Commit c9f4d8e5 authored by Brendan Burns's avatar Brendan Burns

Merge pull request #7425 from roberthbailey/basic-auth-headers

Set the 'WWW-Authenticate' header on 401 responses when basic auth is enabled
parents 19ae113f 4304b1d2
...@@ -307,6 +307,7 @@ func (s *APIServer) Run(_ []string) error { ...@@ -307,6 +307,7 @@ func (s *APIServer) Run(_ []string) error {
ReadWritePort: s.SecurePort, ReadWritePort: s.SecurePort,
PublicAddress: net.IP(s.BindAddress), PublicAddress: net.IP(s.BindAddress),
Authenticator: authenticator, Authenticator: authenticator,
SupportsBasicAuth: len(s.BasicAuthFile) > 0,
Authorizer: authorizer, Authorizer: authorizer,
AdmissionControl: admissionController, AdmissionControl: admissionController,
DisableV1Beta3: disableV1beta3, DisableV1Beta3: disableV1beta3,
......
...@@ -49,7 +49,18 @@ func NewRequestAuthenticator(mapper api.RequestContextMapper, auth authenticator ...@@ -49,7 +49,18 @@ func NewRequestAuthenticator(mapper api.RequestContextMapper, auth authenticator
) )
} }
var Unauthorized http.HandlerFunc = unauthorized func Unauthorized(supportsBasicAuth bool) http.HandlerFunc {
if supportsBasicAuth {
return unauthorizedBasicAuth
}
return unauthorized
}
// unauthorizedBasicAuth serves an unauthorized message to clients.
func unauthorizedBasicAuth(w http.ResponseWriter, req *http.Request) {
w.Header().Set("WWW-Authenticate", `Basic realm="kubernetes-master"`)
http.Error(w, "Unauthorized", http.StatusUnauthorized)
}
// unauthorized serves an unauthorized message to clients. // unauthorized serves an unauthorized message to clients.
func unauthorized(w http.ResponseWriter, req *http.Request) { func unauthorized(w http.ResponseWriter, req *http.Request) {
......
...@@ -94,6 +94,8 @@ type Config struct { ...@@ -94,6 +94,8 @@ type Config struct {
APIPrefix string APIPrefix string
CorsAllowedOriginList util.StringList CorsAllowedOriginList util.StringList
Authenticator authenticator.Request Authenticator authenticator.Request
// TODO(roberthbailey): Remove once the server no longer supports http basic auth.
SupportsBasicAuth bool
Authorizer authorizer.Authorizer Authorizer authorizer.Authorizer
AdmissionControl admission.Interface AdmissionControl admission.Interface
MasterServiceNamespace string MasterServiceNamespace string
...@@ -500,7 +502,7 @@ func (m *Master) init(c *Config) { ...@@ -500,7 +502,7 @@ func (m *Master) init(c *Config) {
// Install Authenticator // Install Authenticator
if c.Authenticator != nil { if c.Authenticator != nil {
authenticatedHandler, err := handlers.NewRequestAuthenticator(m.requestContextMapper, c.Authenticator, handlers.Unauthorized, handler) authenticatedHandler, err := handlers.NewRequestAuthenticator(m.requestContextMapper, c.Authenticator, handlers.Unauthorized(c.SupportsBasicAuth), handler)
if err != nil { if err != nil {
glog.Fatalf("Could not initialize authenticator: %v", err) glog.Fatalf("Could not initialize authenticator: %v", err)
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment