Get the actual k8s username for automatic role creation and CLI display #9
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previously, CurrentUser[Name]() implementation was split in the config area for standard CF and CF-on-k8s. It would have been great to update the k8s version to call /whoami, but the cloud controller logic doesn't seem to belong in the config area. So instead, GetCurrentUser() has been added to the actor interface, and also to the AuthActor interface. This has a standard CF and a k8s CF implementation. The standard implementation just defers to the config method, whereas the k8s implementation invokes the new /whoami endpoint on the cloud controller. This commit also introduces handling that endpoint. Issue: cloudfoundry/korifi#147
Co-authored-by: Kieron Browne <[email protected]>
jdgonzaleza
approved these changes
Nov 16, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Does this PR modify CLI v6, CLI v7, or CLI v8?
v7
Description of the Change
Up to this point, the current user when using cf-on-k8s has returned the name of the user entry selected on login from the kube config file. This is not the actual logged-on user name.
cf create-space, for example, needs the correct user name in order to send create role requests to the API. Also, most commands print the current user. This change enables correct role creation, and fixes the command output at the same time.In order to determine the k8s user name, we need to ask k8s, since we might for example be sending an opaque token. Therefore we have introduced a
/whoamiendpoint in the API, and we invoke that, passing the authentication client cert or token, and receive a response with the username andkind- i.e. User or ServiceAccount.Since this logic involves the API, we have introduced
GetCurrentUser()into the Actor interface. This is implemented by the defaultAuthActor for standard CF, and by the kubernetesAuthActor for cf-on-k8s. The default actor defers to the config method, whereas the k8s actor invokes /whoami.In order to fix the username presented in the command output, we have modified calls to cmd.Config.CurrentUser() to cmd.Actor.GetCurrentUser() through the command/v7 package, which was a trivial but large change to many files and tests.
cc @mnitchev, @cloudfoundry/eirini
Why Is This PR Valuable?
Why Should This Be In Core?
Applicable Issues
How Urgent Is The Change?
Other Relevant Parties