-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
prevent privilege escalation #1051
prevent privilege escalation #1051
Conversation
2ade5dd
to
756c84c
Compare
@smarterclayton comments up to "prevent escalation" addressed. |
c91da28
to
dfedde7
Compare
@smarterclayton created a rolebinding.Registry to abstract out the ugly from rolebinding/rest.go. It felt more registry-like. If you agree with the approach, I'll fill in unit tests. |
Plumbed kapi.Context through the authorizer. I think it really hurts readability, especially in places where there is logically more than one context in play and in places where only part of the context is used. It ends up reading like a magic container. @liggitt Your thoughts on the "plumb context through authorizer" commit? |
@smarterclayton I think I made it through all the comments. The only one I don't feel good about is plumbing context through the authorizer. It feels like I've gone from a way of passing arguments that allows the compiler to ensure that I'm passing the correct data where its required and I've replaced with with a way of passing through a data object that is mostly blackblox, that sometimes needs certain fields and sometimes needs others, and destroys the compiler's ability to help me write valid code without having runtime failures. |
d7f6dd4
to
2fa2e4d
Compare
[test] |
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_openshift3/1122/) |
If the authorizer is making nested calls it needs to be using the context of the person who called it. A context is the thread that ties an incoming request from the client across all the backend systems that fulfill it. See https://godoc.org/golang.org/x/net/context and http://research.google.com/pubs/pub36356.html for why we use contexts. ----- Original Message -----
|
You can hide the context underneath your getters if necessary - it doesn't have to be a field on the object. It just has to be preserved. ----- Original Message -----
|
2fa2e4d
to
b14ac2a
Compare
jenkins failed in test-integration on |
b14ac2a
to
0598b13
Compare
Squash and you'll get a merge. |
0598b13
to
e72c121
Compare
squashed. |
Hope I don't regret this... LGTM [merge] |
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_openshift3/987/) (Image: devenv-fedora_852) |
Evaluated for origin up to e72c121 |
Merged by openshift-bot
Prevent a user who has rights to modify role bindings from binding a user to a role that has more power than the granting user has.
/cc @liggitt