Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
fb56512e
Commit
fb56512e
authored
Aug 17, 2016
by
deads2k
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
allow group impersonation
parent
a594dcb1
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
404 additions
and
71 deletions
+404
-71
types.go
pkg/apis/authentication/types.go
+9
-0
handler_impersonation.go
pkg/apiserver/handler_impersonation.go
+139
-0
handler_impersonation_test.go
pkg/apiserver/handler_impersonation_test.go
+256
-0
handlers.go
pkg/apiserver/handlers.go
+0
-71
No files found.
pkg/apis/authentication/types.go
View file @
fb56512e
...
@@ -21,6 +21,15 @@ import (
...
@@ -21,6 +21,15 @@ import (
"k8s.io/kubernetes/pkg/api/unversioned"
"k8s.io/kubernetes/pkg/api/unversioned"
)
)
const
(
// ImpersonateUserHeader is used to impersonate a particular user during an API server request
ImpersonateUserHeader
=
"Impersonate-User"
// ImpersonateGroupHeader is used to impersonate a particular group during an API server request.
// It can be repeated multipled times for multiple groups.
ImpersonateGroupHeader
=
"Impersonate-Group"
)
// +genclient=true
// +genclient=true
// +nonNamespaced=true
// +nonNamespaced=true
// +noMethods=true
// +noMethods=true
...
...
pkg/apiserver/handler_impersonation.go
0 → 100644
View file @
fb56512e
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
apiserver
import
(
"net/http"
"github.com/golang/glog"
"k8s.io/kubernetes/pkg/api"
authenticationapi
"k8s.io/kubernetes/pkg/apis/authentication"
"k8s.io/kubernetes/pkg/auth/authorizer"
"k8s.io/kubernetes/pkg/auth/user"
"k8s.io/kubernetes/pkg/httplog"
"k8s.io/kubernetes/pkg/serviceaccount"
)
// WithImpersonation is a filter that will inspect and check requests that attempt to change the user.Info for their requests
func
WithImpersonation
(
handler
http
.
Handler
,
requestContextMapper
api
.
RequestContextMapper
,
a
authorizer
.
Authorizer
)
http
.
Handler
{
return
http
.
HandlerFunc
(
func
(
w
http
.
ResponseWriter
,
req
*
http
.
Request
)
{
requestedUser
:=
req
.
Header
.
Get
(
authenticationapi
.
ImpersonateUserHeader
)
if
len
(
requestedUser
)
==
0
{
if
len
(
req
.
Header
[
authenticationapi
.
ImpersonateGroupHeader
])
>
0
{
glog
.
V
(
4
)
.
Infof
(
"attempt to impersonate groups without impersonating a user: %v"
,
req
.
Header
[
authenticationapi
.
ImpersonateGroupHeader
])
forbidden
(
w
,
req
)
return
}
handler
.
ServeHTTP
(
w
,
req
)
return
}
impersonationRequests
:=
buildImpersonationRequests
(
requestedUser
,
req
.
Header
[
authenticationapi
.
ImpersonateGroupHeader
])
ctx
,
exists
:=
requestContextMapper
.
Get
(
req
)
if
!
exists
{
forbidden
(
w
,
req
)
return
}
requestor
,
exists
:=
api
.
UserFrom
(
ctx
)
if
!
exists
{
forbidden
(
w
,
req
)
return
}
// if groups are not specified, then we need to look them up differently depending on the type of user
// if they are specified, then they are the authority
groupsSpecified
:=
len
(
req
.
Header
[
authenticationapi
.
ImpersonateGroupHeader
])
>
0
// make sure we're allowed to impersonate each thing we're requesting. While we're iterating through, start building username
// and group information
username
:=
""
groups
:=
[]
string
{}
for
_
,
impersonationRequest
:=
range
impersonationRequests
{
actingAsAttributes
:=
&
authorizer
.
AttributesRecord
{
User
:
requestor
,
Verb
:
"impersonate"
,
APIGroup
:
impersonationRequest
.
GetObjectKind
()
.
GroupVersionKind
()
.
Group
,
Namespace
:
impersonationRequest
.
Namespace
,
Name
:
impersonationRequest
.
Name
,
ResourceRequest
:
true
,
}
switch
impersonationRequest
.
GetObjectKind
()
.
GroupVersionKind
()
.
GroupKind
()
{
case
api
.
Kind
(
"ServiceAccount"
)
:
actingAsAttributes
.
Resource
=
"serviceaccounts"
username
=
serviceaccount
.
MakeUsername
(
impersonationRequest
.
Namespace
,
impersonationRequest
.
Name
)
if
!
groupsSpecified
{
// if groups aren't specified for a service account, we know the groups because its a fixed mapping. Add them
groups
=
serviceaccount
.
MakeGroupNames
(
impersonationRequest
.
Namespace
,
impersonationRequest
.
Name
)
}
case
api
.
Kind
(
"User"
)
:
actingAsAttributes
.
Resource
=
"users"
username
=
impersonationRequest
.
Name
case
api
.
Kind
(
"Group"
)
:
actingAsAttributes
.
Resource
=
"groups"
groups
=
append
(
groups
,
impersonationRequest
.
Name
)
default
:
glog
.
V
(
4
)
.
Infof
(
"unknown impersonation request type: %v"
,
impersonationRequest
)
forbidden
(
w
,
req
)
return
}
allowed
,
reason
,
err
:=
a
.
Authorize
(
actingAsAttributes
)
if
err
!=
nil
||
!
allowed
{
glog
.
V
(
4
)
.
Infof
(
"Forbidden: %#v, Reason: %s, Error: %v"
,
req
.
RequestURI
,
reason
,
err
)
forbidden
(
w
,
req
)
return
}
}
newUser
:=
&
user
.
DefaultInfo
{
Name
:
username
,
Groups
:
groups
,
Extra
:
map
[
string
][]
string
{},
}
requestContextMapper
.
Update
(
req
,
api
.
WithUser
(
ctx
,
newUser
))
oldUser
,
_
:=
api
.
UserFrom
(
ctx
)
httplog
.
LogOf
(
req
,
w
)
.
Addf
(
"%v is acting as %v"
,
oldUser
,
newUser
)
handler
.
ServeHTTP
(
w
,
req
)
})
}
// buildImpersonationRequests returns a list of objectreferences that represent the different things we're requesting to impersonate.
// Each request must be authorized against the current user before switching contexts
func
buildImpersonationRequests
(
requestedUser
string
,
requestedGroups
[]
string
)
[]
api
.
ObjectReference
{
impersonationRequests
:=
[]
api
.
ObjectReference
{}
if
namespace
,
name
,
err
:=
serviceaccount
.
SplitUsername
(
requestedUser
);
err
==
nil
{
impersonationRequests
=
append
(
impersonationRequests
,
api
.
ObjectReference
{
Kind
:
"ServiceAccount"
,
Namespace
:
namespace
,
Name
:
name
})
}
else
{
impersonationRequests
=
append
(
impersonationRequests
,
api
.
ObjectReference
{
Kind
:
"User"
,
Name
:
requestedUser
})
}
for
_
,
group
:=
range
requestedGroups
{
impersonationRequests
=
append
(
impersonationRequests
,
api
.
ObjectReference
{
Kind
:
"Group"
,
Name
:
group
})
}
return
impersonationRequests
}
pkg/apiserver/handler_impersonation_test.go
0 → 100644
View file @
fb56512e
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package
apiserver
import
(
"fmt"
"net/http"
"net/http/httptest"
"reflect"
"sync"
"testing"
"k8s.io/kubernetes/pkg/api"
authenticationapi
"k8s.io/kubernetes/pkg/apis/authentication"
"k8s.io/kubernetes/pkg/auth/authorizer"
"k8s.io/kubernetes/pkg/auth/user"
)
type
impersonateAuthorizer
struct
{}
func
(
impersonateAuthorizer
)
Authorize
(
a
authorizer
.
Attributes
)
(
authorized
bool
,
reason
string
,
err
error
)
{
user
:=
a
.
GetUser
()
switch
{
case
user
.
GetName
()
==
"system:admin"
:
return
true
,
""
,
nil
case
user
.
GetName
()
==
"tester"
:
return
false
,
""
,
fmt
.
Errorf
(
"works on my machine"
)
case
user
.
GetName
()
==
"deny-me"
:
return
false
,
"denied"
,
nil
}
if
len
(
user
.
GetGroups
())
>
0
&&
user
.
GetGroups
()[
0
]
==
"wheel"
&&
a
.
GetVerb
()
==
"impersonate"
&&
a
.
GetResource
()
==
"users"
{
return
true
,
""
,
nil
}
if
len
(
user
.
GetGroups
())
>
0
&&
user
.
GetGroups
()[
0
]
==
"sa-impersonater"
&&
a
.
GetVerb
()
==
"impersonate"
&&
a
.
GetResource
()
==
"serviceaccounts"
{
return
true
,
""
,
nil
}
if
len
(
user
.
GetGroups
())
>
0
&&
user
.
GetGroups
()[
0
]
==
"regular-impersonater"
&&
a
.
GetVerb
()
==
"impersonate"
&&
a
.
GetResource
()
==
"users"
{
return
true
,
""
,
nil
}
if
len
(
user
.
GetGroups
())
>
1
&&
user
.
GetGroups
()[
1
]
==
"group-impersonater"
&&
a
.
GetVerb
()
==
"impersonate"
&&
a
.
GetResource
()
==
"groups"
{
return
true
,
""
,
nil
}
return
false
,
"deny by default"
,
nil
}
func
TestImpersonationFilter
(
t
*
testing
.
T
)
{
testCases
:=
[]
struct
{
name
string
user
user
.
Info
impersonationUser
string
impersonationGroups
[]
string
expectedUser
user
.
Info
expectedCode
int
}{
{
name
:
"not-impersonating"
,
user
:
&
user
.
DefaultInfo
{
Name
:
"tester"
,
},
expectedUser
:
&
user
.
DefaultInfo
{
Name
:
"tester"
,
},
expectedCode
:
http
.
StatusOK
,
},
{
name
:
"impersonating-error"
,
user
:
&
user
.
DefaultInfo
{
Name
:
"tester"
,
},
impersonationUser
:
"anyone"
,
expectedUser
:
&
user
.
DefaultInfo
{
Name
:
"tester"
,
},
expectedCode
:
http
.
StatusForbidden
,
},
{
name
:
"impersonating-group-without-user"
,
user
:
&
user
.
DefaultInfo
{
Name
:
"tester"
,
},
impersonationGroups
:
[]
string
{
"some-group"
},
expectedUser
:
&
user
.
DefaultInfo
{
Name
:
"tester"
,
},
expectedCode
:
http
.
StatusForbidden
,
},
{
name
:
"disallowed-group"
,
user
:
&
user
.
DefaultInfo
{
Name
:
"dev"
,
Groups
:
[]
string
{
"wheel"
},
},
impersonationUser
:
"system:admin"
,
impersonationGroups
:
[]
string
{
"some-group"
},
expectedUser
:
&
user
.
DefaultInfo
{
Name
:
"dev"
,
Groups
:
[]
string
{
"wheel"
},
},
expectedCode
:
http
.
StatusForbidden
,
},
{
name
:
"allowed-group"
,
user
:
&
user
.
DefaultInfo
{
Name
:
"dev"
,
Groups
:
[]
string
{
"wheel"
,
"group-impersonater"
},
},
impersonationUser
:
"system:admin"
,
impersonationGroups
:
[]
string
{
"some-group"
},
expectedUser
:
&
user
.
DefaultInfo
{
Name
:
"system:admin"
,
Groups
:
[]
string
{
"some-group"
},
Extra
:
map
[
string
][]
string
{},
},
expectedCode
:
http
.
StatusOK
,
},
{
name
:
"allowed-users-impersonation"
,
user
:
&
user
.
DefaultInfo
{
Name
:
"dev"
,
Groups
:
[]
string
{
"regular-impersonater"
},
},
impersonationUser
:
"tester"
,
expectedUser
:
&
user
.
DefaultInfo
{
Name
:
"tester"
,
Groups
:
[]
string
{},
Extra
:
map
[
string
][]
string
{},
},
expectedCode
:
http
.
StatusOK
,
},
{
name
:
"disallowed-impersonating"
,
user
:
&
user
.
DefaultInfo
{
Name
:
"dev"
,
Groups
:
[]
string
{
"sa-impersonater"
},
},
impersonationUser
:
"tester"
,
expectedUser
:
&
user
.
DefaultInfo
{
Name
:
"dev"
,
Groups
:
[]
string
{
"sa-impersonater"
},
},
expectedCode
:
http
.
StatusForbidden
,
},
{
name
:
"allowed-sa-impersonating"
,
user
:
&
user
.
DefaultInfo
{
Name
:
"dev"
,
Groups
:
[]
string
{
"sa-impersonater"
},
Extra
:
map
[
string
][]
string
{},
},
impersonationUser
:
"system:serviceaccount:foo:default"
,
expectedUser
:
&
user
.
DefaultInfo
{
Name
:
"system:serviceaccount:foo:default"
,
Groups
:
[]
string
{
"system:serviceaccounts"
,
"system:serviceaccounts:foo"
},
Extra
:
map
[
string
][]
string
{},
},
expectedCode
:
http
.
StatusOK
,
},
}
requestContextMapper
=
api
.
NewRequestContextMapper
()
var
ctx
api
.
Context
var
actualUser
user
.
Info
var
lock
sync
.
Mutex
doNothingHandler
:=
http
.
HandlerFunc
(
func
(
w
http
.
ResponseWriter
,
req
*
http
.
Request
)
{
currentCtx
,
_
:=
requestContextMapper
.
Get
(
req
)
user
,
exists
:=
api
.
UserFrom
(
currentCtx
)
if
!
exists
{
actualUser
=
nil
return
}
actualUser
=
user
})
handler
:=
func
(
delegate
http
.
Handler
)
http
.
Handler
{
return
http
.
HandlerFunc
(
func
(
w
http
.
ResponseWriter
,
req
*
http
.
Request
)
{
defer
func
()
{
if
r
:=
recover
();
r
!=
nil
{
t
.
Errorf
(
"Recovered %v"
,
r
)
}
}()
lock
.
Lock
()
defer
lock
.
Unlock
()
requestContextMapper
.
Update
(
req
,
ctx
)
currentCtx
,
_
:=
requestContextMapper
.
Get
(
req
)
user
,
exists
:=
api
.
UserFrom
(
currentCtx
)
if
!
exists
{
actualUser
=
nil
return
}
else
{
actualUser
=
user
}
delegate
.
ServeHTTP
(
w
,
req
)
})
}(
WithImpersonation
(
doNothingHandler
,
requestContextMapper
,
impersonateAuthorizer
{}))
handler
,
_
=
api
.
NewRequestContextFilter
(
requestContextMapper
,
handler
)
server
:=
httptest
.
NewServer
(
handler
)
defer
server
.
Close
()
for
_
,
tc
:=
range
testCases
{
func
()
{
lock
.
Lock
()
defer
lock
.
Unlock
()
ctx
=
api
.
WithUser
(
api
.
NewContext
(),
tc
.
user
)
}()
req
,
err
:=
http
.
NewRequest
(
"GET"
,
server
.
URL
,
nil
)
if
err
!=
nil
{
t
.
Errorf
(
"%s: unexpected error: %v"
,
tc
.
name
,
err
)
continue
}
req
.
Header
.
Add
(
authenticationapi
.
ImpersonateUserHeader
,
tc
.
impersonationUser
)
for
_
,
group
:=
range
tc
.
impersonationGroups
{
req
.
Header
.
Add
(
authenticationapi
.
ImpersonateGroupHeader
,
group
)
}
resp
,
err
:=
http
.
DefaultClient
.
Do
(
req
)
if
err
!=
nil
{
t
.
Errorf
(
"%s: unexpected error: %v"
,
tc
.
name
,
err
)
continue
}
if
resp
.
StatusCode
!=
tc
.
expectedCode
{
t
.
Errorf
(
"%s: expected %v, actual %v"
,
tc
.
name
,
tc
.
expectedCode
,
resp
.
StatusCode
)
continue
}
if
!
reflect
.
DeepEqual
(
actualUser
,
tc
.
expectedUser
)
{
t
.
Errorf
(
"%s: expected %#v, actual %#v"
,
tc
.
name
,
tc
.
expectedUser
,
actualUser
)
continue
}
}
}
pkg/apiserver/handlers.go
View file @
fb56512e
...
@@ -32,9 +32,7 @@ import (
...
@@ -32,9 +32,7 @@ import (
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/api/errors"
"k8s.io/kubernetes/pkg/api/errors"
"k8s.io/kubernetes/pkg/auth/authorizer"
"k8s.io/kubernetes/pkg/auth/authorizer"
"k8s.io/kubernetes/pkg/auth/user"
"k8s.io/kubernetes/pkg/httplog"
"k8s.io/kubernetes/pkg/httplog"
"k8s.io/kubernetes/pkg/serviceaccount"
"k8s.io/kubernetes/pkg/util/runtime"
"k8s.io/kubernetes/pkg/util/runtime"
"k8s.io/kubernetes/pkg/util/sets"
"k8s.io/kubernetes/pkg/util/sets"
)
)
...
@@ -462,75 +460,6 @@ func (r *requestAttributeGetter) GetAttribs(req *http.Request) authorizer.Attrib
...
@@ -462,75 +460,6 @@ func (r *requestAttributeGetter) GetAttribs(req *http.Request) authorizer.Attrib
return
&
attribs
return
&
attribs
}
}
func
WithImpersonation
(
handler
http
.
Handler
,
requestContextMapper
api
.
RequestContextMapper
,
a
authorizer
.
Authorizer
)
http
.
Handler
{
return
http
.
HandlerFunc
(
func
(
w
http
.
ResponseWriter
,
req
*
http
.
Request
)
{
requestedSubject
:=
req
.
Header
.
Get
(
"Impersonate-User"
)
if
len
(
requestedSubject
)
==
0
{
handler
.
ServeHTTP
(
w
,
req
)
return
}
ctx
,
exists
:=
requestContextMapper
.
Get
(
req
)
if
!
exists
{
forbidden
(
w
,
req
)
return
}
requestor
,
exists
:=
api
.
UserFrom
(
ctx
)
if
!
exists
{
forbidden
(
w
,
req
)
return
}
actingAsAttributes
:=
&
authorizer
.
AttributesRecord
{
User
:
requestor
,
Verb
:
"impersonate"
,
APIGroup
:
api
.
GroupName
,
Resource
:
"users"
,
Name
:
requestedSubject
,
ResourceRequest
:
true
,
}
if
namespace
,
name
,
err
:=
serviceaccount
.
SplitUsername
(
requestedSubject
);
err
==
nil
{
actingAsAttributes
.
Resource
=
"serviceaccounts"
actingAsAttributes
.
Namespace
=
namespace
actingAsAttributes
.
Name
=
name
}
authorized
,
reason
,
err
:=
a
.
Authorize
(
actingAsAttributes
)
if
err
!=
nil
{
internalError
(
w
,
req
,
err
)
return
}
if
!
authorized
{
glog
.
V
(
4
)
.
Infof
(
"Forbidden: %#v, Reason: %s"
,
req
.
RequestURI
,
reason
)
forbidden
(
w
,
req
)
return
}
switch
{
case
strings
.
HasPrefix
(
requestedSubject
,
serviceaccount
.
ServiceAccountUsernamePrefix
)
:
namespace
,
name
,
err
:=
serviceaccount
.
SplitUsername
(
requestedSubject
)
if
err
!=
nil
{
forbidden
(
w
,
req
)
return
}
requestContextMapper
.
Update
(
req
,
api
.
WithUser
(
ctx
,
serviceaccount
.
UserInfo
(
namespace
,
name
,
""
)))
default
:
newUser
:=
&
user
.
DefaultInfo
{
Name
:
requestedSubject
,
}
requestContextMapper
.
Update
(
req
,
api
.
WithUser
(
ctx
,
newUser
))
}
newCtx
,
_
:=
requestContextMapper
.
Get
(
req
)
oldUser
,
_
:=
api
.
UserFrom
(
ctx
)
newUser
,
_
:=
api
.
UserFrom
(
newCtx
)
httplog
.
LogOf
(
req
,
w
)
.
Addf
(
"%v is acting as %v"
,
oldUser
,
newUser
)
handler
.
ServeHTTP
(
w
,
req
)
})
}
// WithAuthorizationCheck passes all authorized requests on to handler, and returns a forbidden error otherwise.
// WithAuthorizationCheck passes all authorized requests on to handler, and returns a forbidden error otherwise.
func
WithAuthorizationCheck
(
handler
http
.
Handler
,
getAttribs
RequestAttributeGetter
,
a
authorizer
.
Authorizer
)
http
.
Handler
{
func
WithAuthorizationCheck
(
handler
http
.
Handler
,
getAttribs
RequestAttributeGetter
,
a
authorizer
.
Authorizer
)
http
.
Handler
{
return
http
.
HandlerFunc
(
func
(
w
http
.
ResponseWriter
,
req
*
http
.
Request
)
{
return
http
.
HandlerFunc
(
func
(
w
http
.
ResponseWriter
,
req
*
http
.
Request
)
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment