Add conversions from RBAC resources to origin resources

[enj]

Trello ref: https://trello.com/c/viECLnNa

@deads2k It would probably take ~3 conversions to build a semantic compare function - assuming unsetUnpreservedFields and sortAndDeduplicateRulesFields do not invalidate the tests.

cc @liggitt

Signed-off-by: Monis Khan [email protected]

[enj]

[test]

[deads2k]

Make the names look like the generated ones: Convert_rbac_ClusterRole_To_api_ClusterRole and actually register these with other pkg/authorization/api conversions.

[deads2k]

you need a comment about AttributeRestrictions

[deads2k]

I guess that comment goes here.

[deads2k]

origin kinds collapse down to just User and Group from SystemUser and SystemGroup.

[deads2k]

This is fixed in kube to rbac.authorization.k8s.io.

[deads2k]

I didn't think we filled in a Kind. I thought we triggered on empty namespace or not.

[deads2k]

If we reference a role (not clusterrole) from a different namespace this needs to return an error so we can catch it.

Also, we'll want an upgrade preflight check or at least warning about the condition. We may have to provide a script for a cluster-admin to denormalize automatically. @liggitt necessary to make the script?

[liggitt]

I think detection is fine

[deads2k]

@liggitt want to specify our group here? It's what its for and it should work... Alternatively, we could avoid rocking the boat.

[liggitt]

if we want to use the upstream authorizer eventually, I don't want want to have to rewrite these into subjects it recognizes

[liggitt]

are we still working with v1alpha1 RBAC here?

[deads2k]

are we still working with v1alpha1 RBAC here?

Internal to internal.

[liggitt]

ah, but before kubernetes/kubernetes#41184

[deads2k]

This shouldn't carry through.

[deads2k]

You'll need to use the subject determination code. Take a look at the conversions we have from Users and Groups to Subjects and you'll find the helpers to determine SystemUser and SystemGroup

[deads2k]

This won't match up.

[deads2k]

You'll need to fill in a namespace for the local role reference

[enj]

@deads2k PTAL

Fuzzing tests are failing right now because they do not follow the kind requirements - I will update those soon.

[deads2k]

When the origin roleref namespace is empty, the rbacRoleRef kind should be "ClusterRole". Otherwise, it should be "Role"

[deads2k]

I'm expecting the APIGroup to pinned to the correct rbac value.

[deads2k]

When the origin roleref namespace equals the current namespace, then the Kind should be "Role"

[deads2k]

It's pinned. Look it up in the rbac code.

[deads2k]

This is empty. You really should read the existing code that builds origin subject references.

[deads2k]

No. Inline into callers.

[deads2k]

Fix the fuzz functions instead to create values that could actually exist.

[enj]

@deads2k PTAL

[deads2k]

originRoleRefKind? Something to demonstrate how specific it is.

[deads2k]

I didn't think that origin rolerefs respected kind.

[deads2k]

Can you name these functions as Convert_foo_to_bar? Obviously the signature won't match, but it will help remind me as I read it. Also, godoc on for the args. namespace isn't obvious.

[deads2k]

we want some user names that are SystemUsers too.

[deads2k]

RBAC service account references aren't required to have namespaces. Some shouldn't have them.

[deads2k]

some SA subject namespaces should be empty.

[enj]

@liggitt Any comments?

[liggitt]

it ignores it, but only after converting subjectaccessreviews with an IsSelfSubjectAccessReview restriction to selfsubjectaccessreviews.authorization.k8s.io... just dropping it escalates that permission

[liggitt]

if we see a rule with that restriction, we need to limit the rule to the things that restriction would allow, and convert subjectaccessreviews resources to selfsubjectaccessreviews.authorization.k8s.io resources

[deads2k]

Ah, that would have been unfortunate. Annotation to roundtrip through the rbac role maybe?

[liggitt]

if we round-trip and end up with a rule that allows selfsubjectaccessreviews.authorization.k8s.io, that's sufficient

[liggitt]

do we allow mixing resource and non-resource bits in the same rule? upstream does not, so we potentially need to split rules

[enj]

We do not allow mixing.

[liggitt]

awesome

[liggitt]

@deads2k did we fix up mixed-case resources in conversion or in the authorizer? do we need to downcase on our way out to kube?

[enj]

did we fix up mixed-case resources in conversion or in the authorizer?

No such luck.

oc create

apiVersion: v1
kind: ClusterRole
metadata:
  name: foobar
rules:
- apiGroups:
  - ""
  resources:
  - configmapS
  - Endpoints
  - persistentvolumeclAIms
  - PODS
  verbs:
  - GET
  - lIst
  - wAtch

oc get clusterrole foobar -o yaml

apiVersion: v1
kind: ClusterRole
metadata:
  creationTimestamp: 2017-03-15T22:09:25Z
  name: foobar
  resourceVersion: "986"
  selfLink: /oapi/v1/clusterrolesfoobar
  uid: 0cc20af8-09cc-11e7-8ccc-507b9dac97ff
rules:
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - Endpoints
  - PODS
  - configmapS
  - persistentvolumeclAIms
  verbs:
  - GET
  - lIst
  - wAtch

[enj]

So in the authorizer we normalize APIGroups, Verbs, and Resources. We do not normalize ResourceNames, NonResourceURLs, or Subresources. The Subresources part might have been an oversight during #13286.

[deads2k]

Shouldn't this function be using a two way covers check? Also, that probably needs checking come to think of it.

[deads2k]

@liggitt as I recall, we did the tolower thing because in 3.0, we had mixed case paths. I think we're far enough out that I'd be willing to say, "those clients need to be fixed" at this point. I'm thinking we tolower everything as a migration step (oc migrate) and write the conversion to preserve case. Thoughts?

[deads2k]

Oh, and we stop tolowering in our authorizer for 3.6.

[deads2k]

@enj We're going with the oadm migrate. You need another card?

[deads2k]

@enj I think you should remove the normalization commit and remind me to look at this on Monday.

[openshift-bot]

Evaluated for origin test up to bf34a59

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/293/) (Base Commit: 9e19032)

[enj]

@deads2k @liggitt I opened #13429 #13430 #13432 to track the remaining issues.

RBAC conversions no longer normalize and use Covers to test attribute restrictions.

Let me know if you want to merge this as-is and have separate PRs for each of those fixes or if you want me to add some of the fixes here.

[deads2k]

lgtm [merge]

[openshift-bot]

Evaluated for origin merge up to bf34a59

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/149/) (Base Commit: 612dcfb) (Image: devenv-rhel7_6087)

[deads2k]

@enj add validation for a role and cluster role that makes including any attributerestrictions invalid. It may frustrate some people who have serialized roles that include these, but it also forces them to look at why and see that their rule won't work.

Other paths that I decided against:

1. conversion drops the rule entirely. No warning to a user that their intent is no longer fulfilled.
2. conversion changes the rule to selfSAR. Doesn't work during rolling upgrades.
3. doing nothing. During a rolling upgrade, you can create a rule that does nothing on the current server but allows power on the older servers.