From e9b2a664a0b3c9ed2e0492e055daf52306b6f48d Mon Sep 17 00:00:00 2001 From: Alex Dellapenta Date: Wed, 15 Jun 2016 11:05:44 -0400 Subject: [PATCH 1/3] Revert "Follow-up to Explain Impersonation (PR#2020)" This reverts commit e0f30048f06d69444e0f7840d66e0d48b4e9ab69. --- .../additional_concepts/authentication.adoc | 37 ++++++++----------- 1 file changed, 15 insertions(+), 22 deletions(-) diff --git a/architecture/additional_concepts/authentication.adoc b/architecture/additional_concepts/authentication.adoc index ca2327b5e7d7..26b303634a91 100644 --- a/architecture/additional_concepts/authentication.adoc +++ b/architecture/additional_concepts/authentication.adoc 
@@ -87,29 +87,22 @@ the `system:anonymous` virtual user and the `system:unauthenticated` virtual group to the request. This allows the authorization layer to determine which requests, if any, an anonymous user is allowed to make. -[[authentication-impersonation]] === Impersonation -A request to the {product-title} API may include an *Impersonate-User* header, -which indicates that the requester wants to have the request handled as though -it came from the specified user. This can be done on the command line by passing -the `*--as=username*` flag. - -Before User A is allowed to impersonate User B, User A is first authenticated. -Then, an authorization check occurs to ensure that User A is allowed to -impersonate the user named User B. If User A is requesting to impersonate a -service account (*system:serviceaccount:namespace:name*), {product-title} checks -to ensure that User A can impersonate the *serviceaccount* named *name* in -*namespace*. If the check fails, the request fails with a 403 (Forbidden) error -code. - -By default, project administrators and editors are allowed to impersonate -service accounts in their namespace. The *sudoers* role allows a user to -impersonate *system:admin*, which in turn has cluster administrator permissions. -This grants some protection against typos (but not security) for someone -administering the cluster. For example, `oc delete nodes --all` would be -forbidden, but `oc delete nodes --all --as=system:admin` would be allowed. You -can add a user to that group using `oadm policy add-cluster-role-to-user sudoer -`. +A request the OpenShift API may include an `"Impersonate-User"` header, which indicates that requester wants +to have request handled as though it came from the specified user. This can be done on the command line +by passing the `--as=username` flag. 
+ +Before UserA is allowed to impersonate UserB, UserA is first authenticated and then an authorization +check is made to be sure UserA is allowed to "impersonate" the "user" named "UserB". If UserA is requesting to +impersonate a service account (`system:serviceaccount:namespace:name`), we check to make sure that UserA can +"impersonate" the "serviceaccount" named "name" in "namespace". If he is disallowed, a 403 will be returned. + +By default, project admins and editors are allowed impersonate service accounts in their namespace. There is +also a new group called `sudoers`. That role allows a user to impersonate `system:admin`, which in turn has +cluster-admin permissions. This grants some protection against typos (but *not* security) for someone administering +the cluster. For example, `oc delete nodes --all` would be forbidden, but `oc delete nodes --all --as=system:admin` +would be allowed. You still have the power, but you have to mean it. You can add a user to that group using +`oadm policy add-cluster-role-to-user sudoer `. [[oauth]] From 476928bb8d51a8a20db94dda2f88f09ff965718d Mon Sep 17 00:00:00 2001 From: Alex Dellapenta Date: Wed, 15 Jun 2016 11:06:19 -0400 Subject: [PATCH 2/3] Revert "explain impersonation" This reverts commit 6997fd49e9f16ef1e98fa3dbde2e7a1740f66fb3. --- .../additional_concepts/authentication.adoc | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/architecture/additional_concepts/authentication.adoc b/architecture/additional_concepts/authentication.adoc index 26b303634a91..63f7472be47b 100644 --- a/architecture/additional_concepts/authentication.adoc +++ b/architecture/additional_concepts/authentication.adoc 
@@ -87,23 +87,6 @@ the `system:anonymous` virtual user and the `system:unauthenticated` virtual group to the request. This allows the authorization layer to determine which requests, if any, an anonymous user is allowed to make. -=== Impersonation -A request the OpenShift API may include an `"Impersonate-User"` header, which indicates that requester wants -to have request handled as though it came from the specified user. This can be done on the command line -by passing the `--as=username` flag. - -Before UserA is allowed to impersonate UserB, UserA is first authenticated and then an authorization -check is made to be sure UserA is allowed to "impersonate" the "user" named "UserB". If UserA is requesting to -impersonate a service account (`system:serviceaccount:namespace:name`), we check to make sure that UserA can -"impersonate" the "serviceaccount" named "name" in "namespace". If he is disallowed, a 403 will be returned. - -By default, project admins and editors are allowed impersonate service accounts in their namespace. There is -also a new group called `sudoers`. That role allows a user to impersonate `system:admin`, which in turn has -cluster-admin permissions. This grants some protection against typos (but *not* security) for someone administering -the cluster. For example, `oc delete nodes --all` would be forbidden, but `oc delete nodes --all --as=system:admin` -would be allowed. You still have the power, but you have to mean it. You can add a user to that group using -`oadm policy add-cluster-role-to-user sudoer `. - [[oauth]] == OAuth From 02122947af13b593d0fbba5d4ca4af8eaf99481d Mon Sep 17 00:00:00 2001 From: Alex Dellapenta Date: Wed, 15 Jun 2016 14:01:05 -0400 Subject: [PATCH 3/3] Revhistory for OSE 3.1 impersonation revert. --- architecture/revhistory_architecture.adoc | 19 ++++++++++++++++--- welcome/revhistory_full.adoc | 4 ++++ 2 files changed, 20 insertions(+), 3 deletions(-) 
diff --git a/architecture/revhistory_architecture.adoc b/architecture/revhistory_architecture.adoc index b124c8068b15..fba637af8fff 100644 --- a/architecture/revhistory_architecture.adoc +++ b/architecture/revhistory_architecture.adoc @@ -6,6 +6,21 @@ :experimental: // do-release: revhist-tables +== Wed Jun 15 2016 + +// tag::architecture_wed_jun_15_2016[] +[cols="1,3",options="header"] +|=== + +|Affected Topic |Description of Change +//Mon May 30 2016 +|link:../architecture/additional_concepts/authentication.html[Additional Concepts -> Authentication] +|Removed the Impersonation section, which does not apply to {product-title} 3.1. + +|=== + +// end::architecture_wed_jun_15_2016[] + == Fri Jun 10 2016 // tag::architecture_fri_jun_10_2016[] @@ -37,9 +52,7 @@ |Affected Topic |Description of Change //Mon May 30 2016 |link:../architecture/additional_concepts/authentication.html[Additional Concepts -> Authentication] -|Added the link:../architecture/additional_concepts/authentication.html#authentication-impersonation[Impersonation] section. - - +|Added the Impersonation section. |=== diff --git a/welcome/revhistory_full.adoc b/welcome/revhistory_full.adoc index a955d27205a5..e9920351152e 100644 --- a/welcome/revhistory_full.adoc +++ b/welcome/revhistory_full.adoc @@ -10,6 +10,10 @@ date. // do-release: revhist-tables +== Wed Jun 15 2016 +.Architecture +include::architecture/revhistory_architecture.adoc[tag=architecture_wed_jun_15_2016] + == Mon Jun 13 2016 .Installation and Configuration include::install_config/revhistory_install_config.adoc[tag=install_config_mon_jun_13_2016]
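Review bot: in PATCH 1/3, reverting the follow-up reintroduces the wording regressions that follow-up had fixed and drops the `[[authentication-impersonation]]` anchor that the Fri Jun 10 revhistory row still links to, so after this commit alone that cross-reference is dangling. The restored lines bring back "A request the OpenShift API may include" (missing "to"), "are allowed impersonate" (missing "to"), a hardcoded "OpenShift" where the file otherwise uses `{product-title}`, and `oadm policy add-cluster-role-to-user sudoer ` with a trailing space and no username placeholder. Since PATCH 2/3 deletes the whole section anyway, squash the two reverts into one commit so the intermediate tree never carries the broken text or the dangling anchor.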
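Review bot: the PATCH 2/3 commit message says only Revert "explain impersonation"; the actual reason, that impersonation does not apply to {product-title} 3.1, appears nowhere in this commit and only surfaces in the PATCH 3/3 revhistory text. Put that rationale in the commit message so `git log` on authentication.adoc explains why the section was removed, and say whether the section is expected to return for a later release or is gone from this branch for good.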
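Review bot: in the PATCH 3/3 hunk for revhistory_architecture.adoc, the new `== Wed Jun 15 2016` table carries a `//Mon May 30 2016` comment above its authentication row; that marker was copied from the older entry and should read `//Wed Jun 15 2016` (or be dropped) so the per-row date comments stay accurate. Removing the `#authentication-impersonation` link from the Jun 10 row is correct now that the anchor is gone, but "Added the Impersonation section." then points readers at a section that no longer exists; a short parenthetical such as "(removed Wed Jun 15 2016)" would save a confused search.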