diff --git a/architecture/additional_concepts/authentication.adoc b/architecture/additional_concepts/authentication.adoc index ca2327b5e7d7..63f7472be47b 100644 --- a/architecture/additional_concepts/authentication.adoc +++ b/architecture/additional_concepts/authentication.adoc @@ -87,30 +87,6 @@ the `system:anonymous` virtual user and the `system:unauthenticated` virtual group to the request. This allows the authorization layer to determine which requests, if any, an anonymous user is allowed to make. -[[authentication-impersonation]] -=== Impersonation -A request to the {product-title} API may include an *Impersonate-User* header, -which indicates that the requester wants to have the request handled as though -it came from the specified user. This can be done on the command line by passing -the `*--as=username*` flag. - -Before User A is allowed to impersonate User B, User A is first authenticated. -Then, an authorization check occurs to ensure that User A is allowed to -impersonate the user named User B. If User A is requesting to impersonate a -service account (*system:serviceaccount:namespace:name*), {product-title} checks -to ensure that User A can impersonate the *serviceaccount* named *name* in -*namespace*. If the check fails, the request fails with a 403 (Forbidden) error -code. - -By default, project administrators and editors are allowed to impersonate -service accounts in their namespace. The *sudoers* role allows a user to -impersonate *system:admin*, which in turn has cluster administrator permissions. -This grants some protection against typos (but not security) for someone -administering the cluster. For example, `oc delete nodes --all` would be -forbidden, but `oc delete nodes --all --as=system:admin` would be allowed. You -can add a user to that group using `oadm policy add-cluster-role-to-user sudoer -`. - [[oauth]] == OAuth 
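Review bot: deleting the `[[authentication-impersonation]]` anchor orphans every cross-reference to `#authentication-impersonation`; the one in architecture/revhistory_architecture.adoc is fixed later in this patch, but a repository-wide grep for that anchor is worth doing before merge so no other topic is left with a dead link. If the 3.1 branch shares this source with later releases where impersonation does apply, an AsciiDoc conditional (`ifdef::` on a version attribute) around the section would preserve the content rather than dropping it outright. Note also that the deleted text already carried a broken command, `oadm policy add-cluster-role-to-user sudoer` split across a line break before its closing backtick, so if the section is reinstated elsewhere that command needs to be written on one line.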
diff --git a/architecture/revhistory_architecture.adoc b/architecture/revhistory_architecture.adoc index b124c8068b15..fba637af8fff 100644 --- a/architecture/revhistory_architecture.adoc +++ b/architecture/revhistory_architecture.adoc @@ -6,6 +6,21 @@ :experimental: // do-release: revhist-tables +== Wed Jun 15 2016 + +// tag::architecture_wed_jun_15_2016[] +[cols="1,3",options="header"] +|=== + +|Affected Topic |Description of Change +//Mon May 30 2016 +|link:../architecture/additional_concepts/authentication.html[Additional Concepts -> Authentication] +|Removed the Impersonation section, which does not apply to {product-title} 3.1. + +|=== + +// end::architecture_wed_jun_15_2016[] + == Fri Jun 10 2016 // tag::architecture_fri_jun_10_2016[] @@ -37,9 +52,7 @@ |Affected Topic |Description of Change //Mon May 30 2016 |link:../architecture/additional_concepts/authentication.html[Additional Concepts -> Authentication] -|Added the link:../architecture/additional_concepts/authentication.html#authentication-impersonation[Impersonation] section. - - +|Added the Impersonation section. |=== diff --git a/welcome/revhistory_full.adoc b/welcome/revhistory_full.adoc index a955d27205a5..e9920351152e 100644 --- a/welcome/revhistory_full.adoc +++ b/welcome/revhistory_full.adoc @@ -10,6 +10,10 @@ date. // do-release: revhist-tables +== Wed Jun 15 2016 +.Architecture +include::architecture/revhistory_architecture.adoc[tag=architecture_wed_jun_15_2016] + == Mon Jun 13 2016 .Installation and Configuration include::install_config/revhistory_install_config.adoc[tag=install_config_mon_jun_13_2016]
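Review bot: in the new `== Wed Jun 15 2016` table the `//Mon May 30 2016` comment is copied from the earlier entry and no longer matches the section it sits in; drop it or change it to the date of the removal so the comment does not mislead the next editor. The `// tag::architecture_wed_jun_15_2016[]` / `// end::` pair is otherwise consistent with the existing entries.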
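Review bot: replacing the `link:...#authentication-impersonation[Impersonation]` cross-reference with plain text in the Fri Jun 10 2016 entry is the right fix, since that anchor no longer exists after the authentication.adoc change and the rendered history page would otherwise point at a missing target; removing the two stray blank lines before `|===` is also fine. The Wed Jun 15 2016 entry records the subsequent removal, so the history reads correctly as "added, then removed".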
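Review bot: the include tag `architecture_wed_jun_15_2016` in welcome/revhistory_full.adoc matches the tag pair added in architecture/revhistory_architecture.adoc, and placing the entry above `== Mon Jun 13 2016` keeps the reverse-chronological order the file already uses, so no change is needed in this hunk.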