diff --git a/app/scripts/filters/resources.js b/app/scripts/filters/resources.js
index 19bfe7b75f..983c4ef3eb 100644
--- a/app/scripts/filters/resources.js
+++ b/app/scripts/filters/resources.js
@@ -37,7 +37,8 @@ angular.module('openshiftConsole')
 "jenkinsLogURL": ["openshift.io/jenkins-log-url"],
 "jenkinsStatus": ["openshift.io/jenkins-status-json"],
 "idledAt": ["idling.alpha.openshift.io/idled-at"],
- "idledPreviousScale": ["idling.alpha.openshift.io/previous-scale"]
+ "idledPreviousScale": ["idling.alpha.openshift.io/previous-scale"],
+ "systemOnly": ["authorization.openshift.io/system-only"]
 };
 return function(annotationKey) {
 return annotationMap[annotationKey] || null;
diff --git a/app/scripts/services/membership/membership.js b/app/scripts/services/membership/membership.js
index fbbd56bea3..dcab621676 100644
--- a/app/scripts/services/membership/membership.js
+++ b/app/scripts/services/membership/membership.js
@@ -114,18 +114,10 @@ angular
 return _.sortBy(roles, 'metadata.name');
 };
- // TODO: follow-on PR, there will be an annotation for this
 var filterRoles = function(roles) {
 return _.filter(roles, function(item) {
- // image-puller & image-pusher ok, other system: prob no
- return (_.isEqual(item.metadata.name, 'system:image-puller') ||
- _.isEqual(item.metadata.name, 'system:image-pusher') ||
- _.isEqual(item.metadata.name, 'system:image-builder') ||
- _.isEqual(item.metadata.name, 'system:deployer') ) ||
- ! _.startsWith(item.metadata.name, 'cluster-') &&
- ! _.startsWith(item.metadata.name, 'system:') &&
- ! _.startsWith(item.metadata.name, 'registry-') &&
- ! _.startsWith(item.metadata.name, 'self-');
+ // system-only must be explicitly 'true' to hide the annotation
+ return annotation(item, 'systemOnly') !== 'true';
 });
 };
diff --git a/dist/scripts/scripts.js b/dist/scripts/scripts.js
index 6cbb65fc84..1b672715d1 100644
--- a/dist/scripts/scripts.js
+++ b/dist/scripts/scripts.js
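Review bot: `filterRoles` in membership.js now fails open: a role is hidden only when `authorization.openshift.io/system-only` is exactly `'true'`, so every role without the annotation is listed, including the `cluster-`, `system:`, `registry-` and `self-` names that the removed prefix checks kept out of the list. Whether every API server this console can talk to sets the annotation is not visible here; if one does not, those roles become selectable again, so consider keeping the prefix test as a fallback for un-annotated roles. The new comment is also inaccurate, since the role is hidden, not the annotation, and it should say this is presentation only: `// UI-only filter, not an access check: hide a role when its system-only annotation is exactly 'true'`. The spec change in membershipSpec.js drops the un-annotated `system:`/`cluster-` fixtures, so this behaviour change is no longer pinned by a test. The service body starts and ends outside the hunk.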
@@ -2777,17 +2777,17 @@ b[a.tag] = b[a.tag] || {}, b[a.tag].name = a.tag, b[a.tag].status = angular.copy } }; }), angular.module("openshiftConsole").factory("MembershipService", [ "$filter", function(a) { -var b = (a("annotation"), function(a, b) { +var b = a("annotation"), c = function(a, b) { return 1 === _.filter(b, function(b) { return _.some(b.subjects, { name:a }); }).length; -}), c = function() { +}, d = function() { return _.reduce(_.slice(arguments), function(a, b, c) { return b ? _.isEqual(c, 0) ? b :a + "-" + b :a; }, ""); -}, d = function() { +}, e = function() { return { User:{ kind:"User", 
@@ -2826,39 +2826,39 @@ name:"SystemGroup", subjects:{} } }; -}, e = function(a, b) { -var e = _.reduce(a, function(a, d) { -var e = c(d.roleRef.namespace ? "Role" :"ClusterRole", d.roleRef.name); -return _.each(d.subjects, function(d) { -var f = c(d.namespace, d.name); -a[d.kind].subjects[f] || (a[d.kind].subjects[f] = { -name:d.name, -namespace:d.namespace, +}, f = function(a, b) { +var c = _.reduce(a, function(a, c) { +var e = d(c.roleRef.namespace ? "Role" :"ClusterRole", c.roleRef.name); +return _.each(c.subjects, function(c) { +var f = d(c.namespace, c.name); +a[c.kind].subjects[f] || (a[c.kind].subjects[f] = { +name:c.name, +namespace:c.namespace, roles:{} -}), _.includes(a[d.kind].subjects[f].roles, e) || (a[d.kind].subjects[f].roles[e] = b[e]); +}), _.includes(a[c.kind].subjects[f].roles, e) || (a[c.kind].subjects[f].roles[e] = b[e]); }), a; -}, d()); -return _.sortBy(e, "sortOrder"); -}, f = function(a) { -return _.sortBy(a, "metadata.name"); +}, e()); +return _.sortBy(c, "sortOrder"); }, g = function(a) { +return _.sortBy(a, "metadata.name"); +}, h = function(a) { return _.filter(a, function(a) { -return _.isEqual(a.metadata.name, "system:image-puller") || _.isEqual(a.metadata.name, "system:image-pusher") || _.isEqual(a.metadata.name, "system:image-builder") || _.isEqual(a.metadata.name, "system:deployer") || !_.startsWith(a.metadata.name, "cluster-") && !_.startsWith(a.metadata.name, "system:") && !_.startsWith(a.metadata.name, "registry-") && !_.startsWith(a.metadata.name, "self-"); +return "true" !== b(a, "systemOnly"); }); -}, h = function(a) { +}, i = function(a) { return _.reduce(a, function(a, b) { -return a[c(b.kind, b.metadata.name)] = b, a; +return a[d(b.kind, b.metadata.name)] = b, a; }, {}); -}, i = function(a, b) { -return _.merge(h(a), h(b)); +}, j = function(a, b) { +return _.merge(i(a), i(b)); }; return { -sortRoles:f, -filterRoles:g, -mapRolesForUI:i, -isLastRole:b, -getSubjectKinds:d, -mapRolebindingsForUI:e +sortRoles:g, 
+filterRoles:h, +mapRolesForUI:j, +isLastRole:c, +getSubjectKinds:e, +mapRolebindingsForUI:f }; } ]), angular.module("openshiftConsole").factory("RolesService", [ "$q", "DataService", function(a, b) { var c = function(c) { @@ -13639,7 +13639,8 @@ jenkinsBuildURL:[ "openshift.io/jenkins-build-uri" ], jenkinsLogURL:[ "openshift.io/jenkins-log-url" ], jenkinsStatus:[ "openshift.io/jenkins-status-json" ], idledAt:[ "idling.alpha.openshift.io/idled-at" ], -idledPreviousScale:[ "idling.alpha.openshift.io/previous-scale" ] +idledPreviousScale:[ "idling.alpha.openshift.io/previous-scale" ], +systemOnly:[ "authorization.openshift.io/system-only" ] }; return function(b) { return a[b] || null; diff --git a/test/spec/services/membership/membershipSpec.js b/test/spec/services/membership/membershipSpec.js index 03b65b7f77..60263fe4e2 100644 --- a/test/spec/services/membership/membershipSpec.js +++ b/test/spec/services/membership/membershipSpec.js 
@@ -86,28 +86,26 @@ describe('MembershipService', function() {
 describe('#filterRoles', function() {
 it('should filter out system-only roles', function() {
 var fakeList = [
- // specific roles filter will explicitly pass
- {metadata: {name: 'system:image-puller'}},
- {metadata: {name: 'system:image-pusher'}},
- {metadata: {name: 'system:image-builder'}},
- {metadata: {name: 'system:deployer'}},
- // roles the filter will explicitly reject
- {metadata: {name: 'cluster-magical-scary-role'}},
- {metadata: {name: 'system:special-scary-role'}},
- {metadata: {name: 'registry-ninja'}},
- {metadata: {name: 'self-destruction'}},
- // ignored
- {metadata: {name: 'admin'}},
- {metadata: {name: 'edit'}}
+ // the string 'true' is the only acceptable value for 'authorization.openshift.io/system-only'
+ {metadata: {name: 'system-only-role', annotations: {'authorization.openshift.io/system-only': 'true'}}},
+ // the rest of these will not be filtered
+ {metadata: {name: 'system-only-role2', annotations: {'authorization.openshift.io/system-only': 'false'}}},
+ {metadata: {name: 'system-only-role3', annotations: {'authorization.openshift.io/system-only': 'show'}}},
+ {metadata: {name: 'system-only-role4', annotations: {'authorization.openshift.io/system-only': ''}}},
+ {metadata: {name: 'system-only-role5', annotations: {'authorization.openshift.io/system-only': undefined}}},
+ {metadata: {name: 'system-only-role6', annotations: {'authorization.openshift.io/system-only': null}}},
+ {metadata : {name : 'not-system-only'}},
+ {metadata : {name : 'the-other-not-system-only' }}
 ];
 expect(MembershipService.filterRoles(fakeList)).toEqual([
- {metadata : {name : 'system:image-puller'}},
- {metadata : {name : 'system:image-pusher' }},
- {metadata : {name : 'system:image-builder'}},
- {metadata : {name : 'system:deployer'}},
- {metadata : {name : 'admin'}},
- {metadata : {name : 'edit'}}
+ {metadata: {name: 'system-only-role2', annotations: {'authorization.openshift.io/system-only': 'false'}}},
+ {metadata: {name: 'system-only-role3', annotations: {'authorization.openshift.io/system-only': 'show'}}},
+ {metadata: {name: 'system-only-role4', annotations: {'authorization.openshift.io/system-only': ''}}},
+ {metadata: {name: 'system-only-role5', annotations: {'authorization.openshift.io/system-only': undefined}}},
+ {metadata: {name: 'system-only-role6', annotations: {'authorization.openshift.io/system-only': null}}},
+ {metadata : {name : 'not-system-only'}},
+ {metadata : {name : 'the-other-not-system-only' }}
 ]);
 });
 });
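Review bot: The fixtures pin `'false'`, `'show'`, the empty string, `undefined` and `null`, but nothing pins letter case or type: a value of `'True'` or a boolean `true` is also kept by the strict `!== 'true'` comparison. If that is intended, add a fixture such as `{metadata: {name: 'system-only-role7', annotations: {'authorization.openshift.io/system-only': 'True'}}}` to both lists so a later switch to a looser comparison is caught. The outer `describe` block starts outside the hunk.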