New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
authn: fix cache mutation by AuthenticatedGroupAdder #109969
authn: fix cache mutation by AuthenticatedGroupAdder #109969
Conversation
a0acfb9
to
3439250
Compare
99361b0
to
7ec0112
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One comment.
staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder_test.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/authentication/group/group_adder_test.go
Outdated
Show resolved
Hide resolved
staging/src/k8s.io/apiserver/pkg/authentication/group/group_adder_test.go
Outdated
Show resolved
Hide resolved
The cached token authenticator returns a cache value. The group adder changes it.
7ec0112
to
e09e81e
Compare
/kind bug |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: enj, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest |
The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass. This bot retests PRs for certain kubernetes repos according to the following rules:
You can:
/retest |
Confirmed that the test changes catch the mutation: # after fetching latest master
git checkout v1.24.0 staging/src/k8s.io/apiserver/pkg/authentication/group/authenticated_group_adder.go
git checkout v1.24.0 staging/src/k8s.io/apiserver/pkg/authentication/group/group_adder.go
git checkout v1.24.0 staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder.go
git reset
git diff
go test -race k8s.io/apiserver/pkg/authentication/group diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/group/authenticated_group_adder.go b/staging/src/k8s.io/apiserver/pkg/authentication/group/authenticated_group_adder.go
index 2f2cc6ec5a1..5ac6b2ddf9d 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/group/authenticated_group_adder.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/group/authenticated_group_adder.go
@@ -51,16 +51,11 @@ func (g *AuthenticatedGroupAdder) AuthenticateRequest(req *http.Request) (*authe
}
}
- newGroups := make([]string, 0, len(r.User.GetGroups())+1)
- newGroups = append(newGroups, r.User.GetGroups()...)
- newGroups = append(newGroups, user.AllAuthenticated)
-
- ret := *r // shallow copy
- ret.User = &user.DefaultInfo{
+ r.User = &user.DefaultInfo{
Name: r.User.GetName(),
UID: r.User.GetUID(),
- Groups: newGroups,
+ Groups: append(r.User.GetGroups(), user.AllAuthenticated),
Extra: r.User.GetExtra(),
}
- return &ret, true, nil
+ return r, true, nil
}
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/group/group_adder.go b/staging/src/k8s.io/apiserver/pkg/authentication/group/group_adder.go
index 1234c595aa3..3079dad6254 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/group/group_adder.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/group/group_adder.go
@@ -41,17 +41,11 @@ func (g *GroupAdder) AuthenticateRequest(req *http.Request) (*authenticator.Resp
if err != nil || !ok {
return nil, ok, err
}
-
- newGroups := make([]string, 0, len(r.User.GetGroups())+len(g.Groups))
- newGroups = append(newGroups, r.User.GetGroups()...)
- newGroups = append(newGroups, g.Groups...)
-
- ret := *r // shallow copy
- ret.User = &user.DefaultInfo{
+ r.User = &user.DefaultInfo{
Name: r.User.GetName(),
UID: r.User.GetUID(),
- Groups: newGroups,
+ Groups: append(r.User.GetGroups(), g.Groups...),
Extra: r.User.GetExtra(),
}
- return &ret, true, nil
+ return r, true, nil
}
diff --git a/staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder.go b/staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder.go
index 51e27a67d96..0ed5ee55965 100644
--- a/staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder.go
+++ b/staging/src/k8s.io/apiserver/pkg/authentication/group/token_group_adder.go
@@ -41,17 +41,11 @@ func (g *TokenGroupAdder) AuthenticateToken(ctx context.Context, token string) (
if err != nil || !ok {
return nil, ok, err
}
-
- newGroups := make([]string, 0, len(r.User.GetGroups())+len(g.Groups))
- newGroups = append(newGroups, r.User.GetGroups()...)
- newGroups = append(newGroups, g.Groups...)
-
- ret := *r // shallow copy
- ret.User = &user.DefaultInfo{
+ r.User = &user.DefaultInfo{
Name: r.User.GetName(),
UID: r.User.GetUID(),
- Groups: newGroups,
+ Groups: append(r.User.GetGroups(), g.Groups...),
Extra: r.User.GetExtra(),
}
- return &ret, true, nil
+ return r, true, nil
}
|
…upstream-release-1.22 Automated cherry pick of #109969: authn: fix cache mutation by AuthenticatedGroupAdder
…upstream-release-1.24 Automated cherry pick of #109969: authn: fix cache mutation by AuthenticatedGroupAdder
…upstream-release-1.21 Automated cherry pick of #109969: authn: fix cache mutation by AuthenticatedGroupAdder
…upstream-release-1.23 Automated cherry pick of #109969: authn: fix cache mutation by AuthenticatedGroupAdder
The cached token authenticator returns a cache value. The group adder changes it.