handle non resource urls #998
Conversation
deads2k
force-pushed
the
deads-handle-non-resource-urls
branch
2 times, most recently
from
e4a9829 to
7f1b442
Compare
deads2k
force-pushed
the
deads-handle-non-resource-urls
branch
from
7f1b442 to
7268f27
Compare
|
calling |
There was a problem hiding this comment.
Need a clear description of how this is used in combination with the Resources/ResourceNames restrictions. Is this required to match requests in addition to Resources/ResourceNames, or instead of?
There was a problem hiding this comment.
Also, URL rather than Url (everywhere)
There was a problem hiding this comment.
Need to fix the godoc
Yeah. Looking at kubernetes, I think that's a feature not a bug: https://github.com/GoogleCloudPlatform/kubernetes/blob/master/pkg/apiserver/handlers.go#L225. The comment predated me, but from what I can gather they don't want to rely upon an api/version url shape. The tests and comments make it clear that it was an explicit choice. That means that looking a URL, you cannot logically determine whether it is a non-resource url or not. The list bit is a little weird, but it doesn't bother me too much. If you'd prefer, we can add our own detection based on a list of known resource URL prefixes. I don't feel strongly. |
|
Let's talk about this tomorrow |
@liggitt and I secretly agreed that this implementation was bad and we should update it actually be an either/or with any resource API. That detection is possible now that we've had the rebase and one upstream patch. I should be in the office around 10-10:30 (thank god). |
deads2k
force-pushed
the
deads-handle-non-resource-urls
branch
2 times, most recently
from
fa5e86d to
5398a50
Compare
|
Don't leave too early. But I will be in as well (thank god). |
"You're not under arrest, but don't leave town...." |
|
@liggitt Updates complete To grant non-resource permissions to role looks like this: /healthz, /version, /osapi, and /api are allowed to authenticated and unauthenticated by default. |
deads2k
force-pushed
the
deads-handle-non-resource-urls
branch
from
5398a50 to
d2ec071
Compare
|
[test] |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_openshift3/1110/) |
|
Should we require leading slashes to avoid the appearance of relative or remainder path matching? |
pkg/authorization/api/types.go
Outdated
There was a problem hiding this comment.
ok... I guess I'm forgetting what we talked about... did we end up at remainder URL matching?
There was a problem hiding this comment.
Bad comment. Updated .
Doing |
There was a problem hiding this comment.
also note in the doc for namespace/resource/resourcename that they will be "" when IsNonResourceURL is true
deads2k
force-pushed
the
deads-handle-non-resource-urls
branch
from
96a63fc to
14ff408
Compare
There was a problem hiding this comment.
Special case needed forever? Add todo
|
I think I'm caught up with comments. |
There was a problem hiding this comment.
Much clearer, thanks
|
LGTM [merge] |
deads2k
force-pushed
the
deads-handle-non-resource-urls
branch
from
ad0b626 to
4baffdd
Compare
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_openshift3/972/) (Image: devenv-fedora_841) |
|
Evaluated for origin up to 4baffdd |
Merged by openshift-bot
…service-catalog/' changes from 568a7b9..8f07b7b 8f07b7b origin: add required patches ee57bfb Cleanup of ups broker example + making controller follow the OSB API (openshift#807) 45a11ed Revert "Rename our resources to have ServiceCatalog prefix (openshift#1054)" (openshift#1061) 4e47ec1 Rename our resources to have ServiceCatalog prefix (openshift#1054) 2bb334a Rebase on 1.7 API machinery (openshift#944) 5780b59 Run broker reconciler when spec is changed. (openshift#1026) 9c22d04 Merge branch 'pr/1006' d077915 check number of expected events before dereferencing to avoid panic (openshift#1052) 90d615f Merge branch 'pr/1055' bb6d6d8 fix log output to use formatted output (openshift#1056) c7abc81 Adding examples to the README ccc93c9 Remove different-org rule for LGTM (openshift#1050) be04cd5 Allow for a period in the GUID of the External ID (openshift#1034) 8c246df Make it so that binding.spec.secretName defaults to binding name (openshift#851) 6745418 Bump OSB Client (openshift#1049) 8346a0d apiserver etcd healthcheck as suggested to address k/k#48215 (openshift#1039) 11d0d4a use GKE's latest 1.6.X cluster version for Jenkins (openshift#1036) 7d71b5b Cross-build all the things! 8ec0874 RBAC setup behind the aggregator. (openshift#936) 0864a2e Upsert retry loop for Secret, set/check ownerReference for Secret owned by Binding (openshift#979) 6be9886 add info about weekly calls (openshift#1027) a242b26 add OSB API Header version flag (openshift#1014) 66e2ce6 Update REVIEWING doc with changes to LGTM process (openshift#1016) 699e016 Writing the returned progress description from the broker (openshift#998) 02642f4 Adding target to test on the host (openshift#1020) 78ca572 v0.0.13 (openshift#1024) 9e79ec2 use GKE's default K8S version for Jenkins (openshift#1023) d3c915a Fix curl on API server start error (openshift#1015) b50be75 Merge branch 'pr/1013' 2c98ba1 Using tag URLs 687f091 Parameterizing the priority fields 34ed5cd update apiregistration yaml to v1.7 final (openshift#1011) 91fa1ad make e2e look for pods' existence before checking status (openshift#1012) 0f90705 explicitly disable leader election if it is not enabled (openshift#965) f5761e7 controller-manager health checks (openshift#694) da260f2 Add logging for normal Unbind errors (openshift#992) 4c916a5 make the apiserver test use tls (openshift#991) 1a62ecc refactor reconcileBroker (openshift#986) cc179bc Add logging for normal Bind errors (openshift#993) a1458dd add parameterization for user-broker image to e2e tests (openshift#995) fb15891 Bump OSB client (openshift#1000) 79d5206 v0.0.12 (openshift#996) 39c7407 Merge branch 'pr/975' a553b2d Merge branch 'pr/974' d573339 reconcileBinding error checking (openshift#973) 39a1061 Making events and actions checks generic (openshift#960) 73136a4 Bump osb client (openshift#971) 878a987 reconcileInstance error checking in unit-tests 4991d57 reconcileBroker error checking in unit-tests 9ed6812 Extract methods for binding test setup (openshift#961) b69a1ee Make ups-broker return valid unbind response (openshift#964) 8b37d2f Releasing 0.0.11 (openshift#962) 52fec8b Merge branch 'pr/954' d49cdeb Swap client 445fa71 Add dependency on pmorie/go-open-service-broker-client 9f743b2 Instructions for enabling API Aggregation (openshift#895) 512508d Use correct infof calls in controller_manager (openshift#950) 77943ba fix regex that determines if a tag is deployable (openshift#947) 8a226b8 Updates for v0.0.10 release (openshift#943) REVERT: 568a7b9 origin build: add origin tooling git-subtree-dir: cmd/service-catalog/go/src/github.com/kubernetes-incubator/service-catalog git-subtree-split: 8f07b7bbf3acb2b557f23596a92b5e775ae9321c
UPSTREAM: 55826: Return nil error if checkpoint returns with KeyNotFound error
) * Writing the returned progress description from the broker * Only updating the status if the description was present * Updating tests to account for the description update action * Being clearer about setting message and reason Including protection against nil descriptions * Adding test for updating action
5 participants
Depends on #991
Adds the ability to describe non-resources for policy matching. This can be used to allow access to one off endpoints like
healthzandversion.You can now specify a path with an ending wildcard that will be evaluated against the remainder of a request path to determine a match or not. The evaluation takes the remainder of a URL and attempts to match it against a series of explicitly allowed steps that can end in a wildcard.
@liggitt last two commits?