fix(kubernetes): Namespace access permission changes role bindings not created [R8S-366] (#826)

2025-08-05 05:45:22 +02:00 · 2025-07-11 14:55:48 +12:00 · 2025-07-11 14:55:48 +12:00 · b7e906701a
commit b7e906701a
parent 150d986179
10 changed files with 95 additions and 17 deletions
--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@ -2,6 +2,7 @@ package auth

 import (
 	"net/http"
+	"strconv"
 	"strings"

 	portainer "github.com/portainer/portainer/api"
@ -82,6 +83,11 @@ func (handler *Handler) authenticate(rw http.ResponseWriter, r *http.Request) *h
 		}
 	}

+	// Clear any existing user caches
+	if user != nil {
+		handler.KubernetesClientFactory.ClearUserClientCache(strconv.Itoa(int(user.ID)))
+	}
+
 	if user != nil && isUserInitialAdmin(user) || settings.AuthenticationMethod == portainer.AuthenticationInternal {
 		return handler.authenticateInternal(rw, user, payload.Password)
 	}
--- a/api/http/handler/auth/handler.go
+++ b/api/http/handler/auth/handler.go
@ -8,6 +8,7 @@ import (
 	"github.com/portainer/portainer/api/http/proxy"
 	"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/kubernetes/cli"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"

 	"github.com/gorilla/mux"
@ -23,16 +24,18 @@ type Handler struct {
 	OAuthService                portainer.OAuthService
 	ProxyManager                *proxy.Manager
 	KubernetesTokenCacheManager *kubernetes.TokenCacheManager
+	KubernetesClientFactory     *cli.ClientFactory
 	passwordStrengthChecker     security.PasswordStrengthChecker
 	bouncer                     security.BouncerService
 }

 // NewHandler creates a handler to manage authentication operations.
-func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimiter, passwordStrengthChecker security.PasswordStrengthChecker) *Handler {
+func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimiter, passwordStrengthChecker security.PasswordStrengthChecker, kubernetesClientFactory *cli.ClientFactory) *Handler {
 	h := &Handler{
 		Router:                  mux.NewRouter(),
 		passwordStrengthChecker: passwordStrengthChecker,
 		bouncer:                 bouncer,
+		KubernetesClientFactory: kubernetesClientFactory,
 	}

 	h.Handle("/auth/oauth/validate",
--- a/api/http/handler/auth/logout.go
+++ b/api/http/handler/auth/logout.go
@ -2,6 +2,7 @@ package auth

 import (
 	"net/http"
+	"strconv"

 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/logoutcontext"
@ -23,6 +24,7 @@ func (handler *Handler) logout(w http.ResponseWriter, r *http.Request) *httperro

 	if tokenData != nil {
 		handler.KubernetesTokenCacheManager.RemoveUserFromCache(tokenData.ID)
+		handler.KubernetesClientFactory.ClearUserClientCache(strconv.Itoa(int(tokenData.ID)))
 		logoutcontext.Cancel(tokenData.Token)
 	}