github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-06 10:43:56 +00:00
Code Issues Projects Releases Wiki Activity

add support for authorizing subresources

Browse Source
This commit is contained in:
deads2k 2015-04-10 12:42:52 -04:00
parent 8510fc67ff
commit 72817a0801
2 changed files with 68 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
pkg/apiserver/handlers.go
View File

@ -19,7 +19,6 @@ package apiserver
import ( import (
"fmt" "fmt"
"net/http" "net/http"
"path"
"regexp" "regexp"
"runtime/debug" "runtime/debug"
"strings" "strings"
@ -43,6 +42,11 @@ var specialVerbs = map[string]bool{
"watch": true, "watch": true,
} }
// namespaceSubresouces is a set of all the subresources available on a namespace resource. This is a special case because
// URLs look like api/v1beta3/namspaces/<namespace name>/[subresource | resource]. We need to be able to distinguish the two
// different cases.
var namespaceSubresources = util.NewStringSet("status", "finalize")
// Constant for the retry-after interval on rate limiting. // Constant for the retry-after interval on rate limiting.
// TODO: maybe make this dynamic? or user-adjustable? // TODO: maybe make this dynamic? or user-adjustable?
const RetryAfter = "1" const RetryAfter = "1"
@ -240,6 +244,8 @@ type APIRequestInfo struct {
Namespace string Namespace string
// Resource is the name of the resource being requested. This is not the kind. For example: pods // Resource is the name of the resource being requested. This is not the kind. For example: pods
Resource string Resource string
// Subresource is the name of the subresource being requested. This is not the kind or the resource. For example: status for a pods/pod-name/status
Subresource string
// Kind is the type of object being manipulated. For example: Pod // Kind is the type of object being manipulated. For example: Pod
Kind string Kind string
// Name is empty for some verbs, but if the request directly indicates a name (not in body content) then this field is filled in. // Name is empty for some verbs, but if the request directly indicates a name (not in body content) then this field is filled in.
@ -251,17 +257,6 @@ type APIRequestInfo struct {
Raw []string Raw []string
} }
// URLPath returns the URL path for this request, including /{resource}/{name} if present but nothing
// following that.
func (info APIRequestInfo) URLPath() string {
p := info.Parts
if n := len(p); n > 2 {
// Only take resource and name
p = p[:2]
}
return path.Join("/", path.Join(info.Raw...), path.Join(p...))
}
type APIRequestInfoResolver struct { type APIRequestInfoResolver struct {
APIPrefixes util.StringSet APIPrefixes util.StringSet
RestMapper meta.RESTMapper RestMapper meta.RESTMapper
@ -340,22 +335,20 @@ func (r *APIRequestInfoResolver) GetAPIRequestInfo(req *http.Request) (APIReques
// URL forms: /namespaces/{namespace}/{kind}/*, where parts are adjusted to be relative to kind // URL forms: /namespaces/{namespace}/{kind}/*, where parts are adjusted to be relative to kind
if currentParts[0] == "namespaces" { if currentParts[0] == "namespaces" {
if len(currentParts) < 3 { if len(currentParts) > 1 {
requestInfo.Resource = "namespaces"
if len(currentParts) > 1 {
requestInfo.Namespace = currentParts[1]
}
} else {
requestInfo.Resource = currentParts[2]
requestInfo.Namespace = currentParts[1] requestInfo.Namespace = currentParts[1]
currentParts = currentParts[2:]
// if there is another step after the namespace name and it is not a known namespace subresource
// move currentParts to include it as a resource in its own right
if len(currentParts) > 2 && !namespaceSubresources.Has(currentParts[2]) {
currentParts = currentParts[2:]
}
} }
} else { } else {
// URL forms: /{resource}/* // URL forms: /{resource}/*
// URL forms: POST /{resource} is a legacy API convention to create in "default" namespace // URL forms: POST /{resource} is a legacy API convention to create in "default" namespace
// URL forms: /{resource}/{resourceName} use the "default" namespace if omitted from query param // URL forms: /{resource}/{resourceName} use the "default" namespace if omitted from query param
// URL forms: /{resource} assume cross-namespace operation if omitted from query param // URL forms: /{resource} assume cross-namespace operation if omitted from query param
requestInfo.Resource = currentParts[0]
requestInfo.Namespace = req.URL.Query().Get("namespace") requestInfo.Namespace = req.URL.Query().Get("namespace")
if len(requestInfo.Namespace) == 0 { if len(requestInfo.Namespace) == 0 {
if len(currentParts) > 1 || req.Method == "POST" { if len(currentParts) > 1 || req.Method == "POST" {
@ -371,9 +364,16 @@ func (r *APIRequestInfoResolver) GetAPIRequestInfo(req *http.Request) (APIReques
// Raw should have everything not in Parts // Raw should have everything not in Parts
requestInfo.Raw = requestInfo.Raw[:len(requestInfo.Raw)-len(currentParts)] requestInfo.Raw = requestInfo.Raw[:len(requestInfo.Raw)-len(currentParts)]
// if there's another part remaining after the kind, then that's the resource name // parts look like: resource/resourceName/subresource/other/stuff/we/don't/interpret
if len(requestInfo.Parts) >= 2 { switch {
case len(requestInfo.Parts) >= 3:
requestInfo.Subresource = requestInfo.Parts[2]
fallthrough
case len(requestInfo.Parts) == 2:
requestInfo.Name = requestInfo.Parts[1] requestInfo.Name = requestInfo.Parts[1]
fallthrough
case len(requestInfo.Parts) == 1:
requestInfo.Resource = requestInfo.Parts[0]
} }
// if there's no name on the request and we thought it was a get before, then the actual verb is a list // if there's no name on the request and we thought it was a get before, then the actual verb is a list

83
pkg/apiserver/handlers_test.go
View File

@ -135,49 +135,56 @@ func TestReadOnly(t *testing.T) {
func TestGetAPIRequestInfo(t *testing.T) { func TestGetAPIRequestInfo(t *testing.T) {
successCases := []struct { successCases := []struct {
method string method string
url string url string
expectedVerb string expectedVerb string
expectedAPIVersion string expectedAPIVersion string
expectedNamespace string expectedNamespace string
expectedResource string expectedResource string
expectedKind string expectedSubresource string
expectedName string expectedKind string
expectedParts []string expectedName string
expectedParts []string
}{ }{
// resource paths // resource paths
{"GET", "/namespaces", "list", "", "", "namespaces", "Namespace", "", []string{"namespaces"}}, {"GET", "/namespaces", "list", "", "", "namespaces", "", "Namespace", "", []string{"namespaces"}},
{"GET", "/namespaces/other", "get", "", "other", "namespaces", "Namespace", "other", []string{"namespaces", "other"}}, {"GET", "/namespaces/other", "get", "", "other", "namespaces", "", "Namespace", "other", []string{"namespaces", "other"}},
{"GET", "/namespaces/other/pods", "list", "", "other", "pods", "Pod", "", []string{"pods"}}, {"GET", "/namespaces/other/pods", "list", "", "other", "pods", "", "Pod", "", []string{"pods"}},
{"GET", "/namespaces/other/pods/foo", "get", "", "other", "pods", "Pod", "foo", []string{"pods", "foo"}}, {"GET", "/namespaces/other/pods/foo", "get", "", "other", "pods", "", "Pod", "foo", []string{"pods", "foo"}},
{"GET", "/pods", "list", "", api.NamespaceAll, "pods", "Pod", "", []string{"pods"}}, {"GET", "/pods", "list", "", api.NamespaceAll, "pods", "", "Pod", "", []string{"pods"}},
{"POST", "/pods", "create", "", api.NamespaceDefault, "pods", "Pod", "", []string{"pods"}}, {"POST", "/pods", "create", "", api.NamespaceDefault, "pods", "", "Pod", "", []string{"pods"}},
{"GET", "/pods/foo", "get", "", api.NamespaceDefault, "pods", "Pod", "foo", []string{"pods", "foo"}}, {"GET", "/pods/foo", "get", "", api.NamespaceDefault, "pods", "", "Pod", "foo", []string{"pods", "foo"}},
{"GET", "/pods/foo?namespace=other", "get", "", "other", "pods", "Pod", "foo", []string{"pods", "foo"}}, {"GET", "/pods/foo?namespace=other", "get", "", "other", "pods", "", "Pod", "foo", []string{"pods", "foo"}},
{"GET", "/pods?namespace=other", "list", "", "other", "pods", "Pod", "", []string{"pods"}}, {"GET", "/pods?namespace=other", "list", "", "other", "pods", "", "Pod", "", []string{"pods"}},
// special verbs // special verbs
{"GET", "/proxy/namespaces/other/pods/foo", "proxy", "", "other", "pods", "Pod", "foo", []string{"pods", "foo"}}, {"GET", "/proxy/namespaces/other/pods/foo", "proxy", "", "other", "pods", "", "Pod", "foo", []string{"pods", "foo"}},
{"GET", "/proxy/pods/foo", "proxy", "", api.NamespaceDefault, "pods", "Pod", "foo", []string{"pods", "foo"}}, {"GET", "/proxy/pods/foo", "proxy", "", api.NamespaceDefault, "pods", "", "Pod", "foo", []string{"pods", "foo"}},
{"GET", "/redirect/namespaces/other/pods/foo", "redirect", "", "other", "pods", "Pod", "foo", []string{"pods", "foo"}}, {"GET", "/redirect/namespaces/other/pods/foo", "redirect", "", "other", "pods", "", "Pod", "foo", []string{"pods", "foo"}},
{"GET", "/redirect/pods/foo", "redirect", "", api.NamespaceDefault, "pods", "Pod", "foo", []string{"pods", "foo"}}, {"GET", "/redirect/pods/foo", "redirect", "", api.NamespaceDefault, "pods", "", "Pod", "foo", []string{"pods", "foo"}},
{"GET", "/watch/pods", "watch", "", api.NamespaceAll, "pods", "Pod", "", []string{"pods"}}, {"GET", "/watch/pods", "watch", "", api.NamespaceAll, "pods", "", "Pod", "", []string{"pods"}},
{"GET", "/watch/namespaces/other/pods", "watch", "", "other", "pods", "Pod", "", []string{"pods"}}, {"GET", "/watch/namespaces/other/pods", "watch", "", "other", "pods", "", "Pod", "", []string{"pods"}},
// fully-qualified paths // fully-qualified paths
{"GET", "/api/v1beta1/namespaces/other/pods", "list", "v1beta1", "other", "pods", "Pod", "", []string{"pods"}}, {"GET", "/api/v1beta1/namespaces/other/pods", "list", "v1beta1", "other", "pods", "", "Pod", "", []string{"pods"}},
{"GET", "/api/v1beta1/namespaces/other/pods/foo", "get", "v1beta1", "other", "pods", "Pod", "foo", []string{"pods", "foo"}}, {"GET", "/api/v1beta1/namespaces/other/pods/foo", "get", "v1beta1", "other", "pods", "", "Pod", "foo", []string{"pods", "foo"}},
{"GET", "/api/v1beta1/pods", "list", "v1beta1", api.NamespaceAll, "pods", "Pod", "", []string{"pods"}}, {"GET", "/api/v1beta1/pods", "list", "v1beta1", api.NamespaceAll, "pods", "", "Pod", "", []string{"pods"}},
{"POST", "/api/v1beta1/pods", "create", "v1beta1", api.NamespaceDefault, "pods", "Pod", "", []string{"pods"}}, {"POST", "/api/v1beta1/pods", "create", "v1beta1", api.NamespaceDefault, "pods", "", "Pod", "", []string{"pods"}},
{"GET", "/api/v1beta1/pods/foo", "get", "v1beta1", api.NamespaceDefault, "pods", "Pod", "foo", []string{"pods", "foo"}}, {"GET", "/api/v1beta1/pods/foo", "get", "v1beta1", api.NamespaceDefault, "pods", "", "Pod", "foo", []string{"pods", "foo"}},
{"GET", "/api/v1beta1/pods/foo?namespace=other", "get", "v1beta1", "other", "pods", "Pod", "foo", []string{"pods", "foo"}}, {"GET", "/api/v1beta1/pods/foo?namespace=other", "get", "v1beta1", "other", "pods", "", "Pod", "foo", []string{"pods", "foo"}},
{"GET", "/api/v1beta1/pods?namespace=other", "list", "v1beta1", "other", "pods", "Pod", "", []string{"pods"}}, {"GET", "/api/v1beta1/pods?namespace=other", "list", "v1beta1", "other", "pods", "", "Pod", "", []string{"pods"}},
{"GET", "/api/v1beta1/proxy/pods/foo", "proxy", "v1beta1", api.NamespaceDefault, "pods", "Pod", "foo", []string{"pods", "foo"}}, {"GET", "/api/v1beta1/proxy/pods/foo", "proxy", "v1beta1", api.NamespaceDefault, "pods", "", "Pod", "foo", []string{"pods", "foo"}},
{"GET", "/api/v1beta1/redirect/pods/foo", "redirect", "v1beta1", api.NamespaceDefault, "pods", "Pod", "foo", []string{"pods", "foo"}}, {"GET", "/api/v1beta1/redirect/pods/foo", "redirect", "v1beta1", api.NamespaceDefault, "pods", "", "Pod", "foo", []string{"pods", "foo"}},
{"GET", "/api/v1beta1/watch/pods", "watch", "v1beta1", api.NamespaceAll, "pods", "Pod", "", []string{"pods"}}, {"GET", "/api/v1beta1/watch/pods", "watch", "v1beta1", api.NamespaceAll, "pods", "", "Pod", "", []string{"pods"}},
{"GET", "/api/v1beta1/watch/namespaces/other/pods", "watch", "v1beta1", "other", "pods", "Pod", "", []string{"pods"}}, {"GET", "/api/v1beta1/watch/namespaces/other/pods", "watch", "v1beta1", "other", "pods", "", "Pod", "", []string{"pods"}},
// subresource identification
{"GET", "/namespaces/other/pods/foo/status", "get", "", "other", "pods", "status", "Pod", "foo", []string{"pods", "foo", "status"}},
{"GET", "/namespaces/other/finalize", "get", "", "other", "namespaces", "finalize", "Namespace", "other", []string{"namespaces", "other", "finalize"}},
{"PUT", "/namespaces/other/status", "update", "", "other", "namespaces", "status", "Namespace", "other", []string{"namespaces", "other", "status"}},
{"PUT", "/namespaces/other/anything", "update", "", "other", "anything", "", "", "", []string{"anything"}},
} }
apiRequestInfoResolver := &APIRequestInfoResolver{util.NewStringSet("api"), latest.RESTMapper} apiRequestInfoResolver := &APIRequestInfoResolver{util.NewStringSet("api"), latest.RESTMapper}
@ -204,15 +211,15 @@ func TestGetAPIRequestInfo(t *testing.T) {
if successCase.expectedResource != apiRequestInfo.Resource { if successCase.expectedResource != apiRequestInfo.Resource {
t.Errorf("Unexpected resource for url: %s, expected: %s, actual: %s", successCase.url, successCase.expectedResource, apiRequestInfo.Resource) t.Errorf("Unexpected resource for url: %s, expected: %s, actual: %s", successCase.url, successCase.expectedResource, apiRequestInfo.Resource)
} }
if successCase.expectedSubresource != apiRequestInfo.Subresource {
t.Errorf("Unexpected resource for url: %s, expected: %s, actual: %s", successCase.url, successCase.expectedSubresource, apiRequestInfo.Subresource)
}
if successCase.expectedName != apiRequestInfo.Name { if successCase.expectedName != apiRequestInfo.Name {
t.Errorf("Unexpected name for url: %s, expected: %s, actual: %s", successCase.url, successCase.expectedName, apiRequestInfo.Name) t.Errorf("Unexpected name for url: %s, expected: %s, actual: %s", successCase.url, successCase.expectedName, apiRequestInfo.Name)
} }
if !reflect.DeepEqual(successCase.expectedParts, apiRequestInfo.Parts) { if !reflect.DeepEqual(successCase.expectedParts, apiRequestInfo.Parts) {
t.Errorf("Unexpected parts for url: %s, expected: %v, actual: %v", successCase.url, successCase.expectedParts, apiRequestInfo.Parts) t.Errorf("Unexpected parts for url: %s, expected: %v, actual: %v", successCase.url, successCase.expectedParts, apiRequestInfo.Parts)
} }
if e, a := strings.Split(successCase.url, "?")[0], apiRequestInfo.URLPath(); e != a {
t.Errorf("Expected %v, got %v", e, a)
}
} }
errorCases := map[string]string{ errorCases := map[string]string{