Skip to content

Issue-356: Drop unnecessary Authorizer #364

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: sig-auth-acceptance
Choose a base branch
from
Open

Issue-356: Drop unnecessary Authorizer #364

wants to merge 3 commits into from

Conversation

ibihim
Copy link
Collaborator

@ibihim ibihim commented Mar 13, 2025
edited
Loading

What

  • Remove non resource attributes generator.

Why

  • We might not need it. Normal requests already have the given form of only "path", "verb" and "user".
  • It might be more secure, as we don't mask other attributes.

Notes

@ibihim ibihim changed the title [wip] issue 356 drop or not to drop attrs issue 356 drop or not to drop attrs Mar 20, 2025
@ibihim ibihim force-pushed the ibihim/2025-03-13_issue-356_drop-or-not-to-drop-attrs branch 2 times, most recently from 0da710f to 640a6f0 Compare March 20, 2025 11:09
@ibihim
Copy link
Collaborator Author

ibihim commented Apr 4, 2025
edited
Loading

@ibihim add log output before change, to show an exemplary resource attribute for that case.

Make a (manual) test for what would happen, if you have a resource request.

@stlaz stlaz added the sig-auth-acceptance issues created during review for sig-auth-acceptance label Apr 8, 2025
@ibihim ibihim changed the title issue 356 drop or not to drop attrs Issue-356: Drop unnecessary Authorizer Apr 23, 2025
stlaz
stlaz requested changes Apr 29, 2025
View reviewed changes
cmd/kube-rbac-proxy/app/kube-rbac-proxy.go Outdated
}

delegated = append(delegated, staticAuthorizer)
authz = union.New(staticAuthorizer, authz)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an odd change. Can you please write full unit test coverage of the original code (so a unit tests commit comes first) and then start moving authorizers around?

@ibihim ibihim force-pushed the ibihim/2025-03-13_issue-356_drop-or-not-to-drop-attrs branch 4 times, most recently from 6aa5827 to 6e27005 Compare May 6, 2025 10:07
ibihim added 3 commits May 6, 2025 12:08
@ibihim
app: mv authzer into its own file and add tests
c8e97e5
@ibihim
app: reorder authorizers
b5b16f4
@ibihim
app,rewrite: remove non-resource attrs
075d874 
Masking the resource attributes value to "just" path, verb and user is
potentially suboptimal, as it ignores other fields that would be of
interest for a SAR request.
This use-case makes sense for regular HTTP request (non kubernetes
resource request), but those kind of requests, don't populate the other
fields in the resource attributes anyway.
Is theoretically a regression, which we should keep in mind.
@ibihim ibihim force-pushed the ibihim/2025-03-13_issue-356_drop-or-not-to-drop-attrs branch from 6e27005 to 075d874 Compare May 6, 2025 10:08
@stlaz stlaz mentioned this pull request Sep 23, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stlaz stlaz stlaz requested changes

Assignees
No one assigned
Labels
sig-auth-acceptance issues created during review for sig-auth-acceptance
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ibihim @stlaz