Merge pull request #100963 from enj/enj/i/authz_func_ctx
authorizer func: pass through context
f1c1379def
@ -58,7 +58,7 @@ func TestEscalation(t *testing.T) {
|
|||||||
|
|
||||||
authzCalled := 0
|
authzCalled := 0
|
||||||
fakeStorage := &fakeStorage{}
|
fakeStorage := &fakeStorage{}
|
||||||
fakeAuthorizer := authorizer.AuthorizerFunc(func(attr authorizer.Attributes) (authorizer.Decision, string, error) {
|
fakeAuthorizer := authorizer.AuthorizerFunc(func(ctx context.Context, attr authorizer.Attributes) (authorizer.Decision, string, error) {
|
||||||
authzCalled++
|
authzCalled++
|
||||||
if attr.GetUser().GetName() == "steve" {
|
if attr.GetUser().GetName() == "steve" {
|
||||||
return authorizer.DecisionAllow, "", nil
|
return authorizer.DecisionAllow, "", nil
|
||||||
|
@ -60,7 +60,7 @@ func TestEscalation(t *testing.T) {
|
|||||||
|
|
||||||
authzCalled := 0
|
authzCalled := 0
|
||||||
fakeStorage := &fakeStorage{}
|
fakeStorage := &fakeStorage{}
|
||||||
fakeAuthorizer := authorizer.AuthorizerFunc(func(attr authorizer.Attributes) (authorizer.Decision, string, error) {
|
fakeAuthorizer := authorizer.AuthorizerFunc(func(ctx context.Context, attr authorizer.Attributes) (authorizer.Decision, string, error) {
|
||||||
authzCalled++
|
authzCalled++
|
||||||
if attr.GetUser().GetName() == "steve" {
|
if attr.GetUser().GetName() == "steve" {
|
||||||
return authorizer.DecisionAllow, "", nil
|
return authorizer.DecisionAllow, "", nil
|
||||||
|
@ -71,10 +71,10 @@ type Authorizer interface {
|
|||||||
Authorize(ctx context.Context, a Attributes) (authorized Decision, reason string, err error)
|
Authorize(ctx context.Context, a Attributes) (authorized Decision, reason string, err error)
|
||||||
}
|
}
|
||||||
|
|
||||||
type AuthorizerFunc func(a Attributes) (Decision, string, error)
|
type AuthorizerFunc func(ctx context.Context, a Attributes) (Decision, string, error)
|
||||||
|
|
||||||
func (f AuthorizerFunc) Authorize(ctx context.Context, a Attributes) (Decision, string, error) {
|
func (f AuthorizerFunc) Authorize(ctx context.Context, a Attributes) (Decision, string, error) {
|
||||||
return f(a)
|
return f(ctx, a)
|
||||||
}
|
}
|
||||||
|
|
||||||
// RuleResolver provides a mechanism for resolving the list of rules that apply to a given user within a namespace.
|
// RuleResolver provides a mechanism for resolving the list of rules that apply to a given user within a namespace.
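Review bot: The exported `AuthorizerFunc` type has no doc comment, and the new signature `func(ctx context.Context, a Attributes)` is the natural place to state what the added parameter means. A line such as `// AuthorizerFunc adapts a plain function to the Authorizer interface; ctx is the context passed to Authorize.` above the type would cover it. Because the adapter now forwards the caller's context in `return f(ctx, a)`, the comment could also say that implementations making downstream calls should pass that ctx on rather than create their own, so cancellation and deadlines (presumably the motivation here) reach the authorization decision. The type change is source-incompatible for any out-of-tree user of `AuthorizerFunc`, which looks intended but is worth calling out in the release notes.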
|
||||||
|
@ -17,6 +17,7 @@ limitations under the License.
|
|||||||
package path
|
package path
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
@ -46,7 +47,7 @@ func NewAuthorizer(alwaysAllowPaths []string) (authorizer.Authorizer, error) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return authorizer.AuthorizerFunc(func(a authorizer.Attributes) (authorizer.Decision, string, error) {
|
return authorizer.AuthorizerFunc(func(ctx context.Context, a authorizer.Attributes) (authorizer.Decision, string, error) {
|
||||||
if a.IsResourceRequest() {
|
if a.IsResourceRequest() {
|
||||||
return authorizer.DecisionNoOpinion, "", nil
|
return authorizer.DecisionNoOpinion, "", nil
|
||||||
}
|
}
|
||||||
|
@ -405,7 +405,7 @@ func startServiceAccountTestServer(t *testing.T) (*clientset.Clientset, restclie
|
|||||||
// 1. The "root" user is allowed to do anything
|
// 1. The "root" user is allowed to do anything
|
||||||
// 2. ServiceAccounts named "ro" are allowed read-only operations in their namespace
|
// 2. ServiceAccounts named "ro" are allowed read-only operations in their namespace
|
||||||
// 3. ServiceAccounts named "rw" are allowed any operation in their namespace
|
// 3. ServiceAccounts named "rw" are allowed any operation in their namespace
|
||||||
authorizer := authorizer.AuthorizerFunc(func(attrs authorizer.Attributes) (authorizer.Decision, string, error) {
|
authorizer := authorizer.AuthorizerFunc(func(ctx context.Context, attrs authorizer.Attributes) (authorizer.Decision, string, error) {
|
||||||
username := ""
|
username := ""
|
||||||
if user := attrs.GetUser(); user != nil {
|
if user := attrs.GetUser(); user != nil {
|
||||||
username = user.GetName()
|
username = user.GetName()
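Review bot: The local variable on the changed line, `authorizer := authorizer.AuthorizerFunc(...)`, shadows the imported `authorizer` package for the rest of startServiceAccountTestServer. It compiles because the right-hand side, including the closure's signature, is resolved before the new name comes into scope, but any later reference to the package in this function would resolve to the variable instead. Renaming the variable, e.g. `authz := authorizer.AuthorizerFunc(func(ctx context.Context, attrs authorizer.Attributes) (authorizer.Decision, string, error) {`, avoids that. The closure body continues outside the hunk, so whether ctx is used there is not visible.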
|
||||||
|