
Commit 1ed4596

Merge pull request #17268 from smarterclayton/metrics
Old routers may not have permission to do SAR checks for metrics
2 parents e6b20e1 + a17f38f commit 1ed4596

1 file changed

+19
-10
lines changed

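--- a/pkg/router/metrics/metrics.go
+++ b/pkg/router/metrics/metrics.go
@@ -14,6 +14,7 @@ import (
 
 "k8s.io/apiserver/pkg/server/healthz"
 
+"k8s.io/apimachinery/pkg/api/errors"
 "k8s.io/apiserver/pkg/authentication/authenticator"
 "k8s.io/apiserver/pkg/authorization/authorizer"
 )
@@ -62,9 +63,16 @@ func (l Listener) authorizeHandler(protected http.Handler) http.Handler {
 }
 
 user, ok, err := l.Authenticator.AuthenticateRequest(req)
-if err != nil {
-glog.V(3).Infof("Unable to authenticate: %v", err)
-http.Error(w, "Unable to authenticate due to an error", http.StatusInternalServerError)
+if !ok || err != nil {
+// older routers will not have permission to check token access review, so treat this
+// as an authorization denied if so
+if !ok || errors.IsUnauthorized(err) {
+glog.V(5).Infof("Unable to authenticate: %v", err)
+http.Error(w, "Unable to authenticate due to an error", http.StatusUnauthorized)
+} else {
+glog.V(3).Infof("Unable to authenticate: %v", err)
+http.Error(w, "Unable to authenticate due to an error", http.StatusInternalServerError)
+}
 return
 }
 scopedRecord := l.Record
@@ -90,13 +98,14 @@ func (l Listener) authorizeHandler(protected http.Handler) http.Handler {
 }
 scopedRecord.User = user
 ok, reason, err := l.Authorizer.Authorize(scopedRecord)
-if err != nil {
-glog.V(3).Infof("Unable to authenticate: %v", err)
-http.Error(w, "Unable to authenticate due to an error", http.StatusInternalServerError)
-return
-}
-if !ok {
-http.Error(w, fmt.Sprintf("Unauthorized %s", reason), http.StatusUnauthorized)
+if !ok || err != nil {
+if !ok || errors.IsUnauthorized(err) {
+glog.V(5).Infof("Unable to authorize: %v", err)
+http.Error(w, fmt.Sprintf("Forbidden: %s", reason), http.StatusForbidden)
+} else {
+glog.V(3).Infof("Unable to authorize: %v", err)
+http.Error(w, "Unable to authorize the user due to an error", http.StatusInternalServerError)
+}
 return
 }
 protected.ServeHTTP(w, req)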
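Review bot: In both new error blocks of authorizeHandler (after `AuthenticateRequest` and after `Authorize`) the inner test `if !ok || errors.IsUnauthorized(err)` is true whenever `ok` is false, so the `else` branch (500, logged at V(3)) is reached only when the call returns `ok == true` together with a non-nil error. If the authenticator and authorizer return `ok == false` alongside an error, as is usual, a failing review backend is answered with 401/403 and logged only at V(5); that still fails closed, but it hides backend outages and repeated rejections from logs at normal verbosity. Consider `if err == nil || errors.IsUnauthorized(err) {` at both sites so that only a clean denial or a 401 from the API takes the quiet path. The comment describes routers that lack permission for the review call; if the API reports that as Forbidden rather than Unauthorized, `errors.IsForbidden(err)` may be the check that actually matches, which is worth confirming. The handler body starts and ends outside these hunks.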
