Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
78f2958c
Commit
78f2958c
authored
Nov 15, 2016
by
deads2k
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
add request header options for groups
parent
c4e2e19e
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
47 additions
and
27 deletions
+47
-27
known-flags.txt
hack/verify-flags/known-flags.txt
+2
-0
builtin.go
pkg/apiserver/authenticator/builtin.go
+7
-3
authentication.go
pkg/genericapiserver/options/authentication.go
+38
-24
No files found.
hack/verify-flags/known-flags.txt
View file @
78f2958c
...
@@ -484,6 +484,8 @@ report-dir
...
@@ -484,6 +484,8 @@ report-dir
report-prefix
report-prefix
requestheader-allowed-names
requestheader-allowed-names
requestheader-client-ca-file
requestheader-client-ca-file
requestheader-extra-headers-prefix
requestheader-group-headers
requestheader-username-headers
requestheader-username-headers
require-kubeconfig
require-kubeconfig
required-contexts
required-contexts
...
...
pkg/apiserver/authenticator/builtin.go
View file @
78f2958c
...
@@ -43,6 +43,11 @@ import (
...
@@ -43,6 +43,11 @@ import (
type
RequestHeaderConfig
struct
{
type
RequestHeaderConfig
struct
{
// UsernameHeaders are the headers to check (in order, case-insensitively) for an identity. The first header with a value wins.
// UsernameHeaders are the headers to check (in order, case-insensitively) for an identity. The first header with a value wins.
UsernameHeaders
[]
string
UsernameHeaders
[]
string
// GroupHeaders are the headers to check (case-insensitively) for a group names. All values will be used.
GroupHeaders
[]
string
// ExtraHeaderPrefixes are the head prefixes to check (case-insentively) for filling in
// the user.Info.Extra. All values of all matching headers will be added.
ExtraHeaderPrefixes
[]
string
// ClientCA points to CA bundle file which is used verify the identity of the front proxy
// ClientCA points to CA bundle file which is used verify the identity of the front proxy
ClientCA
string
ClientCA
string
// AllowedClientNames is a list of common names that may be presented by the authenticating front proxy. Empty means: accept any.
// AllowedClientNames is a list of common names that may be presented by the authenticating front proxy. Empty means: accept any.
...
@@ -88,9 +93,8 @@ func New(config AuthenticatorConfig) (authenticator.Request, *spec.SecurityDefin
...
@@ -88,9 +93,8 @@ func New(config AuthenticatorConfig) (authenticator.Request, *spec.SecurityDefin
config
.
RequestHeaderConfig
.
ClientCA
,
config
.
RequestHeaderConfig
.
ClientCA
,
config
.
RequestHeaderConfig
.
AllowedClientNames
,
config
.
RequestHeaderConfig
.
AllowedClientNames
,
config
.
RequestHeaderConfig
.
UsernameHeaders
,
config
.
RequestHeaderConfig
.
UsernameHeaders
,
// TODO add wiring after options are refactored in 1.6
config
.
RequestHeaderConfig
.
GroupHeaders
,
[]
string
{},
config
.
RequestHeaderConfig
.
ExtraHeaderPrefixes
,
[]
string
{},
)
)
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
nil
,
err
return
nil
,
nil
,
err
...
...
pkg/genericapiserver/options/authentication.go
View file @
78f2958c
...
@@ -63,12 +63,6 @@ type PasswordFileAuthenticationOptions struct {
...
@@ -63,12 +63,6 @@ type PasswordFileAuthenticationOptions struct {
BasicAuthFile
string
BasicAuthFile
string
}
}
type
RequestHeaderAuthenticationOptions
struct
{
UsernameHeaders
[]
string
ClientCAFile
string
AllowedNames
[]
string
}
type
ServiceAccountAuthenticationOptions
struct
{
type
ServiceAccountAuthenticationOptions
struct
{
KeyFiles
[]
string
KeyFiles
[]
string
Lookup
bool
Lookup
bool
...
@@ -206,17 +200,7 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
...
@@ -206,17 +200,7 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
}
}
if
s
.
RequestHeader
!=
nil
{
if
s
.
RequestHeader
!=
nil
{
fs
.
StringSliceVar
(
&
s
.
RequestHeader
.
UsernameHeaders
,
"requestheader-username-headers"
,
s
.
RequestHeader
.
UsernameHeaders
,
""
+
s
.
RequestHeader
.
AddFlags
(
fs
)
"List of request headers to inspect for usernames. X-Remote-User is common."
)
fs
.
StringVar
(
&
s
.
RequestHeader
.
ClientCAFile
,
"requestheader-client-ca-file"
,
s
.
RequestHeader
.
ClientCAFile
,
""
+
"Root certificate bundle to use to verify client certificates on incoming requests "
+
"before trusting usernames in headers specified by --requestheader-username-headers"
)
fs
.
StringSliceVar
(
&
s
.
RequestHeader
.
AllowedNames
,
"requestheader-allowed-names"
,
s
.
RequestHeader
.
AllowedNames
,
""
+
"List of client certificate common names to allow to provide usernames in headers "
+
"specified by --requestheader-username-headers. If empty, any client certificate validated "
+
"by the authorities in --requestheader-client-ca-file is allowed."
)
}
}
if
s
.
ServiceAccounts
!=
nil
{
if
s
.
ServiceAccounts
!=
nil
{
...
@@ -275,7 +259,7 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig(clientCAFile strin
...
@@ -275,7 +259,7 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig(clientCAFile strin
}
}
if
s
.
RequestHeader
!=
nil
{
if
s
.
RequestHeader
!=
nil
{
ret
.
RequestHeaderConfig
=
s
.
RequestHeader
.
AuthenticationRequestHeaderConfig
()
ret
.
RequestHeaderConfig
=
s
.
RequestHeader
.
To
AuthenticationRequestHeaderConfig
()
}
}
if
s
.
ServiceAccounts
!=
nil
{
if
s
.
ServiceAccounts
!=
nil
{
...
@@ -295,17 +279,47 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig(clientCAFile strin
...
@@ -295,17 +279,47 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig(clientCAFile strin
return
ret
return
ret
}
}
// AuthenticationRequestHeaderConfig returns an authenticator config object for these options
type
RequestHeaderAuthenticationOptions
struct
{
// if necessary. nil otherwise.
UsernameHeaders
[]
string
func
(
s
*
RequestHeaderAuthenticationOptions
)
AuthenticationRequestHeaderConfig
()
*
authenticator
.
RequestHeaderConfig
{
GroupHeaders
[]
string
ExtraHeaderPrefixes
[]
string
ClientCAFile
string
AllowedNames
[]
string
}
func
(
s
*
RequestHeaderAuthenticationOptions
)
AddFlags
(
fs
*
pflag
.
FlagSet
)
{
fs
.
StringSliceVar
(
&
s
.
UsernameHeaders
,
"requestheader-username-headers"
,
s
.
UsernameHeaders
,
""
+
"List of request headers to inspect for usernames. X-Remote-User is common."
)
fs
.
StringSliceVar
(
&
s
.
GroupHeaders
,
"requestheader-group-headers"
,
s
.
GroupHeaders
,
""
+
"List of request headers to inspect for groups. X-Remote-Group is suggested."
)
fs
.
StringSliceVar
(
&
s
.
ExtraHeaderPrefixes
,
"requestheader-extra-headers-prefix"
,
s
.
ExtraHeaderPrefixes
,
""
+
"List of request header prefixes to inspect. X-Remote-Extra- is suggested."
)
fs
.
StringVar
(
&
s
.
ClientCAFile
,
"requestheader-client-ca-file"
,
s
.
ClientCAFile
,
""
+
"Root certificate bundle to use to verify client certificates on incoming requests "
+
"before trusting usernames in headers specified by --requestheader-username-headers"
)
fs
.
StringSliceVar
(
&
s
.
AllowedNames
,
"requestheader-allowed-names"
,
s
.
AllowedNames
,
""
+
"List of client certificate common names to allow to provide usernames in headers "
+
"specified by --requestheader-username-headers. If empty, any client certificate validated "
+
"by the authorities in --requestheader-client-ca-file is allowed."
)
}
// ToAuthenticationRequestHeaderConfig returns a RequestHeaderConfig config object for these options
// if necessary, nil otherwise.
func
(
s
*
RequestHeaderAuthenticationOptions
)
ToAuthenticationRequestHeaderConfig
()
*
authenticator
.
RequestHeaderConfig
{
if
len
(
s
.
UsernameHeaders
)
==
0
{
if
len
(
s
.
UsernameHeaders
)
==
0
{
return
nil
return
nil
}
}
return
&
authenticator
.
RequestHeaderConfig
{
return
&
authenticator
.
RequestHeaderConfig
{
UsernameHeaders
:
s
.
UsernameHeaders
,
UsernameHeaders
:
s
.
UsernameHeaders
,
ClientCA
:
s
.
ClientCAFile
,
GroupHeaders
:
s
.
GroupHeaders
,
AllowedClientNames
:
s
.
AllowedNames
,
ExtraHeaderPrefixes
:
s
.
ExtraHeaderPrefixes
,
ClientCA
:
s
.
ClientCAFile
,
AllowedClientNames
:
s
.
AllowedNames
,
}
}
}
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment