Basic ACL file.

Added function to read basic ACL from a CSV file.
Added implementation of Authorize based on that file's policies.
Added docs on authentication and authorization.
Added example file and tested it.
Eric Tune
2014-10-06 16:11:04 -07:00
parent f4cffdc7cf
commit 6e81e8c896
9 changed files with 457 additions and 57 deletions


@@ -20,6 +20,7 @@ import (
"errors"
"github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authorizer"
"github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authorizer/abac"
)
// Attributes implements authorizer.Attributes interface.
@@ -56,20 +57,26 @@ func NewAlwaysDenyAuthorizer() authorizer.Authorizer {
const (
ModeAlwaysAllow string = "AlwaysAllow"
ModeAlwaysDeny string = "AlwaysDeny"
ModeABAC string = "ABAC"
)
// Keep this list in sync with constant list above.
var AuthorizationModeChoices = []string{ModeAlwaysAllow, ModeAlwaysDeny}
var AuthorizationModeChoices = []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeABAC}
// NewAuthorizerFromAuthorizationConfig returns the right sort of authorizer.Authorizer
// based on the authorizationMode xor an error. authorizationMode should be one of AuthorizationModeChoices.
func NewAuthorizerFromAuthorizationConfig(authorizationMode string) (authorizer.Authorizer, error) {
func NewAuthorizerFromAuthorizationConfig(authorizationMode string, authorizationPolicyFile string) (authorizer.Authorizer, error) {
if authorizationPolicyFile != "" && authorizationMode != "ABAC" {
return nil, errors.New("Cannot specify --authorization_policy_file without mode ABAC")
}
// Keep cases in sync with constant list above.
switch authorizationMode {
case ModeAlwaysAllow:
return NewAlwaysAllowAuthorizer(), nil
case ModeAlwaysDeny:
return NewAlwaysDenyAuthorizer(), nil
case ModeABAC:
return abac.NewFromFile(authorizationPolicyFile)
default:
return nil, errors.New("Unknown authorization mode")
}
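Review bot: The new guard `if authorizationPolicyFile != "" && authorizationMode != "ABAC"` compares against a string literal while the constant `ModeABAC` is declared a few lines above in the same hunk and used by the `case ModeABAC` arm; write it as `if authorizationPolicyFile != "" && authorizationMode != ModeABAC {` so the literal and the constant cannot drift apart. The opposite combination is not checked: mode ABAC with an empty `authorizationPolicyFile` falls through to `abac.NewFromFile("")`, which presumably fails on the empty path with a less specific error than an explicit `return nil, errors.New("mode ABAC requires --authorization_policy_file")` placed before the switch. The doc comment on `NewAuthorizerFromAuthorizationConfig` still describes only `authorizationMode`; add a line such as `// authorizationPolicyFile is the path to an ABAC policy file and is only meaningful with ModeABAC.` Go error strings are conventionally lowercase without punctuation, so `"cannot specify --authorization_policy_file without mode ABAC"` and `"unknown authorization mode"` would match the surrounding style. The hunk ends at the switch's closing brace, so the function's own closing brace lies outside it.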