Commit 88754978 authored by Darren Shepherd's avatar Darren Shepherd

Delete anonymous auth

parent 78016fa5
...@@ -64,7 +64,6 @@ func BuildAuth(nodeName types.NodeName, client clientset.Interface, config kubel ...@@ -64,7 +64,6 @@ func BuildAuth(nodeName types.NodeName, client clientset.Interface, config kubel
// BuildAuthn creates an authenticator compatible with the kubelet's needs // BuildAuthn creates an authenticator compatible with the kubelet's needs
func BuildAuthn(client authenticationclient.TokenReviewInterface, authn kubeletconfig.KubeletAuthentication) (authenticator.Request, error) { func BuildAuthn(client authenticationclient.TokenReviewInterface, authn kubeletconfig.KubeletAuthentication) (authenticator.Request, error) {
authenticatorConfig := authenticatorfactory.DelegatingAuthenticatorConfig{ authenticatorConfig := authenticatorfactory.DelegatingAuthenticatorConfig{
Anonymous: authn.Anonymous.Enabled,
CacheTTL: authn.Webhook.CacheTTL.Duration, CacheTTL: authn.Webhook.CacheTTL.Duration,
ClientCAFile: authn.X509.ClientCAFile, ClientCAFile: authn.X509.ClientCAFile,
} }
......
...@@ -22,7 +22,6 @@ import ( ...@@ -22,7 +22,6 @@ import (
"k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticatorfactory" "k8s.io/apiserver/pkg/authentication/authenticatorfactory"
"k8s.io/apiserver/pkg/authentication/group" "k8s.io/apiserver/pkg/authentication/group"
"k8s.io/apiserver/pkg/authentication/request/anonymous"
"k8s.io/apiserver/pkg/authentication/request/bearertoken" "k8s.io/apiserver/pkg/authentication/request/bearertoken"
"k8s.io/apiserver/pkg/authentication/request/headerrequest" "k8s.io/apiserver/pkg/authentication/request/headerrequest"
"k8s.io/apiserver/pkg/authentication/request/union" "k8s.io/apiserver/pkg/authentication/request/union"
...@@ -42,7 +41,6 @@ import ( ...@@ -42,7 +41,6 @@ import (
) )
type AuthenticatorConfig struct { type AuthenticatorConfig struct {
Anonymous bool
BasicAuthFile string BasicAuthFile string
ClientCAFile string ClientCAFile string
ServiceAccountKeyFiles []string ServiceAccountKeyFiles []string
...@@ -134,9 +132,6 @@ func (config AuthenticatorConfig) New() (authenticator.Request, error) { ...@@ -134,9 +132,6 @@ func (config AuthenticatorConfig) New() (authenticator.Request, error) {
} }
if len(authenticators) == 0 { if len(authenticators) == 0 {
if config.Anonymous {
return anonymous.NewAuthenticator(), nil
}
return nil, nil return nil, nil
} }
...@@ -144,12 +139,6 @@ func (config AuthenticatorConfig) New() (authenticator.Request, error) { ...@@ -144,12 +139,6 @@ func (config AuthenticatorConfig) New() (authenticator.Request, error) {
authenticator = group.NewAuthenticatedGroupAdder(authenticator) authenticator = group.NewAuthenticatedGroupAdder(authenticator)
if config.Anonymous {
// If the authenticator chain returns an error, return an error (don't consider a bad bearer token
// or invalid username/password combination anonymous).
authenticator = union.NewFailOnError(authenticator, anonymous.NewAuthenticator())
}
return authenticator, nil return authenticator, nil
} }
......
...@@ -25,14 +25,11 @@ import ( ...@@ -25,14 +25,11 @@ import (
"github.com/golang/glog" "github.com/golang/glog"
"github.com/spf13/pflag" "github.com/spf13/pflag"
"k8s.io/apimachinery/pkg/util/sets"
genericapiserver "k8s.io/apiserver/pkg/server" genericapiserver "k8s.io/apiserver/pkg/server"
"k8s.io/kubernetes/pkg/kubeapiserver/authenticator" "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
) )
type BuiltInAuthenticationOptions struct { type BuiltInAuthenticationOptions struct {
Anonymous *AnonymousAuthenticationOptions
PasswordFile *PasswordFileAuthenticationOptions PasswordFile *PasswordFileAuthenticationOptions
ServiceAccounts *ServiceAccountAuthenticationOptions ServiceAccounts *ServiceAccountAuthenticationOptions
WebHook *WebHookAuthenticationOptions WebHook *WebHookAuthenticationOptions
...@@ -41,10 +38,6 @@ type BuiltInAuthenticationOptions struct { ...@@ -41,10 +38,6 @@ type BuiltInAuthenticationOptions struct {
TokenFailureCacheTTL time.Duration TokenFailureCacheTTL time.Duration
} }
type AnonymousAuthenticationOptions struct {
Allow bool
}
type PasswordFileAuthenticationOptions struct { type PasswordFileAuthenticationOptions struct {
BasicAuthFile string BasicAuthFile string
} }
...@@ -71,17 +64,11 @@ func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions { ...@@ -71,17 +64,11 @@ func NewBuiltInAuthenticationOptions() *BuiltInAuthenticationOptions {
func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions { func (s *BuiltInAuthenticationOptions) WithAll() *BuiltInAuthenticationOptions {
return s. return s.
WithAnonymous().
WithPasswordFile(). WithPasswordFile().
WithServiceAccounts(). WithServiceAccounts().
WithWebHook() WithWebHook()
} }
func (s *BuiltInAuthenticationOptions) WithAnonymous() *BuiltInAuthenticationOptions {
s.Anonymous = &AnonymousAuthenticationOptions{Allow: true}
return s
}
func (s *BuiltInAuthenticationOptions) WithPasswordFile() *BuiltInAuthenticationOptions { func (s *BuiltInAuthenticationOptions) WithPasswordFile() *BuiltInAuthenticationOptions {
s.PasswordFile = &PasswordFileAuthenticationOptions{} s.PasswordFile = &PasswordFileAuthenticationOptions{}
return s return s
...@@ -113,13 +100,6 @@ func (s *BuiltInAuthenticationOptions) Validate() []error { ...@@ -113,13 +100,6 @@ func (s *BuiltInAuthenticationOptions) Validate() []error {
} }
func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) { func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
if s.Anonymous != nil {
fs.BoolVar(&s.Anonymous.Allow, "anonymous-auth", s.Anonymous.Allow, ""+
"Enables anonymous requests to the secure port of the API server. "+
"Requests that are not rejected by another authentication method are treated as anonymous requests. "+
"Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated.")
}
if s.PasswordFile != nil { if s.PasswordFile != nil {
fs.StringVar(&s.PasswordFile.BasicAuthFile, "basic-auth-file", s.PasswordFile.BasicAuthFile, ""+ fs.StringVar(&s.PasswordFile.BasicAuthFile, "basic-auth-file", s.PasswordFile.BasicAuthFile, ""+
"If set, the file that will be used to admit requests to the secure port of the API server "+ "If set, the file that will be used to admit requests to the secure port of the API server "+
...@@ -166,10 +146,6 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.Au ...@@ -166,10 +146,6 @@ func (s *BuiltInAuthenticationOptions) ToAuthenticationConfig() authenticator.Au
TokenFailureCacheTTL: s.TokenFailureCacheTTL, TokenFailureCacheTTL: s.TokenFailureCacheTTL,
} }
if s.Anonymous != nil {
ret.Anonymous = s.Anonymous.Allow
}
if s.PasswordFile != nil { if s.PasswordFile != nil {
ret.BasicAuthFile = s.PasswordFile.BasicAuthFile ret.BasicAuthFile = s.PasswordFile.BasicAuthFile
} }
...@@ -210,14 +186,7 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error ...@@ -210,14 +186,7 @@ func (o *BuiltInAuthenticationOptions) ApplyTo(c *genericapiserver.Config) error
// ApplyAuthorization will conditionally modify the authentication options based on the authorization options // ApplyAuthorization will conditionally modify the authentication options based on the authorization options
func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions) { func (o *BuiltInAuthenticationOptions) ApplyAuthorization(authorization *BuiltInAuthorizationOptions) {
if o == nil || authorization == nil || o.Anonymous == nil { if o == nil || authorization == nil {
return return
} }
// authorization ModeAlwaysAllow cannot be combined with AnonymousAuth.
// in such a case the AnonymousAuth is stomped to false and you get a message
if o.Anonymous.Allow && sets.NewString(authorization.Modes...).Has(authzmodes.ModeAlwaysAllow) {
glog.Warningf("AnonymousAuth is not allowed with the AlwaysAllow authorizer. Resetting AnonymousAuth to false. You should use a different authorizer")
o.Anonymous.Allow = false
}
} }
...@@ -23,7 +23,6 @@ import ( ...@@ -23,7 +23,6 @@ import (
"k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/group" "k8s.io/apiserver/pkg/authentication/group"
"k8s.io/apiserver/pkg/authentication/request/anonymous"
"k8s.io/apiserver/pkg/authentication/request/headerrequest" "k8s.io/apiserver/pkg/authentication/request/headerrequest"
unionauth "k8s.io/apiserver/pkg/authentication/request/union" unionauth "k8s.io/apiserver/pkg/authentication/request/union"
"k8s.io/apiserver/pkg/authentication/request/x509" "k8s.io/apiserver/pkg/authentication/request/x509"
...@@ -34,8 +33,6 @@ import ( ...@@ -34,8 +33,6 @@ import (
// DelegatingAuthenticatorConfig is the minimal configuration needed to create an authenticator // DelegatingAuthenticatorConfig is the minimal configuration needed to create an authenticator
// built to delegate authentication to a kube API server // built to delegate authentication to a kube API server
type DelegatingAuthenticatorConfig struct { type DelegatingAuthenticatorConfig struct {
Anonymous bool
// TokenAccessReviewClient is a client to do token review. It can be nil. Then every token is ignored. // TokenAccessReviewClient is a client to do token review. It can be nil. Then every token is ignored.
TokenAccessReviewClient authenticationclient.TokenReviewInterface TokenAccessReviewClient authenticationclient.TokenReviewInterface
...@@ -79,15 +76,9 @@ func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, error) { ...@@ -79,15 +76,9 @@ func (c DelegatingAuthenticatorConfig) New() (authenticator.Request, error) {
} }
if len(authenticators) == 0 { if len(authenticators) == 0 {
if c.Anonymous {
return anonymous.NewAuthenticator(), nil
}
return nil, errors.New("No authentication method configured") return nil, errors.New("No authentication method configured")
} }
authenticator := group.NewAuthenticatedGroupAdder(unionauth.New(authenticators...)) authenticator := group.NewAuthenticatedGroupAdder(unionauth.New(authenticators...))
if c.Anonymous {
authenticator = unionauth.NewFailOnError(authenticator, anonymous.NewAuthenticator())
}
return authenticator, nil return authenticator, nil
} }
package(default_visibility = ["//visibility:public"])
load(
"@io_bazel_rules_go//go:def.bzl",
"go_library",
"go_test",
)
go_test(
name = "go_default_test",
srcs = ["anonymous_test.go"],
embed = [":go_default_library"],
deps = [
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
],
)
go_library(
name = "go_default_library",
srcs = ["anonymous.go"],
importmap = "k8s.io/kubernetes/vendor/k8s.io/apiserver/pkg/authentication/request/anonymous",
importpath = "k8s.io/apiserver/pkg/authentication/request/anonymous",
deps = [
"//staging/src/k8s.io/apiserver/pkg/authentication/authenticator:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
],
)
filegroup(
name = "package-srcs",
srcs = glob(["**"]),
tags = ["automanaged"],
visibility = ["//visibility:private"],
)
filegroup(
name = "all-srcs",
srcs = [":package-srcs"],
tags = ["automanaged"],
)
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package anonymous
import (
"net/http"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
)
const (
anonymousUser = user.Anonymous
unauthenticatedGroup = user.AllUnauthenticated
)
func NewAuthenticator() authenticator.Request {
return authenticator.RequestFunc(func(req *http.Request) (user.Info, bool, error) {
return &user.DefaultInfo{Name: anonymousUser, Groups: []string{unauthenticatedGroup}}, true, nil
})
}
/*
Copyright 2016 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package anonymous
import (
"testing"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/user"
)
func TestAnonymous(t *testing.T) {
var a authenticator.Request = NewAuthenticator()
u, ok, err := a.AuthenticateRequest(nil)
if err != nil {
t.Fatalf("Unexpected error %v", err)
}
if !ok {
t.Fatalf("Unexpectedly unauthenticated")
}
if u.GetName() != user.Anonymous {
t.Fatalf("Expected username %s, got %s", user.Anonymous, u.GetName())
}
if !sets.NewString(u.GetGroups()...).Equal(sets.NewString(user.AllUnauthenticated)) {
t.Fatalf("Expected group %s, got %v", user.AllUnauthenticated, u.GetGroups())
}
}
...@@ -89,7 +89,6 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.AuthenticationInfo, ...@@ -89,7 +89,6 @@ func (s *DelegatingAuthenticationOptions) ApplyTo(c *server.AuthenticationInfo,
} }
cfg := authenticatorfactory.DelegatingAuthenticatorConfig{ cfg := authenticatorfactory.DelegatingAuthenticatorConfig{
Anonymous: true,
CacheTTL: s.CacheTTL, CacheTTL: s.CacheTTL,
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment