Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
f6f1ab34
Commit
f6f1ab34
authored
Jul 12, 2016
by
deads2k
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
authorize based on user.Info
parent
7823c577
Hide whitespace changes
Inline
Side-by-side
Showing
7 changed files
with
35 additions
and
37 deletions
+35
-37
abac.go
pkg/auth/authorizer/abac/abac.go
+9
-2
interfaces.go
pkg/auth/authorizer/interfaces.go
+4
-14
rbac.go
plugin/pkg/auth/authorizer/rbac/rbac.go
+2
-8
rbac_test.go
plugin/pkg/auth/authorizer/rbac/rbac_test.go
+3
-2
webhook.go
plugin/pkg/auth/authorizer/webhook/webhook.go
+8
-5
auth_test.go
test/integration/auth/auth_test.go
+5
-5
service_account_test.go
test/integration/serviceaccount/service_account_test.go
+4
-1
No files found.
pkg/auth/authorizer/abac/abac.go
View file @
f6f1ab34
...
...
@@ -133,12 +133,19 @@ func matches(p api.Policy, a authorizer.Attributes) bool {
func
subjectMatches
(
p
api
.
Policy
,
a
authorizer
.
Attributes
)
bool
{
matched
:=
false
username
:=
""
groups
:=
[]
string
{}
if
user
:=
a
.
GetUser
();
user
!=
nil
{
username
=
user
.
GetName
()
groups
=
user
.
GetGroups
()
}
// If the policy specified a user, ensure it matches
if
len
(
p
.
Spec
.
User
)
>
0
{
if
p
.
Spec
.
User
==
"*"
{
matched
=
true
}
else
{
matched
=
p
.
Spec
.
User
==
a
.
GetUserName
()
matched
=
p
.
Spec
.
User
==
username
if
!
matched
{
return
false
}
...
...
@@ -151,7 +158,7 @@ func subjectMatches(p api.Policy, a authorizer.Attributes) bool {
matched
=
true
}
else
{
matched
=
false
for
_
,
group
:=
range
a
.
GetGroups
()
{
for
_
,
group
:=
range
groups
{
if
p
.
Spec
.
Group
==
group
{
matched
=
true
}
...
...
pkg/auth/authorizer/interfaces.go
View file @
f6f1ab34
...
...
@@ -25,14 +25,8 @@ import (
// Attributes is an interface used by an Authorizer to get information about a request
// that is used to make an authorization decision.
type
Attributes
interface
{
// The user string which the request was authenticated as, or empty if
// no authentication occurred and the request was allowed to proceed.
GetUserName
()
string
// The list of group names the authenticated user is a member of. Can be
// empty if the authenticated user is not in any groups, or if no
// authentication occurred.
GetGroups
()
[]
string
// GetUser returns the user.Info object to authorize
GetUser
()
user
.
Info
// GetVerb returns the kube verb associated with API requests (this includes get, list, watch, create, update, patch, delete, and proxy),
// or the lowercased HTTP verb associated with non-API requests (this includes get, put, post, patch, and delete)
...
...
@@ -101,12 +95,8 @@ type AttributesRecord struct {
Path
string
}
func
(
a
AttributesRecord
)
GetUserName
()
string
{
return
a
.
User
.
GetName
()
}
func
(
a
AttributesRecord
)
GetGroups
()
[]
string
{
return
a
.
User
.
GetGroups
()
func
(
a
AttributesRecord
)
GetUser
()
user
.
Info
{
return
a
.
User
}
func
(
a
AttributesRecord
)
GetVerb
()
string
{
...
...
plugin/pkg/auth/authorizer/rbac/rbac.go
View file @
f6f1ab34
...
...
@@ -22,7 +22,6 @@ import (
"k8s.io/kubernetes/pkg/apis/rbac"
"k8s.io/kubernetes/pkg/apis/rbac/validation"
"k8s.io/kubernetes/pkg/auth/authorizer"
"k8s.io/kubernetes/pkg/auth/user"
"k8s.io/kubernetes/pkg/registry/clusterrole"
"k8s.io/kubernetes/pkg/registry/clusterrolebinding"
"k8s.io/kubernetes/pkg/registry/role"
...
...
@@ -36,16 +35,11 @@ type RBACAuthorizer struct {
}
func
(
r
*
RBACAuthorizer
)
Authorize
(
attr
authorizer
.
Attributes
)
error
{
if
r
.
superUser
!=
""
&&
attr
.
GetUserName
()
==
r
.
superUser
{
if
r
.
superUser
!=
""
&&
attr
.
GetUser
()
!=
nil
&&
attr
.
GetUser
()
.
Get
Name
()
==
r
.
superUser
{
return
nil
}
userInfo
:=
&
user
.
DefaultInfo
{
Name
:
attr
.
GetUserName
(),
Groups
:
attr
.
GetGroups
(),
}
ctx
:=
api
.
WithNamespace
(
api
.
WithUser
(
api
.
NewContext
(),
userInfo
),
attr
.
GetNamespace
())
ctx
:=
api
.
WithNamespace
(
api
.
WithUser
(
api
.
NewContext
(),
attr
.
GetUser
()),
attr
.
GetNamespace
())
// Frame the authorization request as a privilege escalation check.
var
requestedRule
rbac
.
PolicyRule
...
...
plugin/pkg/auth/authorizer/rbac/rbac_test.go
View file @
f6f1ab34
...
...
@@ -99,8 +99,9 @@ func (d *defaultAttributes) String() string {
d
.
user
,
strings
.
Split
(
d
.
groups
,
","
),
d
.
verb
,
d
.
resource
,
d
.
namespace
,
d
.
apiGroup
)
}
func
(
d
*
defaultAttributes
)
GetUserName
()
string
{
return
d
.
user
}
func
(
d
*
defaultAttributes
)
GetGroups
()
[]
string
{
return
strings
.
Split
(
d
.
groups
,
","
)
}
func
(
d
*
defaultAttributes
)
GetUser
()
user
.
Info
{
return
&
user
.
DefaultInfo
{
Name
:
d
.
user
,
Groups
:
strings
.
Split
(
d
.
groups
,
","
)}
}
func
(
d
*
defaultAttributes
)
GetVerb
()
string
{
return
d
.
verb
}
func
(
d
*
defaultAttributes
)
IsReadOnly
()
bool
{
return
d
.
verb
==
"get"
||
d
.
verb
==
"watch"
}
func
(
d
*
defaultAttributes
)
GetNamespace
()
string
{
return
d
.
namespace
}
...
...
plugin/pkg/auth/authorizer/webhook/webhook.go
View file @
f6f1ab34
...
...
@@ -129,12 +129,15 @@ func newWithBackoff(kubeConfigFile string, authorizedTTL, unauthorizedTTL, initi
// }
//
func
(
w
*
WebhookAuthorizer
)
Authorize
(
attr
authorizer
.
Attributes
)
(
err
error
)
{
r
:=
&
v1beta1
.
SubjectAccessReview
{
Spec
:
v1beta1
.
SubjectAccessReviewSpec
{
User
:
attr
.
GetUserName
(),
Groups
:
attr
.
GetGroups
(),
},
r
:=
&
v1beta1
.
SubjectAccessReview
{}
if
user
:=
attr
.
GetUser
();
user
!=
nil
{
r
.
Spec
=
v1beta1
.
SubjectAccessReviewSpec
{
User
:
user
.
GetName
(),
Groups
:
user
.
GetGroups
(),
Extra
:
user
.
GetExtra
(),
}
}
if
attr
.
IsResourceRequest
()
{
r
.
Spec
.
ResourceAttributes
=
&
v1beta1
.
ResourceAttributes
{
Namespace
:
attr
.
GetNamespace
(),
...
...
test/integration/auth/auth_test.go
View file @
f6f1ab34
...
...
@@ -537,7 +537,7 @@ func TestAuthModeAlwaysDeny(t *testing.T) {
type
allowAliceAuthorizer
struct
{}
func
(
allowAliceAuthorizer
)
Authorize
(
a
authorizer
.
Attributes
)
error
{
if
a
.
GetUserName
()
==
"alice"
{
if
a
.
GetUser
()
!=
nil
&&
a
.
GetUser
()
.
Get
Name
()
==
"alice"
{
return
nil
}
return
errors
.
New
(
"I can't allow that. Go ask alice."
)
...
...
@@ -705,18 +705,18 @@ type impersonateAuthorizer struct{}
// alice can't act as anyone and bob can't do anything but act-as someone
func
(
impersonateAuthorizer
)
Authorize
(
a
authorizer
.
Attributes
)
error
{
// alice can impersonate service accounts and do other actions
if
a
.
GetUserName
()
==
"alice"
&&
a
.
GetVerb
()
==
"impersonate"
&&
a
.
GetResource
()
==
"serviceaccounts"
{
if
a
.
GetUser
()
!=
nil
&&
a
.
GetUser
()
.
Get
Name
()
==
"alice"
&&
a
.
GetVerb
()
==
"impersonate"
&&
a
.
GetResource
()
==
"serviceaccounts"
{
return
nil
}
if
a
.
GetUserName
()
==
"alice"
&&
a
.
GetVerb
()
!=
"impersonate"
{
if
a
.
GetUser
()
!=
nil
&&
a
.
GetUser
()
.
Get
Name
()
==
"alice"
&&
a
.
GetVerb
()
!=
"impersonate"
{
return
nil
}
// bob can impersonate anyone, but that it
if
a
.
GetUserName
()
==
"bob"
&&
a
.
GetVerb
()
==
"impersonate"
{
if
a
.
GetUser
()
!=
nil
&&
a
.
GetUser
()
.
Get
Name
()
==
"bob"
&&
a
.
GetVerb
()
==
"impersonate"
{
return
nil
}
// service accounts can do everything
if
strings
.
HasPrefix
(
a
.
GetUser
Name
(),
serviceaccount
.
ServiceAccountUsernamePrefix
)
{
if
a
.
GetUser
()
!=
nil
&&
strings
.
HasPrefix
(
a
.
GetUser
()
.
Get
Name
(),
serviceaccount
.
ServiceAccountUsernamePrefix
)
{
return
nil
}
...
...
test/integration/serviceaccount/service_account_test.go
View file @
f6f1ab34
...
...
@@ -370,7 +370,10 @@ func startServiceAccountTestServer(t *testing.T) (*clientset.Clientset, restclie
// 2. ServiceAccounts named "ro" are allowed read-only operations in their namespace
// 3. ServiceAccounts named "rw" are allowed any operation in their namespace
authorizer
:=
authorizer
.
AuthorizerFunc
(
func
(
attrs
authorizer
.
Attributes
)
error
{
username
:=
attrs
.
GetUserName
()
username
:=
""
if
user
:=
attrs
.
GetUser
();
user
!=
nil
{
username
=
user
.
GetName
()
}
ns
:=
attrs
.
GetNamespace
()
// If the user is "root"...
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment