mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 03:41:45 +00:00
Refactor RBAC authorizer entry points
This change refactors various RBAC authorizer functions to be more flexible in their inputs. This makes it easier to reuse the various components that make up the authorizer. Signed-off-by: Monis Khan <mkhan@redhat.com>
This commit is contained in:
parent
d2cf96d6ef
commit
8e7893e541
@ -20,16 +20,13 @@ go_library(
|
||||
name = "go_default_library",
|
||||
srcs = ["config.go"],
|
||||
deps = [
|
||||
"//pkg/apis/rbac:go_default_library",
|
||||
"//pkg/auth/authorizer/abac:go_default_library",
|
||||
"//pkg/auth/nodeidentifier:go_default_library",
|
||||
"//pkg/client/informers/informers_generated/internalversion:go_default_library",
|
||||
"//pkg/client/listers/rbac/internalversion:go_default_library",
|
||||
"//pkg/kubeapiserver/authorizer/modes:go_default_library",
|
||||
"//plugin/pkg/auth/authorizer/node:go_default_library",
|
||||
"//plugin/pkg/auth/authorizer/rbac:go_default_library",
|
||||
"//plugin/pkg/auth/authorizer/rbac/bootstrappolicy:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/authorization/authorizerfactory:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/authorization/union:go_default_library",
|
||||
|
@ -21,16 +21,13 @@ import (
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
"k8s.io/apiserver/pkg/authorization/authorizer"
|
||||
"k8s.io/apiserver/pkg/authorization/authorizerfactory"
|
||||
"k8s.io/apiserver/pkg/authorization/union"
|
||||
"k8s.io/apiserver/plugin/pkg/authorizer/webhook"
|
||||
rbacapi "k8s.io/kubernetes/pkg/apis/rbac"
|
||||
"k8s.io/kubernetes/pkg/auth/authorizer/abac"
|
||||
"k8s.io/kubernetes/pkg/auth/nodeidentifier"
|
||||
informers "k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion"
|
||||
rbaclisters "k8s.io/kubernetes/pkg/client/listers/rbac/internalversion"
|
||||
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
|
||||
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/node"
|
||||
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
|
||||
@ -57,38 +54,6 @@ type AuthorizationConfig struct {
|
||||
InformerFactory informers.SharedInformerFactory
|
||||
}
|
||||
|
||||
type roleGetter struct {
|
||||
lister rbaclisters.RoleLister
|
||||
}
|
||||
|
||||
func (g *roleGetter) GetRole(namespace, name string) (*rbacapi.Role, error) {
|
||||
return g.lister.Roles(namespace).Get(name)
|
||||
}
|
||||
|
||||
type roleBindingLister struct {
|
||||
lister rbaclisters.RoleBindingLister
|
||||
}
|
||||
|
||||
func (l *roleBindingLister) ListRoleBindings(namespace string) ([]*rbacapi.RoleBinding, error) {
|
||||
return l.lister.RoleBindings(namespace).List(labels.Everything())
|
||||
}
|
||||
|
||||
type clusterRoleGetter struct {
|
||||
lister rbaclisters.ClusterRoleLister
|
||||
}
|
||||
|
||||
func (g *clusterRoleGetter) GetClusterRole(name string) (*rbacapi.ClusterRole, error) {
|
||||
return g.lister.Get(name)
|
||||
}
|
||||
|
||||
type clusterRoleBindingLister struct {
|
||||
lister rbaclisters.ClusterRoleBindingLister
|
||||
}
|
||||
|
||||
func (l *clusterRoleBindingLister) ListClusterRoleBindings() ([]*rbacapi.ClusterRoleBinding, error) {
|
||||
return l.lister.List(labels.Everything())
|
||||
}
|
||||
|
||||
// New returns the right sort of union of multiple authorizer.Authorizer objects
|
||||
// based on the authorizationMode or an error.
|
||||
func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
|
||||
@ -141,10 +106,10 @@ func (config AuthorizationConfig) New() (authorizer.Authorizer, error) {
|
||||
authorizers = append(authorizers, webhookAuthorizer)
|
||||
case modes.ModeRBAC:
|
||||
rbacAuthorizer := rbac.New(
|
||||
&roleGetter{config.InformerFactory.Rbac().InternalVersion().Roles().Lister()},
|
||||
&roleBindingLister{config.InformerFactory.Rbac().InternalVersion().RoleBindings().Lister()},
|
||||
&clusterRoleGetter{config.InformerFactory.Rbac().InternalVersion().ClusterRoles().Lister()},
|
||||
&clusterRoleBindingLister{config.InformerFactory.Rbac().InternalVersion().ClusterRoleBindings().Lister()},
|
||||
&rbac.RoleGetter{Lister: config.InformerFactory.Rbac().InternalVersion().Roles().Lister()},
|
||||
&rbac.RoleBindingLister{Lister: config.InformerFactory.Rbac().InternalVersion().RoleBindings().Lister()},
|
||||
&rbac.ClusterRoleGetter{Lister: config.InformerFactory.Rbac().InternalVersion().ClusterRoles().Lister()},
|
||||
&rbac.ClusterRoleBindingLister{Lister: config.InformerFactory.Rbac().InternalVersion().ClusterRoleBindings().Lister()},
|
||||
)
|
||||
authorizers = append(authorizers, rbacAuthorizer)
|
||||
default:
|
||||
|
@ -14,8 +14,10 @@ go_library(
|
||||
],
|
||||
deps = [
|
||||
"//pkg/apis/rbac:go_default_library",
|
||||
"//pkg/client/listers/rbac/internalversion:go_default_library",
|
||||
"//pkg/registry/rbac/validation:go_default_library",
|
||||
"//vendor/github.com/golang/glog:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/labels:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/util/errors:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/authentication/user:go_default_library",
|
||||
"//vendor/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
|
||||
|
@ -24,10 +24,12 @@ import (
|
||||
|
||||
"bytes"
|
||||
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
utilerrors "k8s.io/apimachinery/pkg/util/errors"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
"k8s.io/apiserver/pkg/authorization/authorizer"
|
||||
"k8s.io/kubernetes/pkg/apis/rbac"
|
||||
rbaclisters "k8s.io/kubernetes/pkg/client/listers/rbac/internalversion"
|
||||
rbacregistryvalidation "k8s.io/kubernetes/pkg/registry/rbac/validation"
|
||||
)
|
||||
|
||||
@ -156,3 +158,35 @@ func RuleAllows(requestAttributes authorizer.Attributes, rule *rbac.PolicyRule)
|
||||
return rbac.VerbMatches(rule, requestAttributes.GetVerb()) &&
|
||||
rbac.NonResourceURLMatches(rule, requestAttributes.GetPath())
|
||||
}
|
||||
|
||||
type RoleGetter struct {
|
||||
Lister rbaclisters.RoleLister
|
||||
}
|
||||
|
||||
func (g *RoleGetter) GetRole(namespace, name string) (*rbac.Role, error) {
|
||||
return g.Lister.Roles(namespace).Get(name)
|
||||
}
|
||||
|
||||
type RoleBindingLister struct {
|
||||
Lister rbaclisters.RoleBindingLister
|
||||
}
|
||||
|
||||
func (l *RoleBindingLister) ListRoleBindings(namespace string) ([]*rbac.RoleBinding, error) {
|
||||
return l.Lister.RoleBindings(namespace).List(labels.Everything())
|
||||
}
|
||||
|
||||
type ClusterRoleGetter struct {
|
||||
Lister rbaclisters.ClusterRoleLister
|
||||
}
|
||||
|
||||
func (g *ClusterRoleGetter) GetClusterRole(name string) (*rbac.ClusterRole, error) {
|
||||
return g.Lister.Get(name)
|
||||
}
|
||||
|
||||
type ClusterRoleBindingLister struct {
|
||||
Lister rbaclisters.ClusterRoleBindingLister
|
||||
}
|
||||
|
||||
func (l *ClusterRoleBindingLister) ListClusterRoleBindings() ([]*rbac.ClusterRoleBinding, error) {
|
||||
return l.Lister.List(labels.Everything())
|
||||
}
|
||||
|
@ -31,6 +31,12 @@ type RoleToRuleMapper interface {
|
||||
GetRoleReferenceRules(roleRef rbac.RoleRef, namespace string) ([]rbac.PolicyRule, error)
|
||||
}
|
||||
|
||||
type SubjectLocator interface {
|
||||
AllowedSubjects(attributes authorizer.Attributes) ([]rbac.Subject, error)
|
||||
}
|
||||
|
||||
var _ = SubjectLocator(&SubjectAccessEvaluator{})
|
||||
|
||||
type SubjectAccessEvaluator struct {
|
||||
superUser string
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user