Commit Graph

77 Commits

Author SHA1 Message Date
Wojciech Tyczynski
4d0d115690 Revert "add tokenreviews endpoint to implement webhook" 2016-07-21 09:40:35 +02:00
deads2k
2c4a9f2e8d interesting changes to add tokenreviews endpoint to implement webhook 2016-07-20 15:11:56 -04:00
k8s-merge-robot
8d46d9b0c7 Merge pull request #28281 from nhlfr/authorize-return-bool
Automatic merge from submit-queue

Return (bool, error) in Authorizer.Authorize()

Before this change, Authorize() method was just returning an error, regardless of whether the user is unauthorized or whether there is some other unrelated error. Returning boolean with information about user authorization and error (which should be unrelated to the authorization) separately will make it easier to debug.

Fixes #27974
2016-07-18 21:40:26 -07:00
k8s-merge-robot
fa174bcdaf Merge pull request #29042 from dims/fixup-imports
Automatic merge from submit-queue

Use Go canonical import paths

Add canonical imports only in existing doc.go files.
https://golang.org/doc/go1.4#canonicalimports

Fixes #29014
2016-07-18 07:23:38 -07:00
Michal Rostecki
fa0dd46ab7 Return (bool, error) in Authorizer.Authorize()
Before this change, Authorize() method was just returning an error,
regardless of whether the user is unauthorized or whether there
is some other unrelated error. Returning boolean with information
about user authorization and error (which should be unrelated to
the authorization) separately will make it easier to debug.

Fixes #27974
2016-07-18 12:06:54 +02:00
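The two commit messages above (the merge and the original "Return (bool, error) in Authorizer.Authorize()") describe why the decision and the failure are split apart. The following Go program is an added illustration written for this page, not code from the Kubernetes tree: it shows a minimal Authorizer interface with that signature, a union that chains authorizers the way a chain must once errors and denials are distinct (an error from one backend is collected rather than treated as a denial, the first allow wins), and the status an API server would derive from the pair. The Attributes struct, the rule format "group/verb/resource", and the failing webhook stand-in are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Attributes is the subset of request attributes an authorizer looks at
// (constructed for this example; the real interface carries more fields).
type Attributes struct {
	User     string
	Groups   []string
	Verb     string
	Resource string
}

// Authorizer decides whether a request is allowed. The bool is the decision;
// the error is reserved for failures unrelated to the decision, such as a
// remote backend being unreachable.
type Authorizer interface {
	Authorize(a Attributes) (bool, error)
}

// RuleAuthorizer allows a fixed set of "group/verb/resource" tuples.
type RuleAuthorizer struct {
	Rules map[string]bool
}

func (r RuleAuthorizer) Authorize(a Attributes) (bool, error) {
	for _, g := range a.Groups {
		if r.Rules[g+"/"+a.Verb+"/"+a.Resource] {
			return true, nil
		}
	}
	return false, nil // a clean "no", not an error
}

// FailingAuthorizer models a backend (e.g. a webhook) that cannot be reached.
type FailingAuthorizer struct{ Err error }

func (f FailingAuthorizer) Authorize(Attributes) (bool, error) { return false, f.Err }

// Union asks each authorizer in order: the first "yes" wins, errors are
// collected instead of being read as denials, and a request nobody allowed
// is denied with every backend error aggregated so an operator can see them.
type Union []Authorizer

func (u Union) Authorize(a Attributes) (bool, error) {
	var errs []string
	for _, az := range u {
		ok, err := az.Authorize(a)
		if err != nil {
			errs = append(errs, err.Error())
			continue
		}
		if ok {
			return true, nil
		}
	}
	if len(errs) > 0 {
		return false, errors.New(strings.Join(errs, "; "))
	}
	return false, nil
}

// HTTPStatus maps the (bool, error) pair to what an API server would send:
// 403 for an explicit denial, 500 when no decision could be reached.
func HTTPStatus(ok bool, err error) int {
	switch {
	case err != nil:
		return 500
	case ok:
		return 200
	default:
		return 403
	}
}

// NewExampleUnion chains a static rule set with a webhook that is down.
func NewExampleUnion() Authorizer {
	rbac := RuleAuthorizer{Rules: map[string]bool{
		"system:masters/get/pods":  true,
		"system:masters/list/pods": true,
	}}
	webhook := FailingAuthorizer{Err: errors.New("webhook: connection refused")}
	return Union{rbac, webhook}
}

func main() {
	u := NewExampleUnion()
	for _, a := range []Attributes{
		{User: "admin", Groups: []string{"system:masters"}, Verb: "get", Resource: "pods"},
		{User: "bob", Groups: []string{"dev"}, Verb: "get", Resource: "pods"},
	} {
		ok, err := u.Authorize(a)
		fmt.Printf("%s %s %s -> ok=%v err=%v status=%d\n",
			a.User, a.Verb, a.Resource, ok, err, HTTPStatus(ok, err))
	}
}
```

Order matters in the chain: with the static rules first, an admin request is allowed without ever touching the broken webhook, while a request that no authorizer allows surfaces the webhook error as a 500 rather than a misleading 403, which is the debugging improvement the commit message is after.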
Davanum Srinivas
2b0ed014b7 Use Go canonical import paths
Add canonical imports only in existing doc.go files.
https://golang.org/doc/go1.4#canonicalimports

Fixes #29014
2016-07-16 13:48:21 -04:00
deads2k
f6f1ab34aa authorize based on user.Info 2016-07-14 07:48:42 -04:00
Eric Chiang
addc4b166c rbac authorizer: support non-resource urls with stars ("/apis/*") 2016-07-12 10:01:53 -07:00
Eric Chiang
411922f66c rbac authorizer: include verb in non-resource url requests 2016-07-12 10:01:53 -07:00
k8s-merge-robot
0c696dc95b Merge pull request #27848 from liubin/fix-typos
Automatic merge from submit-queue

fix some typos

Just a minor typo fix.


Signed-off-by: bin liu <liubin0329@gmail.com>
2016-07-06 23:36:49 -07:00
k8s-merge-robot
4d91f0f763 Merge pull request #25137 from huang195/tls_user_emailaddress
Automatic merge from submit-queue

getting emailAddress from TLS cert

Kubernetes, if using a TLS cert to perform authentication, will use the CommonName field of the cert as the authenticating user. In https://github.com/kubernetes/kubernetes/blob/master/plugin/pkg/auth/authenticator/request/x509/x509.go#L106, alternative methods are defined to use emailAddress or DNSName as the authenticating user. The method that uses the emailAddress is not comprehensive, as this information can be encoded in different places of the certificate. This PR fixes this.
2016-07-06 19:45:01 -07:00
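The merge message above (and the "getting emailAddress from TLS cert" commit further down) turns on the fact that an e-mail address can live in two places in a certificate: as an rfc822Name in the subjectAltName extension, or as the PKCS#9 emailAddress attribute inside the Subject DN. The Go program below is an added example for this page, not the project's x509 authenticator: it extracts the e-mail from either location, shows the CN/e-mail/DNS choice the message refers to as a selectable mode, and mints throwaway self-signed certificates so it runs offline. NewClientCert, UserFromCert and the mode strings are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OID of the PKCS#9 emailAddress attribute, the legacy place for an e-mail
// inside the Subject DN (as opposed to an rfc822Name in subjectAltName).
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// EmailFromCert returns the certificate's e-mail identity, looking in both
// places it can live: subjectAltName rfc822Name entries (cert.EmailAddresses),
// then an emailAddress attribute in the Subject DN, which Go does not expose
// as a named field and so must be picked out of cert.Subject.Names by OID.
func EmailFromCert(c *x509.Certificate) (string, bool) {
	if len(c.EmailAddresses) > 0 {
		return c.EmailAddresses[0], true
	}
	for _, atv := range c.Subject.Names {
		if atv.Type.Equal(oidEmailAddress) {
			if s, ok := atv.Value.(string); ok && s != "" {
				return s, true
			}
		}
	}
	return "", false
}

// UserFromCert selects the identity a deployment has chosen to trust:
// "cn" (CommonName), "email", or "dns" (first DNS SAN). Whichever field is
// chosen, only that field's contents should become the user name, and the
// issuing CA must be the one vouching for it.
func UserFromCert(c *x509.Certificate, mode string) (string, bool) {
	switch mode {
	case "email":
		return EmailFromCert(c)
	case "dns":
		if len(c.DNSNames) > 0 {
			return c.DNSNames[0], true
		}
		return "", false
	default:
		return c.Subject.CommonName, c.Subject.CommonName != ""
	}
}

// NewClientCert mints a throwaway self-signed client certificate for the
// example (constructed test data, not something a real CA would issue):
// the e-mail can be placed in the SAN, in the Subject DN, or nowhere.
func NewClientCert(cn string, sanEmails []string, subjectEmail string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: cn}
	if subjectEmail != "" {
		subject.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: subjectEmail}}
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        subject,
		EmailAddresses: sanEmails,
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	san, _ := NewClientCert("alice", []string{"alice@example.com"}, "")
	dn, _ := NewClientCert("bob", nil, "bob@example.com")
	for _, c := range []*x509.Certificate{san, dn} {
		email, ok := EmailFromCert(c)
		cn, _ := UserFromCert(c, "cn")
		fmt.Printf("CN=%s email=%q found=%v\n", cn, email, ok)
	}
}
```

The SAN entry is preferred because that is where modern issuers put it; the Subject-DN fallback is what the merge message calls "different places of the certificate". Note that a deployment should pick one mode and stick to it: accepting whichever identity happens to be present would let a certificate carry a CN for one principal and an e-mail for another.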
bin liu
426fdc431a Merge branch 'master' into fix-typos 2016-07-04 11:20:47 +08:00
k8s-merge-robot
038ac428f4 Merge pull request #28036 from ericchiang/oidc-auth-plugin-dont-error-if-provider-is-unavailable
Automatic merge from submit-queue

oidc auth plugin: don't hard fail if provider is unavailable

When using OpenID Connect authentication, don't cause the API
server to fail if the provider is unavailable. This allows
installations to run OpenID Connect providers after starting the
API server, a common case when the provider is running on the
cluster itself.

Errors are now deferred to the authenticate method.

cc @sym3tri @erictune @aaronlevy @kubernetes/sig-auth
2016-06-30 13:02:16 -07:00
Eric Chiang
2f6db37ff5 oidc auth plugin: don't hard fail if provider is unavailable
When using OpenID Connect authentication, don't cause the API
server to fail if the provider is unavailable. This allows
installations to run OpenID Connect providers after starting the
API server, a common case when the provider is running on the
cluster itself.

Errors are now deferred to the authenticate method.
2016-06-29 23:20:26 -07:00
David McMahon
ef0c9f0c5b Remove "All rights reserved" from all the headers. 2016-06-29 17:47:36 -07:00
k8s-merge-robot
19650207a2 Merge pull request #24678 from ericchiang/log_webhook_error
Automatic merge from submit-queue

plugin/pkg/auth/authorizer/webhook: log request errors

Currently the API server only checks the errors returned by an
authorizer plugin, it doesn't return or log them[0]. This makes
incorrectly configuring the webhook authorizer plugin extremely
difficult to debug.

Add a logging statement if the request to the remote service fails
as this indicates misconfiguration.

[0] https://goo.gl/9zZFv4

2016-06-24 21:43:36 -07:00
CJ Cullen
38a1042199 Add a 5x exponential backoff on 429s & 5xxs to the webhook Authenticator/Authorizer. 2016-06-23 18:15:39 -07:00
CJ Cullen
ae67a4e209 Check HTTP Status code in webhook authorizer/authenticator. 2016-06-22 11:15:33 -07:00
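The two one-line commits above (check the HTTP status code; add a 5x exponential backoff on 429s and 5xxs) describe the client side of the webhook plugins. The Go program below is an added example for this page, not the project's webhook code: it retries only on 429 and 5xx, with doubling delays and a fixed attempt budget, and treats every other status as a final answer. It also refuses to hand a 5xx response back to the caller as if it were a decision, which is the point of checking the status code at all. The ScriptedTransport, the Run driver and the injectable Sleep are constructed so the example runs offline and instantly.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"time"
)

// ShouldRetry reports whether a webhook response is transient: 429 (rate
// limited) or any 5xx. A 401/403/404 is a definitive answer and is not retried.
func ShouldRetry(status int) bool {
	return status == http.StatusTooManyRequests || status >= 500
}

// RetryingClient posts to a webhook and retries transient failures with
// exponential backoff. Sleep is injectable so the behaviour can be exercised
// without waiting.
type RetryingClient struct {
	Client      *http.Client
	MaxAttempts int
	Initial     time.Duration
	Sleep       func(time.Duration)
}

// Post sends body to url and returns the first non-transient response. After
// MaxAttempts transient failures it returns an error; the caller must surface
// that as an error, never as "unauthorized".
func (r *RetryingClient) Post(url string, body []byte) (*http.Response, error) {
	delay := r.Initial
	var last error
	for attempt := 1; attempt <= r.MaxAttempts; attempt++ {
		if attempt > 1 {
			r.Sleep(delay)
			delay *= 2
		}
		req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
		if err != nil {
			return nil, err
		}
		req.Header.Set("Content-Type", "application/json")
		resp, err := r.Client.Do(req)
		if err != nil {
			last = err
			continue
		}
		if !ShouldRetry(resp.StatusCode) {
			return resp, nil
		}
		resp.Body.Close()
		last = fmt.Errorf("webhook returned HTTP %d", resp.StatusCode)
	}
	return nil, fmt.Errorf("webhook: giving up after %d attempts: %w", r.MaxAttempts, last)
}

// ScriptedTransport answers each request with the next status in its list
// (the last one repeats) and counts calls. It is a constructed stand-in for
// the remote webhook so the example needs no network.
type ScriptedTransport struct {
	Statuses []int
	Calls    int
}

func (s *ScriptedTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	i := s.Calls
	if i >= len(s.Statuses) {
		i = len(s.Statuses) - 1
	}
	s.Calls++
	return &http.Response{
		StatusCode: s.Statuses[i],
		Status:     fmt.Sprintf("%d %s", s.Statuses[i], http.StatusText(s.Statuses[i])),
		Header:     make(http.Header),
		Body:       io.NopCloser(bytes.NewReader(nil)),
		Request:    req,
	}, nil
}

// Run drives the client against a scripted backend and reports the final
// status (0 if it gave up), the number of calls made, and the backoff delays.
func Run(statuses []int) (status int, calls int, delays []time.Duration, err error) {
	tr := &ScriptedTransport{Statuses: statuses}
	c := &RetryingClient{
		Client:      &http.Client{Transport: tr},
		MaxAttempts: 5,
		Initial:     100 * time.Millisecond,
		Sleep:       func(d time.Duration) { delays = append(delays, d) },
	}
	resp, err := c.Post("http://webhook.example/authorize", []byte(`{"spec":{}}`))
	if err != nil {
		return 0, tr.Calls, delays, err
	}
	resp.Body.Close()
	return resp.StatusCode, tr.Calls, delays, nil
}

func main() {
	for _, script := range [][]int{{503, 429, 200}, {500}, {401}} {
		status, calls, delays, err := Run(script)
		fmt.Printf("script=%v status=%d calls=%d delays=%v err=%v\n", script, status, calls, delays, err)
	}
}
```

Retrying 4xx answers other than 429 would only multiply load on the backend without changing the outcome, and capping the attempts keeps a misbehaving webhook from pinning API server goroutines indefinitely.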
bin liu
fd27cd47f7 fix some typos
Signed-off-by: bin liu <liubin0329@gmail.com>
2016-06-22 18:14:26 +08:00
Eric Chiang
d13e351028 add unit and integration tests for rbac authorizer 2016-06-14 11:07:48 -07:00
Eric Chiang
c8ca49ec88 plugin/pkg/auth/authorizer/webhook: log request errors
Currently the API server only checks the errors returned by an
authorizer plugin, it doesn't return or log them[0]. This makes
incorrectly configuring the webhook authorizer plugin extremely
difficult to debug.

Add a logging statement if the request to the remote service fails
as this indicates misconfiguration.

[0] https://goo.gl/9zZFv4
2016-06-08 13:19:23 -07:00
Eric Chiang
ef40aa9572 pkg/master: enable certificates API and add rbac authorizer 2016-05-25 14:24:47 -07:00
Hai Huang
235020ad64 getting emailAddress from TLS cert 2016-05-23 18:36:14 -04:00
CJ Cullen
d03dbbcc14 Add LRU Expire cache to webhook authorizer. 2016-05-21 14:50:50 -07:00
k8s-merge-robot
346f965871 Merge pull request #25694 from cjcullen/authncache
Automatic merge from submit-queue

Cache Webhook Authentication responses

Add a simple LRU cache w/ 2 minute TTL to the webhook authenticator.

Kubectl is a little spammy, w/ >= 4 API requests per command. This also prevents a single unauthenticated user from being able to DoS the remote authenticator.
2016-05-21 10:48:38 -07:00
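The merge message above (and the "Add expiration LRU cache for webhook token authenticator" and "Add LRU Expire cache to webhook authorizer" commits further down) give two reasons for the cache: kubectl's request fan-out and an unauthenticated client's ability to turn every request into a remote call. The Go program below is an added example for this page, not the project's cache: a size-bounded LRU with a TTL, keyed by a SHA-256 digest of the bearer token rather than the token itself, placed in front of a token review function. It caches both positive and negative answers (so a replayed bad token costs one remote call per TTL, not one per request) and never caches errors. The TokenResult shape, the FakeWebhook and the injectable clock are constructed for the example; the two-minute TTL is the figure from the commit message.

```go
package main

import (
	"container/list"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// TokenResult is the cached outcome of one remote token review.
type TokenResult struct {
	User          string
	Authenticated bool
}

type entry struct {
	key     string
	result  TokenResult
	expires time.Time
}

// TTLLRU is a size-bounded cache whose entries also expire after a TTL.
// Keys are SHA-256 digests of the bearer token, so a heap dump of the cache
// does not directly yield reusable credentials.
type TTLLRU struct {
	mu    sync.Mutex
	max   int
	ttl   time.Duration
	now   func() time.Time // injectable clock
	order *list.List       // front = most recently used
	items map[string]*list.Element
}

func NewTTLLRU(max int, ttl time.Duration, now func() time.Time) *TTLLRU {
	return &TTLLRU{max: max, ttl: ttl, now: now, order: list.New(), items: map[string]*list.Element{}}
}

func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

// Get returns a live entry and marks it recently used; expired entries are
// dropped on access.
func (c *TTLLRU) Get(key string) (TokenResult, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	el, ok := c.items[key]
	if !ok {
		return TokenResult{}, false
	}
	e := el.Value.(*entry)
	if !c.now().Before(e.expires) {
		c.order.Remove(el)
		delete(c.items, key)
		return TokenResult{}, false
	}
	c.order.MoveToFront(el)
	return e.result, true
}

// Add stores a result and evicts least recently used entries past capacity.
func (c *TTLLRU) Add(key string, r TokenResult) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if el, ok := c.items[key]; ok {
		e := el.Value.(*entry)
		e.result, e.expires = r, c.now().Add(c.ttl)
		c.order.MoveToFront(el)
		return
	}
	c.items[key] = c.order.PushFront(&entry{key: key, result: r, expires: c.now().Add(c.ttl)})
	for c.order.Len() > c.max {
		oldest := c.order.Back()
		c.order.Remove(oldest)
		delete(c.items, oldest.Value.(*entry).key)
	}
}

func (c *TTLLRU) Len() int { c.mu.Lock(); defer c.mu.Unlock(); return c.order.Len() }

// CachedTokenAuthenticator fronts a remote review function with the cache.
type CachedTokenAuthenticator struct {
	Remote func(token string) (TokenResult, error)
	Cache  *TTLLRU
}

// AuthenticateToken returns (user, authenticated, error). Errors from the
// backend are passed through and deliberately not cached.
func (a *CachedTokenAuthenticator) AuthenticateToken(token string) (string, bool, error) {
	key := hashToken(token)
	if r, ok := a.Cache.Get(key); ok {
		return r.User, r.Authenticated, nil
	}
	r, err := a.Remote(token)
	if err != nil {
		return "", false, err
	}
	a.Cache.Add(key, r)
	return r.User, r.Authenticated, nil
}

// FakeWebhook stands in for the remote TokenReview service (constructed).
type FakeWebhook struct {
	Calls int
	Down  bool
}

func (f *FakeWebhook) Review(token string) (TokenResult, error) {
	f.Calls++
	if f.Down {
		return TokenResult{}, errors.New("webhook unreachable")
	}
	if token == "good-token" {
		return TokenResult{User: "alice", Authenticated: true}, nil
	}
	return TokenResult{}, nil
}

func main() {
	wh := &FakeWebhook{}
	a := &CachedTokenAuthenticator{Remote: wh.Review, Cache: NewTTLLRU(1000, 2*time.Minute, time.Now)}
	for i := 0; i < 5; i++ {
		a.AuthenticateToken("bogus-token") // the same invalid token replayed
	}
	fmt.Printf("remote calls after 5 replays of an invalid token: %d\n", wh.Calls)
}
```

Two consequences follow from the design: a revoked token stays valid for up to one TTL, which is the price of the cache and why the TTL is short, and the capacity bound means an attacker cycling through random tokens cannot grow memory without limit, only churn the LRU.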
Bobby Rullo
e85940ed17 add tests for newOIDCAuthProvider 2016-05-18 17:03:11 -07:00
Bobby Rullo
c990462d0f Refactor test oidc provider into its own package
This makes it easier to test other OIDC code.
2016-05-18 17:03:11 -07:00
CJ Cullen
57f96a932f Add expiration LRU cache for webhook token authenticator. 2016-05-18 11:58:11 -07:00
CJ Cullen
eb3b0e78b4 Add a webhook token authenticator plugin. 2016-05-10 14:54:35 -07:00
CJ Cullen
1d096d29cb Pull common webhook code into generic webhook plugin. 2016-05-10 14:41:14 -07:00
Clayton Coleman
e0ebcf4216 Split the storage and negotiation parts of Codecs
The codec factory should support two distinct interfaces - negotiating
for a serializer with a client, vs reading or writing data to a storage
form (etcd, disk, etc). Make the EncodeForVersion and DecodeToVersion
methods only take Encoder and Decoder, and slight refactoring elsewhere.

In the storage factory, use a content type to control what serializer to
pick, and use the universal deserializer. This ensures that storage can
read JSON (which might be from older objects) while only writing
protobuf. Add exceptions for those resources that may not be able to
write to protobuf (specifically third party resources, but potentially
others in the future).
2016-05-05 12:08:23 -04:00
Wojciech Tyczynski
3aadafd411 Use NegotiatedSerializer in client 2016-05-04 10:57:36 +02:00
zhouhaibing089
bf1a3f99c0 Uncomment the code that was caused by #19254 2016-04-25 23:21:31 +08:00
CJ Cullen
e53aa93836 Add Subresource & Name to webhook authorizer. 2016-04-19 21:43:40 -07:00
Joe Finney
ae79677fd0 Remove global var for OIDC retry/backoff, and remove retries from unit tests. 2016-04-07 14:18:29 -07:00
k8s-merge-robot
1ad3049ed6 Merge pull request #23288 from smarterclayton/refactor_codec
Auto commit by PR queue bot
2016-03-26 10:47:58 -07:00
Clayton Coleman
54eaa56b92 Add a streaming and "raw" abstraction to codec factory 2016-03-23 17:25:20 -04:00
zhouhaibing089
83248a9783 move keystone package to password since it is a password authenticator 2016-03-22 23:27:28 +08:00
harry
b0900bf0d4 Refactor diff into sub pkg 2016-03-21 20:21:39 +08:00
Harry Zhang
a4d04095d0 Refactor crlf & crypto 2016-03-21 20:20:05 +08:00
k8s-merge-robot
5d58c74398 Merge pull request #22304 from ericchiang/bump_go_oidc
Auto commit by PR queue bot
2016-03-11 02:57:09 -08:00
k8s-merge-robot
d81d823ca5 Merge pull request #22393 from eparis/blunderbuss
Auto commit by PR queue bot
2016-03-02 18:51:56 -08:00
Eric Paris
5e5a823294 Move blunderbuss assignees into tree 2016-03-02 20:46:32 -05:00
Eric Chiang
8df55ddbe5 plugin/pkg/auth/authenticator/token/oidc: update test to new go-oidc types
The provider config has changed a little bit in go-oidc. It is more
complete and now throws errors when unmarshaling provider configs
that are missing required fields (as defined by the OpenID Connect
Discovery spec).

Update the oidc plugin to use the new type.
2016-03-01 11:39:18 -08:00
Kris
e664ef922f Move restclient to its own package 2016-02-29 12:05:13 -08:00
k8s-merge-robot
00d99ac261 Merge pull request #20347 from ericchiang/authz_grpc
Auto commit by PR queue bot
2016-02-26 22:00:42 -08:00
k8s-merge-robot
7f1b699880 Merge pull request #21071 from soltysh/server_close
Auto commit by PR queue bot
2016-02-23 06:34:27 -08:00
Eric Chiang
3116346161 *: add webhook implementation of authorizer.Authorizer plugin 2016-02-22 11:39:07 -08:00
k8s-merge-robot
f366baeaeb Merge pull request #21128 from yifan-gu/fix_oidc_tailing_slash_issuer
Auto commit by PR queue bot
2016-02-15 17:46:49 -08:00
k8s-merge-robot
43fb544a4a Merge pull request #21001 from ericchiang/oidc_groups
Auto commit by PR queue bot
2016-02-14 05:24:43 -08:00