system:masters tokens are not restricted by scopes

[simo5]

While trying to build an integration test for webhooks I came up to the fact that a user that uses a token with system:masters in the groups and scopes has scopes completely ignored and full access a system:masters.

This is in master

[simo5]

@deads2k @liggitt @enj comments ?

[liggitt]

Not surprising, but not really concerning. No OAuth-authenticated users can have that group (it's not a valid Group API object name)

[enj]

@deads2k made scopes authz come before system:masters, so it should deny.

[simo5]

@liggitt I was passing in that group from an external authorizer with no issue, so that statement is not fully true

[simo5]

@liggitt Note that passing system:masters as group is not a problem, but I remember discussing the authorization pipeline with @deads2k on a recent refactor and the scope authorizer was explicitly put before the system:masters check in order to allow using scopes in that case too

[deads2k]

@liggitt Note that passing system:masters as group is not a problem, but I remember discussing the authorization pipeline with @deads2k on a recent refactor and the scope authorizer was explicitly put before the system:masters check in order to allow using scopes in that case too

Yeah, I'm surprised it didn't work. It didn't work before, so we haven't regressed and can fix it later, but I did swizzle the order to try to deny early:

https://github.com/openshift/origin/blob/master/pkg/cmd/server/origin/authorizer.go#L37-L46

[simo5]

@deads2k that code is exactly what I was reminding, so we need to figure out at some point why it is not working.
I am not concerned this is a regression or anything or I would have made it a P0 and a Security issue :-)

[enj]

See #18966 (comment) for an update on this.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[simo5]

This was by design and the "bug" was fixed in a different way

[enj]

The underlying issue of not being able to scope system:masters still remains right? Or is there some changes in the upstream loopback token?

/remove-lifecycle stale
/lifecycle frozen

[simo5]

My understanding is that system:master is and will remain unscoped, but I'll defer to anyone that wants to do otherwise I guess.

[enj]

I believe #21530 makes this impossible.

We should update

origin/pkg/cmd/openshift-kube-apiserver/openshiftkubeapiserver/patch_authorizer.go

Lines 41 to 50 in 364a599

	openshiftAuthorizer := authorizerunion.New(
	// Wrap with an authorizer that detects unsafe requests and modifies verbs/resources appropriately so policy can address them separately.
	// Scopes are first because they will authoritatively deny and can logically be attached to anyone.
	browsersafe.NewBrowserSafeAuthorizer(scopeLimitedAuthorizer, user.AllAuthenticated),
	// authorizes system:masters to do anything, just like upstream
	authorizerfactory.NewPrivilegedGroups(user.SystemPrivilegedGroup),
	nodeAuthorizer,
	// Wrap with an authorizer that detects unsafe requests and modifies verbs/resources appropriately so policy can address them separately
	browsersafe.NewBrowserSafeAuthorizer(kubeAuthorizer, user.AllAuthenticated),
	)

to not give the false impression that system:masters honors any deny authorizer.