From 54576548be62f601267e909d04209932d2659575 Mon Sep 17 00:00:00 2001 From: hongming Date: Mon, 11 Jun 2018 10:38:15 +0800 Subject: [PATCH] Refine rules definition --- pkg/apis/v1alpha/iam/policy.go | 102 +++++++++++++++++---------------- pkg/apis/v1alpha/users/user.go | 7 +++ pkg/models/roles.go | 102 +++++++++++++++++++++++++++------ 3 files changed, 144 insertions(+), 67 deletions(-) diff --git a/pkg/apis/v1alpha/iam/policy.go b/pkg/apis/v1alpha/iam/policy.go index f27248e58..f65a93e13 100644 --- a/pkg/apis/v1alpha/iam/policy.go +++ b/pkg/apis/v1alpha/iam/policy.go @@ -44,10 +44,26 @@ type userRuleList struct { // TODO stored in etcd, allow updates var ( clusterRoleRuleGroup = []rule{projects, users, roles, images, - volumes, storageclasses, nodes, appCatalog, apps} + volumes, storageclasses, nodes, appCatalog, apps, components, + deployments, statefulsets, daemonsets, services, routes} - roleRuleGroup = []rule{deployments, project, statefulsets, daemonsets, - services, routes, pvc} + roleRuleGroup = []rule{project, deployments, statefulsets, daemonsets, + services, routes} + + components = rule{ + Name: "components", + Actions: []action{ + {Name: "view", + Rules: []v1.PolicyRule{ + { + Verbs: []string{"get", "list"}, + APIGroups: []string{"kubsphere.io"}, + Resources: []string{"components"}, + }, + }, + }, + }, + } projects = rule{ Name: "projects", @@ -112,7 +128,7 @@ var ( Rules: []v1.PolicyRule{ { Verbs: []string{"get", "list"}, - APIGroups: []string{"iam.kubesphere.io"}, + APIGroups: []string{"kubesphere.io"}, Resources: []string{"users"}, }, { @@ -126,7 +142,7 @@ var ( Rules: []v1.PolicyRule{ { Verbs: []string{"create"}, - APIGroups: []string{"iam.kubesphere.io"}, + APIGroups: []string{"kubesphere.io"}, Resources: []string{"users"}, }, }, @@ -135,7 +151,7 @@ var ( Rules: []v1.PolicyRule{ { Verbs: []string{"update", "patch"}, - APIGroups: []string{"iam.kubesphere.io"}, + APIGroups: []string{"kubesphere.io"}, Resources: []string{"users"}, }, }, 
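Review bot: The new `components` rule sets `APIGroups: []string{"kubsphere.io"}`, which is misspelled; every other rule in this file, and the `users` rules this same commit rewrites, use `"kubesphere.io"`, so the `view` action would be bound to an API group that nothing serves and the permission would never take effect. Change the line to `APIGroups: []string{"kubesphere.io"},`. Nothing at compile time catches a mistyped group string, so a small test that checks every rule's APIGroups against the set of groups the API actually registers would prevent this class of slip. The `var (` block holding these rule literals continues outside the hunk.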
@@ -144,7 +160,7 @@ var ( Rules: []v1.PolicyRule{ { Verbs: []string{"delete", "deletecollection"}, - APIGroups: []string{"iam.kubesphere.io"}, + APIGroups: []string{"kubesphere.io"}, Resources: []string{"users"}, }, }, @@ -360,7 +376,34 @@ var ( Rules: []v1.PolicyRule{ { Verbs: []string{"get", "list"}, - APIGroups: []string{"extend.kubesphere.io"}, + APIGroups: []string{"openpitrix.io"}, + Resources: []string{"appcatalog"}, + }, + }, + }, + {Name: "create", + Rules: []v1.PolicyRule{ + { + Verbs: []string{"create"}, + APIGroups: []string{"openpitrix.io"}, + Resources: []string{"appcatalog"}, + }, + }, + }, + {Name: "edit", + Rules: []v1.PolicyRule{ + { + Verbs: []string{"update", "patch"}, + APIGroups: []string{"openpitrix.io"}, + Resources: []string{"appcatalog"}, + }, + }, + }, + {Name: "delete", + Rules: []v1.PolicyRule{ + { + Verbs: []string{"delete", "deletecollection"}, + APIGroups: []string{"openpitrix.io"}, Resources: []string{"appcatalog"}, }, }, @@ -375,7 +418,7 @@ var ( Rules: []v1.PolicyRule{ { Verbs: []string{"get", "list"}, - APIGroups: []string{"extend.kubesphere.io"}, + APIGroups: []string{"openpitrix.io"}, Resources: []string{"apps"}, }, }, 
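Review bot: The four `appCatalog` actions added in the `@@ -360` hunk are copies of one literal that differ only in `Name` and `Verbs`, with the group and resource strings repeated in each; this is the shape that produced the `kubsphere.io` typo earlier in the file, and it is also how `users` and the removed `pvc` rule are written. A helper that builds the standard view/create/edit/delete quartet from one `(group, resource)` pair keeps each string in a single place and shrinks these rules to a line each, as sketched below. The `apps` change in the following hunk is the same group rename and needs no comment of its own. The `var (` block these rules live in starts and ends outside the hunk.

```go
// crudActions builds the standard view/create/edit/delete action set for one
// resource in one API group, so group and resource are spelled exactly once.
func crudActions(group, resource string) []action {
	mk := func(name string, verbs ...string) action {
		return action{Name: name, Rules: []v1.PolicyRule{{
			Verbs:     verbs,
			APIGroups: []string{group},
			Resources: []string{resource},
		}}}
	}
	return []action{
		mk("view", "get", "list"),
		mk("create", "create"),
		mk("edit", "update", "patch"),
		mk("delete", "delete", "deletecollection"),
	}
}

	// … unchanged: appCatalog keeps Name: "appCatalog" …
	appCatalog = rule{Name: "appCatalog", Actions: crudActions("openpitrix.io", "appcatalog")}
```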
@@ -551,47 +594,6 @@ var ( }, }, } - pvc = rule{ - Name: "persistentvolumeclaims", - Actions: []action{ - {Name: "view", - Rules: []v1.PolicyRule{ - { - Verbs: []string{"get", "list"}, - APIGroups: []string{""}, - Resources: []string{"persistentvolumeclaims"}, - }, - }, - }, - {Name: "create", - Rules: []v1.PolicyRule{ - { - Verbs: []string{"create"}, - APIGroups: []string{""}, - Resources: []string{"persistentvolumeclaims"}, - }, - }, - }, - {Name: "edit", - Rules: []v1.PolicyRule{ - { - Verbs: []string{"update", "patch"}, - APIGroups: []string{""}, - Resources: []string{"persistentvolumeclaims"}, - }, - }, - }, - {Name: "delete", - Rules: []v1.PolicyRule{ - { - Verbs: []string{"delete", "deletecollection"}, - APIGroups: []string{""}, - Resources: []string{"persistentvolumeclaims"}, - }, - }, - }, - }, - } deployments = rule{ Name: "deployments", diff --git a/pkg/apis/v1alpha/users/user.go b/pkg/apis/v1alpha/users/user.go index 442a8f091..d62d1e544 100644 --- a/pkg/apis/v1alpha/users/user.go +++ b/pkg/apis/v1alpha/users/user.go @@ -71,6 +71,13 @@ func delUser(req *restful.Request, resp *restful.Response) { return } + err = models.DeleteRoleBindings(user) + + if err != nil { + resp.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()}) + return + } + resp.WriteEntity(constants.MessageResponse{Message: "successfully deleted"}) } diff --git a/pkg/models/roles.go b/pkg/models/roles.go index 96ec3052b..4940959ec 100644 --- a/pkg/models/roles.go +++ b/pkg/models/roles.go 
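Review bot: In the `user.go` hunk, `models.DeleteRoleBindings(user)` runs only after the user record has (presumably, from the `return` just above it) already been removed, so a failure here returns 500 while the bindings that still name that user stay in place; if the same username is later re-created, those stale subjects silently hand it the old roles. Moving the `DeleteRoleBindings` call ahead of the user deletion makes a failure abort with nothing half-done, and the error path should log the username so any orphaned bindings can be found. The `pvc` hunk above is a pure removal and needs no comment. `delUser` begins before this hunk.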
@@ -4,11 +4,67 @@ import ( "k8s.io/api/rbac/v1" meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "strings" + + "github.com/golang/glog" + "kubesphere.io/kubesphere/pkg/client" ) const ClusterRoleKind = "ClusterRole" +func DeleteRoleBindings(username string) error { + k8s := client.NewK8sClient() + + roleBindings, err := k8s.RbacV1().RoleBindings("").List(meta_v1.ListOptions{}) + + if err != nil { + return err + } + + for _, roleBinding := range roleBindings.Items { + + length1 := len(roleBinding.Subjects) + + for index, subject := range roleBinding.Subjects { + if subject.Kind == v1.UserKind && subject.Name == username { + roleBinding.Subjects = append(roleBinding.Subjects[:index], roleBinding.Subjects[index+1:]...) + index-- + } + } + + length2 := len(roleBinding.Subjects) + + if length2 == 0 { + k8s.RbacV1().RoleBindings(roleBinding.Namespace).Delete(roleBinding.Name, &meta_v1.DeleteOptions{}) + } else if length2 < length1 { + k8s.RbacV1().RoleBindings(roleBinding.Namespace).Update(&roleBinding) + } + } + + clusterRoleBindingList, err := k8s.RbacV1().ClusterRoleBindings().List(meta_v1.ListOptions{}) + + for _, roleBinding := range clusterRoleBindingList.Items { + length1 := len(roleBinding.Subjects) + + for index, subject := range roleBinding.Subjects { + if subject.Kind == v1.UserKind && subject.Name == username { + roleBinding.Subjects = append(roleBinding.Subjects[:index], roleBinding.Subjects[index+1:]...) + index-- + } + } + + length2 := len(roleBinding.Subjects) + if length2 == 0 { + k8s.RbacV1().ClusterRoleBindings().Delete(roleBinding.Name, &meta_v1.DeleteOptions{}) + } else if length2 < length1 { + k8s.RbacV1().ClusterRoleBindings().Update(&roleBinding) + } + } + + return nil +} + func GetRole(namespace string, name string) (*v1.Role, error) { k8s := client.NewK8sClient() role, err := k8s.RbacV1().Roles(namespace).Get(name, meta_v1.GetOptions{}) 
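Review bot: Removing a subject with `append(roleBinding.Subjects[:index], roleBinding.Subjects[index+1:]...)` inside a `range` over the same slice skips the element that shifts into `index`, so two adjacent subjects for the same user leave one behind, and `index--` has no effect on a range variable (`go vet` flags it as an ineffective assignment). The error results of `Delete` and `Update` are discarded and `err` from `ClusterRoleBindings().List` is never checked before `clusterRoleBindingList.Items` is dereferenced, so the function returns nil (and `delUser` reports success) even when bindings for the deleted user remain, or panics on a failed list. Both loops can share a filter helper that builds a fresh subject list, with every API error returned, as below. Minor: `"strings"` is a standard-library import and belongs in the first import group.

```go
// dropUser returns subjects without every User subject named username and
// reports whether anything was removed.
func dropUser(subjects []v1.Subject, username string) ([]v1.Subject, bool) {
	kept := make([]v1.Subject, 0, len(subjects))
	for _, s := range subjects {
		if s.Kind == v1.UserKind && s.Name == username {
			continue
		}
		kept = append(kept, s)
	}
	return kept, len(kept) != len(subjects)
}

// DeleteRoleBindings removes username from every RoleBinding and
// ClusterRoleBinding, deleting bindings that are left with no subjects.
// The first API error aborts the sweep and is returned to the caller.
func DeleteRoleBindings(username string) error {
	k8s := client.NewK8sClient()

	roleBindings, err := k8s.RbacV1().RoleBindings("").List(meta_v1.ListOptions{})
	if err != nil {
		return err
	}
	for _, rb := range roleBindings.Items {
		kept, changed := dropUser(rb.Subjects, username)
		if !changed {
			continue
		}
		if len(kept) == 0 {
			err = k8s.RbacV1().RoleBindings(rb.Namespace).Delete(rb.Name, &meta_v1.DeleteOptions{})
		} else {
			rb.Subjects = kept
			_, err = k8s.RbacV1().RoleBindings(rb.Namespace).Update(&rb)
		}
		if err != nil {
			return err
		}
	}

	clusterRoleBindings, err := k8s.RbacV1().ClusterRoleBindings().List(meta_v1.ListOptions{})
	if err != nil {
		return err
	}
	for _, crb := range clusterRoleBindings.Items {
		kept, changed := dropUser(crb.Subjects, username)
		if !changed {
			continue
		}
		if len(kept) == 0 {
			err = k8s.RbacV1().ClusterRoleBindings().Delete(crb.Name, &meta_v1.DeleteOptions{})
		} else {
			crb.Subjects = kept
			_, err = k8s.RbacV1().ClusterRoleBindings().Update(&crb)
		}
		if err != nil {
			return err
		}
	}

	return nil
}
```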
@@ -77,32 +133,42 @@ func GetRoles(username string) ([]v1.Role, error) { roles := make([]v1.Role, 0) for _, roleBinding := range roleBindings.Items { + for _, subject := range roleBinding.Subjects { if subject.Kind == v1.UserKind && subject.Name == username { if roleBinding.RoleRef.Kind == ClusterRoleKind { - clusterRole, err := k8s.RbacV1().ClusterRoles().Get(roleBinding.RoleRef.Name, meta_v1.GetOptions{}) - - if err != nil { + if err == nil { + var role = v1.Role(*clusterRole) + role.Namespace = roleBinding.Namespace + roles = append(roles, role) + break + } else if strings.HasSuffix(err.Error(), "not found") { + glog.Infoln(err.Error()) + break + } else { return nil, err } - var role = v1.Role(*clusterRole) - role.Namespace = roleBinding.Namespace - - roles = append(roles, role) - } else { - rule, err := k8s.RbacV1().Roles(roleBinding.Namespace).Get(roleBinding.RoleRef.Name, meta_v1.GetOptions{}) + if subject.Kind == v1.UserKind && subject.Name == username { + rule, err := k8s.RbacV1().Roles(roleBinding.Namespace).Get(roleBinding.RoleRef.Name, meta_v1.GetOptions{}) + if err == nil { + roles = append(roles, *rule) + break + } else if strings.HasSuffix(err.Error(), "not found") { + glog.Infoln(err.Error()) + break + } else { + return nil, err + } - if err != nil { - return nil, err } - roles = append(roles, *rule) } } } + } return roles, nil @@ -123,14 +189,16 @@ func GetClusterRoles(username string) ([]v1.ClusterRole, error) { for _, subject := range roleBinding.Subjects { if subject.Kind == v1.UserKind && subject.Name == username { if roleBinding.RoleRef.Kind == ClusterRoleKind { - rule, err := k8s.RbacV1().ClusterRoles().Get(roleBinding.RoleRef.Name, meta_v1.GetOptions{}) - - if err != nil { + if err == nil { + roles = append(roles, *rule) + break + } else if strings.HasSuffix(err.Error(), "not found") { + glog.Infoln(err.Error()) + break + } else { return nil, err } - - roles = append(roles, *rule) } } }
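Review bot: The new not-found handling in `GetRoles` matches on `strings.HasSuffix(err.Error(), "not found")`, which depends on the wording of the message and would also swallow unrelated errors that happen to end that way; `k8s.io/apimachinery/pkg/api/errors` provides `errors.IsNotFound(err)` for exactly this, so both branches should read `} else if apierrors.IsNotFound(err) {`, and the same substitution applies to the `GetClusterRoles` hunk below. The restructured branch also repeats the `subject.Kind == v1.UserKind && subject.Name == username` test that the enclosing `if` has already established, where the removed `else` said the same thing more directly. As rendered, the `clusterRole, err := ...ClusterRoles().Get(...)` line is removed while `clusterRole` is still used in the new `if err == nil` block; unless a line was lost in this listing, that would not compile, so please confirm the Get call survives. `GetRoles` begins before this hunk.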