21 changes: 11 additions & 10 deletions pkg/authorization/registry/rolebinding/virtual_registry.go
Expand Up @@ -93,7 +93,7 @@ func (m *VirtualRegistry) CreateRoleBinding(ctx kapi.Context, roleBinding *autho
}
}

policyBinding, err := m.getPolicyBindingForPolicy(ctx, roleBinding.RoleRef.Namespace)
policyBinding, err := m.getPolicyBindingForPolicy(ctx, roleBinding.RoleRef.Namespace, allowEscalation)
if err != nil {
return err
}
Expand Down Expand Up @@ -133,7 +133,7 @@ func (m *VirtualRegistry) UpdateRoleBinding(ctx kapi.Context, roleBinding *autho
return fmt.Errorf("cannot change roleBinding.RoleRef.Namespace from %v to %v", existingRoleBinding.RoleRef.Namespace, roleBinding.RoleRef.Namespace)
}

policyBinding, err := m.getPolicyBindingForPolicy(ctx, roleBinding.RoleRef.Namespace)
policyBinding, err := m.getPolicyBindingForPolicy(ctx, roleBinding.RoleRef.Namespace, allowEscalation)
if err != nil {
return err
}
Expand Down Expand Up @@ -210,20 +210,20 @@ func (m *VirtualRegistry) confirmNoEscalation(ctx kapi.Context, roleBinding *aut
}

// ensurePolicyBindingToMaster returns a PolicyBinding object that has a PolicyRef pointing to the Policy in the passed namespace.
func (m *VirtualRegistry) ensurePolicyBindingToMaster(ctx kapi.Context) (*authorizationapi.PolicyBinding, error) {
policyBinding, err := m.bindingRegistry.GetPolicyBinding(ctx, m.masterAuthorizationNamespace)
func (m *VirtualRegistry) ensurePolicyBindingToMaster(ctx kapi.Context, policyNamespace string) (*authorizationapi.PolicyBinding, error) {
policyBinding, err := m.bindingRegistry.GetPolicyBinding(ctx, policyNamespace)
if err != nil {
if !kapierrors.IsNotFound(err) {
return nil, err
}

// if we have no policyBinding, go ahead and make one. creating one here collapses code paths below. We only take this hit once
policyBinding = policybindingregistry.NewEmptyPolicyBinding(kapi.NamespaceValue(ctx), m.masterAuthorizationNamespace)
policyBinding = policybindingregistry.NewEmptyPolicyBinding(kapi.NamespaceValue(ctx), policyNamespace)
if err := m.bindingRegistry.CreatePolicyBinding(ctx, policyBinding); err != nil {
return nil, err
}

policyBinding, err = m.bindingRegistry.GetPolicyBinding(ctx, m.masterAuthorizationNamespace)
policyBinding, err = m.bindingRegistry.GetPolicyBinding(ctx, policyNamespace)
if err != nil {
return nil, err
}
Expand All @@ -237,10 +237,11 @@ func (m *VirtualRegistry) ensurePolicyBindingToMaster(ctx kapi.Context) (*author
}

// Returns a PolicyBinding that points to the specified policyNamespace. It will autocreate ONLY if policyNamespace equals the master namespace
func (m *VirtualRegistry) getPolicyBindingForPolicy(ctx kapi.Context, policyNamespace string) (*authorizationapi.PolicyBinding, error) {
// we can autocreate a PolicyBinding object if the RoleBinding is for the master namespace
if policyNamespace == m.masterAuthorizationNamespace {
return m.ensurePolicyBindingToMaster(ctx)
func (m *VirtualRegistry) getPolicyBindingForPolicy(ctx kapi.Context, policyNamespace string, allowAutoProvision bool) (*authorizationapi.PolicyBinding, error) {
// we can autocreate a PolicyBinding object if the RoleBinding is for the master namespace OR if we've been explicity told to create the policying binding.
// the latter happens during priming
if (policyNamespace == m.masterAuthorizationNamespace) || allowAutoProvision {
return m.ensurePolicyBindingToMaster(ctx, policyNamespace)
}

policyBinding, err := m.bindingRegistry.GetPolicyBinding(ctx, policyNamespace)
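Review bot: The comment above `getPolicyBindingForPolicy` in the last hunk still says it autocreates ONLY when policyNamespace equals the master namespace, but the new `allowAutoProvision` branch right below it autocreates for any namespace; it should read `// Returns a PolicyBinding that points to the specified policyNamespace. It autocreates if policyNamespace is the master namespace or allowAutoProvision is set (priming).` More significantly, both call sites in `CreateRoleBinding` and `UpdateRoleBinding` pass `allowEscalation` as `allowAutoProvision`, so whatever grants the right to bypass the escalation check also grants the right to create PolicyBinding objects in the request namespace that reference arbitrary policy namespaces; if those are intended to be one privilege, say so in a comment at each call site, otherwise a separate flag is warranted. `allowEscalation` is set outside the hunk, so its origin cannot be checked here. `ensurePolicyBindingToMaster` is also no longer master-specific and could be renamed, and the new comment has typos (`explicity`, `policying binding`).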
7 changes: 5 additions & 2 deletions pkg/authorization/rulevalidation/find_rules.go
Expand Up @@ -3,9 +3,9 @@ package rulevalidation
import (
"errors"
"fmt"
"strings"

kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
kapierror "github.com/GoogleCloudPlatform/kubernetes/pkg/api/errors"
"github.com/GoogleCloudPlatform/kubernetes/pkg/auth/user"
klabels "github.com/GoogleCloudPlatform/kubernetes/pkg/labels"
"github.com/GoogleCloudPlatform/kubernetes/pkg/util"
Expand Down Expand Up @@ -44,7 +44,7 @@ type BindingLister interface {

func (a *DefaultRuleResolver) getPolicy(ctx kapi.Context) (*authorizationapi.Policy, error) {
policy, err := a.policyGetter.GetPolicy(ctx, authorizationapi.PolicyName)
if err != nil && !strings.Contains(err.Error(), "not found") {
if err != nil {
return nil, err
}

Expand Down Expand Up @@ -82,6 +82,9 @@ func (a *DefaultRuleResolver) GetRole(roleBinding authorizationapi.RoleBinding)

ctx := kapi.WithNamespace(kapi.NewContext(), namespace)
policy, err := a.getPolicy(ctx)
if kapierror.IsNotFound(err) {
return nil, kapierror.NewNotFound("role", roleBinding.RoleRef.Name)
}
if err != nil {
return nil, err
}
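Review bot: Dropping the not-found tolerance in `getPolicy` changes the contract for every caller, but only `GetRole` in this diff handles the resulting NotFound error; any other caller of `getPolicy` in this file (not visible here) would now fail on a namespace that has no Policy instead of resolving to no rules, so confirm each one handles it or that failing closed there is intended. Replacing the `strings.Contains(err.Error(), "not found")` match with `kapierror.IsNotFound` is a real fix, since the substring match could also swallow unrelated errors whose text happens to contain that phrase. A doc comment would pin the new contract: `// getPolicy returns the Policy for ctx's namespace; a missing Policy is returned as a NotFound error that callers must handle.` Both function bodies continue outside the hunk.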