package adapter
import (
kapi "k8s.io/kubernetes/pkg/api"
kauthorizer "k8s.io/kubernetes/pkg/auth/authorizer"
"k8s.io/kubernetes/pkg/auth/user"
oauthorizer "github.com/openshift/origin/pkg/authorization/authorizer"
)
// Compile-time checks that AdapterAttributes implements both the origin and the
// kubernetes authorizer interfaces; a missing method fails the build rather than
// surfacing as a runtime type-assertion failure in OriginAuthorizerAttributes.
var (
	_ oauthorizer.AuthorizationAttributes = AdapterAttributes{}
	_ kauthorizer.Attributes              = AdapterAttributes{}
)
// AdapterAttributes satisfies both origin authorizer.AuthorizationAttributes and k8s authorizer.Attributes interfaces.
// The three unexported fields carry the values the kubernetes interface asks for that origin normally
// reads from the request context; every other method is delegated to the embedded origin attributes.
type AdapterAttributes struct {
	namespace string   // returned by GetNamespace
	userName  string   // returned by GetUserName
	groups    []string // returned by GetGroups; stored as given by the caller, not copied
	oauthorizer.AuthorizationAttributes
}
// OriginAuthorizerAttributes adapts kubernetes authorization attributes to origin authorization attributes.
// It returns a request context carrying the namespace and user info taken from kattrs, together with an
// origin attributes value. When kattrs already implements the origin interface (for example because it was
// built by KubernetesAuthorizerAttributes) it is handed back unchanged so no information is lost. Otherwise
// only the fields the kubernetes interface exposes are populated: APIVersion, ResourceName and
// RequestAttributes remain at their zero values, so an origin rule that depends on them cannot be
// evaluated from kubernetes-only attributes.
func OriginAuthorizerAttributes(kattrs kauthorizer.Attributes) (kapi.Context, oauthorizer.AuthorizationAttributes) {
	// The context is what origin reads namespace and identity from.
	ctx := kapi.WithNamespace(kapi.NewContext(), kattrs.GetNamespace())
	ctx = kapi.WithUser(ctx, &user.DefaultInfo{
		Name:   kattrs.GetUserName(),
		Groups: kattrs.GetGroups(),
	})

	// Prefer the richer origin view when the caller already has one.
	oattrs, alreadyOrigin := kattrs.(oauthorizer.AuthorizationAttributes)
	if alreadyOrigin {
		return ctx, oattrs
	}

	// Fall back to what the kubernetes interface can tell us.
	// TODO: add to kube authorizer attributes
	// APIVersion string
	// ResourceName string
	// RequestAttributes interface{}
	return ctx, &oauthorizer.DefaultAuthorizationAttributes{
		Verb:           kattrs.GetVerb(),
		Resource:       kattrs.GetResource(),
		APIGroup:       kattrs.GetAPIGroup(),
		NonResourceURL: !kattrs.IsResourceRequest(),
		URL:            kattrs.GetPath(),
	}
}
// KubernetesAuthorizerAttributes adapts origin authorization attributes to kubernetes authorization attributes.
// namespace, userName and groups are the values origin would otherwise read from the request context; they
// are stored exactly as given (groups is not copied, so the caller's slice is shared). The result can be
// passed back to OriginAuthorizerAttributes, which recognises the adapter and returns the wrapped origin
// attributes without losing the extra origin-only fields.
func KubernetesAuthorizerAttributes(namespace string, userName string, groups []string, oattrs oauthorizer.AuthorizationAttributes) kauthorizer.Attributes {
	adapter := AdapterAttributes{AuthorizationAttributes: oattrs}
	adapter.namespace = namespace
	adapter.userName = userName
	adapter.groups = groups
	return adapter
}
// GetNamespace satisfies the kubernetes authorizer.Attributes interface.
// It returns the namespace the adapter was constructed with; origin itself
// reads this value from the request context rather than from the attributes.
func (a AdapterAttributes) GetNamespace() (namespace string) {
	return a.namespace
}
// GetUserName satisfies the kubernetes authorizer.Attributes interface.
// It returns the user name the adapter was constructed with; origin itself
// reads this value from the request context rather than from the attributes.
func (a AdapterAttributes) GetUserName() (userName string) {
	return a.userName
}
// GetGroups satisfies the kubernetes authorizer.Attributes interface.
// It returns the groups slice the adapter was constructed with (the same backing
// array, not a copy); origin itself reads this value from the request context.
func (a AdapterAttributes) GetGroups() (groups []string) {
	return a.groups
}
// IsReadOnly satisfies the kubernetes authorizer.Attributes interface.
// It is derived purely from the verb reported by the embedded origin attributes:
// only get, list and watch are treated as read-only; every other verb, including
// an empty one, is reported as a mutating request.
func (a AdapterAttributes) IsReadOnly() bool {
	switch a.AuthorizationAttributes.GetVerb() {
	case "get", "list", "watch":
		return true
	default:
		return false
	}
}
// IsResourceRequest satisfies the kubernetes authorizer.Attributes interface.
// It is the inverse of the embedded origin attributes' IsNonResourceURL, so the
// two interfaces never disagree about whether the request targets a resource.
func (a AdapterAttributes) IsResourceRequest() bool {
	nonResource := a.AuthorizationAttributes.IsNonResourceURL()
	return !nonResource
}
// GetPath satisfies the kubernetes authorizer.Attributes interface.
// It delegates to the embedded origin attributes' GetURL, which is origin's
// name for the same request path.
func (a AdapterAttributes) GetPath() string {
	return a.AuthorizationAttributes.GetURL()
}