Admin role is not allowing the head verb #5973

Closed
simon3z opened this Issue Nov 19, 2015 · 4 comments

simon3z commented Nov 19, 2015

The admin role (and probably others) cannot use the head verb:

curl -v -k -H 'Authorization: Bearer <token>' -X HEAD \
  https://<apiserver>:8443/api/v1/namespaces/<namespace>/pods/<pod>
< HTTP/1.1 403 Forbidden
< Cache-Control: no-store
< Content-Type: application/json
< Date: Thu, 19 Nov 2015 22:39:59 GMT
< Content-Length: 384

This may not be particularly interesting for the kubernetes/openshift api but it applies also to the proxy, effectively preventing admins from using head on any rest-api served by pods and services.

cc @deads2k @liggitt

Contributor

deads2k commented Nov 20, 2015


Contributor

deads2k commented Nov 20, 2015

@liggitt You want to explicitly list the head verb or assume that our API works correctly and power to get implies power to head?


simon3z commented Nov 20, 2015

> I'm assuming this permission is leading to the ClusterRole here:

@deads2k correct (there should be a note in that doc to this Issue).

> @liggitt You want to explicitly list the head verb or assume that our API works correctly and power to get implies power to head

Adding head didn't work for me. Maybe I overlooked something (or maybe head is not expected as a verb).


Contributor

liggitt commented Nov 20, 2015

@simon3z head method wasn't handled at all. https://github.com/openshift/origin/pull/5985/files#diff-d8a717a6f0dc0916348eea8de58caac5R505 maps it to "get" for API requests
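
As an added illustration (not code from this thread or from OpenShift), the Go sketch below models an authorizer that derives its verb from the HTTP method: while HEAD is unhandled the request is denied even for a role that can get pods, and mapping HEAD to "get" makes it follow the get permission. The `Rule` type, `verbFor`, `Authorize` and the choice of an empty verb for an unhandled method are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
)

// Rule is a simplified stand-in for one role rule (not the OpenShift type).
type Rule struct {
	Resource string
	Verbs    map[string]bool
}

// verbFor derives the authorization verb from the HTTP method. With
// mapHead=false HEAD is unhandled and yields "" (assumed representation);
// with mapHead=true HEAD is authorized as "get".
func verbFor(method string, mapHead bool) string {
	switch method {
	case http.MethodGet:
		return "get"
	case http.MethodHead:
		if mapHead {
			return "get"
		}
	case http.MethodPost:
		return "create"
	case http.MethodPut:
		return "update"
	case http.MethodDelete:
		return "delete"
	}
	return "" // no verb derived, so no rule can match
}

// Authorize is default-deny: 200 only if some rule grants the derived verb.
func Authorize(rules []Rule, method, resource string, mapHead bool) int {
	verb := verbFor(method, mapHead)
	for _, r := range rules {
		if verb != "" && r.Resource == resource && r.Verbs[verb] {
			return http.StatusOK
		}
	}
	return http.StatusForbidden
}

func main() {
	// Constructed role: read access to pods, with "head" listed as well.
	admin := []Rule{{Resource: "pods", Verbs: map[string]bool{"get": true, "head": true}}}
	fmt.Println(Authorize(admin, "HEAD", "pods", false)) // HEAD unhandled
	fmt.Println(Authorize(admin, "HEAD", "pods", true))  // HEAD mapped to get
}
```

In this model, listing "head" in the rule changes nothing, because no request ever derives that verb; only the method-to-verb mapping decides the outcome.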
