/origin

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Admin role is not allowing the head verb #5973

Closed
simon3z opened this Issue Nov 19, 2015 · 4 comments

Comments

Assignees

@deads2k deads2k

Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@simon3z @deads2k @liggitt
@simon3z

simon3z commented Nov 19, 2015

The admin role (and probably other), cannot use the head verb:

curl -v -k -H 'Authorization: Bearer <token>' -X HEAD \
  https://<apiserver>:8443/api/v1/namespaces/<namespace>/pods/<pod>
< HTTP/1.1 403 Forbidden
< Cache-Control: no-store
< Content-Type: application/json
< Date: Thu, 19 Nov 2015 22:39:59 GMT
< Content-Length: 384

This may not be particularly interesting for the kubernetes/openshift api but it applies also to the proxy, effectively preventing admins from using head on any rest-api served by pods and services.

cc @deads2k @liggitt
@deads2k

This comment has been minimized.

Show comment
Hide comment
@deads2k

deads2k Nov 20, 2015

Contributor

I'm assuming this permission is leading to the ClusterRole here: https://github.com/simon3z/manageiq.org/blob/containers-docs/source/documentation/getting-started.html.md#service-accounts ?
Contributor

deads2k commented Nov 20, 2015

I'm assuming this permission is leading to the ClusterRole here: https://github.com/simon3z/manageiq.org/blob/containers-docs/source/documentation/getting-started.html.md#service-accounts ?
@deads2k

This comment has been minimized.

Show comment
Hide comment
@deads2k

deads2k Nov 20, 2015

Contributor

@liggitt You want to explicitly list the head verb or assume that our API works correctly and power to get implies power to head?
Contributor

deads2k commented Nov 20, 2015

@liggitt You want to explicitly list the head verb or assume that our API works correctly and power to get implies power to head?
@simon3z

This comment has been minimized.

Show comment
Hide comment
@simon3z

simon3z Nov 20, 2015

I'm assuming this permission is leading to the ClusterRole here:

@deads2k correct (there should be a note in that doc to this Issue).

@liggitt You want to explicitly list the head verb or assume that our API works correctly and power to get implies power to head

Adding head didn't work for me. Maybe I overlooked something (or maybe head is not expected as verb).

simon3z commented Nov 20, 2015

I'm assuming this permission is leading to the ClusterRole here:

@deads2k correct (there should be a note in that doc to this Issue).

@liggitt You want to explicitly list the head verb or assume that our API works correctly and power to get implies power to head

Adding head didn't work for me. Maybe I overlooked something (or maybe head is not expected as verb).

@deads2k deads2k referenced this issue Nov 20, 2015

Merged

UPSTREAM: 17567: handle the HEAD verb correctly for authorization #5985

@deads2k deads2k self-assigned this Nov 20, 2015

@deads2k deads2k referenced this issue Nov 20, 2015

Closed

containers: add initial documentation #249

@liggitt

This comment has been minimized.

Show comment
Hide comment
@liggitt

liggitt Nov 20, 2015

Contributor

@simon3z head method wasn't handled at all. https://github.com/openshift/origin/pull/5985/files#diff-d8a717a6f0dc0916348eea8de58caac5R505 maps it to "get" for API requests
Contributor

liggitt commented Nov 20, 2015

@simon3z head method wasn't handled at all. https://github.com/openshift/origin/pull/5985/files#diff-d8a717a6f0dc0916348eea8de58caac5R505 maps it to "get" for API requests

@openshift-bot openshift-bot closed this in #5985 Nov 21, 2015

@moortimis moortimis referenced this issue Feb 9, 2016

Closed

Cannot list all componentstatuses in the cluster #7140

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment