diff --git a/hack/verify-flags/known-flags.txt b/hack/verify-flags/known-flags.txt
index 3e4f162b3d..aac6a1f005 100644
--- a/hack/verify-flags/known-flags.txt
+++ b/hack/verify-flags/known-flags.txt
@@ -484,6 +484,8 @@ report-dir
 report-prefix
 requestheader-allowed-names
 requestheader-client-ca-file
+requestheader-extra-headers-prefix
+requestheader-group-headers
 requestheader-username-headers
 require-kubeconfig
 required-contexts
diff --git a/pkg/apiserver/authenticator/builtin.go b/pkg/apiserver/authenticator/builtin.go
index 8f383c5cc3..f4e8810105 100644
--- a/pkg/apiserver/authenticator/builtin.go
+++ b/pkg/apiserver/authenticator/builtin.go
@@ -43,6 +43,11 @@ import (
 type RequestHeaderConfig struct {
 // UsernameHeaders are the headers to check (in order, case-insensitively) for an identity. The first header with a value wins.
 UsernameHeaders []string
+ // GroupHeaders are the headers to check (case-insensitively) for a group names. All values will be used.
+ GroupHeaders []string
+ // ExtraHeaderPrefixes are the head prefixes to check (case-insentively) for filling in
+ // the user.Info.Extra. All values of all matching headers will be added.
+ ExtraHeaderPrefixes []string
 // ClientCA points to CA bundle file which is used verify the identity of the front proxy
 ClientCA string
 // AllowedClientNames is a list of common names that may be presented by the authenticating front proxy. Empty means: accept any.
@@ -88,9 +93,8 @@ func New(config AuthenticatorConfig) (authenticator.Request, *spec.SecurityDefin
 config.RequestHeaderConfig.ClientCA,
 config.RequestHeaderConfig.AllowedClientNames,
 config.RequestHeaderConfig.UsernameHeaders,
- // TODO add wiring after options are refactored in 1.6
- []string{},
- []string{},
+ config.RequestHeaderConfig.GroupHeaders,
+ config.RequestHeaderConfig.ExtraHeaderPrefixes,
 )
 if err != nil {
 return nil, nil, err
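Review bot: The two new field comments on RequestHeaderConfig carry typos that will ship into godoc: `a group names` should be `group names`, `head prefixes` should be `header prefixes`, and `case-insentively` should be `case-insensitively`. Because these fields decide which proxy-supplied headers confer group membership and extra attributes, I would also have the comments name the trust boundary explicitly, e.g. `// GroupHeaders are the headers to check (case-insensitively) for group names; all values are used. As with UsernameHeaders, they are only honored once the front proxy has passed the ClientCA / AllowedClientNames check.` This hunk does not show the authenticator that consumes the struct, so confirm against the request-header authenticator that groups and extras really sit behind the same certificate gate before wording it as a guarantee.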
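Review bot: In the second builtin.go hunk the constructor call now passes three consecutive `[]string` arguments positionally (UsernameHeaders, GroupHeaders, ExtraHeaderPrefixes), so transposing GroupHeaders and ExtraHeaderPrefixes would compile cleanly and silently change which headers are allowed to assert group membership. The call and the enclosing `New` both begin outside this hunk, so the callee's parameter names are not visible here to confirm the order. A trailing comment on each argument, e.g. `config.RequestHeaderConfig.GroupHeaders,       // groupHeaders` and `config.RequestHeaderConfig.ExtraHeaderPrefixes, // extraHeaderPrefixes`, or a test that configures distinct values for both and checks the resulting user.Info, would make a transposition visible.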
diff --git a/pkg/genericapiserver/options/authentication.go b/pkg/genericapiserver/options/authentication.go
index ecf0988762..fd76c1a328 100644
--- a/pkg/genericapiserver/options/authentication.go
+++ b/pkg/genericapiserver/options/authentication.go
@@ -63,12 +63,6 @@ type PasswordFileAuthenticationOptions struct {
 BasicAuthFile string
 }
-type RequestHeaderAuthenticationOptions struct {
- UsernameHeaders []string
- ClientCAFile string
- AllowedNames []string
-}
-
 type ServiceAccountAuthenticationOptions struct {
 KeyFiles []string
 Lookup bool
@@ -206,17 +200,7 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
 }
 if s.RequestHeader != nil {
- fs.StringSliceVar(&s.RequestHeader.UsernameHeaders, "requestheader-username-headers", s.RequestHeader.UsernameHeaders, ""+
- "List of request headers to inspect for usernames. X-Remote-User is common.")
-
- fs.StringVar(&s.RequestHeader.ClientCAFile, "requestheader-client-ca-file", s.RequestHeader.ClientCAFile, ""+
- "Root certificate bundle to use to verify client certificates on incoming requests "+
- "before trusting usernames in headers specified by --requestheader-username-headers")
-
- fs.StringSliceVar(&s.RequestHeader.AllowedNames, "requestheader-allowed-names", s.RequestHeader.AllowedNames, ""+
- "List of client certificate common names to allow to provide usernames in headers "+
- "specified by --requestheader-username-headers. If empty, any client certificate validated "+
- "by the authorities in --requestheader-client-ca-file is allowed.")
+ s.RequestHeader.AddFlags(fs)
 }
 if s.ServiceAccounts != nil {
@@ -275,7 +259,7 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig(clientCAFile strin
 }
 if s.RequestHeader != nil {
- ret.RequestHeaderConfig = s.RequestHeader.AuthenticationRequestHeaderConfig()
+ ret.RequestHeaderConfig = s.RequestHeader.ToAuthenticationRequestHeaderConfig()
 }
 if s.ServiceAccounts != nil {
@@ -295,17 +279,47 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig(clientCAFile strin
 return ret
 }
-// AuthenticationRequestHeaderConfig returns an authenticator config object for these options
-// if necessary. nil otherwise.
-func (s *RequestHeaderAuthenticationOptions) AuthenticationRequestHeaderConfig() *authenticator.RequestHeaderConfig {
+type RequestHeaderAuthenticationOptions struct {
+ UsernameHeaders []string
+ GroupHeaders []string
+ ExtraHeaderPrefixes []string
+ ClientCAFile string
+ AllowedNames []string
+}
+
+func (s *RequestHeaderAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
+ fs.StringSliceVar(&s.UsernameHeaders, "requestheader-username-headers", s.UsernameHeaders, ""+
+ "List of request headers to inspect for usernames. X-Remote-User is common.")
+
+ fs.StringSliceVar(&s.GroupHeaders, "requestheader-group-headers", s.GroupHeaders, ""+
+ "List of request headers to inspect for groups. X-Remote-Group is suggested.")
+
+ fs.StringSliceVar(&s.ExtraHeaderPrefixes, "requestheader-extra-headers-prefix", s.ExtraHeaderPrefixes, ""+
+ "List of request header prefixes to inspect. X-Remote-Extra- is suggested.")
+
+ fs.StringVar(&s.ClientCAFile, "requestheader-client-ca-file", s.ClientCAFile, ""+
+ "Root certificate bundle to use to verify client certificates on incoming requests "+
+ "before trusting usernames in headers specified by --requestheader-username-headers")
+
+ fs.StringSliceVar(&s.AllowedNames, "requestheader-allowed-names", s.AllowedNames, ""+
+ "List of client certificate common names to allow to provide usernames in headers "+
+ "specified by --requestheader-username-headers. If empty, any client certificate validated "+
+ "by the authorities in --requestheader-client-ca-file is allowed.")
+}
+
+// ToAuthenticationRequestHeaderConfig returns a RequestHeaderConfig config object for these options
+// if necessary, nil otherwise.
+func (s *RequestHeaderAuthenticationOptions) ToAuthenticationRequestHeaderConfig() *authenticator.RequestHeaderConfig {
 if len(s.UsernameHeaders) == 0 {
 return nil
 }
 return &authenticator.RequestHeaderConfig{
- UsernameHeaders: s.UsernameHeaders,
- ClientCA: s.ClientCAFile,
- AllowedClientNames: s.AllowedNames,
+ UsernameHeaders: s.UsernameHeaders,
+ GroupHeaders: s.GroupHeaders,
+ ExtraHeaderPrefixes: s.ExtraHeaderPrefixes,
+ ClientCA: s.ClientCAFile,
+ AllowedClientNames: s.AllowedNames,
 }
 }
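Review bot: `ToAuthenticationRequestHeaderConfig` still returns nil whenever `UsernameHeaders` is empty, so an operator who sets `--requestheader-group-headers` or `--requestheader-extra-headers-prefix` but omits `--requestheader-username-headers` gets the new fields dropped without any error or log line, and presumably no request-header authenticator at all once `New` sees the nil config. Because these flags decide which proxy-supplied headers grant identity and group membership, I would reject that combination at option-validation time rather than ignore it; a Validate method along the lines below would do, with wiring into BuiltInAuthenticationOptions and the `errors` import falling outside this hunk. Separately, the help text for `--requestheader-client-ca-file` and `--requestheader-allowed-names` in the new AddFlags still says the certificate check gates only "usernames in headers specified by --requestheader-username-headers", although the same proxy certificate now vouches for groups and extras; I would widen it to `"before trusting usernames, groups and extra values in headers specified by the --requestheader-* flags"`. Whether callers of ToAuthenticationRequestHeaderConfig already reject an empty ClientCAFile is not visible from here.
```go
// Validate rejects option combinations that ToAuthenticationRequestHeaderConfig
// would otherwise silently ignore: group headers and extra-header prefixes are
// only consulted when a username header is configured.
func (s *RequestHeaderAuthenticationOptions) Validate() []error {
	var errs []error
	if len(s.UsernameHeaders) == 0 && (len(s.GroupHeaders) > 0 || len(s.ExtraHeaderPrefixes) > 0) {
		errs = append(errs, errors.New("--requestheader-group-headers and --requestheader-extra-headers-prefix require --requestheader-username-headers"))
	}
	return errs
}
```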