mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-25 04:33:26 +00:00
slim down authorization listing interfaces
This commit is contained in:
parent
aa485ce82c
commit
ceaf026881
@ -32,7 +32,7 @@ import (
|
||||
type AuthorizationRuleResolver interface {
|
||||
// GetRoleReferenceRules attempts to resolve the role reference of a RoleBinding or ClusterRoleBinding. The passed namespace should be the namepsace
|
||||
// of the role binding, the empty string if a cluster role binding.
|
||||
GetRoleReferenceRules(ctx api.Context, roleRef rbac.RoleRef, namespace string) ([]rbac.PolicyRule, error)
|
||||
GetRoleReferenceRules(roleRef rbac.RoleRef, namespace string) ([]rbac.PolicyRule, error)
|
||||
|
||||
// RulesFor returns the list of rules that apply to a given user in a given namespace and error. If an error is returned, the slice of
|
||||
// PolicyRules may not be complete, but it contains all retrievable rules. This is done because policy rules are purely additive and policy determinations
|
||||
@ -77,35 +77,34 @@ func NewDefaultRuleResolver(roleGetter RoleGetter, roleBindingLister RoleBinding
|
||||
}
|
||||
|
||||
type RoleGetter interface {
|
||||
GetRole(ctx api.Context, id string) (*rbac.Role, error)
|
||||
GetRole(namespace, name string) (*rbac.Role, error)
|
||||
}
|
||||
|
||||
type RoleBindingLister interface {
|
||||
ListRoleBindings(ctx api.Context, options *api.ListOptions) (*rbac.RoleBindingList, error)
|
||||
ListRoleBindings(namespace string) ([]*rbac.RoleBinding, error)
|
||||
}
|
||||
|
||||
type ClusterRoleGetter interface {
|
||||
GetClusterRole(ctx api.Context, id string) (*rbac.ClusterRole, error)
|
||||
GetClusterRole(name string) (*rbac.ClusterRole, error)
|
||||
}
|
||||
|
||||
type ClusterRoleBindingLister interface {
|
||||
ListClusterRoleBindings(ctx api.Context, options *api.ListOptions) (*rbac.ClusterRoleBindingList, error)
|
||||
ListClusterRoleBindings() ([]*rbac.ClusterRoleBinding, error)
|
||||
}
|
||||
|
||||
func (r *DefaultRuleResolver) RulesFor(user user.Info, namespace string) ([]rbac.PolicyRule, error) {
|
||||
policyRules := []rbac.PolicyRule{}
|
||||
errorlist := []error{}
|
||||
|
||||
ctx := api.NewContext()
|
||||
if clusterRoleBindings, err := r.clusterRoleBindingLister.ListClusterRoleBindings(ctx, &api.ListOptions{}); err != nil {
|
||||
if clusterRoleBindings, err := r.clusterRoleBindingLister.ListClusterRoleBindings(); err != nil {
|
||||
errorlist = append(errorlist, err)
|
||||
|
||||
} else {
|
||||
for _, clusterRoleBinding := range clusterRoleBindings.Items {
|
||||
for _, clusterRoleBinding := range clusterRoleBindings {
|
||||
if !appliesTo(user, clusterRoleBinding.Subjects, "") {
|
||||
continue
|
||||
}
|
||||
rules, err := r.GetRoleReferenceRules(ctx, clusterRoleBinding.RoleRef, "")
|
||||
rules, err := r.GetRoleReferenceRules(clusterRoleBinding.RoleRef, "")
|
||||
if err != nil {
|
||||
errorlist = append(errorlist, err)
|
||||
continue
|
||||
@ -115,17 +114,15 @@ func (r *DefaultRuleResolver) RulesFor(user user.Info, namespace string) ([]rbac
|
||||
}
|
||||
|
||||
if len(namespace) > 0 {
|
||||
ctx := api.WithNamespace(api.NewContext(), namespace)
|
||||
|
||||
if roleBindings, err := r.roleBindingLister.ListRoleBindings(ctx, &api.ListOptions{}); err != nil {
|
||||
if roleBindings, err := r.roleBindingLister.ListRoleBindings(namespace); err != nil {
|
||||
errorlist = append(errorlist, err)
|
||||
|
||||
} else {
|
||||
for _, roleBinding := range roleBindings.Items {
|
||||
for _, roleBinding := range roleBindings {
|
||||
if !appliesTo(user, roleBinding.Subjects, namespace) {
|
||||
continue
|
||||
}
|
||||
rules, err := r.GetRoleReferenceRules(ctx, roleBinding.RoleRef, namespace)
|
||||
rules, err := r.GetRoleReferenceRules(roleBinding.RoleRef, namespace)
|
||||
if err != nil {
|
||||
errorlist = append(errorlist, err)
|
||||
continue
|
||||
@ -139,17 +136,17 @@ func (r *DefaultRuleResolver) RulesFor(user user.Info, namespace string) ([]rbac
|
||||
}
|
||||
|
||||
// GetRoleReferenceRules attempts to resolve the RoleBinding or ClusterRoleBinding.
|
||||
func (r *DefaultRuleResolver) GetRoleReferenceRules(ctx api.Context, roleRef rbac.RoleRef, bindingNamespace string) ([]rbac.PolicyRule, error) {
|
||||
func (r *DefaultRuleResolver) GetRoleReferenceRules(roleRef rbac.RoleRef, bindingNamespace string) ([]rbac.PolicyRule, error) {
|
||||
switch kind := rbac.RoleRefGroupKind(roleRef); kind {
|
||||
case rbac.Kind("Role"):
|
||||
role, err := r.roleGetter.GetRole(api.WithNamespace(ctx, bindingNamespace), roleRef.Name)
|
||||
role, err := r.roleGetter.GetRole(bindingNamespace, roleRef.Name)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return role.Rules, nil
|
||||
|
||||
case rbac.Kind("ClusterRole"):
|
||||
clusterRole, err := r.clusterRoleGetter.GetClusterRole(api.WithNamespace(ctx, ""), roleRef.Name)
|
||||
clusterRole, err := r.clusterRoleGetter.GetClusterRole(roleRef.Name)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -193,7 +190,7 @@ func appliesToUser(user user.Info, subject rbac.Subject, namespace string) bool
|
||||
}
|
||||
|
||||
// NewTestRuleResolver returns a rule resolver from lists of role objects.
|
||||
func NewTestRuleResolver(roles []rbac.Role, roleBindings []rbac.RoleBinding, clusterRoles []rbac.ClusterRole, clusterRoleBindings []rbac.ClusterRoleBinding) AuthorizationRuleResolver {
|
||||
func NewTestRuleResolver(roles []*rbac.Role, roleBindings []*rbac.RoleBinding, clusterRoles []*rbac.ClusterRole, clusterRoleBindings []*rbac.ClusterRoleBinding) AuthorizationRuleResolver {
|
||||
r := staticRoles{
|
||||
roles: roles,
|
||||
roleBindings: roleBindings,
|
||||
@ -208,62 +205,49 @@ func newMockRuleResolver(r *staticRoles) AuthorizationRuleResolver {
|
||||
}
|
||||
|
||||
type staticRoles struct {
|
||||
roles []rbac.Role
|
||||
roleBindings []rbac.RoleBinding
|
||||
clusterRoles []rbac.ClusterRole
|
||||
clusterRoleBindings []rbac.ClusterRoleBinding
|
||||
roles []*rbac.Role
|
||||
roleBindings []*rbac.RoleBinding
|
||||
clusterRoles []*rbac.ClusterRole
|
||||
clusterRoleBindings []*rbac.ClusterRoleBinding
|
||||
}
|
||||
|
||||
func (r *staticRoles) GetRole(ctx api.Context, id string) (*rbac.Role, error) {
|
||||
namespace, ok := api.NamespaceFrom(ctx)
|
||||
if !ok || namespace == "" {
|
||||
func (r *staticRoles) GetRole(namespace, name string) (*rbac.Role, error) {
|
||||
if len(namespace) == 0 {
|
||||
return nil, errors.New("must provide namespace when getting role")
|
||||
}
|
||||
for _, role := range r.roles {
|
||||
if role.Namespace == namespace && role.Name == id {
|
||||
return &role, nil
|
||||
if role.Namespace == namespace && role.Name == name {
|
||||
return role, nil
|
||||
}
|
||||
}
|
||||
return nil, errors.New("role not found")
|
||||
}
|
||||
|
||||
func (r *staticRoles) GetClusterRole(ctx api.Context, id string) (*rbac.ClusterRole, error) {
|
||||
namespace, ok := api.NamespaceFrom(ctx)
|
||||
if ok && namespace != "" {
|
||||
return nil, errors.New("cannot provide namespace when getting cluster role")
|
||||
}
|
||||
func (r *staticRoles) GetClusterRole(name string) (*rbac.ClusterRole, error) {
|
||||
for _, clusterRole := range r.clusterRoles {
|
||||
if clusterRole.Namespace == namespace && clusterRole.Name == id {
|
||||
return &clusterRole, nil
|
||||
if clusterRole.Name == name {
|
||||
return clusterRole, nil
|
||||
}
|
||||
}
|
||||
return nil, errors.New("role not found")
|
||||
}
|
||||
|
||||
func (r *staticRoles) ListRoleBindings(ctx api.Context, options *api.ListOptions) (*rbac.RoleBindingList, error) {
|
||||
namespace, ok := api.NamespaceFrom(ctx)
|
||||
if !ok || namespace == "" {
|
||||
func (r *staticRoles) ListRoleBindings(namespace string) ([]*rbac.RoleBinding, error) {
|
||||
if len(namespace) == 0 {
|
||||
return nil, errors.New("must provide namespace when listing role bindings")
|
||||
}
|
||||
|
||||
roleBindingList := new(rbac.RoleBindingList)
|
||||
roleBindingList := []*rbac.RoleBinding{}
|
||||
for _, roleBinding := range r.roleBindings {
|
||||
if roleBinding.Namespace != namespace {
|
||||
continue
|
||||
}
|
||||
// TODO(ericchiang): need to implement label selectors?
|
||||
roleBindingList.Items = append(roleBindingList.Items, roleBinding)
|
||||
roleBindingList = append(roleBindingList, roleBinding)
|
||||
}
|
||||
return roleBindingList, nil
|
||||
}
|
||||
|
||||
func (r *staticRoles) ListClusterRoleBindings(ctx api.Context, options *api.ListOptions) (*rbac.ClusterRoleBindingList, error) {
|
||||
namespace, ok := api.NamespaceFrom(ctx)
|
||||
if ok && namespace != "" {
|
||||
return nil, errors.New("cannot list cluster role bindings from within a namespace")
|
||||
}
|
||||
clusterRoleBindings := new(rbac.ClusterRoleBindingList)
|
||||
clusterRoleBindings.Items = make([]rbac.ClusterRoleBinding, len(r.clusterRoleBindings))
|
||||
copy(clusterRoleBindings.Items, r.clusterRoleBindings)
|
||||
return clusterRoleBindings, nil
|
||||
func (r *staticRoles) ListClusterRoleBindings() ([]*rbac.ClusterRoleBinding, error) {
|
||||
return r.clusterRoleBindings, nil
|
||||
}
|
||||
|
@ -73,13 +73,13 @@ func TestDefaultRuleResolver(t *testing.T) {
|
||||
}
|
||||
|
||||
staticRoles1 := staticRoles{
|
||||
roles: []rbac.Role{
|
||||
roles: []*rbac.Role{
|
||||
{
|
||||
ObjectMeta: api.ObjectMeta{Namespace: "namespace1", Name: "readthings"},
|
||||
Rules: []rbac.PolicyRule{ruleReadPods, ruleReadServices},
|
||||
},
|
||||
},
|
||||
clusterRoles: []rbac.ClusterRole{
|
||||
clusterRoles: []*rbac.ClusterRole{
|
||||
{
|
||||
ObjectMeta: api.ObjectMeta{Name: "cluster-admin"},
|
||||
Rules: []rbac.PolicyRule{ruleAdmin},
|
||||
@ -89,7 +89,7 @@ func TestDefaultRuleResolver(t *testing.T) {
|
||||
Rules: []rbac.PolicyRule{ruleWriteNodes},
|
||||
},
|
||||
},
|
||||
roleBindings: []rbac.RoleBinding{
|
||||
roleBindings: []*rbac.RoleBinding{
|
||||
{
|
||||
ObjectMeta: api.ObjectMeta{Namespace: "namespace1"},
|
||||
Subjects: []rbac.Subject{
|
||||
@ -99,7 +99,7 @@ func TestDefaultRuleResolver(t *testing.T) {
|
||||
RoleRef: rbac.RoleRef{APIGroup: rbac.GroupName, Kind: "Role", Name: "readthings"},
|
||||
},
|
||||
},
|
||||
clusterRoleBindings: []rbac.ClusterRoleBinding{
|
||||
clusterRoleBindings: []*rbac.ClusterRoleBinding{
|
||||
{
|
||||
Subjects: []rbac.Subject{
|
||||
{Kind: rbac.UserKind, Name: "admin"},
|
||||
|
@ -79,3 +79,12 @@ func (s *storage) DeleteClusterRole(ctx api.Context, name string) error {
|
||||
_, err := s.Delete(ctx, name, nil)
|
||||
return err
|
||||
}
|
||||
|
||||
// AuthorizerAdapter adapts the registry to the authorizer interface
|
||||
type AuthorizerAdapter struct {
|
||||
Registry Registry
|
||||
}
|
||||
|
||||
func (a AuthorizerAdapter) GetClusterRole(name string) (*rbac.ClusterRole, error) {
|
||||
return a.Registry.GetClusterRole(api.NewContext(), name)
|
||||
}
|
||||
|
@ -48,7 +48,7 @@ func (s *Storage) Create(ctx api.Context, obj runtime.Object) (runtime.Object, e
|
||||
}
|
||||
|
||||
clusterRoleBinding := obj.(*rbac.ClusterRoleBinding)
|
||||
rules, err := s.ruleResolver.GetRoleReferenceRules(ctx, clusterRoleBinding.RoleRef, clusterRoleBinding.Namespace)
|
||||
rules, err := s.ruleResolver.GetRoleReferenceRules(clusterRoleBinding.RoleRef, clusterRoleBinding.Namespace)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -66,7 +66,7 @@ func (s *Storage) Update(ctx api.Context, name string, obj rest.UpdatedObjectInf
|
||||
nonEscalatingInfo := wrapUpdatedObjectInfo(obj, func(ctx api.Context, obj runtime.Object, oldObj runtime.Object) (runtime.Object, error) {
|
||||
clusterRoleBinding := obj.(*rbac.ClusterRoleBinding)
|
||||
|
||||
rules, err := s.ruleResolver.GetRoleReferenceRules(ctx, clusterRoleBinding.RoleRef, clusterRoleBinding.Namespace)
|
||||
rules, err := s.ruleResolver.GetRoleReferenceRules(clusterRoleBinding.RoleRef, clusterRoleBinding.Namespace)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -79,3 +79,21 @@ func (s *storage) DeleteClusterRoleBinding(ctx api.Context, name string) error {
|
||||
_, err := s.Delete(ctx, name, nil)
|
||||
return err
|
||||
}
|
||||
|
||||
// AuthorizerAdapter adapts the registry to the authorizer interface
|
||||
type AuthorizerAdapter struct {
|
||||
Registry Registry
|
||||
}
|
||||
|
||||
func (a AuthorizerAdapter) ListClusterRoleBindings() ([]*rbac.ClusterRoleBinding, error) {
|
||||
list, err := a.Registry.ListClusterRoleBindings(api.NewContext(), &api.ListOptions{})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
ret := []*rbac.ClusterRoleBinding{}
|
||||
for i := range list.Items {
|
||||
ret = append(ret, &list.Items[i])
|
||||
}
|
||||
return ret, nil
|
||||
}
|
||||
|
@ -71,10 +71,10 @@ func (p *RESTStorageProvider) v1alpha1Storage(apiResourceConfigSource genericapi
|
||||
newRuleValidator := func() rbacvalidation.AuthorizationRuleResolver {
|
||||
once.Do(func() {
|
||||
authorizationRuleResolver = rbacvalidation.NewDefaultRuleResolver(
|
||||
role.NewRegistry(roleetcd.NewREST(restOptionsGetter(rbac.Resource("roles")))),
|
||||
rolebinding.NewRegistry(rolebindingetcd.NewREST(restOptionsGetter(rbac.Resource("rolebindings")))),
|
||||
clusterrole.NewRegistry(clusterroleetcd.NewREST(restOptionsGetter(rbac.Resource("clusterroles")))),
|
||||
clusterrolebinding.NewRegistry(clusterrolebindingetcd.NewREST(restOptionsGetter(rbac.Resource("clusterrolebindings")))),
|
||||
role.AuthorizerAdapter{Registry: role.NewRegistry(roleetcd.NewREST(restOptionsGetter(rbac.Resource("roles"))))},
|
||||
rolebinding.AuthorizerAdapter{Registry: rolebinding.NewRegistry(rolebindingetcd.NewREST(restOptionsGetter(rbac.Resource("rolebindings"))))},
|
||||
clusterrole.AuthorizerAdapter{Registry: clusterrole.NewRegistry(clusterroleetcd.NewREST(restOptionsGetter(rbac.Resource("clusterroles"))))},
|
||||
clusterrolebinding.AuthorizerAdapter{Registry: clusterrolebinding.NewRegistry(clusterrolebindingetcd.NewREST(restOptionsGetter(rbac.Resource("clusterrolebindings"))))},
|
||||
)
|
||||
})
|
||||
return authorizationRuleResolver
|
||||
|
@ -79,3 +79,12 @@ func (s *storage) DeleteRole(ctx api.Context, name string) error {
|
||||
_, err := s.Delete(ctx, name, nil)
|
||||
return err
|
||||
}
|
||||
|
||||
// AuthorizerAdapter adapts the registry to the authorizer interface
|
||||
type AuthorizerAdapter struct {
|
||||
Registry Registry
|
||||
}
|
||||
|
||||
func (a AuthorizerAdapter) GetRole(namespace, name string) (*rbac.Role, error) {
|
||||
return a.Registry.GetRole(api.WithNamespace(api.NewContext(), namespace), name)
|
||||
}
|
||||
|
@ -48,7 +48,7 @@ func (s *Storage) Create(ctx api.Context, obj runtime.Object) (runtime.Object, e
|
||||
}
|
||||
|
||||
roleBinding := obj.(*rbac.RoleBinding)
|
||||
rules, err := s.ruleResolver.GetRoleReferenceRules(ctx, roleBinding.RoleRef, roleBinding.Namespace)
|
||||
rules, err := s.ruleResolver.GetRoleReferenceRules(roleBinding.RoleRef, roleBinding.Namespace)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -66,7 +66,7 @@ func (s *Storage) Update(ctx api.Context, name string, obj rest.UpdatedObjectInf
|
||||
nonEscalatingInfo := wrapUpdatedObjectInfo(obj, func(ctx api.Context, obj runtime.Object, oldObj runtime.Object) (runtime.Object, error) {
|
||||
roleBinding := obj.(*rbac.RoleBinding)
|
||||
|
||||
rules, err := s.ruleResolver.GetRoleReferenceRules(ctx, roleBinding.RoleRef, roleBinding.Namespace)
|
||||
rules, err := s.ruleResolver.GetRoleReferenceRules(roleBinding.RoleRef, roleBinding.Namespace)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -80,3 +80,21 @@ func (s *storage) DeleteRoleBinding(ctx api.Context, name string) error {
|
||||
_, err := s.Delete(ctx, name, nil)
|
||||
return err
|
||||
}
|
||||
|
||||
// AuthorizerAdapter adapts the registry to the authorizer interface
|
||||
type AuthorizerAdapter struct {
|
||||
Registry Registry
|
||||
}
|
||||
|
||||
func (a AuthorizerAdapter) ListRoleBindings(namespace string) ([]*rbac.RoleBinding, error) {
|
||||
list, err := a.Registry.ListRoleBindings(api.WithNamespace(api.NewContext(), namespace), &api.ListOptions{})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
ret := []*rbac.RoleBinding{}
|
||||
for i := range list.Items {
|
||||
ret = append(ret, &list.Items[i])
|
||||
}
|
||||
return ret, nil
|
||||
}
|
||||
|
@ -59,10 +59,10 @@ func New(roleRegistry role.Registry, roleBindingRegistry rolebinding.Registry, c
|
||||
authorizer := &RBACAuthorizer{
|
||||
superUser: superUser,
|
||||
authorizationRuleResolver: validation.NewDefaultRuleResolver(
|
||||
roleRegistry,
|
||||
roleBindingRegistry,
|
||||
clusterRoleRegistry,
|
||||
clusterRoleBindingRegistry,
|
||||
role.AuthorizerAdapter{Registry: roleRegistry},
|
||||
rolebinding.AuthorizerAdapter{Registry: roleBindingRegistry},
|
||||
clusterrole.AuthorizerAdapter{Registry: clusterRoleRegistry},
|
||||
clusterrolebinding.AuthorizerAdapter{Registry: clusterRoleBindingRegistry},
|
||||
),
|
||||
}
|
||||
return authorizer
|
||||
|
@ -37,12 +37,12 @@ func newRule(verbs, apiGroups, resources, nonResourceURLs string) rbac.PolicyRul
|
||||
}
|
||||
}
|
||||
|
||||
func newRole(name, namespace string, rules ...rbac.PolicyRule) rbac.Role {
|
||||
return rbac.Role{ObjectMeta: api.ObjectMeta{Namespace: namespace, Name: name}, Rules: rules}
|
||||
func newRole(name, namespace string, rules ...rbac.PolicyRule) *rbac.Role {
|
||||
return &rbac.Role{ObjectMeta: api.ObjectMeta{Namespace: namespace, Name: name}, Rules: rules}
|
||||
}
|
||||
|
||||
func newClusterRole(name string, rules ...rbac.PolicyRule) rbac.ClusterRole {
|
||||
return rbac.ClusterRole{ObjectMeta: api.ObjectMeta{Name: name}, Rules: rules}
|
||||
func newClusterRole(name string, rules ...rbac.PolicyRule) *rbac.ClusterRole {
|
||||
return &rbac.ClusterRole{ObjectMeta: api.ObjectMeta{Name: name}, Rules: rules}
|
||||
}
|
||||
|
||||
const (
|
||||
@ -50,8 +50,8 @@ const (
|
||||
bindToClusterRole uint16 = 0x1
|
||||
)
|
||||
|
||||
func newClusterRoleBinding(roleName string, subjects ...string) rbac.ClusterRoleBinding {
|
||||
r := rbac.ClusterRoleBinding{
|
||||
func newClusterRoleBinding(roleName string, subjects ...string) *rbac.ClusterRoleBinding {
|
||||
r := &rbac.ClusterRoleBinding{
|
||||
ObjectMeta: api.ObjectMeta{},
|
||||
RoleRef: rbac.RoleRef{
|
||||
APIGroup: rbac.GroupName,
|
||||
@ -68,8 +68,8 @@ func newClusterRoleBinding(roleName string, subjects ...string) rbac.ClusterRole
|
||||
return r
|
||||
}
|
||||
|
||||
func newRoleBinding(namespace, roleName string, bindType uint16, subjects ...string) rbac.RoleBinding {
|
||||
r := rbac.RoleBinding{ObjectMeta: api.ObjectMeta{Namespace: namespace}}
|
||||
func newRoleBinding(namespace, roleName string, bindType uint16, subjects ...string) *rbac.RoleBinding {
|
||||
r := &rbac.RoleBinding{ObjectMeta: api.ObjectMeta{Namespace: namespace}}
|
||||
|
||||
switch bindType {
|
||||
case bindToRole:
|
||||
@ -117,10 +117,10 @@ func (d *defaultAttributes) GetPath() string { return "" }
|
||||
|
||||
func TestAuthorizer(t *testing.T) {
|
||||
tests := []struct {
|
||||
roles []rbac.Role
|
||||
roleBindings []rbac.RoleBinding
|
||||
clusterRoles []rbac.ClusterRole
|
||||
clusterRoleBindings []rbac.ClusterRoleBinding
|
||||
roles []*rbac.Role
|
||||
roleBindings []*rbac.RoleBinding
|
||||
clusterRoles []*rbac.ClusterRole
|
||||
clusterRoleBindings []*rbac.ClusterRoleBinding
|
||||
|
||||
superUser string
|
||||
|
||||
@ -128,10 +128,10 @@ func TestAuthorizer(t *testing.T) {
|
||||
shouldFail []authorizer.Attributes
|
||||
}{
|
||||
{
|
||||
clusterRoles: []rbac.ClusterRole{
|
||||
clusterRoles: []*rbac.ClusterRole{
|
||||
newClusterRole("admin", newRule("*", "*", "*", "*")),
|
||||
},
|
||||
roleBindings: []rbac.RoleBinding{
|
||||
roleBindings: []*rbac.RoleBinding{
|
||||
newRoleBinding("ns1", "admin", bindToClusterRole, "User:admin", "Group:admins"),
|
||||
},
|
||||
shouldPass: []authorizer.Attributes{
|
||||
@ -150,12 +150,12 @@ func TestAuthorizer(t *testing.T) {
|
||||
},
|
||||
{
|
||||
// Non-resource-url tests
|
||||
clusterRoles: []rbac.ClusterRole{
|
||||
clusterRoles: []*rbac.ClusterRole{
|
||||
newClusterRole("non-resource-url-getter", newRule("get", "", "", "/apis")),
|
||||
newClusterRole("non-resource-url", newRule("*", "", "", "/apis")),
|
||||
newClusterRole("non-resource-url-prefix", newRule("get", "", "", "/apis/*")),
|
||||
},
|
||||
clusterRoleBindings: []rbac.ClusterRoleBinding{
|
||||
clusterRoleBindings: []*rbac.ClusterRoleBinding{
|
||||
newClusterRoleBinding("non-resource-url-getter", "User:foo", "Group:bar"),
|
||||
newClusterRoleBinding("non-resource-url", "User:admin", "Group:admin"),
|
||||
newClusterRoleBinding("non-resource-url-prefix", "User:prefixed", "Group:prefixed"),
|
||||
@ -191,10 +191,10 @@ func TestAuthorizer(t *testing.T) {
|
||||
},
|
||||
{
|
||||
// test subresource resolution
|
||||
clusterRoles: []rbac.ClusterRole{
|
||||
clusterRoles: []*rbac.ClusterRole{
|
||||
newClusterRole("admin", newRule("*", "*", "pods", "*")),
|
||||
},
|
||||
roleBindings: []rbac.RoleBinding{
|
||||
roleBindings: []*rbac.RoleBinding{
|
||||
newRoleBinding("ns1", "admin", bindToClusterRole, "User:admin", "Group:admins"),
|
||||
},
|
||||
shouldPass: []authorizer.Attributes{
|
||||
@ -206,10 +206,10 @@ func TestAuthorizer(t *testing.T) {
|
||||
},
|
||||
{
|
||||
// test subresource resolution
|
||||
clusterRoles: []rbac.ClusterRole{
|
||||
clusterRoles: []*rbac.ClusterRole{
|
||||
newClusterRole("admin", newRule("*", "*", "pods/status", "*")),
|
||||
},
|
||||
roleBindings: []rbac.RoleBinding{
|
||||
roleBindings: []*rbac.RoleBinding{
|
||||
newRoleBinding("ns1", "admin", bindToClusterRole, "User:admin", "Group:admins"),
|
||||
},
|
||||
shouldPass: []authorizer.Attributes{
|
||||
|
@ -91,10 +91,10 @@ func newRBACAuthorizer(t *testing.T, superUser string, config *master.Config) au
|
||||
return generic.RESTOptions{StorageConfig: storageConfig, Decorator: generic.UndecoratedStorage, ResourcePrefix: resource}
|
||||
}
|
||||
|
||||
roleRegistry := role.NewRegistry(roleetcd.NewREST(newRESTOptions("roles")))
|
||||
roleBindingRegistry := rolebinding.NewRegistry(rolebindingetcd.NewREST(newRESTOptions("rolebindings")))
|
||||
clusterRoleRegistry := clusterrole.NewRegistry(clusterroleetcd.NewREST(newRESTOptions("clusterroles")))
|
||||
clusterRoleBindingRegistry := clusterrolebinding.NewRegistry(clusterrolebindingetcd.NewREST(newRESTOptions("clusterrolebindings")))
|
||||
roleRegistry := role.AuthorizerAdapter{Registry: role.NewRegistry(roleetcd.NewREST(newRESTOptions("roles")))}
|
||||
roleBindingRegistry := rolebinding.AuthorizerAdapter{Registry: rolebinding.NewRegistry(rolebindingetcd.NewREST(newRESTOptions("rolebindings")))}
|
||||
clusterRoleRegistry := clusterrole.AuthorizerAdapter{Registry: clusterrole.NewRegistry(clusterroleetcd.NewREST(newRESTOptions("clusterroles")))}
|
||||
clusterRoleBindingRegistry := clusterrolebinding.AuthorizerAdapter{Registry: clusterrolebinding.NewRegistry(clusterrolebindingetcd.NewREST(newRESTOptions("clusterrolebindings")))}
|
||||
return rbac.New(roleRegistry, roleBindingRegistry, clusterRoleRegistry, clusterRoleBindingRegistry, superUser)
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user