github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-24 20:24:09 +00:00
Code Issues Projects Releases Wiki Activity

allow restricting subresource access

Browse Source
This commit is contained in:
deads2k 2016-08-03 08:19:57 -04:00
parent 8805bbba3f
commit 1e7adaa5c0
2 changed files with 52 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
plugin/pkg/auth/authorizer/rbac/rbac.go
View File

@ -44,10 +44,14 @@ func (r *RBACAuthorizer) Authorize(attr authorizer.Attributes) (bool, string, er
// Frame the authorization request as a privilege escalation check. // Frame the authorization request as a privilege escalation check.
var requestedRule rbac.PolicyRule var requestedRule rbac.PolicyRule
if attr.IsResourceRequest() { if attr.IsResourceRequest() {
resource := attr.GetResource()
if len(attr.GetSubresource()) > 0 {
resource = attr.GetResource() + "/" + attr.GetSubresource()
}
requestedRule = rbac.PolicyRule{ requestedRule = rbac.PolicyRule{
Verbs: []string{attr.GetVerb()}, Verbs: []string{attr.GetVerb()},
APIGroups: []string{attr.GetAPIGroup()}, // TODO(ericchiang): add api version here too? APIGroups: []string{attr.GetAPIGroup()}, // TODO(ericchiang): add api version here too?
Resources: []string{attr.GetResource()}, Resources: []string{resource},
ResourceNames: []string{attr.GetName()}, ResourceNames: []string{attr.GetName()},
} }
} else { } else {

51
plugin/pkg/auth/authorizer/rbac/rbac_test.go
View File

@ -90,6 +90,7 @@ type defaultAttributes struct {
groups string groups string
verb string verb string
resource string resource string
subresource string
namespace string namespace string
apiGroup string apiGroup string
} }
@ -106,7 +107,7 @@ func (d *defaultAttributes) GetVerb() string { return d.verb }
func (d *defaultAttributes) IsReadOnly() bool { return d.verb == "get" || d.verb == "watch" } func (d *defaultAttributes) IsReadOnly() bool { return d.verb == "get" || d.verb == "watch" }
func (d *defaultAttributes) GetNamespace() string { return d.namespace } func (d *defaultAttributes) GetNamespace() string { return d.namespace }
func (d *defaultAttributes) GetResource() string { return d.resource } func (d *defaultAttributes) GetResource() string { return d.resource }
func (d *defaultAttributes) GetSubresource() string { return "" } func (d *defaultAttributes) GetSubresource() string { return d.subresource }
func (d *defaultAttributes) GetName() string { return "" } func (d *defaultAttributes) GetName() string { return "" }
func (d *defaultAttributes) GetAPIGroup() string { return d.apiGroup } func (d *defaultAttributes) GetAPIGroup() string { return d.apiGroup }
func (d *defaultAttributes) GetAPIVersion() string { return "" } func (d *defaultAttributes) GetAPIVersion() string { return "" }
@ -133,17 +134,17 @@ func TestAuthorizer(t *testing.T) {
newRoleBinding("ns1", "admin", bindToClusterRole, "User:admin", "Group:admins"), newRoleBinding("ns1", "admin", bindToClusterRole, "User:admin", "Group:admins"),
}, },
shouldPass: []authorizer.Attributes{ shouldPass: []authorizer.Attributes{
&defaultAttributes{"admin", "", "get", "Pods", "ns1", ""}, &defaultAttributes{"admin", "", "get", "Pods", "", "ns1", ""},
&defaultAttributes{"admin", "", "watch", "Pods", "ns1", ""}, &defaultAttributes{"admin", "", "watch", "Pods", "", "ns1", ""},
&defaultAttributes{"admin", "group1", "watch", "Foobar", "ns1", ""}, &defaultAttributes{"admin", "group1", "watch", "Foobar", "", "ns1", ""},
&defaultAttributes{"joe", "admins", "watch", "Foobar", "ns1", ""}, &defaultAttributes{"joe", "admins", "watch", "Foobar", "", "ns1", ""},
&defaultAttributes{"joe", "group1,admins", "watch", "Foobar", "ns1", ""}, &defaultAttributes{"joe", "group1,admins", "watch", "Foobar", "", "ns1", ""},
}, },
shouldFail: []authorizer.Attributes{ shouldFail: []authorizer.Attributes{
&defaultAttributes{"admin", "", "GET", "Pods", "ns2", ""}, &defaultAttributes{"admin", "", "GET", "Pods", "", "ns2", ""},
&defaultAttributes{"admin", "", "GET", "Nodes", "", ""}, &defaultAttributes{"admin", "", "GET", "Nodes", "", "", ""},
&defaultAttributes{"admin", "admins", "GET", "Pods", "ns2", ""}, &defaultAttributes{"admin", "admins", "GET", "Pods", "", "ns2", ""},
&defaultAttributes{"admin", "admins", "GET", "Nodes", "", ""}, &defaultAttributes{"admin", "admins", "GET", "Nodes", "", "", ""},
}, },
}, },
{ {
@ -187,6 +188,36 @@ func TestAuthorizer(t *testing.T) {
authorizer.AttributesRecord{User: &user.DefaultInfo{Groups: []string{"prefixed"}}, Verb: "get", Path: "/api/v1"}, authorizer.AttributesRecord{User: &user.DefaultInfo{Groups: []string{"prefixed"}}, Verb: "get", Path: "/api/v1"},
}, },
}, },
{
// test subresource resolution
clusterRoles: []rbac.ClusterRole{
newClusterRole("admin", newRule("*", "*", "pods", "*")),
},
roleBindings: []rbac.RoleBinding{
newRoleBinding("ns1", "admin", bindToClusterRole, "User:admin", "Group:admins"),
},
shouldPass: []authorizer.Attributes{
&defaultAttributes{"admin", "", "get", "pods", "", "ns1", ""},
},
shouldFail: []authorizer.Attributes{
&defaultAttributes{"admin", "", "get", "pods", "status", "ns1", ""},
},
},
{
// test subresource resolution
clusterRoles: []rbac.ClusterRole{
newClusterRole("admin", newRule("*", "*", "pods/status", "*")),
},
roleBindings: []rbac.RoleBinding{
newRoleBinding("ns1", "admin", bindToClusterRole, "User:admin", "Group:admins"),
},
shouldPass: []authorizer.Attributes{
&defaultAttributes{"admin", "", "get", "pods", "status", "ns1", ""},
},
shouldFail: []authorizer.Attributes{
&defaultAttributes{"admin", "", "get", "pods", "", "ns1", ""},
},
},
} }
for i, tt := range tests { for i, tt := range tests {
ruleResolver := validation.NewTestRuleResolver(tt.roles, tt.roleBindings, tt.clusterRoles, tt.clusterRoleBindings) ruleResolver := validation.NewTestRuleResolver(tt.roles, tt.roleBindings, tt.clusterRoles, tt.clusterRoleBindings)