Closed braghettos closed 4 months ago
To date, we put all the custom logic here => https://github.com/kubernetes/apiserver/blob/master/pkg/registry/generic/registry/store.go#L170 that is, after the CR has been taken from the store (etcd). The ideal would be to have the object here in this method https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go#L20
/cc @deads2k @enj @liggitt
I'll let the experts comment on this one. I have the feeling that there is a reason why such functionality is not already implemented, but I'm not a security expert.
All of this stuff is done automatically for you if you wire your server correctly, for example DelegatingAuthenticationOptions
takes care of authentication.
request.UserFrom
can be used in later layers to get the user.Info
:
Use this code as an example for wiring up an aggregated API server correctly.
Hi @enj thank you very much for your quick response!
What we would like to do is to access the user.Info
struct from this Decorator
=> apiserver/pkg/registry/generic/registry/store.go#L170.
Decorator
that is used, for instance, here => apiserver/pkg/registry/generic/registry/store.go#L812.
Since this Decorator
des not expose the Context
, we can’t do the UserFrom(ctx context.Context)
call.
Taking as reference the sample-apiserver, exists a way to access to the user.Info
who is asking for the resource from within the Decorator
?
All the best, Luca
@lucasepe I am not sure that I would recommend that you change the resource based on the user, but you can do that via:
GenericConfig.RESTOptionsGetter
of your serverRESTOptions
that further wraps the existing StorageDecorator
StorageDecorator
wrap the storage.Interface
storage.Interface
methods such as Get
use the request context to perform whatever mutation you want on the returned resourceThank you very much @enj ! It works!
All the best, Luca
/close
@enj: Closing this issue.
Hi everyone! We're implementing an aggregation layer leveraging the apiserver package. In our use case we need to retrieve the headers in order to understand who's the user making the request.
We were looking at the documentation: https://kubernetes.io/docs/tasks/extend-kubernetes/configure-aggregation-layer/#extension-apiserver-authenticates-the-request - in particular the following paragraph:
Check that the TLS connection was authenticated using a client certificate which:
But it seems that the apiserver package is not exposing these headers. Could anyone help me pointing out if there's a way to retrieve these headers after the authn/authz phases?
Thanks for any help!