From 26fcdb6d3e6bd95ec5fcd79c78f2ccfe68223b5f Mon Sep 17 00:00:00 2001
From: hongming
Date: Thu, 14 Jun 2018 13:59:04 +0800
Subject: [PATCH] Load configuration from mounted folders
---
pkg/apis/v1alpha/iam/policy.go | 227 +++++++++++++++++++++++++++------
pkg/apis/v1alpha/users/user.go | 7 +-
pkg/models/roles.go | 14 +-
3 files changed, 201 insertions(+), 47 deletions(-)
diff --git a/pkg/apis/v1alpha/iam/policy.go b/pkg/apis/v1alpha/iam/policy.go
index f65a93e13..b4529edff 100644
--- a/pkg/apis/v1alpha/iam/policy.go
+++ b/pkg/apis/v1alpha/iam/policy.go
@@ -18,9 +18,16 @@ package iam
 import (
+ "encoding/json"
+ "io/ioutil"
+
+ "github.com/golang/glog"
 "k8s.io/api/rbac/v1"
 )
+const rulesConfigPath = "/etc/kubesphere/rules.json"
+const clusterRulesConfigPath = "/etc/kubesphere/clusterrules.json"
+
 type roleList struct {
 ClusterRoles []v1.ClusterRole `json:"clusterRoles" protobuf:"bytes,2,rep,name=clusterRoles"`
 Roles []v1.Role `json:"roles" protobuf:"bytes,2,rep,name=roles"`
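Review bot: The two new constants `rulesConfigPath` and `clusterRulesConfigPath` have no comment, so a reader of this hunk cannot tell whether the files are required configuration or optional overrides, nor what shape they must have. I would declare them in one `const (...)` block with a comment such as `// Optional JSON files holding a []rule. When present and non-empty, their contents replace (not merge with) the built-in roleRuleGroup / clusterRoleRuleGroup in init().` The replace-rather-than-merge behaviour is what the `init()` in the next hunk implements, and it is worth stating where the paths are declared because an operator who mounts a partial file will otherwise lose every built-in rule.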
@@ -41,14 +48,35 @@ type userRuleList struct {
 Rules map[string][]rule `json:"rules"`
 }
-// TODO stored in etcd, allow updates
+func init() {
+ rulesConfig, err := ioutil.ReadFile(rulesConfigPath)
+ if err == nil {
+ config := &[]rule{}
+ json.Unmarshal(rulesConfig, config)
+ if len(*config) > 0 {
+ roleRuleGroup = *config
+ glog.Info("rules config load success")
+ }
+ }
+
+ clusterRulesConfig, err := ioutil.ReadFile(clusterRulesConfigPath)
+
+ if err == nil {
+ config := &[]rule{}
+ json.Unmarshal(clusterRulesConfig, config)
+ if len(*config) > 0 {
+ clusterRoleRuleGroup = *config
+ glog.Info("cluster rules config load success")
+ }
+ }
+}
+
 var (
 clusterRoleRuleGroup = []rule{projects, users, roles, images,
- volumes, storageclasses, nodes, appCatalog, apps, components,
- deployments, statefulsets, daemonsets, services, routes}
+ volumes, storageclasses, nodes, appCatalog, apps, components, deployments, statefulsets, daemonsets, pods, services, routes}
- roleRuleGroup = []rule{project, deployments, statefulsets, daemonsets,
- services, routes}
+ roleRuleGroup = []rule{project, deployments, statefulsets, daemonsets, pods,
+ services, routes, volumes}
 components = rule{
 Name: "components",
@@ -86,6 +114,15 @@ var (
 },
 },
 },
+ {Name: "edit",
+ Rules: []v1.PolicyRule{
+ {
+ Verbs: []string{"update", "patch"},
+ APIGroups: []string{""},
+ Resources: []string{"namespaces"},
+ },
+ },
+ },
 {Name: "delete",
 Rules: []v1.PolicyRule{
 {
@@ -95,12 +132,6 @@ var (
 },
 },
 },
- },
- }
-
- project = rule{
- Name: "project",
- Actions: []action{
 {Name: "members",
 Rules: []v1.PolicyRule{
 {
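Review bot: Both `json.Unmarshal` calls in the new `init()` discard their error, and every `ioutil.ReadFile` failure other than success is treated the same as "file absent", so a malformed or unreadable policy file silently leaves the built-in `roleRuleGroup`/`clusterRoleRuleGroup` in force with nothing but a missing "load success" log line as evidence. For a file that defines authorization rules the operator should see an explicit warning (or the process should refuse to start) rather than run on defaults they believe they overrode; note also that `json.Unmarshal` can return a type error after partially filling the slice, in which case `len(*config) > 0` accepts a half-parsed rule set. The two blocks are otherwise identical, so one helper that reads, decodes and validates a file removes the duplication and gives a single place to log; it needs `"os"` imported for `os.IsNotExist`. Doing this work in `init()` also means any test importing the package reads `/etc/kubesphere` — a `loadRuleConfig` helper is at least callable explicitly from tests.

```go
func init() {
	loadRuleConfig(rulesConfigPath, &roleRuleGroup, "rules")
	loadRuleConfig(clusterRulesConfigPath, &clusterRoleRuleGroup, "cluster rules")
}

// loadRuleConfig replaces *dst with the rules decoded from path when the file
// exists, decodes cleanly and is non-empty. Any other outcome is logged and
// leaves the built-in rules in *dst untouched so the fallback is visible.
func loadRuleConfig(path string, dst *[]rule, what string) {
	data, err := ioutil.ReadFile(path)
	if os.IsNotExist(err) {
		return // optional file: built-in rules apply
	}
	if err != nil {
		glog.Warningf("%s config %s unreadable, using built-in rules: %v", what, path, err)
		return
	}
	var loaded []rule
	if err := json.Unmarshal(data, &loaded); err != nil {
		glog.Warningf("%s config %s invalid, using built-in rules: %v", what, path, err)
		return
	}
	if len(loaded) == 0 {
		glog.Warningf("%s config %s is empty, using built-in rules", what, path)
		return
	}
	*dst = loaded
	glog.Infof("%s config load success", what)
}
```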
@@ -121,6 +152,48 @@ var (
 },
 },
 }
+
+ project = rule{
+ Name: "projects",
+ Actions: []action{
+ {Name: "members",
+ Rules: []v1.PolicyRule{
+ {
+ Verbs: []string{"get", "list", "create", "delete"},
+ APIGroups: []string{"rbac.authorization.k8s.io"},
+ Resources: []string{"rolebindings"},
+ },
+ },
+ },
+ {Name: "member_roles",
+ Rules: []v1.PolicyRule{
+ {
+ Verbs: []string{"get", "list", "create", "delete", "patch", "update"},
+ APIGroups: []string{"rbac.authorization.k8s.io"},
+ Resources: []string{"roles"},
+ },
+ },
+ },
+ {Name: "edit",
+ Rules: []v1.PolicyRule{
+ {
+ Verbs: []string{"update", "patch"},
+ APIGroups: []string{""},
+ Resources: []string{"namespaces"},
+ },
+ },
+ },
+ {Name: "delete",
+ Rules: []v1.PolicyRule{
+ {
+ Verbs: []string{"delete"},
+ APIGroups: []string{""},
+ Resources: []string{"namespaces"},
+ },
+ },
+ },
+ },
+ }
 users = rule{
 Name: "users",
 Actions: []action{
@@ -134,7 +207,7 @@ var (
 {
 Verbs: []string{"get", "list"},
 APIGroups: []string{"rbac.authorization.k8s.io"},
- Resources: []string{"rolebindings", "clusterrolebindings"},
+ Resources: []string{"clusterrolebindings"},
 },
 },
 },
@@ -145,6 +218,11 @@ var (
 APIGroups: []string{"kubesphere.io"},
 Resources: []string{"users"},
 },
+ {
+ Verbs: []string{"create", "delete", "deletecollection"},
+ APIGroups: []string{"rbac.authorization.k8s.io"},
+ Resources: []string{"clusterrolebindings"},
+ },
 },
 },
 {Name: "edit",
@@ -154,6 +232,11 @@ var (
 APIGroups: []string{"kubesphere.io"},
 Resources: []string{"users"},
 },
+ {
+ Verbs: []string{"create", "delete", "deletecollection"},
+ APIGroups: []string{"rbac.authorization.k8s.io"},
+ Resources: []string{"clusterrolebindings"},
+ },
 },
 },
 {Name: "delete",
@@ -176,7 +259,7 @@ var (
 {
 Verbs: []string{"get", "list"},
 APIGroups: []string{"rbac.authorization.k8s.io"},
- Resources: []string{"roles", "clusterroles"},
+ Resources: []string{"clusterroles"},
 },
 },
 },
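Review bot: The re-added namespace-level rule `project` now carries `Name: "projects"`, whereas the declaration removed at @@ -95 had `Name: "project"`; that is a rename of a value consumers may match on, and it makes the Name equal to the Go identifier of the cluster-level rule `projects` listed in `clusterRoleRuleGroup` (presumably its Name as well, though that literal is not in view). If sharing the name is intended, a comment on the literal such as `// intentionally the same name as the cluster-level projects rule` keeps the next reader from "fixing" it; if not, it should read `Name: "project",` again. The `edit` action here is also byte-for-byte the one added to the preceding rule at @@ -86, so a shared `[]v1.PolicyRule` value for the namespace update/patch rule would keep the two from drifting.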
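Review bot: The rules added to the `create` and `edit` actions of the `users` rule (@@ -145 and @@ -154) grant `create`, `delete` and `deletecollection` on `clusterrolebindings` with no `ResourceNames` restriction, so a holder of either action can bind any existing ClusterRole, including cluster-admin, to any subject. Kubernetes' RBAC escalation check only constrains the identity that sends the request; if KubeSphere creates the binding with its own service account after evaluating these rules, the action is a cluster-admin-equivalent grant and should be documented as one. I would put `// escalation path: creating cluster role bindings lets the holder grant any ClusterRole` on both new rules and confirm that the `users` actions are only assigned to roles that already carry that level of trust. The enclosing `users` rule begins before the @@ -145 hunk.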
@@ -186,7 +269,7 @@ var (
 {
 Verbs: []string{"create"},
 APIGroups: []string{"rbac.authorization.k8s.io"},
- Resources: []string{"roles", "clusterroles"},
+ Resources: []string{"clusterroles"},
 },
 },
 },
@@ -195,7 +278,7 @@ var (
 {
 Verbs: []string{"update", "patch"},
 APIGroups: []string{"rbac.authorization.k8s.io"},
- Resources: []string{"roles", "clusterroles"},
+ Resources: []string{"clusterroles"},
 },
 },
 },
@@ -204,16 +287,7 @@ var (
 {
 Verbs: []string{"delete", "deletecollection"},
 APIGroups: []string{"rbac.authorization.k8s.io"},
- Resources: []string{"roles", "clusterroles"},
- },
- },
- },
- {Name: "role_binding",
- Rules: []v1.PolicyRule{
- {
- Verbs: []string{"create", "delete", "deletecollection"},
- APIGroups: []string{"rbac.authorization.k8s.io"},
- Resources: []string{"rolebindings", "clusterrolebindings"},
+ Resources: []string{"clusterroles"},
 },
 },
 },
@@ -232,6 +306,24 @@ var (
 },
 },
 },
+ {Name: "edit",
+ Rules: []v1.PolicyRule{
+ {
+ Verbs: []string{"update", "patch"},
+ APIGroups: []string{""},
+ Resources: []string{"nodes"},
+ },
+ },
+ },
+ {Name: "drain",
+ Rules: []v1.PolicyRule{
+ {
+ Verbs: []string{"*"},
+ APIGroups: []string{"kubesphere.io"},
+ Resources: []string{"nodes"},
+ },
+ },
+ },
 },
 }
@@ -245,18 +337,14 @@ var (
 APIGroups: []string{""},
 Resources: []string{"persistentvolumes"},
 },
- },
- },
- {Name: "create",
- Rules: []v1.PolicyRule{
 {
- Verbs: []string{"get", "list"},
+ Verbs: []string{"list"},
 APIGroups: []string{""},
- Resources: []string{"persistentvolumes"},
+ Resources: []string{"namespaces"},
 },
 },
 },
- {Name: "delete",
+ {Name: "create",
 Rules: []v1.PolicyRule{
 {
 Verbs: []string{"get", "list"},
@@ -274,6 +362,15 @@ var (
 },
 },
 },
+ {Name: "delete",
+ Rules: []v1.PolicyRule{
+ {
+ Verbs: []string{"get", "list"},
+ APIGroups: []string{""},
+ Resources: []string{"persistentvolumes"},
+ },
+ },
+ },
 },
 }
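Review bot: The new `drain` action (@@ -232) grants `Verbs: []string{"*"}` on `kubesphere.io`/`nodes`, and the `terminal` action in the `pods` rule added at @@ -651 does the same on `kubesphere.io`/`terminal`; a wildcard verb covers every verb that API group exposes now or later, not just the operation the action name implies. Listing the verbs the drain and terminal handlers actually check (I cannot see the handlers from here, so the exact set has to come from them) keeps each grant as narrow as its name suggests. Failing that, each of the two rules should carry a comment saying why `"*"` is required rather than an explicit verb list.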
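Review bot: The `delete` action added to the volumes rule at @@ -274 grants only `Verbs: []string{"get", "list"}` on `persistentvolumes`, and the `create` action that @@ -245 leaves in place also begins with `Verbs: []string{"get", "list"}`, so neither action authorizes the verb it is named after. If these are deliberate placeholders until volume creation/deletion is wired up, say so on each with `// TODO: only read access is granted; create/delete verbs not yet wired`, otherwise the verbs should be `[]string{"delete"}` and `[]string{"create"}` on the resources the handlers touch. The volumes rule, and the `create` action's remaining lines, lie outside these hunks.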
@@ -331,6 +428,11 @@ var (
 "secrets",
 },
 },
+ {
+ Verbs: []string{"list"},
+ APIGroups: []string{""},
+ Resources: []string{"namespaces"},
+ },
 },
 },
 {Name: "create",
@@ -436,6 +538,16 @@ var (
 APIGroups: []string{"apps"},
 Resources: []string{"statefulsets"},
 },
+ {
+ Verbs: []string{"list"},
+ APIGroups: []string{""},
+ Resources: []string{"namespaces"},
+ },
+ {
+ Verbs: []string{"get", "list"},
+ APIGroups: []string{""},
+ Resources: []string{"pods", "pods/log", "pods/status"},
+ },
 },
 },
 {Name: "create",
@@ -478,6 +590,16 @@ var (
 APIGroups: []string{"apps", "extensions"},
 Resources: []string{"daemonsets"},
 },
+ {
+ Verbs: []string{"list"},
+ APIGroups: []string{""},
+ Resources: []string{"namespaces"},
+ },
+ {
+ Verbs: []string{"get", "list"},
+ APIGroups: []string{""},
+ Resources: []string{"pods", "pods/log", "pods/status"},
+ },
 },
 },
 {Name: "create",
@@ -520,6 +642,11 @@ var (
 APIGroups: []string{""},
 Resources: []string{"services"},
 },
+ {
+ Verbs: []string{"list"},
+ APIGroups: []string{""},
+ Resources: []string{"namespaces"},
+ },
 },
 },
 {Name: "create",
@@ -563,6 +690,11 @@ var (
 APIGroups: []string{"extensions"},
 Resources: []string{"ingresses"},
 },
+ {
+ Verbs: []string{"list"},
+ APIGroups: []string{""},
+ Resources: []string{"namespaces"},
+ },
 },
 },
 {Name: "create",
@@ -603,11 +735,17 @@ var (
 {
 Verbs: []string{"get", "list"},
 APIGroups: []string{"apps", "extensions"},
- Resources: []string{
- "deployments",
- "deployments/rollback",
- "deployments/scale",
- },
+ Resources: []string{"deployments", "deployments/scale"},
+ },
+ {
+ Verbs: []string{"list"},
+ APIGroups: []string{""},
+ Resources: []string{"namespaces"},
+ },
+ {
+ Verbs: []string{"get", "list"},
+ APIGroups: []string{""},
+ Resources: []string{"pods", "pods/log", "pods/status"},
+ },
 },
 },
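Review bot: The identical rule `{Verbs: []string{"list"}, APIGroups: []string{""}, Resources: []string{"namespaces"}}` is pasted into six `view` actions across these hunks (@@ -331, -436, -478, -520, -563, -603), and the `get`/`list` rule on `pods`, `pods/log`, `pods/status` into three of them (@@ -436, -478, -603); package-level values such as `listNamespaces = v1.PolicyRule{...}` and `readPods = v1.PolicyRule{...}` referenced from each action would stop the copies drifting apart. The `pods/log` grant deserves a comment where it appears: log read access exposes whatever the workloads print, so adding it to a `view` action is a deliberate widening of that action and should be recorded as such. The @@ -603 hunk also drops `deployments/rollback` from the deployments view resources; if that is intentional it belongs in the commit message, since the subject line only mentions configuration loading.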
@@ -651,4 +789,19 @@ var (
 },
 },
 }
+
+ pods = rule{
+ Name: "pods",
+ Actions: []action{
+ {Name: "terminal",
+ Rules: []v1.PolicyRule{
+ {
+ Verbs: []string{"*"},
+ APIGroups: []string{"kubesphere.io"},
+ Resources: []string{"terminal"},
+ },
+ },
+ },
+ },
+ }
 )
diff --git a/pkg/apis/v1alpha/users/user.go b/pkg/apis/v1alpha/users/user.go
index d62d1e544..23ea8766a 100644
--- a/pkg/apis/v1alpha/users/user.go
+++ b/pkg/apis/v1alpha/users/user.go
@@ -21,6 +21,8 @@ import (
 "github.com/emicklei/go-restful"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
+
 "kubesphere.io/kubesphere/pkg/constants"
 "kubesphere.io/kubesphere/pkg/models"
 )
@@ -60,13 +62,14 @@ func delUser(req *restful.Request, resp *restful.Response) {
 err := models.DelKubectlPod(user)
- if err != nil {
+ if err != nil && !apierrors.IsNotFound(err) {
 resp.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()})
 return
 }
 err = models.DelKubeConfig(user)
- if err != nil {
+
+ if err != nil && !apierrors.IsNotFound(err) {
 resp.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()})
 return
 }
diff --git a/pkg/models/roles.go b/pkg/models/roles.go
index 544a5bf01..c9cd8aaaf 100644
--- a/pkg/models/roles.go
+++ b/pkg/models/roles.go
@@ -1,12 +1,10 @@
 package models
 import (
- "k8s.io/api/rbac/v1"
- meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
- "strings"
-
 "github.com/golang/glog"
+ "k8s.io/api/rbac/v1"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
+ meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "kubesphere.io/kubesphere/pkg/client"
 )
@@ -143,7 +141,7 @@ func GetRoles(username string) ([]v1.Role, error) {
 role.Namespace = roleBinding.Namespace
 roles = append(roles, role)
 break
- } else if strings.HasSuffix(err.Error(), "not found") {
+ } else if apierrors.IsNotFound(err) {
 glog.Infoln(err.Error())
 break
 } else {
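Review bot: In `delUser` (user.go @@ -60) the commit inserts a blank line between `err = models.DelKubeConfig(user)` and its new `if err != nil && !apierrors.IsNotFound(err) {` check, while the `DelKubectlPod` call directly above keeps its check adjacent; `gofmt` preserves the blank, so the two call/check pairs now read differently for no reason. Drop the added empty `+` line so both pairs have the same shape. `delUser` begins and ends outside this hunk.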
@@ -156,7 +154,7 @@ func GetRoles(username string) ([]v1.Role, error) {
 if err == nil {
 roles = append(roles, *rule)
 break
- } else if strings.HasSuffix(err.Error(), "not found") {
+ } else if apierrors.IsNotFound(err) {
 glog.Infoln(err.Error())
 break
 } else {
@@ -193,7 +191,7 @@ func GetClusterRoles(username string) ([]v1.ClusterRole, error) {
 if err == nil {
 roles = append(roles, *rule)
 break
- } else if strings.HasSuffix(err.Error(), "not found") {
+ } else if apierrors.IsNotFound(err) {
 glog.Infoln(err.Error())
 break
 } else {