Details

    • Type: Sub-task
    • Resolution: Unresolved
    • Parent: RHOAISTRAT-41 - Support SSO for all RHOAI components
    Description

      If we only use the `user` selector in the auth config, but not `groups`, the SubjectAccessReview impersonates the user without extending the privilege check to the groups the user belongs to.

      user:
        selector: auth.identity.user.username

      From the SARSpec docs:

      User is the user you're testing for. If you specify "User" but not "Groups", then it is interpreted as "What if User were not a member of any groups".

      Background

      When inspecting a token for a user who has a certain role granted through a Group they belong to, the check fails with 403 even though the user has the rights. This can be related to `user.selector`, which presumably sets the Impersonate-User header when issuing the SAR call.

      The same behavior can be observed with the `kubectl auth can-i` command:

      ❯ oc auth can-i get svc/modelregistry-sample -n model-registry --as=cluster-admin
      no
      ❯ oc auth can-i get svc/modelregistry-sample -n model-registry
      yes
      ❯ oc whoami
      cluster-admin
      

      These are the request/response pairs being sent under the covers (in order).

      --as=cluster-admin

      Request Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"model-registry","verb":"get","resource":"services","name":"modelregistry-sample"}},"status":{"allowed":false}}

      curl -v -XPOST  -H "Content-Type: application/json" -H "Impersonate-User: cluster-admin" -H "Accept: application/json, */*" -H "User-Agent: oc/4.15.0 (linux/amd64) kubernetes/48dcf59" -H "Authorization: Bearer <masked>" 'https://api.dbokde-cluster.chbf.p3.openshiftapps.com:443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews'
      I0318 23:11:23.789150 1867524 round_trippers.go:553] POST https://api.dbokde-cluster.chbf.p3.openshiftapps.com:443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews 201 Created in 125 milliseconds

      Response Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null,"managedFields":[{"manager":"oc","operation":"Update","apiVersion":"authorization.k8s.io/v1","time":"2024-03-18T22:11:23Z","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{"f:resourceAttributes":{".":{},"f:name":{},"f:namespace":{},"f:resource":{},"f:verb":{}}}}}]},"spec":{"resourceAttributes":{"namespace":"model-registry","verb":"get","resource":"services","name":"modelregistry-sample"}},"status":{"allowed":false}}


      vs. the regular call (no impersonation):

      Request Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null},"spec":{"resourceAttributes":{"namespace":"model-registry","verb":"get","resource":"services","name":"modelregistry-sample"}},"status":{"allowed":false}}

      curl -v -XPOST  -H "Content-Type: application/json" -H "Accept: application/json, */*" -H "User-Agent: oc/4.15.0 (linux/amd64) kubernetes/48dcf59" -H "Authorization: Bearer <masked>" 'https://api.dbokde-cluster.chbf.p3.openshiftapps.com:443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews'
      POST https://api.dbokde-cluster.chbf.p3.openshiftapps.com:443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews 201 Created in 202 milliseconds

      Response Body: {"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","metadata":{"creationTimestamp":null,"managedFields":[{"manager":"oc","operation":"Update","apiVersion":"authorization.k8s.io/v1","time":"2024-03-18T22:27:15Z","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{"f:resourceAttributes":{".":{},"f:name":{},"f:namespace":{},"f:resource":{},"f:verb":{}}}}}]},"spec":{"resourceAttributes":{"namespace":"model-registry","verb":"get","resource":"services","name":"modelregistry-sample"}},"status":{"allowed":true,"reason":"RBAC: allowed by ClusterRoleBinding \"osd-cluster-admin\" of ClusterRole \"cluster-admin\" to Group \"cluster-admins\""}}
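      The following is an added example, not code from this ticket, Authorino or Kubernetes. It models the semantics quoted from the SARSpec docs and observed in the trace above: a SubjectAccessReview whose spec names only `user` is evaluated as if that user belonged to no groups, so a right granted through a Group binding (here the constructed `cluster-admins` group, mirroring the `reason` string in the allowed response) is denied, while the same review with `groups` populated is allowed. The RBAC fixture, the `auth.identity`-shaped object and the toy authorizer are all constructed for illustration; the real API server's RBAC evaluation is far richer.

```python
"""Why a SubjectAccessReview carrying only `user` denies what the user is
allowed through group membership. Added example; fixtures are constructed."""
import json

# Constructed fixture modelled on the ticket's reason string: one
# ClusterRoleBinding grants ClusterRole "cluster-admin" to the *group*
# "cluster-admins". No binding names the user directly.
RBAC_BINDINGS = [
    {
        "binding": "osd-cluster-admin",
        "role": "cluster-admin",
        "subjects": [{"kind": "Group", "name": "cluster-admins"}],
        "rules": [{"verbs": ["*"], "resources": ["*"]}],  # "*" means any
    }
]

# Constructed identity in the shape an auth config sees after a TokenReview:
# the username plus the groups the API server resolved for the token.
IDENTITY = {
    "user": {
        "username": "cluster-admin",
        "groups": ["system:authenticated", "cluster-admins"],
    }
}


def build_sar(username, groups=None, *, namespace, verb, resource, name):
    """Build a SubjectAccessReview body. `groups` is omitted when None,
    which is the "User but not Groups" shape the ticket describes."""
    spec = {
        "user": username,
        "resourceAttributes": {
            "namespace": namespace, "verb": verb, "resource": resource, "name": name,
        },
    }
    if groups is not None:
        spec["groups"] = list(groups)
    return {"kind": "SubjectAccessReview", "apiVersion": "authorization.k8s.io/v1", "spec": spec}


def impersonation_headers(username, groups=None):
    """Headers `oc --as` (and `--as-group`) send. `--as` alone yields only
    Impersonate-User, which is what the ticket's verbose trace shows."""
    headers = {"Impersonate-User": username}
    if groups:
        headers["Impersonate-Group"] = list(groups)
    return headers


def _rule_matches(rule, verb, resource):
    return ("*" in rule["verbs"] or verb in rule["verbs"]) and (
        "*" in rule["resources"] or resource in rule["resources"]
    )


def evaluate(sar, bindings=RBAC_BINDINGS):
    """Toy RBAC authorizer. The subject set is exactly spec.user plus
    spec.groups; groups absent from the review are never consulted, which
    is the "what if User were not a member of any groups" semantics."""
    spec = sar["spec"]
    attrs = spec["resourceAttributes"]
    subjects = {("User", spec["user"])} | {("Group", g) for g in spec.get("groups", [])}
    for b in bindings:
        for s in b["subjects"]:
            if (s["kind"], s["name"]) in subjects and any(
                _rule_matches(r, attrs["verb"], attrs["resource"]) for r in b["rules"]
            ):
                reason = (f'RBAC: allowed by ClusterRoleBinding "{b["binding"]}" of '
                          f'ClusterRole "{b["role"]}" to {s["kind"]} "{s["name"]}"')
                return {"allowed": True, "reason": reason}
    return {"allowed": False}


def review_identity(identity, include_groups, **attrs):
    """What an auth config with only a `user` selector (include_groups=False)
    versus `user` + `groups` selectors (True) would submit, and the answer."""
    user = identity["user"]
    groups = user["groups"] if include_groups else None
    return evaluate(build_sar(user["username"], groups, **attrs))


if __name__ == "__main__":
    attrs = dict(namespace="model-registry", verb="get",
                 resource="services", name="modelregistry-sample")
    for include in (False, True):
        print("groups in SAR:", include, "->", json.dumps(review_identity(IDENTITY, include, **attrs)))
```

      The same asymmetry appears in `impersonation_headers`: `--as=cluster-admin` produces only `Impersonate-User`, so the impersonated subject has no groups unless `--as-group` is passed as well, which matches the `no` answer from `oc auth can-i ... --as=cluster-admin` in the ticket.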
      

      People

        Assignee: Unassigned
        Reporter: Bartosz Majsak (bartosz-1)