fix loopback authorizer

deads2k 2016-10-03 11:30:56 -04:00
parent 3933ddbc9a
commit 8c20af79a4
3 changed files with 26 additions and 6 deletions


@ -37,17 +37,17 @@ func (authzHandler unionAuthzHandler) Authorize(a authorizer.Attributes) (bool,
errlist []error
reasonlist []string
)
for _, currAuthzHandler := range authzHandler {
authorized, reason, err := currAuthzHandler.Authorize(a)
if err != nil {
errlist = append(errlist, err)
continue
}
if len(reason) != 0 {
reasonlist = append(reasonlist, reason)
}
if !authorized {
if reason != "" {
reasonlist = append(reasonlist, reason)
}
continue
}
return true, reason, nil
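Review bot: An error returned by one handler in the loop of Authorize is only appended to errlist and skipped with `continue`, so when a later handler allows, `return true, reason, nil` drops that error without any trace. That may be the intended union semantics, but it is worth stating in the code, since an authorizer that fails (rather than denies) does not block the request here. I would add a comment above the loop such as `// First allow wins: errors and deny reasons from earlier authorizers are reported only if no authorizer allows.` The page has lost the +/- markers, so I cannot tell which of the two reason checks is the new side, and the code after the loop is outside this hunk.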


@ -77,8 +77,11 @@ type privilegedGroupAuthorizer struct {
}
func (r *privilegedGroupAuthorizer) Authorize(attr authorizer.Attributes) (bool, string, error) {
for attr_group := range attr.GetUser().GetGroups() {
for priv_group := range r.groups {
if attr.GetUser() == nil {
return false, "Error", errors.New("no user on request.")
}
for _, attr_group := range attr.GetUser().GetGroups() {
for _, priv_group := range r.groups {
if priv_group == attr_group {
return true, "", nil
}
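Review bot: The guard `attr.GetUser() == nil` compares an interface value with nil, so it would not catch a user.Info that wraps a nil pointer; if any caller can produce that (not visible here), the `GetGroups()` call on the following line could still dereference nil. The denial itself fails closed, which is right, but the reason string "Error" tells an auditor nothing and the error text ends in a period against Go convention; consider `return false, "no user on request", errors.New("no user on request")`. The loop variables would also read better as `attrGroup` and `privGroup`. Authorize's body continues past the end of this hunk.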


@ -20,6 +20,9 @@ import (
"testing"
"k8s.io/kubernetes/pkg/genericapiserver/options"
"k8s.io/kubernetes/pkg/auth/authorizer"
"k8s.io/kubernetes/pkg/auth/user"
)
// NewAlwaysAllowAuthorizer must return a struct which implements authorizer.Authorizer
@ -115,3 +118,17 @@ func TestNewAuthorizerFromAuthorizationConfig(t *testing.T) {
}
}
}
func TestPrivilegedGroupAuthorizer(t *testing.T) {
auth := NewPrivilegedGroups("allow-01", "allow-01")
yes := authorizer.AttributesRecord{User: &user.DefaultInfo{Groups: []string{"no", "allow-01"}}}
no := authorizer.AttributesRecord{User: &user.DefaultInfo{Groups: []string{"no", "deny-01"}}}
if authorized, _, _ := auth.Authorize(yes); !authorized {
t.Errorf("failed")
}
if authorized, _, _ := auth.Authorize(no); authorized {
t.Errorf("failed")
}
}
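Review bot: TestPrivilegedGroupAuthorizer does not exercise the nil-user branch that this same commit adds to privilegedGroupAuthorizer.Authorize, so the fail-closed path is untested. A third case would pin it: `if authorized, _, err := auth.Authorize(authorizer.AttributesRecord{}); authorized || err == nil { t.Errorf("request without user: want denial with error") }`. The two existing `t.Errorf("failed")` messages should say which case failed, and `NewPrivilegedGroups("allow-01", "allow-01")` passes the same group twice, which looks like it was meant to be two distinct groups.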