Commit Graph

24 Commits

Author SHA1 Message Date
k8s-merge-robot
8d46d9b0c7 Merge pull request #28281 from nhlfr/authorize-return-bool
Automatic merge from submit-queue

Return (bool, error) in Authorizer.Authorize()

Before this change, Authorize() method was just returning an error, regardless of whether the user is unauthorized or whether there is some other unrelated error. Returning boolean with information about user authorization and error (which should be unrelated to the authorization) separately will make it easier to debug.

Fixes #27974
2016-07-18 21:40:26 -07:00
k8s-merge-robot
fa174bcdaf Merge pull request #29042 from dims/fixup-imports
Automatic merge from submit-queue

Use Go canonical import paths

Add canonical imports only in existing doc.go files.
https://golang.org/doc/go1.4#canonicalimports

Fixes #29014
2016-07-18 07:23:38 -07:00
Michal Rostecki
fa0dd46ab7 Return (bool, error) in Authorizer.Authorize()
Before this change, Authorize() method was just returning an error,
regardless of whether the user is unauthorized or whether there
is some other unrelated error. Returning boolean with information
about user authorization and error (which should be unrelated to
the authorization) separately will make it easier to debug.

Fixes #27974
2016-07-18 12:06:54 +02:00
Davanum Srinivas
2b0ed014b7 Use Go canonical import paths
Add canonical imports only in existing doc.go files.
https://golang.org/doc/go1.4#canonicalimports

Fixes #29014
2016-07-16 13:48:21 -04:00
deads2k
f6f1ab34aa authorize based on user.Info 2016-07-14 07:48:42 -04:00
Eric Chiang
addc4b166c rbac authorizer: support non-resource urls with stars ("/apis/*") 2016-07-12 10:01:53 -07:00
Eric Chiang
411922f66c rbac authorizer: include verb in non-resource url requests 2016-07-12 10:01:53 -07:00
David McMahon
ef0c9f0c5b Remove "All rights reserved" from all the headers. 2016-06-29 17:47:36 -07:00
k8s-merge-robot
19650207a2 Merge pull request #24678 from ericchiang/log_webhook_error
Automatic merge from submit-queue

plugin/pkg/auth/authorizer/webhook: log request errors

Currently the API server only checks the errors returned by an
authorizer plugin, it doesn't return or log them[0]. This makes
incorrectly configuring the wehbook authorizer plugin extremely
difficult to debug.

Add a logging statement if the request to the remove service fails
as this indicates misconfiguration.

[0] https://goo.gl/9zZFv4

<!-- Reviewable:start -->
---
This change is [<img src="http://reviewable.k8s.io/review_button.svg" height="35" align="absmiddle" alt="Reviewable"/>](http://reviewable.k8s.io/reviews/kubernetes/kubernetes/24678)
<!-- Reviewable:end -->
2016-06-24 21:43:36 -07:00
CJ Cullen
38a1042199 Add a 5x exponential backoff on 429s & 5xxs to the webhook Authenticator/Authorizer. 2016-06-23 18:15:39 -07:00
CJ Cullen
ae67a4e209 Check HTTP Status code in webhook authorizer/authenticator. 2016-06-22 11:15:33 -07:00
Eric Chiang
d13e351028 add unit and integration tests for rbac authorizer 2016-06-14 11:07:48 -07:00
Eric Chiang
c8ca49ec88 plugin/pkg/auth/authorizer/webhook: log request errors
Currently the API server only checks the errors returned by an
authorizer plugin, it doesn't return or log them[0]. This makes
incorrectly configuring the wehbook authorizer plugin extremely
difficult to debug.

Add a logging statement if the request to the remove service fails
as this indicates misconfiguration.

[0] https://goo.gl/9zZFv4
2016-06-08 13:19:23 -07:00
Eric Chiang
ef40aa9572 pkg/master: enable certificates API and add rbac authorizer 2016-05-25 14:24:47 -07:00
CJ Cullen
d03dbbcc14 Add LRU Expire cache to webhook authorizer. 2016-05-21 14:50:50 -07:00
CJ Cullen
1d096d29cb Pull common webhook code into generic webhook plugin. 2016-05-10 14:41:14 -07:00
Clayton Coleman
e0ebcf4216
Split the storage and negotiation parts of Codecs
The codec factory should support two distinct interfaces - negotiating
for a serializer with a client, vs reading or writing data to a storage
form (etcd, disk, etc). Make the EncodeForVersion and DecodeToVersion
methods only take Encoder and Decoder, and slight refactoring elsewhere.

In the storage factory, use a content type to control what serializer to
pick, and use the universal deserializer. This ensures that storage can
read JSON (which might be from older objects) while only writing
protobuf. Add exceptions for those resources that may not be able to
write to protobuf (specifically third party resources, but potentially
others in the future).
2016-05-05 12:08:23 -04:00
Wojciech Tyczynski
3aadafd411 Use NegotiatedSerializer in client 2016-05-04 10:57:36 +02:00
CJ Cullen
e53aa93836 Add Subresource & Name to webhook authorizer. 2016-04-19 21:43:40 -07:00
k8s-merge-robot
1ad3049ed6 Merge pull request #23288 from smarterclayton/refactor_codec
Auto commit by PR queue bot
2016-03-26 10:47:58 -07:00
Clayton Coleman
54eaa56b92 Add a streaming and "raw" abstraction to codec factory 2016-03-23 17:25:20 -04:00
harry
b0900bf0d4 Refactor diff into sub pkg 2016-03-21 20:21:39 +08:00
Kris
e664ef922f Move restclient to its own package 2016-02-29 12:05:13 -08:00
Eric Chiang
3116346161 *: add webhook implementation of authorizer.Authorizer plugin 2016-02-22 11:39:07 -08:00