diff --git a/architecture/additional_concepts/authentication.adoc b/architecture/additional_concepts/authentication.adoc index 0674c769db2b..05f35473ed09 100644 --- a/architecture/additional_concepts/authentication.adoc +++ b/architecture/additional_concepts/authentication.adoc @@ -88,30 +88,6 @@ the `system:anonymous` virtual user and the `system:unauthenticated` virtual group to the request. This allows the authorization layer to determine which requests, if any, an anonymous user is allowed to make. -[[authentication-impersonation]] -=== Impersonation -A request to the {product-title} API may include an *Impersonate-User* header, -which indicates that the requester wants to have the request handled as though -it came from the specified user. This can be done on the command line by passing -the `*--as=username*` flag. - -Before User A is allowed to impersonate User B, User A is first authenticated. -Then, an authorization check occurs to ensure that User A is allowed to -impersonate the user named User B. If User A is requesting to impersonate a -service account (*system:serviceaccount:namespace:name*), {product-title} checks -to ensure that User A can impersonate the *serviceaccount* named *name* in -*namespace*. If the check fails, the request fails with a 403 (Forbidden) error -code. - -By default, project administrators and editors are allowed to impersonate -service accounts in their namespace. The *sudoers* role allows a user to -impersonate *system:admin*, which in turn has cluster administrator permissions. -This grants some protection against typos (but not security) for someone -administering the cluster. For example, `oc delete nodes --all` would be -forbidden, but `oc delete nodes --all --as=system:admin` would be allowed. You -can add a user to that group using `oadm policy add-cluster-role-to-user sudoer -`. - [[oauth]] == OAuth 
diff --git a/architecture/revhistory_architecture.adoc b/architecture/revhistory_architecture.adoc index 154e622aa676..2ac3e17f5be7 100644 --- a/architecture/revhistory_architecture.adoc +++ b/architecture/revhistory_architecture.adoc @@ -6,6 +6,21 @@ :experimental: // do-release: revhist-tables +== Wed Jun 15 2016 + +// tag::architecture_wed_jun_15_2016[] +[cols="1,3",options="header"] +|=== + +|Affected Topic |Description of Change +//Wed Jun 15 2016 +|link:../architecture/additional_concepts/authentication.html[Additional Concepts -> Authentication] +|Removed the Impersonation section, which does not apply to {product-title} 3.2. + +|=== + +// end::architecture_wed_jun_15_2016[] + == Fri Jun 10 2016 // tag::architecture_fri_jun_10_2016[] @@ -37,7 +52,7 @@ |Affected Topic |Description of Change //Mon May 30 2016 |link:../architecture/additional_concepts/authentication.html[Additional Concepts -> Authentication] -|Added the link:../architecture/additional_concepts/authentication.html#authentication-impersonation[Impersonation] section. +|Added the Impersonation section. |link:../architecture/core_concepts/routes.html[Core Concepts -> Routes] |Added the link:../architecture/core_concepts/routes.html#router-sharding[Router Sharding] section. diff --git a/welcome/revhistory_full.adoc b/welcome/revhistory_full.adoc index 1f4e1f7cb2da..7c3434213fd5 100644 --- a/welcome/revhistory_full.adoc +++ b/welcome/revhistory_full.adoc @@ -9,6 +9,10 @@ The following sections aggregate the revision histories of each guide by publish date. // do-release: revhist-tables +== Wed Jun 15 2016 +.Architecture +include::architecture/revhistory_architecture.adoc[tag=architecture_wed_jun_15_2016] + == Tue Jun 14 2016 .Installation and Configuration include::install_config/revhistory_install_config.adoc[tag=install_config_tue_jun_14_2016]
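Review bot: In architecture/additional_concepts/authentication.adoc (hunk @@ -88,30 +88,6 @@), the `[[authentication-impersonation]]` anchor is deleted together with the section, so any cross-reference to `authentication.html#authentication-impersonation` that this patch does not touch will no longer resolve. The patch fixes the one link in revhistory_architecture.adoc; before merging, search the repository for `authentication-impersonation`, and for other topics that mention the *Impersonate-User* header, the `--as` flag or the *sudoers* role, so that nothing else keeps describing a flow that the new revision-history entry says does not apply to {product-title} 3.2. If this file is also built for releases where impersonation does apply, a conditional block around the section would be safer than deleting it outright.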
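Review bot: In architecture/revhistory_architecture.adoc (hunk @@ -37,7 +52,7 @@, the Mon May 30 2016 row), removing the link avoids a dead anchor but leaves the row reading "Added the Impersonation section." with no hint that the section has since been removed. Consider extending the description with a pointer to the Wed Jun 15 2016 entry, for example "(removed again on Wed Jun 15 2016)", so a reader scanning the history does not go looking for a section that is no longer on the Authentication page.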