Add basic Authorization.

Added basic interface for authorizer implementations.
Added default "authorize everything" and "authorize nothing"
implementations.
Added authorization check immediately after authentication check.
Added an integration test of authorization at the HTTP level of
abstraction.
Eric Tune
2014-10-16 14:18:16 -07:00
parent 893291d81d
commit 55c2d6bbbb
9 changed files with 433 additions and 4 deletions


@@ -66,6 +66,7 @@ type Config struct {
APIPrefix string
CorsAllowedOriginList util.StringList
TokenAuthFile string
AuthorizationMode string
// Number of masters running; all masters must be started with the
// same value for this field. (Numbers > 1 currently untested.)
@@ -101,6 +102,7 @@ type Master struct {
apiPrefix string
corsAllowedOriginList util.StringList
tokenAuthFile string
authorizationzMode string
masterCount int
// "Outputs"
@@ -220,9 +222,11 @@ func New(c *Config) *Master {
apiPrefix: c.APIPrefix,
corsAllowedOriginList: c.CorsAllowedOriginList,
tokenAuthFile: c.TokenAuthFile,
masterCount: c.MasterCount,
readOnlyServer: net.JoinHostPort(c.PublicAddress, strconv.Itoa(int(c.ReadOnlyPort))),
readWriteServer: net.JoinHostPort(c.PublicAddress, strconv.Itoa(int(c.ReadWritePort))),
authorizationzMode: c.AuthorizationMode,
masterCount: c.MasterCount,
readOnlyServer: net.JoinHostPort(c.PublicAddress, strconv.Itoa(int(c.ReadOnlyPort))),
readWriteServer: net.JoinHostPort(c.PublicAddress, strconv.Itoa(int(c.ReadWritePort))),
}
m.masterServices = util.NewRunner(m.serviceWriterLoop, m.roServiceWriterLoop)
m.init(c)
@@ -310,6 +314,14 @@ func (m *Master) init(c *Config) {
handler = apiserver.CORS(handler, allowedOriginRegexps, nil, nil, "true")
}
// Install Authorizer
authorizer, err := apiserver.NewAuthorizerFromAuthorizationConfig(m.authorizationzMode)
if err != nil {
glog.Fatal(err)
}
handler = apiserver.WithAuthorizationCheck(handler, apiserver.BasicAttributeGetter, authorizer)
// Install Authenticator
if authenticator != nil {
handler = handlers.NewRequestAuthenticator(userContexts, authenticator, handlers.Unauthorized, handler)
}
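Review bot: The private field is spelled `authorizationzMode` (stray "z") in the Master struct, in New and in init, while the Config field is `AuthorizationMode`; rename it to `authorizationMode` in all three places. In init the authorization wrapper is applied before the authenticator wrapper, which makes the authenticator the outer handler, so it runs first on each request; that matches the commit message but reads reversed in the source, so a comment such as `// Wrapped before the authenticator so that authentication runs first at request time.` would help. When `authenticator` is nil the authorization check is still installed, and nothing visible here shows what `apiserver.BasicAttributeGetter` yields for a request with no authenticated user or which authorizer an empty `AuthorizationMode` selects. Both cases should be stated in a comment on the Config field and confirmed to fail closed rather than fall through to the "authorize everything" implementation. init's body starts and ends outside the hunk.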