Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Follow on to the AuthorizationAttributes -> Action PR to fix authorization conversions #9838

Closed
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 10 additions & 10 deletions pkg/authorization/api/deep_copy_generated.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ import (

func init() {
if err := api.Scheme.AddGeneratedDeepCopyFuncs(
DeepCopy_api_AuthorizationAttributes,
DeepCopy_api_Action,
DeepCopy_api_ClusterPolicy,
DeepCopy_api_ClusterPolicyBinding,
DeepCopy_api_ClusterPolicyBindingList,
Expand Down Expand Up @@ -48,7 +48,7 @@ func init() {
}
}

func DeepCopy_api_AuthorizationAttributes(in AuthorizationAttributes, out *AuthorizationAttributes, c *conversion.Cloner) error {
func DeepCopy_api_Action(in Action, out *Action, c *conversion.Cloner) error {
out.Namespace = in.Namespace
out.Verb = in.Verb
out.Group = in.Group
Expand Down Expand Up @@ -77,7 +77,7 @@ func DeepCopy_api_ClusterPolicy(in ClusterPolicy, out *ClusterPolicy, c *convers
}
if in.Roles != nil {
in, out := in.Roles, &out.Roles
*out = make(map[string]*ClusterRole)
*out = make(ClusterRolesByName)
for key, val := range in {
if newVal, err := c.DeepCopy(val); err != nil {
return err
Expand Down Expand Up @@ -106,7 +106,7 @@ func DeepCopy_api_ClusterPolicyBinding(in ClusterPolicyBinding, out *ClusterPoli
}
if in.RoleBindings != nil {
in, out := in.RoleBindings, &out.RoleBindings
*out = make(map[string]*ClusterRoleBinding)
*out = make(ClusterRoleBindingsByName)
for key, val := range in {
if newVal, err := c.DeepCopy(val); err != nil {
return err
Expand Down Expand Up @@ -260,7 +260,7 @@ func DeepCopy_api_LocalResourceAccessReview(in LocalResourceAccessReview, out *L
if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
return err
}
if err := DeepCopy_api_AuthorizationAttributes(in.Action, &out.Action, c); err != nil {
if err := DeepCopy_api_Action(in.Action, &out.Action, c); err != nil {
return err
}
return nil
Expand All @@ -270,7 +270,7 @@ func DeepCopy_api_LocalSubjectAccessReview(in LocalSubjectAccessReview, out *Loc
if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
return err
}
if err := DeepCopy_api_AuthorizationAttributes(in.Action, &out.Action, c); err != nil {
if err := DeepCopy_api_Action(in.Action, &out.Action, c); err != nil {
return err
}
out.User = in.User
Expand Down Expand Up @@ -309,7 +309,7 @@ func DeepCopy_api_Policy(in Policy, out *Policy, c *conversion.Cloner) error {
}
if in.Roles != nil {
in, out := in.Roles, &out.Roles
*out = make(map[string]*Role)
*out = make(RolesByName)
for key, val := range in {
if newVal, err := c.DeepCopy(val); err != nil {
return err
Expand Down Expand Up @@ -338,7 +338,7 @@ func DeepCopy_api_PolicyBinding(in PolicyBinding, out *PolicyBinding, c *convers
}
if in.RoleBindings != nil {
in, out := in.RoleBindings, &out.RoleBindings
*out = make(map[string]*RoleBinding)
*out = make(RoleBindingsByName)
for key, val := range in {
if newVal, err := c.DeepCopy(val); err != nil {
return err
Expand Down Expand Up @@ -468,7 +468,7 @@ func DeepCopy_api_ResourceAccessReview(in ResourceAccessReview, out *ResourceAcc
if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
return err
}
if err := DeepCopy_api_AuthorizationAttributes(in.Action, &out.Action, c); err != nil {
if err := DeepCopy_api_Action(in.Action, &out.Action, c); err != nil {
return err
}
return nil
Expand Down Expand Up @@ -624,7 +624,7 @@ func DeepCopy_api_SubjectAccessReview(in SubjectAccessReview, out *SubjectAccess
if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
return err
}
if err := DeepCopy_api_AuthorizationAttributes(in.Action, &out.Action, c); err != nil {
if err := DeepCopy_api_Action(in.Action, &out.Action, c); err != nil {
return err
}
out.User = in.User
Expand Down
32 changes: 22 additions & 10 deletions pkg/authorization/api/types.go
Original file line number Diff line number Diff line change
Expand Up @@ -105,6 +105,8 @@ type RoleBinding struct {
RoleRef kapi.ObjectReference
}

type RolesByName map[string]*Role

// +genclient=true

// Policy is a object that holds all the Roles for a particular namespace. There is at most
Expand All @@ -117,9 +119,11 @@ type Policy struct {
LastModified unversioned.Time

// Roles holds all the Roles held by this Policy, mapped by Role.Name
Roles map[string]*Role
Roles RolesByName
}

type RoleBindingsByName map[string]*RoleBinding

// PolicyBinding is a object that holds all the RoleBindings for a particular namespace. There is
// one PolicyBinding document per referenced Policy namespace
type PolicyBinding struct {
Expand All @@ -133,7 +137,7 @@ type PolicyBinding struct {
// PolicyRef is a reference to the Policy that contains all the Roles that this PolicyBinding's RoleBindings may reference
PolicyRef kapi.ObjectReference
// RoleBindings holds all the RoleBindings held by this PolicyBinding, mapped by RoleBinding.Name
RoleBindings map[string]*RoleBinding
RoleBindings RoleBindingsByName
}

// SelfSubjectRulesReview is a resource you can create to determine which actions you can perform in a namespace
Expand Down Expand Up @@ -171,8 +175,10 @@ type ResourceAccessReviewResponse struct {
// Namespace is the namespace used for the access review
Namespace string
// Users is the list of users who can perform the action
// +genconversion=false
Users sets.String
// Groups is the list of groups who can perform the action
// +genconversion=false
Groups sets.String

// EvaluationError is an indication that some error occurred during resolution, but partial results can still be returned.
Expand All @@ -187,7 +193,7 @@ type ResourceAccessReview struct {
unversioned.TypeMeta

// Action describes the action being tested
Action AuthorizationAttributes
Action
}

// SubjectAccessReviewResponse describes whether or not a user or group can perform an action
Expand All @@ -207,10 +213,11 @@ type SubjectAccessReview struct {
unversioned.TypeMeta

// Action describes the action being tested
Action AuthorizationAttributes
Action
// User is optional. If both User and Groups are empty, the current authenticated user is used.
User string
// Groups is optional. Groups is the list of groups to which the User belongs.
// +genconversion=false
Groups sets.String
// Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
// Nil for a self-SAR, means "use the scopes on this request".
Expand All @@ -223,27 +230,28 @@ type LocalResourceAccessReview struct {
unversioned.TypeMeta

// Action describes the action being tested
Action AuthorizationAttributes
Action
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I much prefer non-anonymous includes.

}

// LocalSubjectAccessReview is an object for requesting information about whether a user or group can perform an action in a particular namespace
type LocalSubjectAccessReview struct {
unversioned.TypeMeta

// Action describes the action being tested. The Namespace element is FORCED to the current namespace.
Action AuthorizationAttributes
Action
// User is optional. If both User and Groups are empty, the current authenticated user is used.
User string
// Groups is optional. Groups is the list of groups to which the User belongs.
// +genconversion=false
Groups sets.String
// Scopes to use for the evaluation. Empty means "use the unscoped (full) permissions of the user/groups".
// Nil for a self-SAR, means "use the scopes on this request".
// Nil for a regular SAR, means the same as empty.
Scopes []string
}

// AuthorizationAttributes describes a request to be authorized
type AuthorizationAttributes struct {
// Action describes a request to be authorized
type Action struct {
// Namespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces
Namespace string
// Verb is one of: get, list, watch, create, update, delete
Expand Down Expand Up @@ -327,6 +335,8 @@ type ClusterRoleBinding struct {
RoleRef kapi.ObjectReference
}

type ClusterRolesByName map[string]*ClusterRole

// ClusterPolicy is a object that holds all the ClusterRoles for a particular namespace. There is at most
// one ClusterPolicy document per namespace.
type ClusterPolicy struct {
Expand All @@ -338,9 +348,11 @@ type ClusterPolicy struct {
LastModified unversioned.Time

// Roles holds all the ClusterRoles held by this ClusterPolicy, mapped by Role.Name
Roles map[string]*ClusterRole
Roles ClusterRolesByName
}

type ClusterRoleBindingsByName map[string]*ClusterRoleBinding

// ClusterPolicyBinding is a object that holds all the ClusterRoleBindings for a particular namespace. There is
// one ClusterPolicyBinding document per referenced ClusterPolicy namespace
type ClusterPolicyBinding struct {
Expand All @@ -354,7 +366,7 @@ type ClusterPolicyBinding struct {
// ClusterPolicyRef is a reference to the ClusterPolicy that contains all the ClusterRoles that this ClusterPolicyBinding's RoleBindings may reference
PolicyRef kapi.ObjectReference
// RoleBindings holds all the RoleBindings held by this ClusterPolicyBinding, mapped by RoleBinding.Name
RoleBindings map[string]*ClusterRoleBinding
RoleBindings ClusterRoleBindingsByName
}

// ClusterPolicyList is a collection of ClusterPolicies
Expand Down
Loading