Enable protobuf in Origin for server-to-server #9814
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -105,6 +105,8 @@ type RoleBinding struct { | |
RoleRef kapi.ObjectReference | ||
} | ||
|
||
type RolesByName map[string]*Role | ||
|
||
// +genclient=true | ||
|
||
// Policy is a object that holds all the Roles for a particular namespace. There is at most | ||
|
@@ -117,9 +119,11 @@ type Policy struct { | |
LastModified unversioned.Time | ||
|
||
// Roles holds all the Roles held by this Policy, mapped by Role.Name | ||
Roles map[string]*Role | ||
Roles RolesByName | ||
} | ||
|
||
type RoleBindingsByName map[string]*RoleBinding | ||
|
||
// PolicyBinding is a object that holds all the RoleBindings for a particular namespace. There is | ||
// one PolicyBinding document per referenced Policy namespace | ||
type PolicyBinding struct { | ||
|
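Review bot: `RoleBindingsByName` is added here as an exported type with no doc comment, and the `Roles` field moves from `map[string]*Role` to `RolesByName` without the field comment saying why. Add a one-line comment on each named map type stating what it is for, so a later cleanup does not collapse it back to the plain map. Code that inspects these fields by reflected type will also see a different type after this change, which is worth a mention in the PR description.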
@@ -133,7 +137,7 @@ type PolicyBinding struct { | |
// PolicyRef is a reference to the Policy that contains all the Roles that this PolicyBinding's RoleBindings may reference | ||
PolicyRef kapi.ObjectReference | ||
// RoleBindings holds all the RoleBindings held by this PolicyBinding, mapped by RoleBinding.Name | ||
RoleBindings map[string]*RoleBinding | ||
RoleBindings RoleBindingsByName | ||
} | ||
|
||
// SelfSubjectRulesReview is a resource you can create to determine which actions you can perform in a namespace | ||
|
@@ -171,8 +175,10 @@ type ResourceAccessReviewResponse struct { | |
// Namespace is the namespace used for the access review | ||
Namespace string | ||
// Users is the list of users who can perform the action | ||
// +genconversion=false | ||
Users sets.String | ||
// Groups is the list of groups who can perform the action | ||
// +genconversion=false | ||
Groups sets.String | ||
|
||
// EvaluationError is an indication that some error occurred during resolution, but partial results can still be returned. | ||
|
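Review bot: The `+genconversion=false` tags on `Users` and `Groups` leave both `sets.String` fields to a hand-written conversion, and that conversion is not visible in this hunk. These two fields are the answer a ResourceAccessReviewResponse exists to carry, so if the manual conversion misses either one the response comes back with an empty user or group list rather than an error. Name the manual conversion function next to the tag and cover both fields with a round-trip test.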
@@ -187,7 +193,7 @@ type ResourceAccessReview struct { | |
unversioned.TypeMeta | ||
|
||
// Action describes the action being tested | ||
Action AuthorizationAttributes | ||
Action | ||
Anonymous inclusion makes me sad. We can't get autogeneration and keep this named?

Name has to be the same as the type if on one side it's anonymous (which it
On Fri, Jul 22, 2016 at 1:17 PM, David Eads notifications@github.com
|
||
} | ||
|
||
// SubjectAccessReviewResponse describes whether or not a user or group can perform an action | ||
|
@@ -207,10 +213,11 @@ type SubjectAccessReview struct { | |
unversioned.TypeMeta | ||
|
||
// Action describes the action being tested | ||
Action AuthorizationAttributes | ||
Action | ||
// User is optional. If both User and Groups are empty, the current authenticated user is used. | ||
User string | ||
// Groups is optional. Groups is the list of groups to which the User belongs. | ||
// +genconversion=false | ||
Groups sets.String | ||
// Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups". | ||
// Nil for a self-SAR, means "use the scopes on this request". | ||
|
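Review bot: On `SubjectAccessReview`, `Groups` now carries `+genconversion=false`, while the comment two lines above it says that when both `User` and `Groups` are empty the current authenticated user is used. If the hand-written conversion for `Groups` is missing or drops the set, a review that names only groups would be evaluated against the caller instead of the requested groups, which is a wrong authorization answer rather than a failure. Add a conversion test for a request with `User` empty and `Groups` set, asserting that the groups survive the round trip.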
@@ -223,27 +230,28 @@ type LocalResourceAccessReview struct { | |
unversioned.TypeMeta | ||
|
||
// Action describes the action being tested | ||
Action AuthorizationAttributes | ||
Action | ||
} | ||
|
||
// LocalSubjectAccessReview is an object for requesting information about whether a user or group can perform an action in a particular namespace | ||
type LocalSubjectAccessReview struct { | ||
unversioned.TypeMeta | ||
|
||
// Action describes the action being tested. The Namespace element is FORCED to the current namespace. | ||
Action AuthorizationAttributes | ||
Action | ||
// User is optional. If both User and Groups are empty, the current authenticated user is used. | ||
User string | ||
// Groups is optional. Groups is the list of groups to which the User belongs. | ||
// +genconversion=false | ||
Groups sets.String | ||
// Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups". | ||
// Nil for a self-SAR, means "use the scopes on this request". | ||
// Nil for a regular SAR, means the same as empty. | ||
Scopes []string | ||
} | ||
|
||
// AuthorizationAttributes describes a request to be authorized | ||
type AuthorizationAttributes struct { | ||
// Action describes a request to be authorized | ||
type Action struct { | ||
// Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces | ||
Namespace string | ||
// Verb is one of: get, list, watch, create, update, delete | ||
|
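Review bot: Renaming `AuthorizationAttributes` to `Action` and embedding it in `LocalResourceAccessReview` and `LocalSubjectAccessReview` promotes its fields, so `review.Namespace` now compiles alongside `review.Action.Namespace`. The `LocalSubjectAccessReview` comment says the Namespace element is FORCED to the current namespace; with promotion there are two spellings for that field, and a later field named `Namespace` on the outer struct would shadow the promoted one silently. Say in the field comment that callers should keep writing `.Action.Namespace`, and call out the type rename for anything still referencing `AuthorizationAttributes`.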
@@ -327,6 +335,8 @@ type ClusterRoleBinding struct { | |
RoleRef kapi.ObjectReference | ||
} | ||
|
||
type ClusterRolesByName map[string]*ClusterRole | ||
|
||
// ClusterPolicy is a object that holds all the ClusterRoles for a particular namespace. There is at most | ||
// one ClusterPolicy document per namespace. | ||
type ClusterPolicy struct { | ||
|
@@ -338,9 +348,11 @@ type ClusterPolicy struct { | |
LastModified unversioned.Time | ||
|
||
// Roles holds all the ClusterRoles held by this ClusterPolicy, mapped by Role.Name | ||
Roles map[string]*ClusterRole | ||
Roles ClusterRolesByName | ||
} | ||
|
||
type ClusterRoleBindingsByName map[string]*ClusterRoleBinding | ||
|
||
// ClusterPolicyBinding is a object that holds all the ClusterRoleBindings for a particular namespace. There is | ||
// one ClusterPolicyBinding document per referenced ClusterPolicy namespace | ||
type ClusterPolicyBinding struct { | ||
|
@@ -354,7 +366,7 @@ type ClusterPolicyBinding struct { | |
// ClusterPolicyRef is a reference to the ClusterPolicy that contains all the ClusterRoles that this ClusterPolicyBinding's RoleBindings may reference | ||
PolicyRef kapi.ObjectReference | ||
// RoleBindings holds all the RoleBindings held by this ClusterPolicyBinding, mapped by RoleBinding.Name | ||
RoleBindings map[string]*ClusterRoleBinding | ||
RoleBindings ClusterRoleBindingsByName | ||
} | ||
|
||
// ClusterPolicyList is a collection of ClusterPolicies | ||
|
Is this wired to check the upstream ones too? Actually, given protobuf rules, we probably need additional checks to ensure that we're compatible, right?

It does not check upstream protobuf, what do you mean by "additional checks"?
On Fri, Jul 22, 2016 at 1:16 PM, David Eads notifications@github.com wrote:

We had a couple API carries since shipped a v1 first. We need to make sure that never happens again or if it does, make sure that it's not serialized to protobuf. I guess we could all promise to do no evil.

That applies to conversions, clients, and deep copies too. Agree we should have something to test, but should be done together.
On Fri, Jul 22, 2016 at 2:09 PM, David Eads notifications@github.com wrote: