Add impersonation support

2025-09-15 22:39:56 +00:00 · 2020-02-03 14:28:25 -07:00
parent a32064f238
commit c7ac7f35af
9 changed files with 139 additions and 46 deletions
--- a/pkg/client/factory.go
+++ b/pkg/client/factory.go
@@ -1,39 +1,43 @@
 package client

 import (
+	"fmt"
 	"time"

 	"github.com/rancher/steve/pkg/attributes"
 	"github.com/rancher/steve/pkg/schemaserver/types"
+	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/rest"
 )

 type Factory struct {
-	client      dynamic.Interface
-	watchClient dynamic.Interface
-	Config      *rest.Config
+	impersonate    bool
+	clientCfg      *rest.Config
+	watchClientCfg *rest.Config
+	client         dynamic.Interface
+	Config         *rest.Config
 }

-func NewFactory(cfg *rest.Config) (*Factory, error) {
-	newCfg := rest.CopyConfig(cfg)
-	newCfg.QPS = 10000
-	newCfg.Burst = 100
-	c, err := dynamic.NewForConfig(newCfg)
+func NewFactory(cfg *rest.Config, impersonate bool) (*Factory, error) {
+	clientCfg := rest.CopyConfig(cfg)
+	clientCfg.QPS = 10000
+	clientCfg.Burst = 100
+
+	watchClientCfg := rest.CopyConfig(cfg)
+	watchClientCfg.Timeout = 30 * time.Minute
+
+	dc, err := dynamic.NewForConfig(watchClientCfg)
 	if err != nil {
 		return nil, err
 	}

-	newCfg = rest.CopyConfig(cfg)
-	newCfg.Timeout = 30 * time.Minute
-	wc, err := dynamic.NewForConfig(newCfg)
-	if err != nil {
-		return nil, err
-	}
 	return &Factory{
-		client:      c,
-		watchClient: wc,
-		Config:      newCfg,
+		client:         dc,
+		impersonate:    impersonate,
+		clientCfg:      clientCfg,
+		watchClientCfg: watchClientCfg,
+		Config:         watchClientCfg,
 	}, nil
 }

@@ -42,11 +46,30 @@ func (p *Factory) DynamicClient() dynamic.Interface {
 }

 func (p *Factory) Client(ctx *types.APIRequest, s *types.APISchema, namespace string) (dynamic.ResourceInterface, error) {
-	gvr := attributes.GVR(s)
-	return p.client.Resource(gvr).Namespace(namespace), nil
+	return p.newClient(ctx, p.clientCfg, s, namespace)
 }

 func (p *Factory) ClientForWatch(ctx *types.APIRequest, s *types.APISchema, namespace string) (dynamic.ResourceInterface, error) {
-	gvr := attributes.GVR(s)
-	return p.watchClient.Resource(gvr).Namespace(namespace), nil
+	return p.newClient(ctx, p.watchClientCfg, s, namespace)
+}
+
+func (p *Factory) newClient(ctx *types.APIRequest, cfg *rest.Config, s *types.APISchema, namespace string) (dynamic.ResourceInterface, error) {
+	if p.impersonate {
+		user, ok := request.UserFrom(ctx.Context())
+		if !ok {
+			return nil, fmt.Errorf("user not found for impersonation")
+		}
+		cfg = rest.CopyConfig(cfg)
+		cfg.Impersonate.UserName = user.GetName()
+		cfg.Impersonate.Groups = user.GetGroups()
+		cfg.Impersonate.Extra = user.GetExtra()
+	}
+
+	client, err := dynamic.NewForConfig(cfg)
+	if err != nil {
+		return nil, err
+	}
+
+	gvr := attributes.GVR(s)
+	return client.Resource(gvr).Namespace(namespace), nil
 }