem hiding this comment.
s/kubernetes/openshift/
pkg/clients/openshift.go
Outdated
| instances.Openshift = client | ||
| }) | ||
| if instances.Openshift == nil { | ||
| return nil, errors.New("Kubernetes client instance is nil") |
pkg/apb/svc_acct.go
Outdated
| @@ -219,30 +222,24 @@ func (s *ServiceAccountManager) createFile(handle string) (string, error) { | |||
| } | |||
|
|
|||
| // DestroyApbSandbox - Destroys the apb sandbox | |||
| func (s *ServiceAccountManager) DestroyApbSandbox(executionContext ExecutionContext) error { | |||
| func (s *ServiceAccountManager) DestroyApbSandbox(executionContext ExecutionContext, clusterConfig ClusterConfig) error { | |||
There was a problem hiding this comment.
Instead of passing in the ClusterConfig object just pass in the namespace.
| } | ||
|
|
||
| // SubjectRulesReview is a resource you can create to determine which actions another user can perform in a namespace | ||
| type SubjectRulesReview struct { |
There was a problem hiding this comment.
Would prefer all the types in a types.go
There was a problem hiding this comment.
We'll move away from types.go. Ignore this comment
* adding ability for executor to create a project * adding openshift client * attempting to add neccessary orgin code to test users rules * working origin authorizer * adding ability to get user info from header. * Adding retrieval of Originating user from header * Using 1.7 request context to pass user info to handler func. * Caching retrieved Cluster Role Rules in the handler. * refactor the cover code to send back errors before async provision can occur * making tests work * Adding auto escalate configuration value. Adding back tests by auto escalating user. Will validate the user info from context works. Updating configuration * Moving handler code to it's own handler. * more refactoring to make it cleaner adding apb check for each call that could launch an APB. * fixing bugs * adding ability to delete project and clean up. * re-implement correct error handling for service instance not found * Updating handler log statements so they are not as bad * Updating deploy template to account for the new cluster role. * We must give asb access to subjectrulesreview as well as create projects. * Checking if cluster roles are retrievable otherwise throw 3.7 only error. * can override by specifing auto_escalate to true. * adding ability for old service catalog to work w/ auto_escalate set to true * adding ability for template to set the auto_escalate feature * setting to true so that 3.6 works out of the box. * Fixing golint errors for the openshift client * addressing PR Review from mo * moving all policy rules and cover check to kubernetes rbac. * remove project creation and deletion * adding ability to create namespaces instead of projects. * adding labels for metadata * fixing go lint issues * changing template to a temp lastest template * rebase and fixing build * update bassed on pr comments * updating based on review comments
Describe what this PR does and why we need it:
This PR will allow us to check for users ability to run the APB, will run APB in transient name space that will hide the escalated permissions.
Changes proposed in this pull request
Does this PR depend on another PR (Use this to track when PRs should be merged)
depends-on
kubernetes-retired/service-catalog#1162
Note:
This PR will depend on using openshift 3.7