Merge pull request #14583 from reasonerjt/authproxy-admin-username

Add attribute admin username for authproxy
This commit is contained in:
stonezdj(Daojun Zhang) 2021-04-08 16:56:47 +08:00 committed by GitHub
commit 8d6f4ddc38
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 32 additions and 15 deletions

View File

@ -130,6 +130,7 @@ var (
{Name: common.HTTPAuthProxyEndpoint, Scope: UserScope, Group: HTTPAuthGroup, ItemType: &StringType{}},
{Name: common.HTTPAuthProxyTokenReviewEndpoint, Scope: UserScope, Group: HTTPAuthGroup, ItemType: &StringType{}},
{Name: common.HTTPAuthProxyAdminGroups, Scope: UserScope, Group: HTTPAuthGroup, ItemType: &StringType{}},
{Name: common.HTTPAuthProxyAdminUsernames, Scope: UserScope, Group: HTTPAuthGroup, ItemType: &StringType{}},
{Name: common.HTTPAuthProxyVerifyCert, Scope: UserScope, Group: HTTPAuthGroup, DefaultValue: "true", ItemType: &BoolType{}},
{Name: common.HTTPAuthProxySkipSearch, Scope: UserScope, Group: HTTPAuthGroup, DefaultValue: "false", ItemType: &BoolType{}},
{Name: common.HTTPAuthProxyServerCertificate, Scope: UserScope, Group: HTTPAuthGroup, ItemType: &StringType{}},

View File

@ -97,6 +97,7 @@ const (
HTTPAuthProxyEndpoint = "http_authproxy_endpoint"
HTTPAuthProxyTokenReviewEndpoint = "http_authproxy_tokenreview_endpoint"
HTTPAuthProxyAdminGroups = "http_authproxy_admin_groups"
HTTPAuthProxyAdminUsernames = "http_authproxy_admin_usernames"
HTTPAuthProxyVerifyCert = "http_authproxy_verify_cert"
HTTPAuthProxySkipSearch = "http_authproxy_skip_search"
HTTPAuthProxyServerCertificate = "http_authproxy_server_certificate"

View File

@ -72,6 +72,7 @@ type HTTPAuthProxy struct {
Endpoint string `json:"endpoint"`
TokenReviewEndpoint string `json:"tokenreivew_endpoint"`
AdminGroups []string `json:"admin_groups"`
AdminUsernames []string `json:"admin_usernames"`
VerifyCert bool `json:"verify_cert"`
SkipSearch bool `json:"skip_search"`
ServerCertificate string `json:"server_certificate"`

View File

@ -116,7 +116,7 @@ func (a *Auth) tokenReview(sessionID string) (*models.User, error) {
if err != nil {
return nil, err
}
u, err := authproxy.UserFromReviewStatus(reviewStatus, httpAuthProxySetting.AdminGroups)
u, err := authproxy.UserFromReviewStatus(reviewStatus, httpAuthProxySetting.AdminGroups, httpAuthProxySetting.AdminUsernames)
if err != nil {
return nil, err
}

View File

@ -393,6 +393,7 @@ func HTTPAuthProxySetting() (*models.HTTPAuthProxy, error) {
Endpoint: cfgMgr.Get(common.HTTPAuthProxyEndpoint).GetString(),
TokenReviewEndpoint: cfgMgr.Get(common.HTTPAuthProxyTokenReviewEndpoint).GetString(),
AdminGroups: splitAndTrim(cfgMgr.Get(common.HTTPAuthProxyAdminGroups).GetString(), ","),
AdminUsernames: splitAndTrim(cfgMgr.Get(common.HTTPAuthProxyAdminUsernames).GetString(), ","),
VerifyCert: cfgMgr.Get(common.HTTPAuthProxyVerifyCert).GetBool(),
SkipSearch: cfgMgr.Get(common.HTTPAuthProxySkipSearch).GetBool(),
ServerCertificate: cfgMgr.Get(common.HTTPAuthProxyServerCertificate).GetString(),

View File

@ -248,6 +248,7 @@ y1bQusZMygQezfCuEzsewF+OpANFovCTUEs6s5vyoVNP8lk=
assert.Equal(t, *v, models.HTTPAuthProxy{
Endpoint: "https://auth.proxy/suffix",
AdminGroups: []string{"group1", "group2"},
AdminUsernames: []string{},
SkipSearch: true,
VerifyCert: true,
ServerCertificate: certificate,

View File

@ -78,14 +78,21 @@ func getTLSConfig(config *models.HTTPAuthProxy) rest.TLSClientConfig {
// UserFromReviewStatus transform a review status to a user model.
// Group entries will be populated if needed.
func UserFromReviewStatus(status k8s_api_v1beta1.TokenReviewStatus, adminGroups []string) (*models.User, error) {
func UserFromReviewStatus(status k8s_api_v1beta1.TokenReviewStatus, adminGroups []string, adminUsernames []string) (*models.User, error) {
if !status.Authenticated {
return nil, fmt.Errorf("failed to authenticate the token, error in status: %s", status.Error)
}
user := &models.User{
Username: status.User.Username,
}
for _, au := range adminUsernames {
if status.User.Username == au {
log.Debugf("Username: %s in the adminusers list, assigning user admin permission", au)
user.AdminRoleInAuth = true
break
}
}
if len(status.User.Groups) > 0 {
userGroups := models.UserGroupsFromName(status.User.Groups, common.HTTPGroupType)
groupIDList, err := group.PopulateGroup(userGroups)
@ -94,7 +101,7 @@ func UserFromReviewStatus(status k8s_api_v1beta1.TokenReviewStatus, adminGroups
}
log.Debugf("current user's group ID list is %+v", groupIDList)
user.GroupIDs = groupIDList
if len(adminGroups) > 0 {
if len(adminGroups) > 0 && !user.AdminRoleInAuth { // skip checking admin group if user already has admin role
agm := make(map[string]struct{})
for _, ag := range adminGroups {
agm[ag] = struct{}{}
@ -108,5 +115,4 @@ func UserFromReviewStatus(status k8s_api_v1beta1.TokenReviewStatus, adminGroups
}
}
return user, nil
}

View File

@ -27,16 +27,18 @@ func TestUserFromReviewStatus(t *testing.T) {
adminInAuth bool
}
cases := []struct {
input v1beta1.TokenReviewStatus
adminGroups []string
expect result
input v1beta1.TokenReviewStatus
adminGroups []string
adminUsernames []string
expect result
}{
{
input: v1beta1.TokenReviewStatus{
Authenticated: false,
Error: "connection error",
},
adminGroups: []string{"admin"},
adminGroups: []string{"admin"},
adminUsernames: []string{},
expect: result{
hasErr: true,
},
@ -49,7 +51,8 @@ func TestUserFromReviewStatus(t *testing.T) {
UID: "u-1",
},
},
adminGroups: []string{"admin"},
adminGroups: []string{"admin"},
adminUsernames: []string{},
expect: result{
hasErr: false,
username: "jack",
@ -66,7 +69,8 @@ func TestUserFromReviewStatus(t *testing.T) {
},
Error: "",
},
adminGroups: []string{"group2", "admin"},
adminGroups: []string{"group2", "admin"},
adminUsernames: []string{},
expect: result{
hasErr: false,
username: "daniel",
@ -83,17 +87,18 @@ func TestUserFromReviewStatus(t *testing.T) {
},
Error: "",
},
adminGroups: []string{},
adminGroups: []string{},
adminUsernames: []string{"daniel", "admin"},
expect: result{
hasErr: false,
username: "daniel",
groupLen: 2,
adminInAuth: false,
adminInAuth: true,
},
},
}
for _, c := range cases {
u, err := UserFromReviewStatus(c.input, c.adminGroups)
u, err := UserFromReviewStatus(c.input, c.adminGroups, c.adminUsernames)
if c.expect.hasErr == true {
assert.NotNil(t, err)
} else {

View File

@ -86,7 +86,7 @@ func (a *authProxy) Generate(req *http.Request) security.Context {
return nil
}
}
u2, err := authproxy.UserFromReviewStatus(tokenReviewStatus, httpAuthProxyConf.AdminGroups)
u2, err := authproxy.UserFromReviewStatus(tokenReviewStatus, httpAuthProxyConf.AdminGroups, httpAuthProxyConf.AdminUsernames)
if err != nil {
log.Errorf("failed to get user information from token review status: %v", err)
return nil

View File

@ -58,6 +58,7 @@ func TestAuthProxy(t *testing.T) {
VerifyCert: false,
TokenReviewEndpoint: server.URL,
AdminGroups: []string{},
AdminUsernames: []string{},
})
// No onboard