Add basic Authorization.

Added basic interface for authorizer implementations. Added default "authorize everything" and "authorize nothing implementations. Added authorization check immediately after authentication check. Added an integration test of authorization at the HTTP level of abstraction.
2025-09-11 14:11:14 +00:00 · 2014-10-16 14:18:16 -07:00
parent 893291d81d
commit 55c2d6bbbb
9 changed files with 433 additions and 4 deletions
--- a/pkg/apiserver/handlers.go
+++ b/pkg/apiserver/handlers.go
@@ -23,6 +23,7 @@ import (
 	"runtime/debug"
 	"strings"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authorizer"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/httplog"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/util"
 	"github.com/golang/glog"
@@ -118,3 +119,24 @@ func CORS(handler http.Handler, allowedOriginPatterns []*regexp.Regexp, allowedM
 		handler.ServeHTTP(w, req)
 	})
 }
+
+// RequestAttributeGetter is a function that extracts authorizer.Attributes from an http.Request
+type RequestAttributeGetter func(req *http.Request) (attribs authorizer.Attributes)
+
+// BasicAttributeGetter gets authorizer.Attributes from an http.Request.
+func BasicAttributeGetter(req *http.Request) (attribs authorizer.Attributes) {
+	// TODO: fill in attributes once attributes are defined.
+	return
+}
+
+// WithAuthorizationCheck passes all authorized requests on to handler, and returns a forbidden error otherwise.
+func WithAuthorizationCheck(handler http.Handler, getAttribs RequestAttributeGetter, a authorizer.Authorizer) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		err := a.Authorize(getAttribs(req))
+		if err == nil {
+			handler.ServeHTTP(w, req)
+			return
+		}
+		forbidden(w, req)
+	})
+}