package auth
import (
kauthorizer "k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/kubernetes/plugin/pkg/auth/authorizer/rbac"
authorizationutil "github.com/openshift/origin/pkg/authorization/util"
)
// Review is a list of users and groups that can access a resource
type Review interface {
	// Users returns the user names that can access the resource.
	Users() []string
	// Groups returns the group names that can access the resource.
	Groups() []string
	// EvaluationError returns the error message recorded while the review
	// was computed, or "" when none was recorded. A non-empty value means
	// the user/group lists may be incomplete and should not be treated as
	// authoritative without further checking.
	EvaluationError() string
}
// defaultReview is the Review implementation built by authorizerReviewer.Review.
type defaultReview struct {
	users           []string // user names allowed access
	groups          []string // group names allowed access
	evaluationError string   // message of the error hit during evaluation; "" when none
}
// Users returns the users that can access the resource.
func (r *defaultReview) Users() []string {
	allowed := r.users
	return allowed
}
// Groups returns the groups that can access the resource.
func (r *defaultReview) Groups() []string {
	allowed := r.groups
	return allowed
}
// EvaluationError returns the error message recorded while the review was
// computed; it is "" when no error was recorded.
func (r *defaultReview) EvaluationError() string {
	msg := r.evaluationError
	return msg
}
// Reviewer performs access reviews for a project by name
type Reviewer interface {
	// Review returns the users and groups that can access the project
	// called name. Implementations may report evaluation problems through
	// Review.EvaluationError rather than the returned error.
	Review(name string) (Review, error)
}
// authorizerReviewer implements Reviewer on top of an rbac.SubjectLocator.
type authorizerReviewer struct {
	policyChecker rbac.SubjectLocator // resolves which subjects are allowed a given action
}
// NewAuthorizerReviewer returns a Reviewer that answers reviews by asking
// policyChecker which subjects are allowed to get a namespace.
func NewAuthorizerReviewer(policyChecker rbac.SubjectLocator) Reviewer {
	reviewer := authorizerReviewer{policyChecker: policyChecker}
	return &reviewer
}
// Review computes which users and groups are allowed to "get" the namespace
// called namespaceName and returns them as a Review.
//
// The returned error is always nil: when the subject locator reports an
// error, its message is stored in the Review's EvaluationError() instead,
// and whatever subject set the locator returned (possibly partial or empty)
// is still converted and exposed. Callers that must not act on a partial
// result should check EvaluationError() before trusting Users()/Groups().
func (r *authorizerReviewer) Review(namespaceName string) (Review, error) {
	attrs := kauthorizer.AttributesRecord{
		Verb:            "get",
		Resource:        "namespaces",
		Namespace:       namespaceName,
		Name:            namespaceName,
		ResourceRequest: true,
	}

	subjects, lookupErr := r.policyChecker.AllowedSubjects(attrs)
	users, groups := authorizationutil.RBACSubjectsToUsersAndGroups(subjects, attrs.GetNamespace())

	result := &defaultReview{users: users, groups: groups}
	if lookupErr != nil {
		// Surface the locator error through the Review rather than failing
		// the call; the subjects returned alongside the error are still reported.
		result.evaluationError = lookupErr.Error()
	}
	return result, nil
}