kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

wire in ctx to rbac plugins 

Kubernetes-commit: 4e4eb8c5c95652b4cbe672a02e4077a93d0bfe2d
This commit is contained in:
Mangirdas Judeikis 2024-09-13 12:03:47 +03:00 committed by Kubernetes Publisher
parent 87a949c64a
commit 07be2984cd
5 changed files with 10 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/authorization/authorizer/interfaces.go
View File

@ -92,7 +92,7 @@ func (f AuthorizerFunc) Authorize(ctx context.Context, a Attributes) (Decision,
// RuleResolver provides a mechanism for resolving the list of rules that apply to a given user within a namespace. // RuleResolver provides a mechanism for resolving the list of rules that apply to a given user within a namespace.
type RuleResolver interface { type RuleResolver interface {
// RulesFor get the list of cluster wide rules, the list of rules in the specific namespace, incomplete status and errors. // RulesFor get the list of cluster wide rules, the list of rules in the specific namespace, incomplete status and errors.
RulesFor(user user.Info, namespace string) ([]ResourceRuleInfo, []NonResourceRuleInfo, bool, error) RulesFor(ctx context.Context, user user.Info, namespace string) ([]ResourceRuleInfo, []NonResourceRuleInfo, bool, error)
} }
// RequestAttributesGetter provides a function that extracts Attributes from an http.Request // RequestAttributesGetter provides a function that extracts Attributes from an http.Request

4
pkg/authorization/authorizerfactory/builtin.go
View File

@ -33,7 +33,7 @@ func (alwaysAllowAuthorizer) Authorize(ctx context.Context, a authorizer.Attribu
return authorizer.DecisionAllow, "", nil return authorizer.DecisionAllow, "", nil
} }
func (alwaysAllowAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) { func (alwaysAllowAuthorizer) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
return []authorizer.ResourceRuleInfo{ return []authorizer.ResourceRuleInfo{
&authorizer.DefaultResourceRuleInfo{ &authorizer.DefaultResourceRuleInfo{
Verbs: []string{"*"}, Verbs: []string{"*"},
@ -61,7 +61,7 @@ func (alwaysDenyAuthorizer) Authorize(ctx context.Context, a authorizer.Attribut
return authorizer.DecisionNoOpinion, "Everything is forbidden.", nil return authorizer.DecisionNoOpinion, "Everything is forbidden.", nil
} }
func (alwaysDenyAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) { func (alwaysDenyAuthorizer) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
return []authorizer.ResourceRuleInfo{}, []authorizer.NonResourceRuleInfo{}, false, nil return []authorizer.ResourceRuleInfo{}, []authorizer.NonResourceRuleInfo{}, false, nil
} }

4
pkg/authorization/union/union.go
View File

@ -77,7 +77,7 @@ func NewRuleResolvers(authorizationHandlers ...authorizer.RuleResolver) authoriz
} }
// RulesFor against a chain of authorizer.RuleResolver objects and returns nil if successful and returns error if unsuccessful // RulesFor against a chain of authorizer.RuleResolver objects and returns nil if successful and returns error if unsuccessful
func (authzHandler unionAuthzRulesHandler) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) { func (authzHandler unionAuthzRulesHandler) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
var ( var (
errList []error errList []error
resourceRulesList []authorizer.ResourceRuleInfo resourceRulesList []authorizer.ResourceRuleInfo
@ -86,7 +86,7 @@ func (authzHandler unionAuthzRulesHandler) RulesFor(user user.Info, namespace st
incompleteStatus := false incompleteStatus := false
for _, currAuthzHandler := range authzHandler { for _, currAuthzHandler := range authzHandler {
resourceRules, nonResourceRules, incomplete, err := currAuthzHandler.RulesFor(user, namespace) resourceRules, nonResourceRules, incomplete, err := currAuthzHandler.RulesFor(ctx, user, namespace)
if incomplete { if incomplete {
incompleteStatus = true incompleteStatus = true

7
pkg/authorization/union/union_test.go
View File

@ -25,6 +25,7 @@ import (
"k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer" "k8s.io/apiserver/pkg/authorization/authorizer"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
) )
type mockAuthzHandler struct { type mockAuthzHandler struct {
@ -86,7 +87,7 @@ type mockAuthzRuleHandler struct {
err error err error
} }
func (mock *mockAuthzRuleHandler) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) { func (mock *mockAuthzRuleHandler) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
if mock.err != nil { if mock.err != nil {
return []authorizer.ResourceRuleInfo{}, []authorizer.NonResourceRuleInfo{}, false, mock.err return []authorizer.ResourceRuleInfo{}, []authorizer.NonResourceRuleInfo{}, false, mock.err
} }
@ -150,7 +151,7 @@ func TestAuthorizationResourceRules(t *testing.T) {
authzRulesHandler := NewRuleResolvers(handler1, handler2) authzRulesHandler := NewRuleResolvers(handler1, handler2)
rules, _, _, _ := authzRulesHandler.RulesFor(nil, "") rules, _, _, _ := authzRulesHandler.RulesFor(genericapirequest.NewContext(), nil, "")
actual := getResourceRules(rules) actual := getResourceRules(rules)
if !reflect.DeepEqual(expected, actual) { if !reflect.DeepEqual(expected, actual) {
t.Errorf("Expected: \n%#v\n but actual: \n%#v\n", expected, actual) t.Errorf("Expected: \n%#v\n but actual: \n%#v\n", expected, actual)
@ -189,7 +190,7 @@ func TestAuthorizationNonResourceRules(t *testing.T) {
authzRulesHandler := NewRuleResolvers(handler1, handler2) authzRulesHandler := NewRuleResolvers(handler1, handler2)
_, rules, _, _ := authzRulesHandler.RulesFor(nil, "") _, rules, _, _ := authzRulesHandler.RulesFor(genericapirequest.NewContext(), nil, "")
actual := getNonResourceRules(rules) actual := getNonResourceRules(rules)
if !reflect.DeepEqual(expected, actual) { if !reflect.DeepEqual(expected, actual) {
t.Errorf("Expected: \n%#v\n but actual: \n%#v\n", expected, actual) t.Errorf("Expected: \n%#v\n but actual: \n%#v\n", expected, actual)

2
plugin/pkg/authorizer/webhook/webhook.go
View File

@ -402,7 +402,7 @@ func labelSelectorToAuthorizationAPI(attr authorizer.Attributes) ([]metav1.Label
} }
// TODO: need to finish the method to get the rules when using webhook mode // TODO: need to finish the method to get the rules when using webhook mode
func (w *WebhookAuthorizer) RulesFor(user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) { func (w *WebhookAuthorizer) RulesFor(ctx context.Context, user user.Info, namespace string) ([]authorizer.ResourceRuleInfo, []authorizer.NonResourceRuleInfo, bool, error) {
var ( var (
resourceRules []authorizer.ResourceRuleInfo resourceRules []authorizer.ResourceRuleInfo
nonResourceRules []authorizer.NonResourceRuleInfo nonResourceRules []authorizer.NonResourceRuleInfo