✨ authz: add scopes to default rule resolver #157
Conversation
| if cluster := genericapirequest.ClusterFrom(ctx); cluster != nil { | ||
| clusterName = cluster.Name | ||
| } |
There was a problem hiding this comment.
Dont we need to check for cluster == "" here? else its "" and InSocpe function might get confusing? Mabe check inside InScope and if "" just return false?
There was a problem hiding this comment.
system:admin logical cluster is empty string.
| name: "scoped user to multiple clusters", | ||
| info: user.DefaultInfo{Extra: map[string][]string{"authentication.kcp.io/scopes": {"cluster:this", "cluster:another"}}}, | ||
| cluster: logicalcluster.Name("this"), | ||
| want: false, | ||
| }, |
There was a problem hiding this comment.
Should this be true? Multiple clusters, but one I need is included
There was a problem hiding this comment.
see above. Scoping is not additive.
pkg/registry/rbac/validation/kcp.go
Outdated
| scopes := attr.GetExtra()[ScopeExtraKey] | ||
| for _, scope := range scopes { | ||
| switch { | ||
| case strings.HasPrefix(scope, "cluster:"): | ||
| if scope != "cluster:"+string(cluster) { | ||
| return false | ||
| } | ||
| default: | ||
| // Unknown scope, ignore. | ||
| } | ||
| } |
There was a problem hiding this comment.
Now I think this is wrong. If I have 2 scopes to 2 separate clusters (Im still in scope for both), but as soon as I get evaluated to one of them which is not the one Im targeting now - I get false and deny.
There was a problem hiding this comment.
scopes:
cluster:foo
cluster:bar
InScope(user, bar) and I get false in first check as foo != bar
There was a problem hiding this comment.
that's intentional. You have a scoped user, and now you evaluate it inside another cluster. Then this user is equivalent to {Name: "system:anonymous", Groups: []string{"system:authenticated"}}.
sttts
force-pushed
the
sttts-scopes-1.31
branch
2 times, most recently
from
6e5c9a2 to
38bf113
Compare
Signed-off-by: Dr. Stefan Schimanski <[email protected]>
sttts
force-pushed
the
sttts-scopes-1.31
branch
from
38bf113 to
e7d2b2f
Compare
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR adds support for a user extra scope key
authentication.kcp.io/scopesholdingcluster:<name>values. The RBAC rule resolve is extended to handle a non-matching user as not anonymous, not applying to the rules.Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: