diff --git a/pkg/authorization/authorizer/authorizer.go b/pkg/authorization/authorizer/authorizer.go index 2a3a11947dae..2f58bc1dc044 100644 --- a/pkg/authorization/authorizer/authorizer.go +++ b/pkg/authorization/authorizer/authorizer.go @@ -52,7 +52,24 @@ func (a *openshiftAuthorizer) Authorize(ctx kapi.Context, passedAttributes Autho return false, "", kerrors.NewAggregate(errs) } - return false, "denied by default", nil + username := "MISSING" + if user, userExists := kapi.UserFrom(ctx); userExists { + username = user.GetName() + } + + denyReason := "denied by default" + if passedAttributes.IsNonResourceURL() { + denyReason = fmt.Sprintf("%v cannot %v on %v", username, attributes.GetVerb(), attributes.GetURL()) + + } else { + resourceNamePart := "" + if len(attributes.GetResourceName()) > 0 { + resourceNamePart = fmt.Sprintf(" with name \"%v\"", attributes.GetResourceName()) + } + denyReason = fmt.Sprintf("%v cannot %v on %v%v in %v", username, attributes.GetVerb(), attributes.GetResource(), resourceNamePart, namespace) + } + + return false, denyReason, nil } func (a *openshiftAuthorizer) GetAllowedSubjects(ctx kapi.Context, attributes AuthorizationAttributes) (util.StringSet, util.StringSet, error) { diff --git a/pkg/authorization/authorizer/authorizer_test.go b/pkg/authorization/authorizer/authorizer_test.go index 2b5a9e5e650b..228b8b25ebbf 100644 --- a/pkg/authorization/authorizer/authorizer_test.go +++ b/pkg/authorization/authorizer/authorizer_test.go @@ -41,7 +41,7 @@ func TestResourceNameDeny(t *testing.T) { ResourceName: "just-a-user", }, expectedAllowed: false, - expectedReason: "denied by default", + expectedReason: `just-a-user cannot get on users with name "just-a-user"`, } test.policies = newDefaultGlobalPolicies() test.bindings = newDefaultGlobalBinding() @@ -166,7 +166,7 @@ func TestNonResourceDeny(t *testing.T) { URL: "not-allowed", }, expectedAllowed: false, - expectedReason: "denied by default", + expectedReason: `no-one cannot get on not-allowed`, } test.policies = newDefaultGlobalPolicies() test.bindings = newDefaultGlobalBinding() @@ -183,7 +183,7 @@ func TestHealthDeny(t *testing.T) { URL: "/healthz", }, expectedAllowed: false, - expectedReason: "denied by default", + expectedReason: `no-one cannot get on /healthz`, } test.policies = newDefaultGlobalPolicies() test.bindings = newDefaultGlobalBinding() @@ -215,7 +215,7 @@ func TestDisallowedViewingGlobalPods(t *testing.T) { Resource: "pods", }, expectedAllowed: false, - expectedReason: "denied by default", + expectedReason: `SomeYahoo cannot get on pods`, } test.policies = newDefaultGlobalPolicies() test.bindings = newDefaultGlobalBinding() @@ -282,7 +282,7 @@ func TestResourceRestrictionsWork(t *testing.T) { Resource: "pods", }, expectedAllowed: false, - expectedReason: "denied by default", + expectedReason: `Rachel cannot get on pods in adze`, } test2.policies = newDefaultGlobalPolicies() test2.policies = append(test2.policies, newAdzePolicies()...) @@ -331,7 +331,7 @@ func TestLocalRightsDoNotGrantGlobalRights(t *testing.T) { Resource: "buildConfigs", }, expectedAllowed: false, - expectedReason: "denied by default", + expectedReason: `Rachel cannot get on buildConfigs in backsaw`, } test.policies = newDefaultGlobalPolicies() test.policies = append(test.policies, newAdzePolicies()...) @@ -364,7 +364,7 @@ func TestVerbRestrictionsWork(t *testing.T) { Resource: "buildConfigs", }, expectedAllowed: false, - expectedReason: "denied by default", + expectedReason: `Valerie cannot create on buildConfigs in adze`, } test2.policies = newDefaultGlobalPolicies() test2.policies = append(test2.policies, newAdzePolicies()...) diff --git a/pkg/authorization/authorizer/bootstrap_policy_test.go b/pkg/authorization/authorizer/bootstrap_policy_test.go index 520b17cc011a..f2d294309beb 100644 --- a/pkg/authorization/authorizer/bootstrap_policy_test.go +++ b/pkg/authorization/authorizer/bootstrap_policy_test.go @@ -37,7 +37,7 @@ func TestViewerGetAllowedKindInAdze(t *testing.T) { Resource: "pods", }, expectedAllowed: false, - expectedReason: "denied by default", + expectedReason: "Victor cannot get on pods in adze", } test.policies = newDefaultGlobalPolicies() test.policies = append(test.policies, newAdzePolicies()...) @@ -57,7 +57,7 @@ func TestViewerGetDisallowedKindInMallet(t *testing.T) { Resource: "policies", }, expectedAllowed: false, - expectedReason: "denied by default", + expectedReason: "Victor cannot get on policies in mallet", } test.policies = newDefaultGlobalPolicies() test.policies = append(test.policies, newAdzePolicies()...) @@ -76,7 +76,7 @@ func TestViewerGetDisallowedKindInAdze(t *testing.T) { Resource: "policies", }, expectedAllowed: false, - expectedReason: "denied by default", + expectedReason: "Victor cannot get on policies in adze", } test.policies = newDefaultGlobalPolicies() test.policies = append(test.policies, newAdzePolicies()...) @@ -96,7 +96,7 @@ func TestViewerCreateAllowedKindInMallet(t *testing.T) { Resource: "pods", }, expectedAllowed: false, - expectedReason: "denied by default", + expectedReason: "Victor cannot create on pods in mallet", } test.policies = newDefaultGlobalPolicies() test.policies = append(test.policies, newAdzePolicies()...) @@ -115,7 +115,7 @@ func TestViewerCreateAllowedKindInAdze(t *testing.T) { Resource: "pods", }, expectedAllowed: false, - expectedReason: "denied by default", + expectedReason: "Victor cannot create on pods in adze", } test.policies = newDefaultGlobalPolicies() test.policies = append(test.policies, newAdzePolicies()...) @@ -154,7 +154,7 @@ func TestEditorUpdateAllowedKindInAdze(t *testing.T) { Resource: "pods", }, expectedAllowed: false, - expectedReason: "denied by default", + expectedReason: "Edgar cannot update on pods in adze", } test.policies = newDefaultGlobalPolicies() test.policies = append(test.policies, newAdzePolicies()...) @@ -174,7 +174,7 @@ func TestEditorUpdateDisallowedKindInMallet(t *testing.T) { Resource: "roleBindings", }, expectedAllowed: false, - expectedReason: "denied by default", + expectedReason: "Edgar cannot update on roleBindings in mallet", } test.policies = newDefaultGlobalPolicies() test.policies = append(test.policies, newAdzePolicies()...) @@ -193,7 +193,7 @@ func TestEditorUpdateDisallowedKindInAdze(t *testing.T) { Resource: "roleBindings", }, expectedAllowed: false, - expectedReason: "denied by default", + expectedReason: "Edgar cannot update on roleBindings in adze", } test.policies = newDefaultGlobalPolicies() test.policies = append(test.policies, newAdzePolicies()...) @@ -232,7 +232,7 @@ func TestEditorGetAllowedKindInAdze(t *testing.T) { Resource: "pods", }, expectedAllowed: false, - expectedReason: "denied by default", + expectedReason: "Edgar cannot get on pods in adze", } test.policies = newDefaultGlobalPolicies() test.policies = append(test.policies, newAdzePolicies()...) @@ -271,7 +271,7 @@ func TestAdminUpdateAllowedKindInAdze(t *testing.T) { Resource: "roleBindings", }, expectedAllowed: false, - expectedReason: "denied by default", + expectedReason: "Matthew cannot update on roleBindings in adze", } test.policies = newDefaultGlobalPolicies() test.policies = append(test.policies, newAdzePolicies()...) @@ -291,7 +291,7 @@ func TestAdminUpdateDisallowedKindInMallet(t *testing.T) { Resource: "policies", }, expectedAllowed: false, - expectedReason: "denied by default", + expectedReason: "Matthew cannot update on policies in mallet", } test.policies = newDefaultGlobalPolicies() test.policies = append(test.policies, newAdzePolicies()...) @@ -310,7 +310,7 @@ func TestAdminUpdateDisallowedKindInAdze(t *testing.T) { Resource: "roles", }, expectedAllowed: false, - expectedReason: "denied by default", + expectedReason: "Matthew cannot update on roles in adze", } test.policies = newDefaultGlobalPolicies() test.policies = append(test.policies, newAdzePolicies()...) @@ -349,7 +349,7 @@ func TestAdminGetAllowedKindInAdze(t *testing.T) { Resource: "policies", }, expectedAllowed: false, - expectedReason: "denied by default", + expectedReason: "Matthew cannot get on policies in adze", } test.policies = newDefaultGlobalPolicies() test.policies = append(test.policies, newAdzePolicies()...)