switch to upstream impersonation #16155
Conversation
openshift-ci-robot
added
the
size/L
openshift-merge-robot
added
the
approved
|
Is this going to cause upgrade issues on existing clusters ? |
I liked having the distinction, but it is probably is not worth the cost to maintain / be different than kube.
This is a breaking change, so I assume we need to have something to reconcile this?
This is probably going to annoy / break people in general. Some specific issues I can see are the differences between With all of that said, impersonation is a very powerful and rarely used (by normal users) feature. So we may be able to get away with this. But I feel like we did not have release notes around this in 3.6, so it seems out of place to have such drastic changes. |
This pull adds the permission for the stock roles (only one). I suspect it's extremely uncommon. If you wanted to make a migration tool it would be possible.
It's possible, though fairly unlikely. It's an advanced use-case, it's not recommended for normal operation other than sudoer (which will still work), and no users can do it by default.
We will do it at some point, it's just a question of when you pull off the bandaid. Now seems as good a time as any. The CLI already has the updates required to describe what needs changing. |
|
The release where we switch to upstream RBAC objects is a sensible time to make this change as well, given that upstream bindings don't have system users and system groups. I think the benefit of consistency with upstream and the limited impact make this a reasonable time to make the switch. We should still document it well in the release notes. |
|
@smarterclayton @pweil- @eparis any comments? |
deads2k
force-pushed
the
server-41-impersonation
branch
from
8840aee
to
7dda320
Compare
openshift-ci-robot
added
size/XL
| @@ -13,7 +13,7 @@ os::test::junit::declare_suite_start "cmd/quota" | |||
|
|
|||
| os::test::junit::declare_suite_start "cmd/quota/clusterquota" | |||
|
|
|||
| os::cmd::expect_success 'oc new-project quota-foo --as=deads' | |||
| os::cmd::expect_success 'oc new-project quota-foo --as=deads --as-group=system:authenticated --as-group=system:authenticated:oauth' | |||
There was a problem hiding this comment.
this is probably the most painful part of the switch. We have a non-standard group applied to our oauth users and we use it only for project requests.
deads2k
force-pushed
the
server-41-impersonation
branch
from
7dda320
to
1d10b78
Compare
|
I added the translation for the existing scope headers and opened #16175 to fix our hardcoded clients to work against both openshift and kube. |
| @@ -924,6 +932,11 @@ func GetOpenshiftBootstrapClusterRoleBindings() []rbac.ClusterRoleBinding { | |||
| newOriginClusterBinding(MasterRoleBindingName, MasterRoleName). | |||
| Groups(MastersGroup). | |||
| BindingOrDie(), | |||
| // Everyone should be able to add a scope to their impersonation request. It is purely tightening. | |||
| // This does not grant access to impersonate in general, only tighten if you already have permission. | |||
| newOriginClusterBinding(ScopeImpersonationRoleName, ScopeImpersonationRoleName). | |||
There was a problem hiding this comment.
Just use rbac.NewClusterBinding directly since do not need the origin wrapper.
There was a problem hiding this comment.
Just use rbac.NewClusterBinding directly since do not need the origin wrapper.
This just matches the others around it
There was a problem hiding this comment.
We already use rbac.NewClusterBinding in the places where the role and binding have the same name (there is at least one like that near the bottom).
| // TranslateLegacyScopeImpersonation is a filter that will translates user scope impersonation for openshift into the equivalent kube headers. | ||
| func TranslateLegacyScopeImpersonation(handler http.Handler) http.Handler { | ||
| return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { | ||
| for _, scope := range req.Header[authenticationapi.ImpersonateUserScopeHeader] { |
There was a problem hiding this comment.
Delete the original headers when you are done?
There was a problem hiding this comment.
Delete the original headers when you are done?
I was going for as little mutation as possible. I could if you really want though.
There was a problem hiding this comment.
as little mutation as possible
Sounds reasonable enough to me.
|
I think in regards to dropping groups in impersonation, there is not much we can do to make the transition better. Since it will be annoying no matter when we do it, 3.7 seems a reasonable time as any (with the appropriate release notes). In regards to the In 3.7:
In 3.8:
|
Why wouldn't we pull the bandaid off all at once. Doing it like this is likely to break people once for the "no auto groups" change in 3.7 and again for the "you forgot to change your role" in 3.8. I wouldn't recommend doing the ansible pre-upgrade check since tightening rules hasn't been done in the field yet. |
If we want to break people as little as possible, then a new permanent
We could make the check smarter by only failing if |
But that's not what you'll be doing. Say a year from now we're running on top of kube. You'll break them all again right there. This change isn't about us tweaking things for our special snowflake to make it prettier. It's about getting rid of the snowflake entirely. |
deads2k
force-pushed
the
server-41-impersonation
branch
from
1d10b78
to
a826468
Compare
What would this do anyway? The old rules are going to grant powers to systemusers, so this would be stomping the wrong direction. Doing it in the reverse direction would break every existing users rule. It doesn't seem like it works. |
My head hurts. @deads2k has convinced me on IRC that this is the way to go. /lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, enj The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
deads2k
force-pushed
the
server-41-impersonation
branch
from
a826468
to
60b5fc9
Compare
deads2k
added
lgtm
|
/retest Please review the full test history for this PR and help us cut down flakes. |
|
Automatic merge from submit-queue (batch tested with PRs 16098, 16155) |
Automatic merge from submit-queue (batch tested with PRs 16098, 16155) switch to upstream impersonation This switches us onto the upstream impersonation filter. That means a couple noteworthy things: 1. we no longer have separate permissions for impersonating system users (just like upstream) 2. if you granted powers for particular systemusers, you need to add to your role. 3. we no longer auto-add known openshift groups. You can specify --as-groups if you need the power. Our examples are users granted powers as users. @openshift/sig-security @liggitt as we discussed. ```release-note impersonation no longer applies group information automatically, so you may need to use `--as-groups` and now all users and groups are authorized against "users" or "groups", not "systemusers" or "systemgroups", so you may need to update roles ```
This switches us onto the upstream impersonation filter. That means a couple noteworthy things:
@openshift/sig-security
@liggitt as we discussed.