Skip to content

Issue-356: Drop unnecessary Authorizer#364

Open
ibihim wants to merge 4 commits intobrancz:sig-auth-acceptancefrom
ibihim:ibihim/2025-03-13_issue-356_drop-or-not-to-drop-attrs
Open

Issue-356: Drop unnecessary Authorizer#364
ibihim wants to merge 4 commits intobrancz:sig-auth-acceptancefrom
ibihim:ibihim/2025-03-13_issue-356_drop-or-not-to-drop-attrs

Conversation

@ibihim
Copy link
Collaborator

@ibihim ibihim commented Mar 13, 2025

What

  • Remove non resource attributes generator.

Why

  • We might not need it. Normal requests already have the given form of only "path", "verb" and "user".
  • It might be more secure, as we don't mask other attributes.

Notes

@ibihim ibihim changed the title [wip] issue 356 drop or not to drop attrs issue 356 drop or not to drop attrs Mar 20, 2025
@ibihim ibihim force-pushed the ibihim/2025-03-13_issue-356_drop-or-not-to-drop-attrs branch 2 times, most recently from 0da710f to 640a6f0 Compare March 20, 2025 11:09
@ibihim
Copy link
Collaborator Author

ibihim commented Apr 4, 2025

@ibihim add log output before change, to show an exemplary resource attribute for that case.

Make a (manual) test for what would happen, if you have a resource request.

@stlaz stlaz added the sig-auth-acceptance issues created during review for sig-auth-acceptance label Apr 8, 2025
@ibihim ibihim changed the title issue 356 drop or not to drop attrs Issue-356: Drop unnecessary Authorizer Apr 23, 2025
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an odd change. Can you please write full unit test coverage of the original code (so a unit tests commit comes first) and then start moving authorizers around?

@ibihim ibihim force-pushed the ibihim/2025-03-13_issue-356_drop-or-not-to-drop-attrs branch 5 times, most recently from 6e27005 to 075d874 Compare May 6, 2025 10:08
Masking the resource attributes value to "just" path, verb and user is
potentially suboptimal, as it ignores other fields that would be of
interest for a SAR request.
This use-case makes sense for regular HTTP request (non kubernetes
resource request), but those kind of requests, don't populate the other
fields in the resource attributes anyway.
Is theoretically a regression, which we should keep in mind.
@ibihim ibihim force-pushed the ibihim/2025-03-13_issue-356_drop-or-not-to-drop-attrs branch from 075d874 to 7a64375 Compare November 26, 2025 13:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

sig-auth-acceptance issues created during review for sig-auth-acceptance

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants

Comments