diff --git a/pkg/authorization/authorizer/interfaces.go b/pkg/authorization/authorizer/interfaces.go
index d39deb17e..2f5f65e22 100644
--- a/pkg/authorization/authorizer/interfaces.go
+++ b/pkg/authorization/authorizer/interfaces.go
@@ -92,7 +92,7 @@ func (f AuthorizerFunc) Authorize(ctx context.Context, a Attributes) (Decision,
 // RuleResolver provides a mechanism for resolving the list of rules that apply to a given user within a namespace.
 type RuleResolver interface {
 // RulesFor get the list of cluster wide rules, the list of rules in the specific namespace, incomplete status and errors.
- RulesFor(user user.Info, namespace string) ([]ResourceRuleInfo, []NonResourceRuleInfo, bool, error)
+ RulesFor(ctx context.Context, user user.Info, namespace string) ([]ResourceRuleInfo, []NonResourceRuleInfo, bool, error)
 }
 // RequestAttributesGetter provides a function that extracts Attributes from an http.Request
diff --git a/pkg/authorization/authorizerfactory/builtin.go b/pkg/authorization/authorizerfactory/builtin.go
index 6fe3fa96e..b3b1f09a6 100644
--- a/pkg/authorization/authorizerfactory/builtin.go
+++ b/pkg/authorization/authorizerfactory/builtin.go
@@ -33,7 +33,7 @@ func (alwaysAllowAuthorizer) Authorize(ctx context.Context, a authorizer.Attribu
 return authorizer.DecisionAllow, "", nil
 }
-func (alwaysAllowAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
+func (alwaysAllowAuthorizer) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
 return []authorizer.ResourceRuleInfo{
 &authorizer.DefaultResourceRuleInfo{
 Verbs: []string{"*"},
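Review bot: The doc comment on `RuleResolver.RulesFor` in interfaces.go was not updated for the new `ctx` parameter, so implementers of this exported interface have no stated contract for cancellation or deadlines. I would reword it to `// RulesFor returns the cluster-wide rules and the rules in the given namespace that apply to user, an incomplete flag, and any error. Implementations should return promptly once ctx is done.` Consumers that display these lists would also benefit from one sentence saying the lists are not authoritative when the incomplete flag is set or an error is returned, which is how I read "incomplete status" here.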
@@ -61,7 +61,7 @@ func (alwaysDenyAuthorizer) Authorize(ctx context.Context, a authorizer.Attribut
 return authorizer.DecisionNoOpinion, "Everything is forbidden.", nil
 }
-func (alwaysDenyAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
+func (alwaysDenyAuthorizer) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
 return []authorizer.ResourceRuleInfo{}, []authorizer.NonResourceRuleInfo{}, false, nil
 }
diff --git a/pkg/authorization/union/union.go b/pkg/authorization/union/union.go
index 460d9a4ab..0e5007cfa 100644
--- a/pkg/authorization/union/union.go
+++ b/pkg/authorization/union/union.go
@@ -77,7 +77,7 @@ func NewRuleResolvers(authorizationHandlers ...authorizer.RuleResolver) authoriz
 }
 // RulesFor against a chain of authorizer.RuleResolver objects and returns nil if successful and returns error if unsuccessful
-func (authzHandler unionAuthzRulesHandler) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
+func (authzHandler unionAuthzRulesHandler) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
 var (
 errList []error
 resourceRulesList []authorizer.ResourceRuleInfo
@@ -86,7 +86,7 @@ func (authzHandler unionAuthzRulesHandler) RulesFor(user user.Info, namespace st
 incompleteStatus := false
 for _, currAuthzHandler := range authzHandler {
- resourceRules, nonResourceRules, incomplete, err := currAuthzHandler.RulesFor(user, namespace)
+ resourceRules, nonResourceRules, incomplete, err := currAuthzHandler.RulesFor(ctx, user, namespace)
 if incomplete {
 incompleteStatus = true
diff --git a/pkg/authorization/union/union_test.go b/pkg/authorization/union/union_test.go
index 057c1cefe..c8b467866 100644
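Review bot: In `unionAuthzRulesHandler.RulesFor` (union.go, second hunk) `ctx` is forwarded to each resolver but the loop itself never looks at it, so after a cancellation or deadline every remaining resolver in the chain is still invoked unless each one checks the context on its own. A guard at the top of the loop body would stop early and mark the result as partial: `if err := ctx.Err(); err != nil { errList = append(errList, err); incompleteStatus = true; break }`. The loop body continues outside the hunk, so this assumes `errList` is aggregated into the returned error. The comment above the method ("returns nil if successful and returns error if unsuccessful") does not describe the four return values and could be corrected while the signature is being touched.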
--- a/pkg/authorization/union/union_test.go
+++ b/pkg/authorization/union/union_test.go
@@ -25,6 +25,7 @@ import (
 "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/apiserver/pkg/authorization/authorizer"
+ genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 )
 type mockAuthzHandler struct {
@@ -86,7 +87,7 @@ type mockAuthzRuleHandler struct {
 err error
 }
-func (mock *mockAuthzRuleHandler) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
+func (mock *mockAuthzRuleHandler) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
 if mock.err != nil {
 return []authorizer.ResourceRuleInfo{}, []authorizer.NonResourceRuleInfo{}, false, mock.err
 }
@@ -150,7 +151,7 @@ func TestAuthorizationResourceRules(t *testing.T) {
 authzRulesHandler := NewRuleResolvers(handler1, handler2)
- rules, _, _, _ := authzRulesHandler.RulesFor(nil, "")
+ rules, _, _, _ := authzRulesHandler.RulesFor(genericapirequest.NewContext(), nil, "")
 actual := getResourceRules(rules)
 if !reflect.DeepEqual(expected, actual) {
 t.Errorf("Expected: \n%#v\n but actual: \n%#v\n", expected, actual)
@@ -189,7 +190,7 @@ func TestAuthorizationNonResourceRules(t *testing.T) {
 authzRulesHandler := NewRuleResolvers(handler1, handler2)
- _, rules, _, _ := authzRulesHandler.RulesFor(nil, "")
+ _, rules, _, _ := authzRulesHandler.RulesFor(genericapirequest.NewContext(), nil, "")
 actual := getNonResourceRules(rules)
 if !reflect.DeepEqual(expected, actual) {
 t.Errorf("Expected: \n%#v\n but actual: \n%#v\n", expected, actual)
diff --git a/plugin/pkg/authorizer/webhook/webhook.go b/plugin/pkg/authorizer/webhook/webhook.go
index ebc4949d9..f70cce6e1 100644
--- a/plugin/pkg/authorizer/webhook/webhook.go
+++ b/plugin/pkg/authorizer/webhook/webhook.go
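Review bot: `mockAuthzRuleHandler.RulesFor` ignores its new `ctx` argument, so the updated calls in TestAuthorizationResourceRules and TestAuthorizationNonResourceRules show only that the code compiles, not that the union hands the caller's context to each resolver. Recording the received context in the mock (for example a `gotCtx context.Context` field assigned in RulesFor) and comparing it with the one passed in would pin that behaviour. Separately, `genericapirequest.NewContext()` pulls the endpoints/request package into this test only to obtain a context; `context.Background()` would do and would make the import hunk unnecessary, since `context` presumably is already imported for the mock's signature. Both calls still discard the incomplete flag and the error with `_`, which predates this change.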
@@ -402,7 +402,7 @@ func labelSelectorToAuthorizationAPI(attr authorizer.Attributes) ([]metav1.Label
 }
 // TODO: need to finish the method to get the rules when using webhook mode
-func (w *WebhookAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
+func (w *WebhookAuthorizer) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
 var (
 resourceRules []authorizer.ResourceRuleInfo
 nonResourceRules []authorizer.NonResourceRuleInfo
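Review bot: `WebhookAuthorizer.RulesFor` is exported and now takes a context, but its only comment is still the TODO, which tells a caller neither what is returned nor whether `ctx` is honoured. I would put a doc comment above the TODO, for example `// RulesFor implements authorizer.RuleResolver. Rule listing is not finished for webhook mode, so callers should not rely on the returned lists being complete.` The body continues outside the hunk (only the `var` block is visible), so the wording should be checked against what it actually returns. If `ctx` turns out to be unused there, naming the parameter `_` would make that explicit.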