Commit dedec2d1 authored by Kubernetes Submit Queue's avatar Kubernetes Submit Queue Committed by GitHub

Merge pull request #39193 from xilabao/add-rules-failed-message

Automatic merge from submit-queue add rules not allow message when authorize failed old result: ``` # ./cluster/kubectl.sh --token=/test get po Error from server (Forbidden): User "" cannot list pods in the namespace "default".: "<nil>" (get pods) ``` new result: ``` # ./cluster/kubectl.sh --token=/test get po Error from server (Forbidden): User "" cannot list pods in the namespace "default".: "rules not allow" (get pods) ``` test.yaml ``` kind: Role apiVersion: rbac.authorization.k8s.io/v1alpha1 metadata: name: test rules: - apiGroups: ["*"] verbs: ["create"] resources: ["*"] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1alpha1 metadata: name: admin-resource-binding subjects: - kind: Group name: test roleRef: kind: Role name: test ```
parents f95362f9 9b38eaf9
...@@ -38,7 +38,12 @@ func Forbidden(attributes authorizer.Attributes, w http.ResponseWriter, req *htt ...@@ -38,7 +38,12 @@ func Forbidden(attributes authorizer.Attributes, w http.ResponseWriter, req *htt
w.Header().Set("Content-Type", "text/plain") w.Header().Set("Content-Type", "text/plain")
w.Header().Set("X-Content-Type-Options", "nosniff") w.Header().Set("X-Content-Type-Options", "nosniff")
w.WriteHeader(http.StatusForbidden) w.WriteHeader(http.StatusForbidden)
fmt.Fprintf(w, "%s: %q", msg, reason)
if len(reason) == 0 {
fmt.Fprintf(w, "%s", msg)
} else {
fmt.Fprintf(w, "%s: %q", msg, reason)
}
} }
func forbiddenMessage(attributes authorizer.Attributes) string { func forbiddenMessage(attributes authorizer.Attributes) string {
......
...@@ -48,7 +48,11 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (boo ...@@ -48,7 +48,11 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (boo
glog.V(2).Infof("RBAC DENY: user %q groups %v cannot %q on \"%v.%v/%v\"", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(), glog.V(2).Infof("RBAC DENY: user %q groups %v cannot %q on \"%v.%v/%v\"", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(),
requestAttributes.GetVerb(), requestAttributes.GetResource(), requestAttributes.GetAPIGroup(), requestAttributes.GetSubresource()) requestAttributes.GetVerb(), requestAttributes.GetResource(), requestAttributes.GetAPIGroup(), requestAttributes.GetSubresource())
return false, fmt.Sprintf("%v", ruleResolutionError), nil reason := ""
if ruleResolutionError != nil {
reason = fmt.Sprintf("%v", ruleResolutionError)
}
return false, reason, nil
} }
func New(roles validation.RoleGetter, roleBindings validation.RoleBindingLister, clusterRoles validation.ClusterRoleGetter, clusterRoleBindings validation.ClusterRoleBindingLister) *RBACAuthorizer { func New(roles validation.RoleGetter, roleBindings validation.RoleBindingLister, clusterRoles validation.ClusterRoleGetter, clusterRoleBindings validation.ClusterRoleBindingLister) *RBACAuthorizer {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment