Merge pull request #39193 from xilabao/add-rules-failed-message

Automatic merge from submit-queue

Add a "rules not allow" message when authorization fails

old result:
```
# ./cluster/kubectl.sh --token=/test get po
Error from server (Forbidden): User "" cannot list pods in the namespace "default".: "<nil>" (get pods)
```
new result:
```
# ./cluster/kubectl.sh --token=/test get po
Error from server (Forbidden): User "" cannot list pods in the namespace "default".: "rules not allow" (get pods)
```

test.yaml
```
kind: Role
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: test
rules:
- apiGroups: ["*"]
  verbs: ["create"]
  resources: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: admin-resource-binding
subjects:
  - kind: Group
    name: test
roleRef:
  kind: Role
  name: test
```
Kubernetes Submit Queue 2017-01-03 22:07:01 -08:00 committed by GitHub
commit dedec2d16d
2 changed files with 11 additions and 2 deletions


@ -38,7 +38,12 @@ func Forbidden(attributes authorizer.Attributes, w http.ResponseWriter, req *htt
w.Header().Set("Content-Type", "text/plain")
w.Header().Set("X-Content-Type-Options", "nosniff")
w.WriteHeader(http.StatusForbidden)
fmt.Fprintf(w, "%s: %q", msg, reason)
if len(reason) == 0 {
fmt.Fprintf(w, "%s", msg)
} else {
fmt.Fprintf(w, "%s: %q", msg, reason)
}
}
func forbiddenMessage(attributes authorizer.Attributes) string {
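Review bot: The `else` branch still writes the authorizer's `reason` verbatim into the 403 body, so whatever an authorizer puts there is shown to a caller who has just been denied. In the RBAC hunk of this commit the reason is the text of `ruleResolutionError`, which may carry internal policy details. I would state the contract on `Forbidden`, for example `// reason is sent to the client as-is; authorizers must return only text that is safe to show a denied caller`. The empty-reason branch could also be written `fmt.Fprint(w, msg)`. The start of `Forbidden` is outside the hunk, so how `msg` and `reason` are produced is not visible here.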


@ -48,7 +48,11 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (boo
glog.V(2).Infof("RBAC DENY: user %q groups %v cannot %q on \"%v.%v/%v\"", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(),
requestAttributes.GetVerb(), requestAttributes.GetResource(), requestAttributes.GetAPIGroup(), requestAttributes.GetSubresource())
return false, fmt.Sprintf("%v", ruleResolutionError), nil
reason := ""
if ruleResolutionError != nil {
reason = fmt.Sprintf("%v", ruleResolutionError)
}
return false, reason, nil
}
func New(roles validation.RoleGetter, roleBindings validation.RoleBindingLister, clusterRoles validation.ClusterRoleGetter, clusterRoleBindings validation.ClusterRoleBindingLister) *RBACAuthorizer {
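Review bot: The resolution error is turned into `reason` and returned, but the `RBAC DENY` log line just above never records it, so an operator reading the server log cannot tell a plain deny from one where rule resolution failed. I would log it inside the new `if`, e.g. `glog.V(2).Infof("RBAC DENY: rule resolution error: %v", ruleResolutionError)`. `reason = ruleResolutionError.Error()` is also the more direct form of the `fmt.Sprintf("%v", ...)` call. The top of `Authorize` is outside the hunk, so where `ruleResolutionError` comes from is not visible here.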