Commit a5bf0a21 authored by Kubernetes Submit Queue's avatar Kubernetes Submit Queue Committed by GitHub

Merge pull request #33946 from deads2k/auth-01-fix-loopback

Automatic merge from submit-queue fix loopback authorizer Fixes the loopback authorizer to properly inspect groups. P0 for security problem. @liggitt @dims let's get this fixed.
parents 81f5c3ca 8c20af79
...@@ -37,17 +37,17 @@ func (authzHandler unionAuthzHandler) Authorize(a authorizer.Attributes) (bool, ...@@ -37,17 +37,17 @@ func (authzHandler unionAuthzHandler) Authorize(a authorizer.Attributes) (bool,
errlist []error errlist []error
reasonlist []string reasonlist []string
) )
for _, currAuthzHandler := range authzHandler { for _, currAuthzHandler := range authzHandler {
authorized, reason, err := currAuthzHandler.Authorize(a) authorized, reason, err := currAuthzHandler.Authorize(a)
if err != nil { if err != nil {
errlist = append(errlist, err) errlist = append(errlist, err)
continue }
if len(reason) != 0 {
reasonlist = append(reasonlist, reason)
} }
if !authorized { if !authorized {
if reason != "" {
reasonlist = append(reasonlist, reason)
}
continue continue
} }
return true, reason, nil return true, reason, nil
......
...@@ -77,8 +77,11 @@ type privilegedGroupAuthorizer struct { ...@@ -77,8 +77,11 @@ type privilegedGroupAuthorizer struct {
} }
func (r *privilegedGroupAuthorizer) Authorize(attr authorizer.Attributes) (bool, string, error) { func (r *privilegedGroupAuthorizer) Authorize(attr authorizer.Attributes) (bool, string, error) {
for attr_group := range attr.GetUser().GetGroups() { if attr.GetUser() == nil {
for priv_group := range r.groups { return false, "Error", errors.New("no user on request.")
}
for _, attr_group := range attr.GetUser().GetGroups() {
for _, priv_group := range r.groups {
if priv_group == attr_group { if priv_group == attr_group {
return true, "", nil return true, "", nil
} }
......
...@@ -20,6 +20,9 @@ import ( ...@@ -20,6 +20,9 @@ import (
"testing" "testing"
"k8s.io/kubernetes/pkg/genericapiserver/options" "k8s.io/kubernetes/pkg/genericapiserver/options"
"k8s.io/kubernetes/pkg/auth/authorizer"
"k8s.io/kubernetes/pkg/auth/user"
) )
// NewAlwaysAllowAuthorizer must return a struct which implements authorizer.Authorizer // NewAlwaysAllowAuthorizer must return a struct which implements authorizer.Authorizer
...@@ -115,3 +118,17 @@ func TestNewAuthorizerFromAuthorizationConfig(t *testing.T) { ...@@ -115,3 +118,17 @@ func TestNewAuthorizerFromAuthorizationConfig(t *testing.T) {
} }
} }
} }
func TestPrivilegedGroupAuthorizer(t *testing.T) {
auth := NewPrivilegedGroups("allow-01", "allow-01")
yes := authorizer.AttributesRecord{User: &user.DefaultInfo{Groups: []string{"no", "allow-01"}}}
no := authorizer.AttributesRecord{User: &user.DefaultInfo{Groups: []string{"no", "deny-01"}}}
if authorized, _, _ := auth.Authorize(yes); !authorized {
t.Errorf("failed")
}
if authorized, _, _ := auth.Authorize(no); authorized {
t.Errorf("failed")
}
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment