Skip to content

update AzureIstioSecurityFilter to exclude roles when setting authentication

Mina Otgonbold requested to merge update-AzureIstioSecurityFilter into master

Type of change

  • Bug Fix
  • Feature

Does this introduce a change in the core logic?

  • [NO]

Does this introduce a change in the cloud provider implementation, if so which cloud?

  • AWS
  • Azure
  • GCP
  • IBM

Does this introduce a breaking change?

  • [NO]

What is the current behavior?

AzureIstioSecurityFilter sets roles when setting authentication. Passing roles are redundant as the Partition service does not perform role checks on the SA token. If a user accidentally assigns the roles then AzureIstioSecurityFilter throws the following error. The issue itself is caused due to spring-boot upgrade as mentioned in this post:

final JSONArray roles = Optional.ofNullable((JSONArray) claimsSet.getClaims().get("roles"))
                        .filter(r -> !r.isEmpty())
                        .orElse(DEFAULT_ROLE_CLAIM);
java.lang.ClassCastException
com.nimbusds.jose.shaded.json.JSONArray cannot be cast to net.minidev.json.JSONArray

What is the new/expected behavior?

AzureIstioSecurityFilter doesn't set roles when setting authentication. This will not impact as the partition service does not perform role checks on the SA token. Partition service only authorizes token of a type service principal and issuer with v1 or v2 aad url.

Edited by Mina Otgonbold

Merge request reports

Loading