Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NETOBSERV-972 Make DISABLED auth mode not restricted to admins #320

Merged
merged 1 commit into from
Apr 17, 2023
Merged

NETOBSERV-972 Make DISABLED auth mode not restricted to admins #320

merged 1 commit into from
Apr 17, 2023

Conversation

jotak
Copy link
Member

@jotak jotak commented Apr 4, 2023

No description provided.

@codecov
Copy link

codecov bot commented Apr 4, 2023
edited
Loading

Codecov Report

Merging #320 (d367aa1) into main (5155dc3) will decrease coverage by 0.05%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main     #320      +/-   ##
==========================================
- Coverage   58.41%   58.36%   -0.05%     
==========================================
  Files         148      148              
  Lines        6581     6586       +5     
  Branches      786      786              
==========================================
  Hits         3844     3844              
- Misses       2520     2525       +5     
  Partials      217      217
Flag Coverage Δ
uitests 59.04% <ø> (ø)
unittests 56.42% <0.00%> (-0.17%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
cmd/plugin-backend.go 0.00% <0.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@jotak
Copy link
Member Author

jotak commented Apr 4, 2023

@jpinsonneau @OlivierCazade - this might not be a definitive answer to the problem. The "CheckAdmin" mode is too strict as it checks for belonging to system:cluster-admins group, which is NOT the same thing as checking if a user is a cluster admin.
Ideally, we would like to check if the user has a binding to the "cluster-admin" role, but afaik this isn't trivial to do.

@jotak
Copy link
Member Author

jotak commented Apr 4, 2023

an alternative could be to reintroduce my previous "hack", that was checking if the user can list namespaces

jpinsonneau
jpinsonneau approved these changes Apr 17, 2023
View reviewed changes
Copy link
Contributor

@jpinsonneau jpinsonneau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM as quick fix. Thanks @jotak

Let's unlock @memodi testing ! 🔓

@openshift-ci openshift-ci bot added the lgtm label Apr 17, 2023
@jpinsonneau
Copy link
Contributor

/approve

@openshift-ci
Copy link

openshift-ci bot commented Apr 17, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jpinsonneau

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit d1d36c2 into netobserv:main Apr 17, 2023
jotak added a commit to jotak/network-observability-console-plugin that referenced this pull request May 9, 2023
@jotak
NETOBSERV-972 check if cluster admin via namespaces
afa8caf 
Follow-up on netobserv#320, which relaxed the permission checks performed when
lokiAuth is DISABLED: after discussion, we roll back to a more strict
approach; however to mitigate the limitation of TokenReview (it doesn't
provide a reliable way to check for cluster admins right), we verify
that the user can list namespaces, assuming this is a cluster admin
capability.
@jotak jotak mentioned this pull request May 9, 2023
Merged
jotak added a commit to jotak/network-observability-console-plugin that referenced this pull request May 9, 2023
@jotak
NETOBSERV-972 check if cluster admin via namespaces
c6b0e74 
Follow-up on netobserv#320, which relaxed the permission checks performed when
lokiAuth is DISABLED: after discussion, we roll back to a more strict
approach; however to mitigate the limitation of TokenReview (it doesn't
provide a reliable way to check for cluster admins right), we verify
that the user can list namespaces, assuming this is a cluster admin
capability.
jotak added a commit to jotak/network-observability-console-plugin that referenced this pull request May 9, 2023
@jotak
NETOBSERV-972 check if cluster admin via namespaces
f22634c 
Follow-up on netobserv#320, which relaxed the permission checks performed when
lokiAuth is DISABLED: after discussion, we roll back to a more strict
approach; however to mitigate the limitation of TokenReview (it doesn't
provide a reliable way to check for cluster admins right), we verify
that the user can list namespaces, assuming this is a cluster admin
capability.
jotak added a commit to jotak/network-observability-console-plugin that referenced this pull request May 22, 2023
@jotak
NETOBSERV-972 check if cluster admin via namespaces
512759c 
Follow-up on netobserv#320, which relaxed the permission checks performed when
lokiAuth is DISABLED: after discussion, we roll back to a more strict
approach; however to mitigate the limitation of TokenReview (it doesn't
provide a reliable way to check for cluster admins right), we verify
that the user can list namespaces, assuming this is a cluster admin
capability.
jotak added a commit that referenced this pull request May 23, 2023
@jotak
NETOBSERV-972 check if cluster admin via namespaces (#326)
2190369 
Follow-up on #320, which relaxed the permission checks performed when
lokiAuth is DISABLED: after discussion, we roll back to a more strict
approach; however to mitigate the limitation of TokenReview (it doesn't
provide a reliable way to check for cluster admins right), we verify
that the user can list namespaces, assuming this is a cluster admin
capability.
@jotak jotak deleted the relax-disabled-auth branch November 7, 2024 10:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jpinsonneau jpinsonneau jpinsonneau approved these changes

@OlivierCazade OlivierCazade Awaiting requested review from OlivierCazade

Assignees

@jpinsonneau jpinsonneau

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jotak @jpinsonneau @openshift-merge-robot