
Commit a17f38f

Old routers may not have permission to do SAR checks for metrics
Fall back to the old unauthorized status code. Do the same for the authentication and authorization checks, although authorization failures should be reported as forbidden.
1 parent d076bb5 commit a17f38f

1 file changed

+19
-10
lines changed


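--- a/pkg/router/metrics/metrics.go
+++ b/pkg/router/metrics/metrics.go
@@ -14,6 +14,7 @@ import (
 
 	"k8s.io/apiserver/pkg/server/healthz"
 
+	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 )
@@ -62,9 +63,16 @@ func (l Listener) authorizeHandler(protected http.Handler) http.Handler {
 		}
 
 		user, ok, err := l.Authenticator.AuthenticateRequest(req)
-		if err != nil {
-			glog.V(3).Infof("Unable to authenticate: %v", err)
-			http.Error(w, "Unable to authenticate due to an error", http.StatusInternalServerError)
+		if !ok || err != nil {
+			// older routers will not have permission to check token access review, so treat this
+			// as an authorization denied if so
+			if !ok || errors.IsUnauthorized(err) {
+				glog.V(5).Infof("Unable to authenticate: %v", err)
+				http.Error(w, "Unable to authenticate due to an error", http.StatusUnauthorized)
+			} else {
+				glog.V(3).Infof("Unable to authenticate: %v", err)
+				http.Error(w, "Unable to authenticate due to an error", http.StatusInternalServerError)
+			}
 			return
 		}
 		scopedRecord := l.Record
@@ -90,13 +98,14 @@ func (l Listener) authorizeHandler(protected http.Handler) http.Handler {
 		}
 		scopedRecord.User = user
 		ok, reason, err := l.Authorizer.Authorize(scopedRecord)
-		if err != nil {
-			glog.V(3).Infof("Unable to authenticate: %v", err)
-			http.Error(w, "Unable to authenticate due to an error", http.StatusInternalServerError)
-			return
-		}
-		if !ok {
-			http.Error(w, fmt.Sprintf("Unauthorized %s", reason), http.StatusUnauthorized)
+		if !ok || err != nil {
+			if !ok || errors.IsUnauthorized(err) {
+				glog.V(5).Infof("Unable to authorize: %v", err)
+				http.Error(w, fmt.Sprintf("Forbidden: %s", reason), http.StatusForbidden)
+			} else {
+				glog.V(3).Infof("Unable to authorize: %v", err)
+				http.Error(w, "Unable to authorize the user due to an error", http.StatusInternalServerError)
+			}
 			return
 		}
 		protected.ServeHTTP(w, req)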
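Review bot: The fallback in the authorization hunk keys only on `errors.IsUnauthorized(err)`, but a router whose service account lacks RBAC to create the review object would, as far as I can tell, receive a Forbidden StatusError from the API server rather than an Unauthorized one, so the exact case named in the commit title would still fall through to the 500 branch; consider `if !ok || errors.IsUnauthorized(err) || errors.IsForbidden(err) {` here and in the matching authentication branch. Both branches also log the err != nil case only at V(5), which hides a router misconfiguration behind a caller-facing 401/403 that looks like a bad client credential; keeping a V(3) log line when err is non-nil would leave it discoverable by operators. The authentication branch answers `!ok` with err == nil using the text "due to an error" although no error occurred; a message such as `"Unable to authenticate"` would be accurate for both inputs. authorizeHandler's returned handler starts and ends outside these hunks.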
