}
              }
            },
            "description": "OK"
          },
          "401": {
            "description": "Unauthorized"
          }
        },
        "tags": [
          "node_v1"
        ]
      }
    },
    "/apis/node.k8s.io/v1/runtimeclasses": {
      "delete": {

Wenn es keinen `Authorization`-Header sieht, oder der Wert keinen `Bearer`-Token hat, antwortet es direkt mit einem 401-Statuscode-Error (`UNAUTHORIZED`).

Sie müssen nicht einmal prüfen, ob der Token existiert, um einen Fehler zurückzugeben. Seien Sie sicher, dass Ihre Funktion, wenn sie ausgeführt wird, ein `str` in diesem Token enthält.

## 实现的操作

FastAPI 校验请求中的 `Authorization` 请求头，核对请求头的值是不是由 `Bearer ` ＋ 令牌组成， 并返回令牌字符串（`str`）。

如果没有找到 `Authorization` 请求头，或请求头的值不是 `Bearer ` ＋ 令牌。FastAPI 直接返回 401 错误状态码（`UNAUTHORIZED`）。

开发者不需要检查错误信息，查看令牌是否存在，只要该函数能够执行，函数中就会包含令牌字符串。

正如下图所示，API 文档已经包含了这项功能：

<img src="/img/tutorial/security/image03.png">

目前，暂时还没有实现验证令牌是否有效的功能，不过后文很快就会介绍的。

## 小结

	var authzResult *bool
	var authzError error
	// isAuthorized is a small wrapper around credscontroller.Authorize so we only call it once instead of each time in the loop
	isAuthorized := func() bool {
		if authzResult != nil {
			return *authzResult
		}
		res := false

                }
              }
            },
            "description": "OK"
          },
          "401": {
            "description": "Unauthorized"
          }
        },
        "tags": [
          "authorization_v1"
        ]
      }
    },
    "/apis/authorization.k8s.io/v1/namespaces/{namespace}/localsubjectaccessreviews": {

				Title:   "Kubernetes CRD Swagger",
				Version: "v0.1.0",
			},
		},
		CommonResponses: map[int]spec.Response{
			401: {
				ResponseProps: spec.ResponseProps{
					Description: "Unauthorized",
				},
			},
		},
		GetOperationIDAndTags: openapi.GetOperationIDAndTags,
		GetDefinitionName: func(name string) (string, spec.Extensions) {
			buildDefinitions.Do(generateBuildDefinitionsFunc)

      # deployed test services changes on each run due to a randomly generated namespace suffixes.
      # Turning the XDS-Auth ON will result in the error messages like:
      # Unauthorized XDS: 10.1.0.159:41960 with identity [spiffe://cluster.local/ns/mounted-certs/sa/client client.mounted-certs.svc]:

                }
              }
            },
            "description": "OK"
          },
          "401": {
            "description": "Unauthorized"
          }
        },
        "tags": [
          "authentication_v1"
        ]
      }
    },
    "/apis/authentication.k8s.io/v1/selfsubjectreviews": {
      "parameters": [
        {

		err := wh.Validate(context.TODO(), attr, nil)
		authorized := err == nil

		if test.expectedErr && err == nil {
			t.Errorf("Expected error")
		} else if !test.expectedErr && err != nil {
			t.Fatal(err)
		}
		if test.expectedAuthorized && !authorized {
			if test.expectedCached {
				t.Errorf("Webhook should have successful response cached, but authorizer reported unauthorized.")
			} else {

	// The duration to cache 'authorized' responses from the webhook
	// authorizer.
	// Same as setting `--authorization-webhook-cache-authorized-ttl` flag
	// Default: 5m0s
	AuthorizedTTL metav1.Duration `json:"authorizedTTL"`
	// The duration to cache 'unauthorized' responses from the webhook
	// authorizer.
	// Same as setting `--authorization-webhook-cache-unauthorized-ttl` flag
	// Default: 30s