Skip to content

Commit 6e20c55

Browse files
deads2kdeads2k
committed
wire in smart group adder
1 parent 3c3aa4c commit 6e20c55

File tree

1 file changed

+14
-5
lines changed

1 file changed

+14
-5
lines changed

pkg/cmd/server/origin/master_config.go

+14-5
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,7 @@ import (
1818
kapierrors "k8s.io/kubernetes/pkg/api/errors"
1919
"k8s.io/kubernetes/pkg/api/unversioned"
2020
"k8s.io/kubernetes/pkg/apiserver/request"
21+
"k8s.io/kubernetes/pkg/auth/group"
2122
"k8s.io/kubernetes/pkg/client/cache"
2223
kclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
2324
"k8s.io/kubernetes/pkg/client/restclient"
@@ -41,7 +42,6 @@ import (
4142
"github.com/openshift/origin/pkg/auth/authenticator/request/paramtoken"
4243
"github.com/openshift/origin/pkg/auth/authenticator/request/unionrequest"
4344
"github.com/openshift/origin/pkg/auth/authenticator/request/x509request"
44-
"github.com/openshift/origin/pkg/auth/group"
4545
authnregistry "github.com/openshift/origin/pkg/auth/oauth/registry"
4646
"github.com/openshift/origin/pkg/auth/userregistry/identitymapper"
4747
authorizationapi "github.com/openshift/origin/pkg/authorization/api"
@@ -665,6 +665,8 @@ func newAuthenticator(config configapi.MasterConfig, restOptionsGetter restoptio
665665
authenticators = append(authenticators, certauth)
666666
}
667667

668+
resultingAuthenticator := &unionrequest.Authenticator{FailOnError: true, Handlers: authenticators}
669+
668670
topLevelAuthenticators := []authenticator.Request{}
669671
// if we have a front proxy providing authentication configuration, wire it up and it should come first
670672
if config.AuthConfig.RequestHeader != nil {
@@ -678,15 +680,22 @@ func newAuthenticator(config configapi.MasterConfig, restOptionsGetter restoptio
678680
if err != nil {
679681
return nil, fmt.Errorf("Error building front proxy auth config: %v", err)
680682
}
681-
topLevelAuthenticators = append(topLevelAuthenticators, requestHeaderAuthenticator)
683+
topLevelAuthenticators = append(topLevelAuthenticators, &unionrequest.Authenticator{
684+
FailOnError: false,
685+
Handlers: []authenticator.Request{requestHeaderAuthenticator, resultingAuthenticator},
686+
})
687+
688+
} else {
689+
topLevelAuthenticators = append(topLevelAuthenticators, resultingAuthenticator)
690+
682691
}
683-
topLevelAuthenticators = append(topLevelAuthenticators, group.NewGroupAdder(&unionrequest.Authenticator{FailOnError: true, Handlers: authenticators}, []string{bootstrappolicy.AuthenticatedGroup}))
692+
684693
topLevelAuthenticators = append(topLevelAuthenticators, anonymous.NewAuthenticator())
685694

686-
return &unionrequest.Authenticator{
695+
return group.NewAuthenticatedGroupAdder(&unionrequest.Authenticator{
687696
FailOnError: true,
688697
Handlers: topLevelAuthenticators,
689-
}, nil
698+
}), nil
690699
}
691700

692701
func newProjectAuthorizationCache(authorizer authorizer.Authorizer, kubeClient *kclientset.Clientset, informerFactory shared.InformerFactory) *projectauth.AuthorizationCache {

0 commit comments

Comments
 (0)