Access rule update silently fails #44

Open
Atharex opened this issue Jan 12, 2021 · 2 comments
Labels
bug Something is not working.


Atharex commented Jan 12, 2021

Oathkeeper maester should be more careful when it comes to applying incorrect access rules.

I mistakenly used the NOOP handler under authorizers, and the access rule got successfully applied to k8s, yet it did not work. After searching for errors, I found an INFO line in the maester log, which made it seem everything was alright and the access rule was applied with the erroneous part ignored.

```
>>> kubectl logs oathkeeper-maester-6cfcff4b-62qmq -f
2021-01-11T17:58:17.557Z        INFO    setup   running in controller mode
2021-01-11T17:58:19.025Z        INFO    controller-runtime.metrics      metrics server is starting to listen    {"addr": "0.0.0.0:8080"}
2021-01-11T17:58:19.026Z        INFO    setup   using default values for authenticatorsAvailable
2021-01-11T17:58:19.026Z        INFO    setup   using default values for authorizersAvailable
2021-01-11T17:58:19.026Z        INFO    setup   using default values for mutatorsAvailable
2021-01-11T17:58:19.026Z        INFO    setup   starting manager
2021-01-11T17:58:19.027Z        INFO    controller-runtime.manager      starting metrics server {"path": "/metrics"}
2021-01-11T17:58:19.027Z        INFO    controller-runtime.controller   Starting EventSource    {"controller": "rule", "source": "kind source: /, Kind="}
2021-01-11T17:58:19.144Z        INFO    controller-runtime.controller   Starting Controller     {"controller": "rule"}
2021-01-11T17:58:19.144Z        INFO    controller-runtime.controller   Starting workers        {"controller": "rule", "worker count": 1}
2021-01-11T17:58:19.147Z        INFO    controllers.Rule        validation error in Rule ory-auth/ory-auth: "invalid handlers: [authorizer/noop], please check the configuration"
2021-01-11T17:58:19.260Z        INFO    controllers.Rule        updating ConfigMap
2021-01-11T17:58:19.264Z        DEBUG   controller-runtime.controller   Successfully Reconciled {"controller": "rule", "name": "ory-auth", "namespace": "ory-auth"}
```

However, the config map for the access rules was empty. After I changed the NOOP handler to ALLOW, the maester service returned exactly the same lines of logs, but this time correctly filled out the config map:

```
2021-01-11T19:38:57.817Z        INFO    controllers.Rule        updating ConfigMap
2021-01-11T19:38:57.827Z        DEBUG   controller-runtime.controller   Successfully Reconciled {"controller": "rule", "name": "ory-auth", "namespace": "ory-auth"}
```

Maester logging should be fixed to throw an ERROR in such cases, to show that an incorrect access rule CR is trying to be applied (and it fails).
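
Until the log level changes, the condition reported here can be detected from the log itself. The following is an added example, not part of the issue or of the oathkeeper-maester code base: it scans maester output for a rule whose validation error was logged below ERROR and was then reported as "Successfully Reconciled". The function and type names are hypothetical, and the sample lines are taken from the log quoted above with whitespace normalized.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Lines taken from the maester log quoted in the issue (whitespace normalized): broken rule, then fixed rule.
const sampleLog = `2021-01-11T17:58:19.147Z  INFO  controllers.Rule  validation error in Rule ory-auth/ory-auth: "invalid handlers: [authorizer/noop], please check the configuration"
2021-01-11T17:58:19.264Z  DEBUG  controller-runtime.controller  Successfully Reconciled {"controller": "rule", "name": "ory-auth", "namespace": "ory-auth"}
2021-01-11T19:38:57.817Z  INFO  controllers.Rule  updating ConfigMap
2021-01-11T19:38:57.827Z  DEBUG  controller-runtime.controller  Successfully Reconciled {"controller": "rule", "name": "ory-auth", "namespace": "ory-auth"}`

var validationRe = regexp.MustCompile(`^\S+\s+(\S+)\s+controllers\.Rule\s+validation error in Rule (\S+/\S+): (.*)$`)
var reconciledRe = regexp.MustCompile(`Successfully Reconciled\s+(\{.*\})$`)

// Finding is a rule that failed validation yet was reported as reconciled.
type Finding struct{ Rule, Level, Reason string }

// SilentRejections (hypothetical helper) returns rules whose validation error
// was logged below ERROR and then followed by "Successfully Reconciled".
func SilentRejections(log string) []Finding {
	pending := map[string]Finding{} // keyed by namespace/name
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		line = strings.TrimSpace(line)
		if m := validationRe.FindStringSubmatch(line); m != nil {
			if m[1] != "ERROR" { // an ERROR-level line is already visible to alerting
				pending[m[2]] = Finding{Rule: m[2], Level: m[1], Reason: m[3]}
			}
		} else if m := reconciledRe.FindStringSubmatch(line); m != nil {
			var obj struct{ Name, Namespace string }
			_ = json.Unmarshal([]byte(m[1]), &obj) // malformed JSON leaves obj empty and matches nothing
			if f, ok := pending[obj.Namespace+"/"+obj.Name]; ok {
				out = append(out, f)
				delete(pending, f.Rule) // a later clean reconcile is not reported again
			}
		}
	}
	return out
}

func main() {
	for _, f := range SilentRejections(sampleLog) {
		fmt.Printf("rule %s failed validation at %s but reconciled: %s\n", f.Rule, f.Level, f.Reason)
	}
}
```

On the sample it reports `ory-auth/ory-auth` once, for the NOOP attempt, and stays silent for the later reconcile of the corrected rule.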

Member

aeneasr commented Jan 15, 2021

Yes, that can definitely be improved. Open for contributions!

aeneasr added the bug label Jan 15, 2021