github/steve
1
0
Fork 0
mirror of https://github.com/niusmallnan/steve.git synced 2025-06-27 06:56:55 +00:00
Code Issues Projects Releases Wiki Activity

Implement generic CanDo against k8s roles

Browse Source
This commit is contained in:
Darren Shepherd 2021-05-18 22:34:46 -07:00
parent 43139e348a
commit a1ef4004f8
2 changed files with 33 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
pkg/accesscontrol/access_control.go
View File

@ -4,6 +4,8 @@ import (
"github.com/rancher/apiserver/pkg/server" "github.com/rancher/apiserver/pkg/server"
"github.com/rancher/apiserver/pkg/types" "github.com/rancher/apiserver/pkg/types"
"github.com/rancher/steve/pkg/attributes" "github.com/rancher/steve/pkg/attributes"
"github.com/rancher/wrangler/pkg/kv"
"k8s.io/apimachinery/pkg/runtime/schema"
) )
type AccessControl struct { type AccessControl struct {
@ -14,6 +16,25 @@ func NewAccessControl() *AccessControl {
return &AccessControl{} return &AccessControl{}
} }
func (a *AccessControl) CanDo(apiOp *types.APIRequest, resource, verb, namespace, name string) error {
apiSchema := apiOp.Schemas.LookupSchema(resource)
if apiSchema != nil && attributes.GVK(apiSchema).Kind != "" {
access := GetAccessListMap(apiSchema)
if access[verb].Grants(namespace, name) {
return nil
}
}
group, resource := kv.Split(resource, "/")
accessSet := apiOp.Schemas.Attributes["accessSet"].(*AccessSet)
if accessSet.Grants(verb, schema.GroupResource{
Group: group,
Resource: resource,
}, namespace, name) {
return nil
}
return a.SchemaBasedAccess.CanDo(apiOp, resource, verb, namespace, name)
}
func (a *AccessControl) CanWatch(apiOp *types.APIRequest, schema *types.APISchema) error { func (a *AccessControl) CanWatch(apiOp *types.APIRequest, schema *types.APISchema) error {
if attributes.GVK(schema).Kind != "" { if attributes.GVK(schema).Kind != "" {
access := GetAccessListMap(schema) access := GetAccessListMap(schema)

13
pkg/schema/factory.go
View File

@ -125,9 +125,20 @@ func (c *Collection) schemasForSubject(access *accesscontrol.AccessSet) (*types.
} }
} }
result.Attributes = map[string]interface{}{
"accessSet": access,
}
return result, nil return result, nil
} }
func (c *Collection) defaultStore() types.Store {
templates := c.templates[""]
if len(templates) > 0 {
return templates[0].Store
}
return nil
}
func (c *Collection) applyTemplates(schema *types.APISchema) { func (c *Collection) applyTemplates(schema *types.APISchema) {
c.lock.RLock() c.lock.RLock()
defer c.lock.RUnlock() defer c.lock.RUnlock()
@ -152,7 +163,7 @@ func (c *Collection) applyTemplates(schema *types.APISchema) {
if t.StoreFactory == nil { if t.StoreFactory == nil {
schema.Store = t.Store schema.Store = t.Store
} else { } else {
schema.Store = t.StoreFactory(templates[2].Store) schema.Store = t.StoreFactory(c.defaultStore())
} }
} }
if t.Customize != nil { if t.Customize != nil {