From 8e7893e541aeb8472a6f34eb15ef7d86afc68fea Mon Sep 17 00:00:00 2001
From: Monis Khan
Date: Tue, 15 Aug 2017 16:32:51 -0400
Subject: [PATCH] Refactor RBAC authorizer entry points

This change refactors various RBAC authorizer functions to be more flexible in their inputs. This makes it easier to reuse the various components that make up the authorizer.

Signed-off-by: Monis Khan
---
 pkg/kubeapiserver/authorizer/BUILD | 3 --
 pkg/kubeapiserver/authorizer/config.go | 43 ++-----
 plugin/pkg/auth/authorizer/rbac/BUILD | 2 +
 plugin/pkg/auth/authorizer/rbac/rbac.go | 34 +++++++++++++++
 .../auth/authorizer/rbac/subject_locator.go | 6 +++
 5 files changed, 46 insertions(+), 42 deletions(-)
diff --git a/pkg/kubeapiserver/authorizer/BUILD b/pkg/kubeapiserver/authorizer/BUILD
index 5fab7712679..a2864f4014a 100644
--- a/pkg/kubeapiserver/authorizer/BUILD
+++ b/pkg/kubeapiserver/authorizer/BUILD
@@ -20,16 +20,13 @@ go_library(
 name = "go_default_library",
 srcs = ["config.go"],
 deps = [
- "//pkg/apis/rbac:go_default_library",
 "//pkg/auth/authorizer/abac:go_default_library",
 "//pkg/auth/nodeidentifier:go_default_library",
 "//pkg/client/informers/informers_generated/internalversion:go_default_library",
- "//pkg/client/listers/rbac/internalversion:go_default_library",
 "//pkg/kubeapiserver/authorizer/modes:go_default_library",
 "//plugin/pkg/auth/authorizer/node:go_default_library",
 "//plugin/pkg/auth/authorizer/rbac:go_default_library",
 "//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library",
- "//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
 "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
 "//vendor/k8s.io/apiserver/pkg/authorization/authorizerfactory:go_default_library",
 "//vendor/k8s.io/apiserver/pkg/authorization/union:go_default_library",
diff --git a/pkg/kubeapiserver/authorizer/config.go b/pkg/kubeapiserver/authorizer/config.go
index e30bbfddd5c..1466d2b4114 100644
--- a/pkg/kubeapiserver/authorizer/config.go
+++ b/pkg/kubeapiserver/authorizer/config.go
@@ -21,16 +21,13 @@ import (
 "fmt"
 "time"
 
- "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apiserver/pkg/authorization/authorizer"
 "k8s.io/apiserver/pkg/authorization/authorizerfactory"
 "k8s.io/apiserver/pkg/authorization/union"
 "k8s.io/apiserver/plugin/pkg/authorizer/webhook"
- rbacapi "k8s.io/kubernetes/pkg/apis/rbac"
 "k8s.io/kubernetes/pkg/auth/authorizer/abac"
 "k8s.io/kubernetes/pkg/auth/nodeidentifier"
 informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
- rbaclisters "k8s.io/kubernetes/pkg/client/listers/rbac/internalversion"
 "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
 "k8s.io/kubernetes/plugin/pkg/auth/authorizer/node"
 "k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
@@ -57,38 +54,6 @@ type AuthorizationConfig struct {
 InformerFactory informers.SharedInformerFactory
 }
 
-type roleGetter struct {
- lister rbaclisters.RoleLister
-}
-
-func (g *roleGetter) GetRole(namespace, name string) (*rbacapi.Role, error) {
- return g.lister.Roles(namespace).Get(name)
-}
-
-type roleBindingLister struct {
- lister rbaclisters.RoleBindingLister
-}
-
-func (l *roleBindingLister) ListRoleBindings(namespace string) ([]*rbacapi.RoleBinding, error) {
- return l.lister.RoleBindings(namespace).List(labels.Everything())
-}
-
-type clusterRoleGetter struct {
- lister rbaclisters.ClusterRoleLister
-}
-
-func (g *clusterRoleGetter) GetClusterRole(name string) (*rbacapi.ClusterRole, error) {
- return g.lister.Get(name)
-}
-
-type clusterRoleBindingLister struct {
- lister rbaclisters.ClusterRoleBindingLister
-}
-
-func (l *clusterRoleBindingLister) ListClusterRoleBindings() ([]*rbacapi.ClusterRoleBinding, error) {
- return l.lister.List(labels.Everything())
-}
-
 // New returns the right sort of union of multiple authorizer.Authorizer objects
 // based on the authorizationMode or an error.
 func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
@@ -141,10 +106,10 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
 authorizers = append(authorizers, webhookAuthorizer)
 case modes.ModeRBAC:
 rbacAuthorizer := rbac.New(
- &roleGetter{config.InformerFactory.Rbac().InternalVersion().Roles().Lister()},
- &roleBindingLister{config.InformerFactory.Rbac().InternalVersion().RoleBindings().Lister()},
- &clusterRoleGetter{config.InformerFactory.Rbac().InternalVersion().ClusterRoles().Lister()},
- &clusterRoleBindingLister{config.InformerFactory.Rbac().InternalVersion().ClusterRoleBindings().Lister()},
+ &rbac.RoleGetter{Lister: config.InformerFactory.Rbac().InternalVersion().Roles().Lister()},
+ &rbac.RoleBindingLister{Lister: config.InformerFactory.Rbac().InternalVersion().RoleBindings().Lister()},
+ &rbac.ClusterRoleGetter{Lister: config.InformerFactory.Rbac().InternalVersion().ClusterRoles().Lister()},
+ &rbac.ClusterRoleBindingLister{Lister: config.InformerFactory.Rbac().InternalVersion().ClusterRoleBindings().Lister()},
 )
 authorizers = append(authorizers, rbacAuthorizer)
 default:
diff --git a/plugin/pkg/auth/authorizer/rbac/BUILD b/plugin/pkg/auth/authorizer/rbac/BUILD
index 37fdbaaf0c5..4325ab9c12b 100644
--- a/plugin/pkg/auth/authorizer/rbac/BUILD
+++ b/plugin/pkg/auth/authorizer/rbac/BUILD
@@ -14,8 +14,10 @@ go_library(
 ],
 deps = [
 "//pkg/apis/rbac:go_default_library",
+ "//pkg/client/listers/rbac/internalversion:go_default_library",
 "//pkg/registry/rbac/validation:go_default_library",
 "//vendor/github.com/golang/glog:go_default_library",
+ "//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
 "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
 "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
 "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
diff --git a/plugin/pkg/auth/authorizer/rbac/rbac.go b/plugin/pkg/auth/authorizer/rbac/rbac.go
index 25d773909e7..6341936edc5 100644
--- a/plugin/pkg/auth/authorizer/rbac/rbac.go
+++ b/plugin/pkg/auth/authorizer/rbac/rbac.go
@@ -24,10 +24,12 @@ import (
 "bytes"
 
+ "k8s.io/apimachinery/pkg/labels"
 utilerrors "k8s.io/apimachinery/pkg/util/errors"
 "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/apiserver/pkg/authorization/authorizer"
 "k8s.io/kubernetes/pkg/apis/rbac"
+ rbaclisters "k8s.io/kubernetes/pkg/client/listers/rbac/internalversion"
 rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation"
 )
 
@@ -156,3 +158,35 @@ func RuleAllows(requestAttributes authorizer.Attributes, rule *rbac.PolicyRule)
 return rbac.VerbMatches(rule, requestAttributes.GetVerb()) &&
 rbac.NonResourceURLMatches(rule, requestAttributes.GetPath())
 }
+
+type RoleGetter struct {
+ Lister rbaclisters.RoleLister
+}
+
+func (g *RoleGetter) GetRole(namespace, name string) (*rbac.Role, error) {
+ return g.Lister.Roles(namespace).Get(name)
+}
+
+type RoleBindingLister struct {
+ Lister rbaclisters.RoleBindingLister
+}
+
+func (l *RoleBindingLister) ListRoleBindings(namespace string) ([]*rbac.RoleBinding, error) {
+ return l.Lister.RoleBindings(namespace).List(labels.Everything())
+}
+
+type ClusterRoleGetter struct {
+ Lister rbaclisters.ClusterRoleLister
+}
+
+func (g *ClusterRoleGetter) GetClusterRole(name string) (*rbac.ClusterRole, error) {
+ return g.Lister.Get(name)
+}
+
+type ClusterRoleBindingLister struct {
+ Lister rbaclisters.ClusterRoleBindingLister
+}
+
+func (l *ClusterRoleBindingLister) ListClusterRoleBindings() ([]*rbac.ClusterRoleBinding, error) {
+ return l.Lister.List(labels.Everything())
+}
diff --git a/plugin/pkg/auth/authorizer/rbac/subject_locator.go b/plugin/pkg/auth/authorizer/rbac/subject_locator.go
index e86df3249ce..0f5f413b9a3 100644
--- a/plugin/pkg/auth/authorizer/rbac/subject_locator.go
+++ b/plugin/pkg/auth/authorizer/rbac/subject_locator.go
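Review bot: The four newly exported types RoleGetter, RoleBindingLister, ClusterRoleGetter and ClusterRoleBindingLister and their methods in the second rbac.go hunk carry no doc comments, even though making them public (with a public `Lister` field) is the point of the change and config.go now constructs them from another package. Each type should state its contract, for example `// RoleGetter adapts a RoleLister to the GetRole method New requires; Lister must be non-nil.` — the zero value panics on first use because every method calls straight through `Lister`. The same commit adds `var _ = SubjectLocator(&SubjectAccessEvaluator{})` in subject_locator.go; a matching compile-time check here, `var _ rbacregistryvalidation.RoleGetter = (*RoleGetter)(nil)` (and likewise for the other three), would pin these adapters to the interfaces New consumes, assuming those are the validation package's interfaces of the same names. It is also worth saying in the comments that ListRoleBindings and ListClusterRoleBindings deliberately return every binding via labels.Everything(), since the authorizer's decisions depend on seeing the full set and these adapters are now reusable outside the package.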
@@ -31,6 +31,12 @@ type RoleToRuleMapper interface {
 GetRoleReferenceRules(roleRef rbac.RoleRef, namespace string) ([]rbac.PolicyRule, error)
 }
 
+type SubjectLocator interface {
+ AllowedSubjects(attributes authorizer.Attributes) ([]rbac.Subject, error)
+}
+
+var _ = SubjectLocator(&SubjectAccessEvaluator{})
+
 type SubjectAccessEvaluator struct {
 superUser string