github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

prevent illegal verb/name combinations in default policy rules

Browse Source
This commit is contained in:
deads2k 2017-05-24 14:59:01 -04:00
parent 6f7eac63c2
commit 5539a6721d
3 changed files with 33 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
pkg/apis/rbac/helpers.go
View File

@ -190,6 +190,22 @@ func (r *PolicyRuleBuilder) Rule() (PolicyRule, error) {
// this a common bug // this a common bug
return PolicyRule{}, fmt.Errorf("resource rule must have apiGroups: %#v", r.PolicyRule) return PolicyRule{}, fmt.Errorf("resource rule must have apiGroups: %#v", r.PolicyRule)
} }
// if resource names are set, then the verb must not be list, watch, create, or deletecollection
// since verbs are largely opaque, we don't want to accidentally prevent things like "impersonate", so
// we will backlist common mistakes, not whitelist acceptable options.
if len(r.PolicyRule.ResourceNames) != 0 {
illegalVerbs := []string{}
for _, verb := range r.PolicyRule.Verbs {
switch verb {
case "list", "watch", "create", "deletecollection":
illegalVerbs = append(illegalVerbs, verb)
}
}
if len(illegalVerbs) > 0 {
return PolicyRule{}, fmt.Errorf("verbs %v do not have names available: %#v", illegalVerbs, r.PolicyRule)
}
}
default: default:
return PolicyRule{}, fmt.Errorf("a rule must have either nonResourceURLs or resources: %#v", r.PolicyRule) return PolicyRule{}, fmt.Errorf("a rule must have either nonResourceURLs or resources: %#v", r.PolicyRule)
} }

2
staging/src/k8s.io/client-go/Godeps/Godeps.json generated
View File

@ -1,6 +1,6 @@
{ {
"ImportPath": "k8s.io/client-go", "ImportPath": "k8s.io/client-go",
"GoVersion": "go1.7", "GoVersion": "go1.8",
"GodepVersion": "v79", "GodepVersion": "v79",
"Packages": [ "Packages": [
"./..." "./..."

16
staging/src/k8s.io/client-go/pkg/apis/rbac/helpers.go
View File

@ -189,6 +189,22 @@ func (r *PolicyRuleBuilder) Rule() (PolicyRule, error) {
// this a common bug // this a common bug
return PolicyRule{}, fmt.Errorf("resource rule must have apiGroups: %#v", r.PolicyRule) return PolicyRule{}, fmt.Errorf("resource rule must have apiGroups: %#v", r.PolicyRule)
} }
// if resource names are set, then the verb must not be list, watch, create, or deletecollection
// since verbs are largely opaque, we don't want to accidentally prevent things like "impersonate", so
// we will backlist common mistakes, not whitelist acceptable options.
if len(r.PolicyRule.ResourceNames) != 0 {
illegalVerbs := []string{}
for _, verb := range r.PolicyRule.Verbs {
switch verb {
case "list", "watch", "create", "deletecollection":
illegalVerbs = append(illegalVerbs, verb)
}
}
if len(illegalVerbs) > 0 {
return PolicyRule{}, fmt.Errorf("verbs %v do not have names available: %#v", illegalVerbs, r.PolicyRule)
}
}
default: default:
return PolicyRule{}, fmt.Errorf("a rule must have either nonResourceURLs or resources: %#v", r.PolicyRule) return PolicyRule{}, fmt.Errorf("a rule must have either nonResourceURLs or resources: %#v", r.PolicyRule)
} }