audit newest impersonated user info in the ResponseStarted, ResponseComplete audit stage #48184
Conversation
|
Hi @CaoShuFeng. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
| // UpdateEventAttribs updates authorizer attributes according to attribs | ||
| func UpdateEventAttribs(ev *auditinternal.Event, attribs authorizer.Attributes) { | ||
| if user := attribs.GetUser(); user != nil { | ||
| ev.User.Username = user.GetName() |
There was a problem hiding this comment.
mutating this seems wrong. I'd want both the requesting user and effective/impersonated user in my audit log
There was a problem hiding this comment.
@liggitt
Thanks for your review.
I will research it.
There was a problem hiding this comment.
There was a problem hiding this comment.
I'm not sure if I'm following what this is doing, but ev.User should be the "real" user, and ev.ImpersonatedUser should hold the the impersonated user attributes. What are we missing?
I agree with @liggitt that the audit event should be thought of as "append only". I.e. we shouldn't change information from earlier stages.
There was a problem hiding this comment.
Hi, @tallclair
I think we can extend the event type, add a new ev.EffectiveUser to events.
The ev.User in the log is the "real" user, but it is not the "effective" user. Because impersonation will change the user info after the audit filter gathers event info.
Can we add this to the TODO list @tallclair ?
@ericchiang What's your opinion?
There was a problem hiding this comment.
Usually EffectiveUser is equal to ImpersonatedUser.
But when user run kubectl with --as=username option, the difference comes.
This tables shows the difference, we can see that some groups are automatically added.
The related codes are here:
https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation.go#L87
https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/endpoints/filters/impersonation.go#L121
There was a problem hiding this comment.
If we don't want to add a new field "EffectiveUser", I think we can copy some codes form impersonation.go to audit.go, and we can also add the same groups to the impersonated user.
Then the impersonated user will become effective user.
There was a problem hiding this comment.
Don't copy code, I'd expect impersonated user to hold the output of the impersonation filter, what you are calling the effective user
There was a problem hiding this comment.
I'd expect impersonated user to hold the output of the impersonation filter, what you are calling the effective user
I aggree.
There was a problem hiding this comment.
I updated the code.
Please review again, thanks.
060b659 to
3989d45
Compare
|
/unassign |
|
Okay, so the issue is that the API server adds additional groups to the impersonated user that the audit log isn't picking up. Rather than mutating the event log later, can we move impersonation before audit log in the handler chain and have the impersonation filter ( Something like: package request
// Existing API
func UserFrom(ctx Context) (user.Info, bool) {}
func WithUser(parent Context, user user.Info) Context {}
// NewAPI. Maybe parameter names could be improved?
// WithImpersionation indicates that the user performing the request is now impersonating the
// provided user. Further calls to WithUser on the returned context will return the impersonating
// user info.
func WithImpersionation(parent Context, impersonator, impersonating user.Info) Context {}
// ImpersionationFrom returns the full impersonation information from the request. If the request
// did not use impersonation, it returns false indicating that UserFrom should be used instead.
func ImpersionationFrom(ctx Context) (impersonator, impersonating, user.Info, ok bool) {}Then have the audit log mechanism use cc @sttts |
We can. But then we loose the 403 from impersonation. @soltysh was working on a catch-up audit handler to get the 403s from authentication. I guess his approach will also work with impersonation if we switch the handler chain order. @soltysh ? |
|
Sorry to disturb you guys again and again.
Thanks very much. |
That shouldn't be the problem. The issue I'm trying to address in openshift (so far) is to be able to log failed authz requests, which our current implementation omits due to design decision we've made at the beginning. @crassirostris @sttts @ericchiang not sure if we want to address this at some point in k8s? |
|
/ok-to-test Some possible options:
I think I'm for the first one. |
|
/test pull-kubernetes-e2e-gce-etcd3 |
|
@CaoShuFeng What's the status of this PR? |
| @@ -142,6 +143,11 @@ func WithImpersonation(handler http.Handler, requestContextMapper request.Reques | |||
| } | |||
| } | |||
|
|
|||
| if !groupsSpecified && username != user.Anonymous { | |||
There was a problem hiding this comment.
Now I'm puzzled. Why we need to do this, if we have this snippet in place and audit happens before impersonation?
There was a problem hiding this comment.
We have 4 stages.
This change will effect the other three stages rather than "StageRequestReceived".
We do this because the snippet may not complete.
There was a problem hiding this comment.
There was a problem hiding this comment.
As far as I see the groups and UID might be different than in the old code. Can we drop the old snippet and use this instead? Having two code paths for the same things is confusing.
There was a problem hiding this comment.
👍 to what Stefan said, replace the old code with the new one, entirely. I did not understand you correctly, initially.
|
@CaoShuFeng will you be able to update this one asap, as well? |
I have get off work today. I will update this tomorrow morning. |
Log the newest impersonated user info in the second audit event. This will help users to debug rbac problems.
3989d45 to
1c3dc52
Compare
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: CaoShuFeng, sttts Associated issue requirement bypassed by: sttts The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
Automatic merge from submit-queue (batch tested with PRs 51301, 50497, 50112, 48184, 50993) |
Impersonation will automatically add system:authenticated, system:serviceaccounts group to the impersonated user info. This pr use the newest impersonated user info in the second audit event. This will help users to debug rbac problems.
Release note:
@liggitt @sttts