authorize personalSAR based on selfsubjectaccessreviews.authorization.k8s.io

[deads2k]

This eliminates our usage of the AttributeRestrictions for policy rules and the matching authorization attributes. It helps us collapse onto the upstream authorizer interface.

Instead of authorizing using the AttributeRestrictions, the requestInfoResolver uses the information to lie about the resource being accessed. When its a personalSAR or personalLSAR, the requestInfo is written to selfsubjectaccessreviews.authorization.k8s.io

@liggitt This is what we spoke about
@enj ptal
@mfojtik @soltysh fyi

[deads2k]

[test]

[enj]

Nits.

Opened #13312 to cleanup policy rules.

[enj]

Just return nil, err?

[deads2k]

Actually no, The upstream function docs like this: "If error is not nil, RequestInfo holds the information as best it is known before the failure", so that at least some error comes back that might make sense.

[enj]

switch?

[enj]

Having recently read the pile of tests we have for the SAR stuff, I am quite confident that this is good 😄

[deads2k]

@enj is that like "minor comments, then LGTM"?

[enj]

Yup.

[openshift-bot]

Evaluated for origin test up to e3f7aaa

[stevekuznetsov]

Removing merge tag -- seeing issues with node dep starting, fix is probably in #13317 so let's let that go first.

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/56/) (Base Commit: c9ed4e5)

[stevekuznetsov]

[merge]

[openshift-bot]

Evaluated for origin merge up to e3f7aaa

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/23/) (Base Commit: 39ceb75) (Image: devenv-rhel7_6062)