add rule to allow self-subject access reviews #1392
Conversation
There was a problem hiding this comment.
if we don't have attribute restrictions, we can return true
if we do have attribute restrictions, and they aren't a recognized type, we should return false (or an error)
There was a problem hiding this comment.
That was bad. Fixed and a test added.
deads2k
force-pushed
the
deads-create-fine-grained-subjectaccessreview
branch
from
fef5c79 to
f52461e
Compare
|
rebased. |
There was a problem hiding this comment.
I think IsPersonalSubjectAccessReview is a better name for the restriction marker type itself
|
nit about the marker type name and squash, then LGTM |
|
Reminder to myself to update the serialization to omitempty |
deads2k
force-pushed
the
deads-create-fine-grained-subjectaccessreview
branch
from
f52461e to
a7959e6
Compare
deads2k
force-pushed
the
deads-create-fine-grained-subjectaccessreview
branch
from
a7959e6 to
8e71ce9
Compare
|
[merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_openshift3/1257/) (Image: devenv-fedora_1106) |
|
Evaluated for origin up to 8e71ce9 |
…ctaccessreview Merged by openshift-bot
|
@pravisankar This should fix your problem with personal subject access reviews from the docker registry. Remember you'll need to delete the contents of your etcd to get the new default policy. |
|
This doesn't work anymore. I'm going to have to rip this and replace it with standard objects. You can't put interfaces into our objects right now. |
|
That shouldn't be using anything unusual. What wasn't working? |
|
runtime.EmbeddedObject{} has a runtime.Object in its internal version, which means its an interface, which means gob.Encode/Decode (used by conversion.DeepCopy) can't round trip it. We didn't really need EmbeddedObject here - because we can just define things by type. |
|
Hmm, didn't that break other things that used runtime.EmbeddedObject? |
|
Nothing else uses EmbeddedObject ----- Original Message -----
|
|
@deads2k awesome… apparently we were the only ones using this. Trouble for config as well? |
|
We were using this in config??? ----- Original Message -----
|
|
EmbeddedObject, yes |
|
We should probably not.
|
What do you mean by, "define things by type"? There are other rules we want to write in code, things like kubelet rules. I'd rather not list every possibility as a pointer and name them all. You can also see the usage inside of the kubeconfig objects. That is the point where openshift can extend a kubeconfig file in an easy way. We also make use of these in the openshift start config objects for dealing with places where are there are many potentially valid types. Rather than trying to enforce "at most one" logic on a set of pointers. I'd rather not end up trying to enforce a type that looks like this: https://github.com/openshift/origin/blob/master/pkg/build/api/types.go#L107. Adding anything other than |
|
…service-catalog/' changes from 3aacfedec6..aa27078754 aa27078754 origin build: add origin tooling bcf37fd 0.1.0-rc2 chart updates (openshift#1410) 4ab0a0a add back 'Processing' message for instance deletion (openshift#1332) 0ecbcb1 Update logs for Cluster service plans. (openshift#1389) 8b491ef Fix a quoting nit (openshift#1400) 63685e4 add orphan mitigation-specific conditions for instances (openshift#1378) adee662 Updated missed fields in service and plan specs (openshift#1406) 2095919 Handle default plan setting when using k8s names (openshift#1405) 607ba66 Document rbacEnable. (openshift#1404) 268294e Adding rbac definition for v1 api endpoint. (openshift#1284) 103288d differentiate between failed updates and provisions during deletion (openshift#1383) eba8ba4 enable API aggregation and Service Catalog RBAC on Jenkins (openshift#1333) 5a93315 Validate relistDuration is non-negative (openshift#1395) e279d21 Fix log messages for secrets (openshift#1385) 87fa8c9 fix status update when starting orphan mitigation (openshift#1372) 11f18f3 Switch to wget for integration apiserver checks (openshift#1384) 8c44a7d update OSB client to 2.13 (openshift#1392) e64bbd1 default plan admission controller: filter list of service plans/service classes by the class name (openshift#1351) 6648c0e Check field names. Fix issue 1291 (openshift#1379) 5319841 update comment for instance generation check (openshift#1382) 7d5823f remove internal poll method (openshift#1381) 07d3068 Rework the logging for controller_instance. (openshift#1371) 5f4ca01 address PR comment as a followup (openshift#1380) 485d5e6 Add support for specifying plan using K8S names. (openshift#1377) 662bba8 Log number of secret keys created for binding credential (openshift#1375) 8ad6a31 Move controller constants into correct files (openshift#1373) 7bd66dd Adding type to log. (openshift#1339) 1ce5c4d Remove k8s/k8s dependency (openshift#1355) b458323 Adding log formatting for BindingController. (openshift#1352) 275eb11 rename test variables to be consistent (openshift#1315) ffd6b8b travis: skip cleanup before deploy (openshift#1368) d5ecc04 fix travis tag checker (openshift#1365) 2cae0ee Minor updates to README (openshift#1360) REVERT: 3aacfedec6 carry: Set external plan name for service-catalog walkthrough REVERT: 3ec9e5b07a origin build: add origin tooling git-subtree-dir: cmd/service-catalog/go/src/github.com/kubernetes-incubator/service-catalog git-subtree-split: aa2707875461dd51be3731b1d94b5cfc3b9a3976
* change alpha resources to non-alpha versions * update OSB client to 2.13
Restore OCP branding to error, login, and selectprovider pages
4 participants
This adds a fine-grained policy rule that checks to see if a subject access review request is for "self". If it is, then the additional check allows it.
@liggitt It fell out pretty clean. Almost exactly as planned, except for needing to parse the content.