bug: admin permissions and resourceNames=* don't take effect for apibinding admission #1939

@ncdc

Describe the bug

When creating an APIBinding, the APIBinding admission logic performs a SAR with the following attributes:

    bindAttr := authorizer.AttributesRecord{
        User:            user,
        Verb:            "bind",
        APIGroup:        apisv1alpha1.SchemeGroupVersion.Group,
        APIVersion:      apisv1alpha1.SchemeGroupVersion.Version,
        Resource:        "apiexports",
        Name:            apiExportName,
        ResourceRequest: true,
    }

If the user has admin permissions and/or a ClusterRole that grants bind to resourceNames: ["*"], their attempt to create the APIBinding is rejected with:

    apibindings.apis.kcp.dev "test" is forbidden: unable to create APIImport: missing verb='bind' permission on apiexports

Steps To Reproduce

See description

Expected Behaviour

Admin permissions and resourceNames=* would apply when checking binding permissions.

Additional Context

No response
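
For reference when triaging a report like this one, the following added example (not part of the issue and not kcp's admission code) re-implements, in simplified form, how upstream Kubernetes RBAC matches a single rule against the attributes in the SAR above. It models nothing kcp-specific; the type names, `RuleAllows`, and the export name `my-export` are assumptions made for the sketch.

```go
package main

import "fmt"

// PolicyRule mirrors the fields of an rbac/v1 PolicyRule that matter here.
type PolicyRule struct {
	Verbs, APIGroups, Resources, ResourceNames []string
}

// Attrs holds the SAR fields from the issue that RBAC rule matching looks at.
type Attrs struct {
	Verb, APIGroup, Resource, Name string
}

// has reports whether list contains want, or "*" when a wildcard is honoured.
func has(list []string, want string, wildcard bool) bool {
	for _, v := range list {
		if v == want || (wildcard && v == "*") {
			return true
		}
	}
	return false
}

// RuleAllows follows upstream RBAC semantics: "*" is a wildcard for verbs,
// apiGroups and resources, but resourceNames entries are compared literally.
// An empty resourceNames list is what matches every object name.
func RuleAllows(r PolicyRule, a Attrs) bool {
	return has(r.Verbs, a.Verb, true) &&
		has(r.APIGroups, a.APIGroup, true) &&
		has(r.Resources, a.Resource, true) &&
		(len(r.ResourceNames) == 0 || has(r.ResourceNames, a.Name, false))
}

func main() {
	// Constructed request; "my-export" is a placeholder APIExport name.
	req := Attrs{"bind", "apis.kcp.dev", "apiexports", "my-export"}
	bind, grp, res := []string{"bind"}, []string{"apis.kcp.dev"}, []string{"apiexports"}
	rules := []struct {
		label string
		rule  PolicyRule
	}{
		{`resourceNames: ["*"]`, PolicyRule{bind, grp, res, []string{"*"}}},
		{"resourceNames omitted", PolicyRule{bind, grp, res, nil}},
		{"named export", PolicyRule{bind, grp, res, []string{"my-export"}}},
		{"all wildcards, no names", PolicyRule{[]string{"*"}, []string{"*"}, []string{"*"}, nil}},
	}
	for _, c := range rules {
		fmt.Printf("%-26s allowed=%v\n", c.label, RuleAllows(c.rule, req))
	}
}
```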
