openshift / oauth-proxy

A reverse proxy that provides authentication with OpenShift via OAuth and Kubernetes service accounts
MIT License
261 stars 137 forks

Problem with own defined verb and resource in OAuth subjectaccessreviews #167

Closed LarsMilland closed 4 years ago

LarsMilland commented 4 years ago

Hi

I am trying to get version 1.0.0 of this oauth-proxy working towards an OpenShift 3.1.146 environment with a custom crafted role and verb.

I have created my own "verbs" and "resources" in a new clusterrole "deploy":

apiVersion: authorization.openshift.io/v1
kind: ClusterRole
metadata:
  name: deploy
rules:
- apiGroups:
  - build.openshift.io
  attributeRestrictions: null
  resources:
  - jenkins
  verbs:
  - deploy

and have that granted/bound to a user that I would like to have check for that permission via the OAuth proxy:

apiVersion: authorization.openshift.io/v1
groupNames:
- T_APPARC_Edit
kind: RoleBinding
metadata:
  name: deploy
  namespace: apparc-t
roleRef:
  name: deploy
subjects:
- kind: Group
  name: T_APPARC_Edit
- kind: User
  name: PP_UOpenShiftProjDemoXTestEdit
userNames:
- PP_UOpenShiftProjDemoXTestEdit

I would assume that the subjectaccessreviews API call should look something like this:

{
  "namespace": "apparc-t",
  "resource": "jenkins",
  "scopes": [],
  "verb": "deploy"
}

but using a token for this user: PP_UOpenShiftProjDemoXTestEdit the response I get back is:

{
  "kind": "SubjectAccessReviewResponse",
  "apiVersion": "authorization.openshift.io/v1",
  "namespace": "apparc-t",
  "allowed": false,
  "reason": "no RBAC policy matched"
}

Does anyone here know what could be wrong? Maybe how I should structure the SAR post contents to match this rolebinding? Or if it is at all possible to use the OpenShift OAuth API with the subjectaccessreviews like this for "resources" I have defined myself.

I know that the user I am using works, since I can do:

{
  "namespace": "apparc-t",
  "resource": "namespaces",
  "resourcename": "apparc-t",
  "scopes": [],
  "verb": "get"
}

getting this back

{
  "kind": "SubjectAccessReviewResponse",
  "apiVersion": "authorization.openshift.io/v1",
  "namespace": "apparc-t",
  "allowed": true,
  "reason": "RBAC: allowed by RoleBinding \"prometheus-view/apparc-t\" of ClusterRole \"view\" to User \"PP_UOpenShiftProjDemoXTestEdit\""
}

Best regards, Lars Milland

LarsMilland commented 4 years ago

Hi

I have resolved my problem myself.

By adding the resourceAPIGroup to the SAR it worked for me.

So my SAR looks like this:

{
  "resource": "jenkins",
  "verb": "deploy",
  "resourceAPIGroup": "build.openshift.io",
  "namespace": "apparc-t"
}

Best regards, Lars Milland
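The resolution above comes down to one detail of RBAC rule matching: a SubjectAccessReview that omits `resourceAPIGroup` is evaluated against the core (empty-string) API group, so a rule whose `apiGroups` is `build.openshift.io` can never match it, while a core-group resource such as `namespaces` is found without the field. The following added example (not code from the oauth-proxy project or from the issue author) models that matching in a simplified form and builds the SAR JSON that oauth-proxy accepts through its `--openshift-sar` flag. The two bound roles are constructed for the example: `deploy` mirrors the ClusterRole in the issue, and `view` is reduced to a single `get namespaces` rule rather than the real OpenShift `view` role. The matcher only covers verbs, API groups, resources and resource names; it does not model role binding resolution, scopes or non-resource URLs.

```python
import json
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass
class Rule:
    """One entry of a Role/ClusterRole 'rules' list (simplified)."""
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)


# Constructed roles assumed to be bound to the user in namespace "apparc-t".
BOUND_ROLES: Dict[str, List[Rule]] = {
    # Same rule as the ClusterRole "deploy" in the issue.
    "deploy": [Rule(["build.openshift.io"], ["jenkins"], ["deploy"])],
    # Stand-in for the real "view" ClusterRole: only the rule we need here.
    "view": [Rule([""], ["namespaces"], ["get"])],
}


def _matches(allowed: List[str], value: str) -> bool:
    """RBAC list semantics: an explicit entry or the '*' wildcard matches."""
    return "*" in allowed or value in allowed


def rule_allows(rule: Rule, sar: Dict[str, Any]) -> bool:
    """Return True when a single rule grants the requested action.

    A missing resourceAPIGroup in the SAR is treated as the core group "",
    which is exactly why the issue's first attempt produced
    'no RBAC policy matched' against an apiGroups: [build.openshift.io] rule.
    """
    group = sar.get("resourceAPIGroup", "")
    if not _matches(rule.api_groups, group):
        return False
    if not _matches(rule.resources, sar["resource"]):
        return False
    if not _matches(rule.verbs, sar["verb"]):
        return False
    # A rule with resourceNames only applies to those named objects.
    if rule.resource_names and sar.get("resourceName") not in rule.resource_names:
        return False
    return True


def evaluate(roles: Dict[str, List[Rule]], sar: Dict[str, Any]) -> Dict[str, Any]:
    """Evaluate the SAR against every bound role; first matching rule wins."""
    for role_name, rules in roles.items():
        for rule in rules:
            if rule_allows(rule, sar):
                return {
                    "allowed": True,
                    "reason": f"RBAC: allowed by role \"{role_name}\"",
                }
    return {"allowed": False, "reason": "no RBAC policy matched"}


def build_sar(
    namespace: str,
    resource: str,
    verb: str,
    api_group: Optional[str] = None,
    resource_name: Optional[str] = None,
) -> Dict[str, Any]:
    """Build the SAR body; resourceAPIGroup is only emitted when given."""
    sar: Dict[str, Any] = {"namespace": namespace, "resource": resource, "verb": verb}
    if api_group is not None:
        sar["resourceAPIGroup"] = api_group
    if resource_name is not None:
        sar["resourceName"] = resource_name
    return sar


def proxy_sar_flag(sar: Dict[str, Any]) -> str:
    """Render the SAR as the value oauth-proxy expects for --openshift-sar."""
    return "--openshift-sar=" + json.dumps(sar, separators=(",", ":"))


if __name__ == "__main__":
    # The first attempt from the issue: custom resource, no API group.
    without_group = build_sar("apparc-t", "jenkins", "deploy")
    print(proxy_sar_flag(without_group), evaluate(BOUND_ROLES, without_group))
    # The working SAR from the follow-up comment.
    with_group = build_sar("apparc-t", "jenkins", "deploy", api_group="build.openshift.io")
    print(proxy_sar_flag(with_group), evaluate(BOUND_ROLES, with_group))
```

Run stand-alone, the script prints the two `--openshift-sar` values side by side with the verdict the matcher gives each one; the first is denied with "no RBAC policy matched" and the second is allowed. When adding a custom verb or resource for oauth-proxy, carry the rule's `apiGroups` entry into the SAR as `resourceAPIGroup`, and leave it out only for core-group resources.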