github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-27 21:47:07 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #50710 from enj/enj/r/rbac_auth_builders

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 46927, 50664, 50710)

Refactor RBAC authorizer entry points

This change refactors various RBAC authorizer functions to be more flexible in their inputs.  This makes it easier to reuse the various components that make up the authorizer.

Signed-off-by: Monis Khan <mkhan@redhat.com>

```release-note
NONE
```
This commit is contained in:
Kubernetes Submit Queue 2017-08-16 11:54:27 -07:00 committed by GitHub
commit 6430b1002c
5 changed files with 46 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
pkg/kubeapiserver/authorizer/BUILD
View File

@ -20,16 +20,13 @@ go_library(
name = "go_default_library", name = "go_default_library",
srcs = ["config.go"], srcs = ["config.go"],
deps = [ deps = [
"//pkg/apis/rbac:go_default_library",
"//pkg/auth/authorizer/abac:go_default_library", "//pkg/auth/authorizer/abac:go_default_library",
"//pkg/auth/nodeidentifier:go_default_library", "//pkg/auth/nodeidentifier:go_default_library",
"//pkg/client/informers/informers_generated/internalversion:go_default_library", "//pkg/client/informers/informers_generated/internalversion:go_default_library",
"//pkg/client/listers/rbac/internalversion:go_default_library",
"//pkg/kubeapiserver/authorizer/modes:go_default_library", "//pkg/kubeapiserver/authorizer/modes:go_default_library",
"//plugin/pkg/auth/authorizer/node:go_default_library", "//plugin/pkg/auth/authorizer/node:go_default_library",
"//plugin/pkg/auth/authorizer/rbac:go_default_library", "//plugin/pkg/auth/authorizer/rbac:go_default_library",
"//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library", "//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library", "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authorization/authorizerfactory:go_default_library", "//vendor/k8s.io/apiserver/pkg/authorization/authorizerfactory:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authorization/union:go_default_library", "//vendor/k8s.io/apiserver/pkg/authorization/union:go_default_library",

43
pkg/kubeapiserver/authorizer/config.go
View File

@ -21,16 +21,13 @@ import (
"fmt" "fmt"
"time" "time"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apiserver/pkg/authorization/authorizer" "k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizerfactory" "k8s.io/apiserver/pkg/authorization/authorizerfactory"
"k8s.io/apiserver/pkg/authorization/union" "k8s.io/apiserver/pkg/authorization/union"
"k8s.io/apiserver/plugin/pkg/authorizer/webhook" "k8s.io/apiserver/plugin/pkg/authorizer/webhook"
rbacapi "k8s.io/kubernetes/pkg/apis/rbac"
"k8s.io/kubernetes/pkg/auth/authorizer/abac" "k8s.io/kubernetes/pkg/auth/authorizer/abac"
"k8s.io/kubernetes/pkg/auth/nodeidentifier" "k8s.io/kubernetes/pkg/auth/nodeidentifier"
informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion" informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
rbaclisters "k8s.io/kubernetes/pkg/client/listers/rbac/internalversion"
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes" "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/node" "k8s.io/kubernetes/plugin/pkg/auth/authorizer/node"
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac" "k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
@ -57,38 +54,6 @@ type AuthorizationConfig struct {
InformerFactory informers.SharedInformerFactory InformerFactory informers.SharedInformerFactory
} }
type roleGetter struct {
lister rbaclisters.RoleLister
}
func (g *roleGetter) GetRole(namespace, name string) (*rbacapi.Role, error) {
return g.lister.Roles(namespace).Get(name)
}
type roleBindingLister struct {
lister rbaclisters.RoleBindingLister
}
func (l *roleBindingLister) ListRoleBindings(namespace string) ([]*rbacapi.RoleBinding, error) {
return l.lister.RoleBindings(namespace).List(labels.Everything())
}
type clusterRoleGetter struct {
lister rbaclisters.ClusterRoleLister
}
func (g *clusterRoleGetter) GetClusterRole(name string) (*rbacapi.ClusterRole, error) {
return g.lister.Get(name)
}
type clusterRoleBindingLister struct {
lister rbaclisters.ClusterRoleBindingLister
}
func (l *clusterRoleBindingLister) ListClusterRoleBindings() ([]*rbacapi.ClusterRoleBinding, error) {
return l.lister.List(labels.Everything())
}
// New returns the right sort of union of multiple authorizer.Authorizer objects // New returns the right sort of union of multiple authorizer.Authorizer objects
// based on the authorizationMode or an error. // based on the authorizationMode or an error.
func (config AuthorizationConfig) New() (authorizer.Authorizer, error) { func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
@ -141,10 +106,10 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
authorizers = append(authorizers, webhookAuthorizer) authorizers = append(authorizers, webhookAuthorizer)
case modes.ModeRBAC: case modes.ModeRBAC:
rbacAuthorizer := rbac.New( rbacAuthorizer := rbac.New(
&roleGetter{config.InformerFactory.Rbac().InternalVersion().Roles().Lister()}, &rbac.RoleGetter{Lister: config.InformerFactory.Rbac().InternalVersion().Roles().Lister()},
&roleBindingLister{config.InformerFactory.Rbac().InternalVersion().RoleBindings().Lister()}, &rbac.RoleBindingLister{Lister: config.InformerFactory.Rbac().InternalVersion().RoleBindings().Lister()},
&clusterRoleGetter{config.InformerFactory.Rbac().InternalVersion().ClusterRoles().Lister()}, &rbac.ClusterRoleGetter{Lister: config.InformerFactory.Rbac().InternalVersion().ClusterRoles().Lister()},
&clusterRoleBindingLister{config.InformerFactory.Rbac().InternalVersion().ClusterRoleBindings().Lister()}, &rbac.ClusterRoleBindingLister{Lister: config.InformerFactory.Rbac().InternalVersion().ClusterRoleBindings().Lister()},
) )
authorizers = append(authorizers, rbacAuthorizer) authorizers = append(authorizers, rbacAuthorizer)
default: default:

2
plugin/pkg/auth/authorizer/rbac/BUILD
View File

@ -14,8 +14,10 @@ go_library(
], ],
deps = [ deps = [
"//pkg/apis/rbac:go_default_library", "//pkg/apis/rbac:go_default_library",
"//pkg/client/listers/rbac/internalversion:go_default_library",
"//pkg/registry/rbac/validation:go_default_library", "//pkg/registry/rbac/validation:go_default_library",
"//vendor/github.com/golang/glog:go_default_library", "//vendor/github.com/golang/glog:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library", "//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library", "//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library", "//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",

34
plugin/pkg/auth/authorizer/rbac/rbac.go
View File

@ -24,10 +24,12 @@ import (
"bytes" "bytes"
"k8s.io/apimachinery/pkg/labels"
utilerrors "k8s.io/apimachinery/pkg/util/errors" utilerrors "k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer" "k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/kubernetes/pkg/apis/rbac" "k8s.io/kubernetes/pkg/apis/rbac"
rbaclisters "k8s.io/kubernetes/pkg/client/listers/rbac/internalversion"
rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation" rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation"
) )
@ -156,3 +158,35 @@ func RuleAllows(requestAttributes authorizer.Attributes, rule *rbac.PolicyRule)
return rbac.VerbMatches(rule, requestAttributes.GetVerb()) && return rbac.VerbMatches(rule, requestAttributes.GetVerb()) &&
rbac.NonResourceURLMatches(rule, requestAttributes.GetPath()) rbac.NonResourceURLMatches(rule, requestAttributes.GetPath())
} }
type RoleGetter struct {
Lister rbaclisters.RoleLister
}
func (g *RoleGetter) GetRole(namespace, name string) (*rbac.Role, error) {
return g.Lister.Roles(namespace).Get(name)
}
type RoleBindingLister struct {
Lister rbaclisters.RoleBindingLister
}
func (l *RoleBindingLister) ListRoleBindings(namespace string) ([]*rbac.RoleBinding, error) {
return l.Lister.RoleBindings(namespace).List(labels.Everything())
}
type ClusterRoleGetter struct {
Lister rbaclisters.ClusterRoleLister
}
func (g *ClusterRoleGetter) GetClusterRole(name string) (*rbac.ClusterRole, error) {
return g.Lister.Get(name)
}
type ClusterRoleBindingLister struct {
Lister rbaclisters.ClusterRoleBindingLister
}
func (l *ClusterRoleBindingLister) ListClusterRoleBindings() ([]*rbac.ClusterRoleBinding, error) {
return l.Lister.List(labels.Everything())
}

6
plugin/pkg/auth/authorizer/rbac/subject_locator.go
View File

@ -31,6 +31,12 @@ type RoleToRuleMapper interface {
GetRoleReferenceRules(roleRef rbac.RoleRef, namespace string) ([]rbac.PolicyRule, error) GetRoleReferenceRules(roleRef rbac.RoleRef, namespace string) ([]rbac.PolicyRule, error)
} }
type SubjectLocator interface {
AllowedSubjects(attributes authorizer.Attributes) ([]rbac.Subject, error)
}
var _ = SubjectLocator(&SubjectAccessEvaluator{})
type SubjectAccessEvaluator struct { type SubjectAccessEvaluator struct {
superUser string superUser string