Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
7f4e5c56
Unverified
Commit
7f4e5c56
authored
Mar 07, 2017
by
Jordan Liggitt
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Use namespace from context
parent
cf116070
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
39 additions
and
17 deletions
+39
-17
BUILD
pkg/registry/rbac/clusterrolebinding/policybased/BUILD
+1
-0
storage.go
pkg/registry/rbac/clusterrolebinding/policybased/storage.go
+5
-4
escalation_check.go
pkg/registry/rbac/escalation_check.go
+1
-1
storage.go
pkg/registry/rbac/rolebinding/policybased/storage.go
+18
-4
rbac_test.go
test/integration/auth/rbac_test.go
+14
-8
No files found.
pkg/registry/rbac/clusterrolebinding/policybased/BUILD
View file @
7f4e5c56
...
...
@@ -16,6 +16,7 @@ go_library(
"//pkg/registry/rbac:go_default_library",
"//pkg/registry/rbac/validation:go_default_library",
"//vendor:k8s.io/apimachinery/pkg/api/errors",
"//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
"//vendor:k8s.io/apimachinery/pkg/runtime",
"//vendor:k8s.io/apiserver/pkg/authorization/authorizer",
"//vendor:k8s.io/apiserver/pkg/endpoints/request",
...
...
pkg/registry/rbac/clusterrolebinding/policybased/storage.go
View file @
7f4e5c56
...
...
@@ -19,6 +19,7 @@ package policybased
import
(
"k8s.io/apimachinery/pkg/api/errors"
metav1
"k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apiserver/pkg/authorization/authorizer"
genericapirequest
"k8s.io/apiserver/pkg/endpoints/request"
...
...
@@ -48,11 +49,11 @@ func (s *Storage) Create(ctx genericapirequest.Context, obj runtime.Object) (run
}
clusterRoleBinding
:=
obj
.
(
*
rbac
.
ClusterRoleBinding
)
if
rbacregistry
.
BindingAuthorized
(
ctx
,
clusterRoleBinding
.
RoleRef
,
clusterRoleBinding
.
Namespac
e
,
s
.
authorizer
)
{
if
rbacregistry
.
BindingAuthorized
(
ctx
,
clusterRoleBinding
.
RoleRef
,
metav1
.
NamespaceNon
e
,
s
.
authorizer
)
{
return
s
.
StandardStorage
.
Create
(
ctx
,
obj
)
}
rules
,
err
:=
s
.
ruleResolver
.
GetRoleReferenceRules
(
clusterRoleBinding
.
RoleRef
,
clusterRoleBinding
.
Namespac
e
)
rules
,
err
:=
s
.
ruleResolver
.
GetRoleReferenceRules
(
clusterRoleBinding
.
RoleRef
,
metav1
.
NamespaceNon
e
)
if
err
!=
nil
{
return
nil
,
err
}
...
...
@@ -71,12 +72,12 @@ func (s *Storage) Update(ctx genericapirequest.Context, name string, obj rest.Up
clusterRoleBinding
:=
obj
.
(
*
rbac
.
ClusterRoleBinding
)
// if we're explicitly authorized to bind this clusterrole, return
if
rbacregistry
.
BindingAuthorized
(
ctx
,
clusterRoleBinding
.
RoleRef
,
clusterRoleBinding
.
Namespac
e
,
s
.
authorizer
)
{
if
rbacregistry
.
BindingAuthorized
(
ctx
,
clusterRoleBinding
.
RoleRef
,
metav1
.
NamespaceNon
e
,
s
.
authorizer
)
{
return
obj
,
nil
}
// Otherwise, see if we already have all the permissions contained in the referenced clusterrole
rules
,
err
:=
s
.
ruleResolver
.
GetRoleReferenceRules
(
clusterRoleBinding
.
RoleRef
,
clusterRoleBinding
.
Namespac
e
)
rules
,
err
:=
s
.
ruleResolver
.
GetRoleReferenceRules
(
clusterRoleBinding
.
RoleRef
,
metav1
.
NamespaceNon
e
)
if
err
!=
nil
{
return
nil
,
err
}
...
...
pkg/registry/rbac/escalation_check.go
View file @
7f4e5c56
...
...
@@ -85,7 +85,7 @@ func BindingAuthorized(ctx genericapirequest.Context, roleRef rbac.RoleRef, bind
if
err
!=
nil
{
utilruntime
.
HandleError
(
fmt
.
Errorf
(
"error authorizing user %#v to bind %#v in namespace %s: %v"
,
roleRef
,
bindingNamespace
,
user
,
err
,
user
,
roleRef
,
bindingNamespace
,
err
,
))
}
return
ok
...
...
pkg/registry/rbac/rolebinding/policybased/storage.go
View file @
7f4e5c56
...
...
@@ -47,12 +47,19 @@ func (s *Storage) Create(ctx genericapirequest.Context, obj runtime.Object) (run
return
s
.
StandardStorage
.
Create
(
ctx
,
obj
)
}
// Get the namespace from the context (populated from the URL).
// The namespace in the object can be empty until StandardStorage.Create()->BeforeCreate() populates it from the context.
namespace
,
ok
:=
genericapirequest
.
NamespaceFrom
(
ctx
)
if
!
ok
{
return
nil
,
errors
.
NewBadRequest
(
"namespace is required"
)
}
roleBinding
:=
obj
.
(
*
rbac
.
RoleBinding
)
if
rbacregistry
.
BindingAuthorized
(
ctx
,
roleBinding
.
RoleRef
,
roleBinding
.
N
amespace
,
s
.
authorizer
)
{
if
rbacregistry
.
BindingAuthorized
(
ctx
,
roleBinding
.
RoleRef
,
n
amespace
,
s
.
authorizer
)
{
return
s
.
StandardStorage
.
Create
(
ctx
,
obj
)
}
rules
,
err
:=
s
.
ruleResolver
.
GetRoleReferenceRules
(
roleBinding
.
RoleRef
,
roleBinding
.
N
amespace
)
rules
,
err
:=
s
.
ruleResolver
.
GetRoleReferenceRules
(
roleBinding
.
RoleRef
,
n
amespace
)
if
err
!=
nil
{
return
nil
,
err
}
...
...
@@ -68,15 +75,22 @@ func (s *Storage) Update(ctx genericapirequest.Context, name string, obj rest.Up
}
nonEscalatingInfo
:=
rest
.
WrapUpdatedObjectInfo
(
obj
,
func
(
ctx
genericapirequest
.
Context
,
obj
runtime
.
Object
,
oldObj
runtime
.
Object
)
(
runtime
.
Object
,
error
)
{
// Get the namespace from the context (populated from the URL).
// The namespace in the object can be empty until StandardStorage.Update()->BeforeUpdate() populates it from the context.
namespace
,
ok
:=
genericapirequest
.
NamespaceFrom
(
ctx
)
if
!
ok
{
return
nil
,
errors
.
NewBadRequest
(
"namespace is required"
)
}
roleBinding
:=
obj
.
(
*
rbac
.
RoleBinding
)
// if we're explicitly authorized to bind this role, return
if
rbacregistry
.
BindingAuthorized
(
ctx
,
roleBinding
.
RoleRef
,
roleBinding
.
N
amespace
,
s
.
authorizer
)
{
if
rbacregistry
.
BindingAuthorized
(
ctx
,
roleBinding
.
RoleRef
,
n
amespace
,
s
.
authorizer
)
{
return
obj
,
nil
}
// Otherwise, see if we already have all the permissions contained in the referenced role
rules
,
err
:=
s
.
ruleResolver
.
GetRoleReferenceRules
(
roleBinding
.
RoleRef
,
roleBinding
.
N
amespace
)
rules
,
err
:=
s
.
ruleResolver
.
GetRoleReferenceRules
(
roleBinding
.
RoleRef
,
n
amespace
)
if
err
!=
nil
{
return
nil
,
err
}
...
...
test/integration/auth/rbac_test.go
View file @
7f4e5c56
...
...
@@ -352,8 +352,16 @@ func TestRBAC(t *testing.T) {
},
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Name
:
"create-rolebindings"
,
Namespace
:
"job-namespace"
},
Subjects
:
[]
rbacapi
.
Subject
{{
Kind
:
"User"
,
Name
:
"job-writer-namespace"
}},
RoleRef
:
rbacapi
.
RoleRef
{
Kind
:
"ClusterRole"
,
Name
:
"create-rolebindings"
},
Subjects
:
[]
rbacapi
.
Subject
{
{
Kind
:
"User"
,
Name
:
"job-writer-namespace"
},
{
Kind
:
"User"
,
Name
:
"any-rolebinding-writer-namespace"
},
},
RoleRef
:
rbacapi
.
RoleRef
{
Kind
:
"ClusterRole"
,
Name
:
"create-rolebindings"
},
},
{
ObjectMeta
:
metav1
.
ObjectMeta
{
Name
:
"bind-any-clusterrole"
,
Namespace
:
"job-namespace"
},
Subjects
:
[]
rbacapi
.
Subject
{{
Kind
:
"User"
,
Name
:
"any-rolebinding-writer-namespace"
}},
RoleRef
:
rbacapi
.
RoleRef
{
Kind
:
"ClusterRole"
,
Name
:
"bind-any-clusterrole"
},
},
},
},
...
...
@@ -384,6 +392,8 @@ func TestRBAC(t *testing.T) {
// cannot bind role anywhere
{
"user-with-no-permissions"
,
"POST"
,
"rbac.authorization.k8s.io"
,
"rolebindings"
,
"job-namespace"
,
""
,
writeJobsRoleBinding
,
http
.
StatusForbidden
},
// can only bind role in namespace where they have explicit bind permission
{
"any-rolebinding-writer-namespace"
,
"POST"
,
"rbac.authorization.k8s.io"
,
"rolebindings"
,
"forbidden-namespace"
,
""
,
writeJobsRoleBinding
,
http
.
StatusForbidden
},
// can only bind role in namespace where they have covering permissions
{
"job-writer-namespace"
,
"POST"
,
"rbac.authorization.k8s.io"
,
"rolebindings"
,
"forbidden-namespace"
,
""
,
writeJobsRoleBinding
,
http
.
StatusForbidden
},
{
"job-writer-namespace"
,
"POST"
,
"rbac.authorization.k8s.io"
,
"rolebindings"
,
"job-namespace"
,
""
,
writeJobsRoleBinding
,
http
.
StatusCreated
},
...
...
@@ -396,6 +406,8 @@ func TestRBAC(t *testing.T) {
// can bind role because they have explicit bind permission
{
"any-rolebinding-writer"
,
"POST"
,
"rbac.authorization.k8s.io"
,
"rolebindings"
,
"job-namespace"
,
""
,
writeJobsRoleBinding
,
http
.
StatusCreated
},
{
superUser
,
"DELETE"
,
"rbac.authorization.k8s.io"
,
"rolebindings"
,
"job-namespace"
,
"pi"
,
""
,
http
.
StatusOK
},
{
"any-rolebinding-writer-namespace"
,
"POST"
,
"rbac.authorization.k8s.io"
,
"rolebindings"
,
"job-namespace"
,
""
,
writeJobsRoleBinding
,
http
.
StatusCreated
},
{
superUser
,
"DELETE"
,
"rbac.authorization.k8s.io"
,
"rolebindings"
,
"job-namespace"
,
"pi"
,
""
,
http
.
StatusOK
},
},
},
}
...
...
@@ -434,12 +446,6 @@ func TestRBAC(t *testing.T) {
sub
+=
fmt
.
Sprintf
(
",
\"
resourceVersion
\"
:
\"
%v
\"
"
,
resVersion
)
}
}
// For any creation requests, add the namespace to the object meta.
if
r
.
verb
==
"POST"
||
r
.
verb
==
"PUT"
{
if
r
.
namespace
!=
""
{
sub
+=
fmt
.
Sprintf
(
",
\"
namespace
\"
: %q"
,
r
.
namespace
)
}
}
body
=
strings
.
NewReader
(
fmt
.
Sprintf
(
r
.
body
,
sub
))
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment