From dd572dd6240430f79b7db502c9092b6fc21d1c1f Mon Sep 17 00:00:00 2001
From: Hasan Turken
Date: Wed, 21 Aug 2024 13:27:31 +0300
Subject: [PATCH] Add original user/group as extra in impersonate for virtual workspace

Signed-off-by: Hasan Turken
---
 pkg/virtual/apiexport/builder/build.go | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/pkg/virtual/apiexport/builder/build.go b/pkg/virtual/apiexport/builder/build.go
index d5a74de82ac..e1a7115302b 100644
--- a/pkg/virtual/apiexport/builder/build.go
+++ b/pkg/virtual/apiexport/builder/build.go
@@ -52,7 +52,16 @@ import (
 kcpinformers "github.com/kcp-dev/kcp/sdk/client/informers/externalversions"
 )
-const VirtualWorkspaceName string = "apiexport"
+const (
+ // VirtualWorkspaceName is the name of the virtual workspace.
+ VirtualWorkspaceName string = "apiexport"
+ // OriginalUserAnnotationKey is the key used in a user's "extra" to
+ // specify the original user of the authenticating request.
+ OriginalUserAnnotationKey = "authorization.kcp.io/original-username"
+ // OriginalGroupsAnnotationKey is the key used in a user's "extra" to
+ // specify the original groups of the authenticating request.
+ OriginalGroupsAnnotationKey = "authorization.kcp.io/original-groups"
+)
 func BuildVirtualWorkspace(
 rootPathPrefix string,
@@ -113,6 +122,15 @@ func BuildVirtualWorkspace(
 serviceaccount.ClusterNameKey: {cluster.Name.Path().String()},
 },
 }
+
+ if user, ok := genericapirequest.UserFrom(ctx); ok {
+ // We pass the original user and groups as extra fields to
+ // the impersonation config so that the receiver can make
+ // decisions based on the original user/groups.
+ impersonationConfig.Impersonate.Extra[OriginalUserAnnotationKey] = []string{user.GetName()}
+ impersonationConfig.Impersonate.Extra[OriginalGroupsAnnotationKey] = user.GetGroups()
+ }
+
 impersonatedClient, err := kcpdynamic.NewForConfig(impersonationConfig)
 if err != nil {
 return nil, fmt.Errorf("error generating dynamic client: %w", err)
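Review bot: The two extras written into `impersonationConfig.Impersonate.Extra` are only as trustworthy as the identity that impersonates with them, and neither this hunk nor the constant doc comments in the first hunk say so; user extras can also be supplied through the standard impersonation headers by any principal authorized to impersonate them, so a receiver that makes decisions on `OriginalUserAnnotationKey`/`OriginalGroupsAnnotationKey` must only honour them when they arrive from this virtual workspace's own impersonating identity. Add that to the constants, e.g. `// Set by the apiexport virtual workspace when it impersonates; consumers must trust these extras only from that identity.` Separately, when `genericapirequest.UserFrom(ctx)` reports no user the request proceeds with no original identity at all, which a consumer cannot distinguish from a call that never carried one; if the receiver's decisions are authorization decisions this should probably fail closed, `return nil, fmt.Errorf("no user in request context")`, rather than fall through. Note that `user.GetGroups()` is stored by reference, so the config aliases the caller's slice; `slices.Clone(user.GetGroups())` would detach it if that ever matters. BuildVirtualWorkspace starts and ends outside this hunk.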