github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

make RBAC escalation error message more useful

pull/8/head
Jordan Liggitt 2018-07-06 11:42:01 -04:00
parent 91b729342d
commit 3710ce3561
No known key found for this signature in database
GPG Key ID: 39928704103C7229
2 changed files with 20 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/registry/rbac/validation/BUILD
View File

@ -36,8 +36,8 @@ go_library(
"//pkg/apis/rbac:go_default_library", "//pkg/apis/rbac:go_default_library",
"//pkg/apis/rbac/v1:go_default_library", "//pkg/apis/rbac/v1:go_default_library",
"//staging/src/k8s.io/api/rbac/v1:go_default_library", "//staging/src/k8s.io/api/rbac/v1:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authentication/serviceaccount:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/endpoints/request:go_default_library", "//staging/src/k8s.io/apiserver/pkg/endpoints/request:go_default_library",

21
pkg/registry/rbac/validation/rule.go
View File

@ -20,15 +20,17 @@ import (
"context" "context"
"errors" "errors"
"fmt" "fmt"
"strings"
"github.com/golang/glog" "github.com/golang/glog"
rbacv1 "k8s.io/api/rbac/v1" rbacv1 "k8s.io/api/rbac/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
utilerrors "k8s.io/apimachinery/pkg/util/errors" utilerrors "k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/authentication/serviceaccount" "k8s.io/apiserver/pkg/authentication/serviceaccount"
"k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authentication/user"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request" genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
rbacv1helpers "k8s.io/kubernetes/pkg/apis/rbac/v1"
) )
type AuthorizationRuleResolver interface { type AuthorizationRuleResolver interface {
@ -65,7 +67,22 @@ func ConfirmNoEscalation(ctx context.Context, ruleResolver AuthorizationRuleReso
ownerRightsCover, missingRights := Covers(ownerRules, rules) ownerRightsCover, missingRights := Covers(ownerRules, rules)
if !ownerRightsCover { if !ownerRightsCover {
return apierrors.NewUnauthorized(fmt.Sprintf("attempt to grant extra privileges: %v user=%v ownerrules=%v ruleResolutionErrors=%v", missingRights, user, ownerRules, ruleResolutionErrors)) compactMissingRights := missingRights
if compact, err := CompactRules(missingRights); err == nil {
compactMissingRights = compact
}
missingDescriptions := sets.NewString()
for _, missing := range compactMissingRights {
missingDescriptions.Insert(rbacv1helpers.CompactString(missing))
}
msg := fmt.Sprintf("user %q (groups=%q) is attempting to grant RBAC permissions not currently held:\n%s", user.GetName(), user.GetGroups(), strings.Join(missingDescriptions.List(), "\n"))
if len(ruleResolutionErrors) > 0 {
msg = msg + fmt.Sprintf("; resolution errors: %v", ruleResolutionErrors)
}
return errors.New(msg)
} }
return nil return nil
} }