add namespace/CreatePermission RPC

infinimesh · Apr 7, 2019 · 04cbb23 · 04cbb23
1 parent 5009440
commit 04cbb23
Show file tree

Hide file tree

Showing 5 changed files with 413 additions and 77 deletions.
diff --git a/cmd/apiserver/namespace.go b/cmd/apiserver/namespace.go
@@ -6,6 +6,7 @@ import (
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 
+	"github.com/infinimesh/infinimesh/pkg/apiserver/apipb"
 	"github.com/infinimesh/infinimesh/pkg/node/nodepb"
 )
 
@@ -88,3 +89,33 @@ func (n *namespaceAPI) GetNamespace(ctx context.Context, request *nodepb.GetName
 	}
 	return nil, status.Error(codes.PermissionDenied, "Account is not allowed to access this resource")
 }
+
+func (n *namespaceAPI) CreatePermission(ctx context.Context, request *apipb.CreateNamespacePermissionRequest) (response *apipb.CreateNamespacePermissionResponse, err error) {
+	account, ok := ctx.Value("account_id").(string)
+	if !ok {
+		return nil, status.Error(codes.Unauthenticated, "Unauthenticated")
+	}
+
+	resp, err := n.accountClient.IsAuthorizedNamespace(ctx, &nodepb.IsAuthorizedNamespaceRequest{
+		Account:   account,
+		Namespace: request.Namespace,
+		Action:    nodepb.Action_WRITE,
+	})
+	if err != nil {
+		return nil, status.Error(codes.Internal, err.Error())
+	}
+
+	if resp.GetDecision().GetValue() {
+		_, err := n.accountClient.AuthorizeNamespace(ctx, &nodepb.AuthorizeNamespaceRequest{
+			Account:   request.AccountId,
+			Namespace: request.Namespace,
+			Action:    request.Permission.Action,
+		})
+		if err != nil {
+			return &apipb.CreateNamespacePermissionResponse{}, status.Error(codes.Internal, "Failed to authorize for namespace")
+		}
+		return &apipb.CreateNamespacePermissionResponse{}, nil
+	}
+
+	return nil, status.Error(codes.PermissionDenied, "Account is not allowed to access this resource")
+}
diff --git a/docs/swagger-ui/openapi.yaml b/docs/swagger-ui/openapi.yaml
@@ -1,5 +1,13 @@
 components:
   schemas:
+    apiCreateNamespacePermissionResponse:
+      type: object
+    apiPermission:
+      description: 'Permission.Action may either be NONE, READ or WRITE.'
+      properties:
+        action:
+          $ref: '#/components/schemas/nodeAction'
+      type: object
     apiTokenRequest:
       properties:
         password:
@@ -101,6 +109,13 @@ components:
         uid:
           type: string
       type: object
+    nodeAction:
+      default: NONE
+      enum:
+        - NONE
+        - READ
+        - WRITE
+      type: string
     nodeCreateNamespaceRequest:
       properties:
         name:
@@ -1048,6 +1063,35 @@ paths:
           description: A successful response.
       tags:
         - Namespaces
+  '/namespaces/{namespace}/permissions/{account_id}':
+    put:
+      operationId: CreatePermission
+      parameters:
+        - in: path
+          name: namespace
+          required: true
+          schema:
+            type: string
+        - in: path
+          name: account_id
+          required: true
+          schema:
+            type: string
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/apiPermission'
+        required: true
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/apiCreateNamespacePermissionResponse'
+          description: A successful response.
+      tags:
+        - Namespaces
   /objects:
     get:
       operationId: ListObjects