From 88119903e507b607d754dc7fc7af9e6cc78ffa81 Mon Sep 17 00:00:00 2001
From: Eric Chiang
Date: Tue, 7 Jun 2016 10:53:18 -0700
Subject: [PATCH 1/2] pkg/apis/rbac: make apiversion optional for subjects and fix validation

---
 pkg/apis/rbac/v1alpha1/types.go | 5 ++---
 pkg/apis/rbac/validation/validation.go | 3 ---
 pkg/apis/rbac/validation/validation_test.go | 9 ---------
 3 files changed, 2 insertions(+), 15 deletions(-)

diff --git a/pkg/apis/rbac/v1alpha1/types.go b/pkg/apis/rbac/v1alpha1/types.go
index 0863dfbf588..5157ec776f8 100644
--- a/pkg/apis/rbac/v1alpha1/types.go
+++ b/pkg/apis/rbac/v1alpha1/types.go
@@ -54,9 +54,8 @@ type Subject struct {
 // Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
 // If the Authorizer does not recognized the kind value, the Authorizer should report an error.
 Kind string `json:"kind" protobuf:"bytes,1,opt,name=kind"`
- // APIVersion holds the API group and version of the referenced object. For non-object references such as "Group" and "User" this is
- // expected to be API version of this API group. For example "rbac/v1alpha1".
- APIVersion string `json:"apiVersion" protobuf:"bytes,2,opt.name=apiVersion"`
+ // APIVersion holds the API group and version of the referenced object.
+ APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,2,opt.name=apiVersion"`
 // Name of the object being referenced.
 Name string `json:"name" protobuf:"bytes,3,opt,name=name"`
 // Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
diff --git a/pkg/apis/rbac/validation/validation.go b/pkg/apis/rbac/validation/validation.go
index 4a384e65ee4..c43f733037b 100644
--- a/pkg/apis/rbac/validation/validation.go
+++ b/pkg/apis/rbac/validation/validation.go
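Review bot: The rewritten APIVersion field line keeps a malformed protobuf struct tag — `opt.name=apiVersion` uses a period where every other field in the struct uses a comma (`opt,name=kind`), so the option/name pair for this field is probably not parsed the way the others are; while the line is being touched it should read `protobuf:"bytes,2,opt,name=apiVersion"`. The shortened comment also drops the only guidance the old text gave for non-object subjects such as User and Group, and now that the field is optional and, as far as this series shows, no longer validated anywhere, readers cannot tell whether an authorizer is expected to honour or ignore it. A sentence along the lines of `// Optional; this series does not define how a non-empty value affects authorization, so callers should not rely on it` (or the actual rule, if one exists) would keep the contract explicit on the API type, which is the one place every client reads.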
@@ -105,9 +105,6 @@ func validateRoleBindingSubject(subject rbac.Subject, isNamespaced bool, fldPath
 if len(subject.Name) == 0 {
 allErrs = append(allErrs, field.Required(fldPath.Child("name"), ""))
 }
- if len(subject.APIVersion) != 0 {
- allErrs = append(allErrs, field.Forbidden(fldPath.Child("apiVersion"), subject.APIVersion))
- }
 
 switch subject.Kind {
 case rbac.ServiceAccountKind:
diff --git a/pkg/apis/rbac/validation/validation_test.go b/pkg/apis/rbac/validation/validation_test.go
index c513729a7b5..9a62f3bfb55 100644
--- a/pkg/apis/rbac/validation/validation_test.go
+++ b/pkg/apis/rbac/validation/validation_test.go
@@ -96,15 +96,6 @@ func TestValidateRoleBinding(t *testing.T) {
 T: field.ErrorTypeInvalid,
 F: "subjects[0].name",
 },
- "forbidden fields": {
- A: rbac.RoleBinding{
- ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
- RoleRef: api.ObjectReference{Namespace: "master", Name: "valid"},
- Subjects: []rbac.Subject{{Name: "subject", Kind: rbac.ServiceAccountKind, APIVersion: "foo"}},
- },
- T: field.ErrorTypeForbidden,
- F: "subjects[0].apiVersion",
- },
 "missing subject name": {
 A: rbac.RoleBinding{
 ObjectMeta: api.ObjectMeta{Namespace: api.NamespaceDefault, Name: "master"},
From 2bf54ac799a32081731047a973294172bcefe51b Mon Sep 17 00:00:00 2001
From: Eric Chiang
Date: Mon, 13 Jun 2016 09:48:02 -0700
Subject: [PATCH 2/2] regenerated

---
 .../rbac.authorization.k8s.io_v1alpha1.json | 3 +-
 pkg/apis/rbac/v1alpha1/generated.proto | 3 +-
 pkg/apis/rbac/v1alpha1/types.generated.go | 33 +++++++++++--------
 .../v1alpha1/types_swagger_doc_generated.go | 2 +-
 4 files changed, 23 insertions(+), 18 deletions(-)

diff --git a/api/swagger-spec/rbac.authorization.k8s.io_v1alpha1.json b/api/swagger-spec/rbac.authorization.k8s.io_v1alpha1.json
index e60b5629584..738a52a68d3 100644
--- a/api/swagger-spec/rbac.authorization.k8s.io_v1alpha1.json
+++ b/api/swagger-spec/rbac.authorization.k8s.io_v1alpha1.json
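Review bot: Deleting the Forbidden check leaves subject.APIVersion with no validation at all, so any string is now persisted on a RoleBinding subject while nothing else in this series reads or checks the value; validateRoleBindingSubject begins and ends outside the hunk. If the field is meant to carry a real group/version, a shape check in the same spot, `if len(subject.APIVersion) != 0 { if _, err := unversioned.ParseGroupVersion(subject.APIVersion); err != nil { allErrs = append(allErrs, field.Invalid(fldPath.Child("apiVersion"), subject.APIVersion, err.Error())) } }` (which needs the unversioned import), would reject malformed values at admission rather than letting them reach the authorizer; if it is informational only, that should be stated on the type so a mistyped value is not mistaken for a narrowing of the binding. The validation_test.go hunk in this patch only drops the forbidden case; a case asserting that a populated apiVersion is now accepted would pin the new behaviour.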
@@ -2821,7 +2821,6 @@ "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.", "required": [ "kind", - "apiVersion", "name" ], "properties": { @@ -2831,7 +2830,7 @@ }, "apiVersion": { "type": "string", - "description": "APIVersion holds the API group and version of the referenced object. For non-object references such as \"Group\" and \"User\" this is expected to be API version of this API group. For example \"rbac/v1alpha1\"." + "description": "APIVersion holds the API group and version of the referenced object." }, "name": { "type": "string", diff --git a/pkg/apis/rbac/v1alpha1/generated.proto b/pkg/apis/rbac/v1alpha1/generated.proto index 71a2f612f14..50067aaf158 100644 --- a/pkg/apis/rbac/v1alpha1/generated.proto +++ b/pkg/apis/rbac/v1alpha1/generated.proto @@ -146,8 +146,7 @@ message Subject { // If the Authorizer does not recognized the kind value, the Authorizer should report an error. optional string kind = 1; - // APIVersion holds the API group and version of the referenced object. For non-object references such as "Group" and "User" this is - // expected to be API version of this API group. For example "rbac/v1alpha1". + // APIVersion holds the API group and version of the referenced object. optional string apiVersion = 2; // Name of the object being referenced. diff --git a/pkg/apis/rbac/v1alpha1/types.generated.go b/pkg/apis/rbac/v1alpha1/types.generated.go index f2e010ad1bc..79bf3ab0c77 100644 --- a/pkg/apis/rbac/v1alpha1/types.generated.go +++ b/pkg/apis/rbac/v1alpha1/types.generated.go 
@@ -604,12 +604,13 @@ func (x *Subject) CodecEncodeSelf(e *codec1978.Encoder) { var yyq2 [4]bool _, _, _ = yysep2, yyq2, yy2arr2 const yyr2 bool = false + yyq2[1] = x.APIVersion != "" yyq2[3] = x.Namespace != "" var yynn2 int if yyr2 || yy2arr2 { r.EncodeArrayStart(4) } else { - yynn2 = 3 + yynn2 = 2 for _, b := range yyq2 { if b { yynn2++ @@ -639,21 +640,27 @@ func (x *Subject) CodecEncodeSelf(e *codec1978.Encoder) { } if yyr2 || yy2arr2 { z.EncSendContainerState(codecSelfer_containerArrayElem1234) - yym7 := z.EncBinary() - _ = yym7 - if false { + if yyq2[1] { + yym7 := z.EncBinary() + _ = yym7 + if false { + } else { + r.EncodeString(codecSelferC_UTF81234, string(x.APIVersion)) + } } else { - r.EncodeString(codecSelferC_UTF81234, string(x.APIVersion)) + r.EncodeString(codecSelferC_UTF81234, "") } } else { - z.EncSendContainerState(codecSelfer_containerMapKey1234) - r.EncodeString(codecSelferC_UTF81234, string("apiVersion")) - z.EncSendContainerState(codecSelfer_containerMapValue1234) - yym8 := z.EncBinary() - _ = yym8 - if false { - } else { - r.EncodeString(codecSelferC_UTF81234, string(x.APIVersion)) + if yyq2[1] { + z.EncSendContainerState(codecSelfer_containerMapKey1234) + r.EncodeString(codecSelferC_UTF81234, string("apiVersion")) + z.EncSendContainerState(codecSelfer_containerMapValue1234) + yym8 := z.EncBinary() + _ = yym8 + if false { + } else { + r.EncodeString(codecSelferC_UTF81234, string(x.APIVersion)) + } } } if yyr2 || yy2arr2 { diff --git a/pkg/apis/rbac/v1alpha1/types_swagger_doc_generated.go b/pkg/apis/rbac/v1alpha1/types_swagger_doc_generated.go index c9d723469df..501d78b0346 100644 --- a/pkg/apis/rbac/v1alpha1/types_swagger_doc_generated.go +++ b/pkg/apis/rbac/v1alpha1/types_swagger_doc_generated.go 
@@ -126,7 +126,7 @@ func (RoleList) SwaggerDoc() map[string]string { var map_Subject = map[string]string{ "": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.", "kind": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.", - "apiVersion": "APIVersion holds the API group and version of the referenced object. For non-object references such as \"Group\" and \"User\" this is expected to be API version of this API group. For example \"rbac/v1alpha1\".", + "apiVersion": "APIVersion holds the API group and version of the referenced object.", "name": "Name of the object being referenced.", "namespace": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.", }