Merge pull request #81 from wansir/master
Load configuration from mounted folders
@@ -18,9 +18,16 @@
|
|||||||
package iam
|
package iam
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"encoding/json"
|
||||||
|
"io/ioutil"
|
||||||
|
|
||||||
|
"github.com/golang/glog"
|
||||||
"k8s.io/api/rbac/v1"
|
"k8s.io/api/rbac/v1"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const rulesConfigPath = "/etc/kubesphere/rules.json"
|
||||||
|
const clusterRulesConfigPath = "/etc/kubesphere/clusterrules.json"
|
||||||
|
|
||||||
type roleList struct {
|
type roleList struct {
|
||||||
ClusterRoles []v1.ClusterRole `json:"clusterRoles" protobuf:"bytes,2,rep,name=clusterRoles"`
|
ClusterRoles []v1.ClusterRole `json:"clusterRoles" protobuf:"bytes,2,rep,name=clusterRoles"`
|
||||||
Roles []v1.Role `json:"roles" protobuf:"bytes,2,rep,name=roles"`
|
Roles []v1.Role `json:"roles" protobuf:"bytes,2,rep,name=roles"`
|
||||||
@@ -41,14 +48,35 @@ type userRuleList struct {
|
|||||||
Rules map[string][]rule `json:"rules"`
|
Rules map[string][]rule `json:"rules"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO stored in etcd, allow updates
|
func init() {
|
||||||
|
rulesConfig, err := ioutil.ReadFile(rulesConfigPath)
|
||||||
|
if err == nil {
|
||||||
|
config := &[]rule{}
|
||||||
|
json.Unmarshal(rulesConfig, config)
|
||||||
|
if len(*config) > 0 {
|
||||||
|
roleRuleGroup = *config
|
||||||
|
glog.Info("rules config load success")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
clusterRulesConfig, err := ioutil.ReadFile(clusterRulesConfigPath)
|
||||||
|
|
||||||
|
if err == nil {
|
||||||
|
config := &[]rule{}
|
||||||
|
json.Unmarshal(clusterRulesConfig, config)
|
||||||
|
if len(*config) > 0 {
|
||||||
|
clusterRoleRuleGroup = *config
|
||||||
|
glog.Info("cluster rules config load success")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
clusterRoleRuleGroup = []rule{projects, users, roles, images,
|
clusterRoleRuleGroup = []rule{projects, users, roles, images,
|
||||||
volumes, storageclasses, nodes, appCatalog, apps, components,
|
volumes, storageclasses, nodes, appCatalog, apps, components, deployments, statefulsets, daemonsets, pods, services, routes}
|
||||||
deployments, statefulsets, daemonsets, services, routes}
|
|
||||||
|
|
||||||
roleRuleGroup = []rule{project, deployments, statefulsets, daemonsets,
|
roleRuleGroup = []rule{project, deployments, statefulsets, daemonsets, pods,
|
||||||
services, routes}
|
services, routes, volumes}
|
||||||
|
|
||||||
components = rule{
|
components = rule{
|
||||||
Name: "components",
|
Name: "components",
|
||||||
@@ -86,6 +114,15 @@ var (
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{Name: "edit",
|
||||||
|
Rules: []v1.PolicyRule{
|
||||||
|
{
|
||||||
|
Verbs: []string{"update", "patch"},
|
||||||
|
APIGroups: []string{""},
|
||||||
|
Resources: []string{"namespaces"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
{Name: "delete",
|
{Name: "delete",
|
||||||
Rules: []v1.PolicyRule{
|
Rules: []v1.PolicyRule{
|
||||||
{
|
{
|
||||||
@@ -95,12 +132,6 @@ var (
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
project = rule{
|
|
||||||
Name: "project",
|
|
||||||
Actions: []action{
|
|
||||||
{Name: "members",
|
{Name: "members",
|
||||||
Rules: []v1.PolicyRule{
|
Rules: []v1.PolicyRule{
|
||||||
{
|
{
|
||||||
@@ -121,6 +152,48 @@ var (
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
project = rule{
|
||||||
|
Name: "projects",
|
||||||
|
Actions: []action{
|
||||||
|
{Name: "members",
|
||||||
|
Rules: []v1.PolicyRule{
|
||||||
|
{
|
||||||
|
Verbs: []string{"get", "list", "create", "delete"},
|
||||||
|
APIGroups: []string{"rbac.authorization.k8s.io"},
|
||||||
|
Resources: []string{"rolebindings"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{Name: "member_roles",
|
||||||
|
Rules: []v1.PolicyRule{
|
||||||
|
{
|
||||||
|
Verbs: []string{"get", "list", "create", "delete", "patch", "update"},
|
||||||
|
APIGroups: []string{"rbac.authorization.k8s.io"},
|
||||||
|
Resources: []string{"roles"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{Name: "edit",
|
||||||
|
Rules: []v1.PolicyRule{
|
||||||
|
{
|
||||||
|
Verbs: []string{"update", "patch"},
|
||||||
|
APIGroups: []string{""},
|
||||||
|
Resources: []string{"namespaces"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{Name: "delete",
|
||||||
|
Rules: []v1.PolicyRule{
|
||||||
|
{
|
||||||
|
Verbs: []string{"delete"},
|
||||||
|
APIGroups: []string{""},
|
||||||
|
Resources: []string{"namespaces"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
users = rule{
|
users = rule{
|
||||||
Name: "users",
|
Name: "users",
|
||||||
Actions: []action{
|
Actions: []action{
|
||||||
@@ -134,7 +207,7 @@ var (
|
|||||||
{
|
{
|
||||||
Verbs: []string{"get", "list"},
|
Verbs: []string{"get", "list"},
|
||||||
APIGroups: []string{"rbac.authorization.k8s.io"},
|
APIGroups: []string{"rbac.authorization.k8s.io"},
|
||||||
Resources: []string{"rolebindings", "clusterrolebindings"},
|
Resources: []string{"clusterrolebindings"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@@ -145,6 +218,11 @@ var (
|
|||||||
APIGroups: []string{"kubesphere.io"},
|
APIGroups: []string{"kubesphere.io"},
|
||||||
Resources: []string{"users"},
|
Resources: []string{"users"},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
Verbs: []string{"create", "delete", "deletecollection"},
|
||||||
|
APIGroups: []string{"rbac.authorization.k8s.io"},
|
||||||
|
Resources: []string{"clusterrolebindings"},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{Name: "edit",
|
{Name: "edit",
|
||||||
@@ -154,6 +232,11 @@ var (
|
|||||||
APIGroups: []string{"kubesphere.io"},
|
APIGroups: []string{"kubesphere.io"},
|
||||||
Resources: []string{"users"},
|
Resources: []string{"users"},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
Verbs: []string{"create", "delete", "deletecollection"},
|
||||||
|
APIGroups: []string{"rbac.authorization.k8s.io"},
|
||||||
|
Resources: []string{"clusterrolebindings"},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{Name: "delete",
|
{Name: "delete",
|
||||||
@@ -176,7 +259,7 @@ var (
|
|||||||
{
|
{
|
||||||
Verbs: []string{"get", "list"},
|
Verbs: []string{"get", "list"},
|
||||||
APIGroups: []string{"rbac.authorization.k8s.io"},
|
APIGroups: []string{"rbac.authorization.k8s.io"},
|
||||||
Resources: []string{"roles", "clusterroles"},
|
Resources: []string{"clusterroles"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@@ -186,7 +269,7 @@ var (
|
|||||||
{
|
{
|
||||||
Verbs: []string{"create"},
|
Verbs: []string{"create"},
|
||||||
APIGroups: []string{"rbac.authorization.k8s.io"},
|
APIGroups: []string{"rbac.authorization.k8s.io"},
|
||||||
Resources: []string{"roles", "clusterroles"},
|
Resources: []string{"clusterroles"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@@ -195,7 +278,7 @@ var (
|
|||||||
{
|
{
|
||||||
Verbs: []string{"update", "patch"},
|
Verbs: []string{"update", "patch"},
|
||||||
APIGroups: []string{"rbac.authorization.k8s.io"},
|
APIGroups: []string{"rbac.authorization.k8s.io"},
|
||||||
Resources: []string{"roles", "clusterroles"},
|
Resources: []string{"clusterroles"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@@ -204,16 +287,7 @@ var (
|
|||||||
{
|
{
|
||||||
Verbs: []string{"delete", "deletecollection"},
|
Verbs: []string{"delete", "deletecollection"},
|
||||||
APIGroups: []string{"rbac.authorization.k8s.io"},
|
APIGroups: []string{"rbac.authorization.k8s.io"},
|
||||||
Resources: []string{"roles", "clusterroles"},
|
Resources: []string{"clusterroles"},
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{Name: "role_binding",
|
|
||||||
Rules: []v1.PolicyRule{
|
|
||||||
{
|
|
||||||
Verbs: []string{"create", "delete", "deletecollection"},
|
|
||||||
APIGroups: []string{"rbac.authorization.k8s.io"},
|
|
||||||
Resources: []string{"rolebindings", "clusterrolebindings"},
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@@ -232,6 +306,24 @@ var (
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{Name: "edit",
|
||||||
|
Rules: []v1.PolicyRule{
|
||||||
|
{
|
||||||
|
Verbs: []string{"update", "patch"},
|
||||||
|
APIGroups: []string{""},
|
||||||
|
Resources: []string{"nodes"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{Name: "drain",
|
||||||
|
Rules: []v1.PolicyRule{
|
||||||
|
{
|
||||||
|
Verbs: []string{"*"},
|
||||||
|
APIGroups: []string{"kubesphere.io"},
|
||||||
|
Resources: []string{"nodes"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -245,18 +337,14 @@ var (
|
|||||||
APIGroups: []string{""},
|
APIGroups: []string{""},
|
||||||
Resources: []string{"persistentvolumes"},
|
Resources: []string{"persistentvolumes"},
|
||||||
},
|
},
|
||||||
},
|
|
||||||
},
|
|
||||||
{Name: "create",
|
|
||||||
Rules: []v1.PolicyRule{
|
|
||||||
{
|
{
|
||||||
Verbs: []string{"get", "list"},
|
Verbs: []string{"list"},
|
||||||
APIGroups: []string{""},
|
APIGroups: []string{""},
|
||||||
Resources: []string{"persistentvolumes"},
|
Resources: []string{"namespaces"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{Name: "delete",
|
{Name: "create",
|
||||||
Rules: []v1.PolicyRule{
|
Rules: []v1.PolicyRule{
|
||||||
{
|
{
|
||||||
Verbs: []string{"get", "list"},
|
Verbs: []string{"get", "list"},
|
||||||
@@ -274,6 +362,15 @@ var (
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{Name: "delete",
|
||||||
|
Rules: []v1.PolicyRule{
|
||||||
|
{
|
||||||
|
Verbs: []string{"get", "list"},
|
||||||
|
APIGroups: []string{""},
|
||||||
|
Resources: []string{"persistentvolumes"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -331,6 +428,11 @@ var (
|
|||||||
"secrets",
|
"secrets",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
Verbs: []string{"list"},
|
||||||
|
APIGroups: []string{""},
|
||||||
|
Resources: []string{"namespaces"},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{Name: "create",
|
{Name: "create",
|
||||||
@@ -436,6 +538,16 @@ var (
|
|||||||
APIGroups: []string{"apps"},
|
APIGroups: []string{"apps"},
|
||||||
Resources: []string{"statefulsets"},
|
Resources: []string{"statefulsets"},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
Verbs: []string{"list"},
|
||||||
|
APIGroups: []string{""},
|
||||||
|
Resources: []string{"namespaces"},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Verbs: []string{"get", "list"},
|
||||||
|
APIGroups: []string{""},
|
||||||
|
Resources: []string{"pods", "pods/log", "pods/status"},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{Name: "create",
|
{Name: "create",
|
||||||
@@ -478,6 +590,16 @@ var (
|
|||||||
APIGroups: []string{"apps", "extensions"},
|
APIGroups: []string{"apps", "extensions"},
|
||||||
Resources: []string{"daemonsets"},
|
Resources: []string{"daemonsets"},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
Verbs: []string{"list"},
|
||||||
|
APIGroups: []string{""},
|
||||||
|
Resources: []string{"namespaces"},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Verbs: []string{"get", "list"},
|
||||||
|
APIGroups: []string{""},
|
||||||
|
Resources: []string{"pods", "pods/log", "pods/status"},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{Name: "create",
|
{Name: "create",
|
||||||
@@ -520,6 +642,11 @@ var (
|
|||||||
APIGroups: []string{""},
|
APIGroups: []string{""},
|
||||||
Resources: []string{"services"},
|
Resources: []string{"services"},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
Verbs: []string{"list"},
|
||||||
|
APIGroups: []string{""},
|
||||||
|
Resources: []string{"namespaces"},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{Name: "create",
|
{Name: "create",
|
||||||
@@ -563,6 +690,11 @@ var (
|
|||||||
APIGroups: []string{"extensions"},
|
APIGroups: []string{"extensions"},
|
||||||
Resources: []string{"ingresses"},
|
Resources: []string{"ingresses"},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
Verbs: []string{"list"},
|
||||||
|
APIGroups: []string{""},
|
||||||
|
Resources: []string{"namespaces"},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{Name: "create",
|
{Name: "create",
|
||||||
@@ -603,11 +735,17 @@ var (
|
|||||||
{
|
{
|
||||||
Verbs: []string{"get", "list"},
|
Verbs: []string{"get", "list"},
|
||||||
APIGroups: []string{"apps", "extensions"},
|
APIGroups: []string{"apps", "extensions"},
|
||||||
Resources: []string{
|
Resources: []string{"deployments", "deployments/scale"},
|
||||||
"deployments",
|
},
|
||||||
"deployments/rollback",
|
{
|
||||||
"deployments/scale",
|
Verbs: []string{"list"},
|
||||||
},
|
APIGroups: []string{""},
|
||||||
|
Resources: []string{"namespaces"},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Verbs: []string{"get", "list"},
|
||||||
|
APIGroups: []string{""},
|
||||||
|
Resources: []string{"pods", "pods/log", "pods/status"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@@ -651,4 +789,19 @@ var (
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pods = rule{
|
||||||
|
Name: "pods",
|
||||||
|
Actions: []action{
|
||||||
|
{Name: "terminal",
|
||||||
|
Rules: []v1.PolicyRule{
|
||||||
|
{
|
||||||
|
Verbs: []string{"*"},
|
||||||
|
APIGroups: []string{"kubesphere.io"},
|
||||||
|
Resources: []string{"terminal"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
)
|
)
|
||||||
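Review bot: The return value of `json.Unmarshal` is discarded at both decode sites of the `init()` added in the second hunk (`@@ -41,14 +48,35 @@`), so a rules.json that is malformed part-way through can leave a partially decoded slice that still passes `len(*config) > 0`, gets installed as `roleRuleGroup`, and is reported as "rules config load success"; a file that fails to decode entirely silently keeps the compiled-in defaults, as does any `ioutil.ReadFile` failure other than the file being absent (permissions, a directory at that path). Since these two groups are the authorization policy, an operator who mounted a more restrictive policy would have no signal that it was not applied. I would factor the duplicated read-and-decode into a helper that returns the error, and in `init()` only treat `os.IsNotExist` as the quiet default case, logging everything else with `glog.Errorf` (this needs an `os` import; the existing log strings are kept). The sketch below shows the shape for the first path; the cluster path follows the same pattern.
```go
// loadRules decodes a JSON array of rule from path. A missing file surfaces as an
// os.IsNotExist error so the caller can keep its compiled-in defaults quietly.
func loadRules(path string) ([]rule, error) {
	data, err := ioutil.ReadFile(path)
	if err != nil {
		return nil, err
	}
	var rules []rule
	if err := json.Unmarshal(data, &rules); err != nil {
		return nil, err // drop any partially decoded elements
	}
	return rules, nil
}

func init() {
	if rules, err := loadRules(rulesConfigPath); err == nil && len(rules) > 0 {
		roleRuleGroup = rules
		glog.Info("rules config load success")
	} else if err != nil && !os.IsNotExist(err) {
		// a present but unreadable/unparseable policy file must not fall back silently
		glog.Errorf("load %s: %v", rulesConfigPath, err)
	}
	// … same pattern for clusterRulesConfigPath / clusterRoleRuleGroup, logging "cluster rules config load success" …
}
```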
|
|||||||
@@ -21,6 +21,8 @@ import (
|
|||||||
|
|
||||||
"github.com/emicklei/go-restful"
|
"github.com/emicklei/go-restful"
|
||||||
|
|
||||||
|
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||||
|
|
||||||
"kubesphere.io/kubesphere/pkg/constants"
|
"kubesphere.io/kubesphere/pkg/constants"
|
||||||
"kubesphere.io/kubesphere/pkg/models"
|
"kubesphere.io/kubesphere/pkg/models"
|
||||||
)
|
)
|
||||||
@@ -60,13 +62,14 @@ func delUser(req *restful.Request, resp *restful.Response) {
|
|||||||
|
|
||||||
err := models.DelKubectlPod(user)
|
err := models.DelKubectlPod(user)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil && !apierrors.IsNotFound(err) {
|
||||||
resp.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()})
|
resp.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()})
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
err = models.DelKubeConfig(user)
|
err = models.DelKubeConfig(user)
|
||||||
if err != nil {
|
|
||||||
|
if err != nil && !apierrors.IsNotFound(err) {
|
||||||
resp.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()})
|
resp.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()})
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,12 +1,10 @@
|
|||||||
package models
|
package models
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"k8s.io/api/rbac/v1"
|
|
||||||
meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
||||||
|
|
||||||
"strings"
|
|
||||||
|
|
||||||
"github.com/golang/glog"
|
"github.com/golang/glog"
|
||||||
|
"k8s.io/api/rbac/v1"
|
||||||
|
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||||
|
meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
|
||||||
"kubesphere.io/kubesphere/pkg/client"
|
"kubesphere.io/kubesphere/pkg/client"
|
||||||
)
|
)
|
||||||
@@ -143,7 +141,7 @@ func GetRoles(username string) ([]v1.Role, error) {
|
|||||||
role.Namespace = roleBinding.Namespace
|
role.Namespace = roleBinding.Namespace
|
||||||
roles = append(roles, role)
|
roles = append(roles, role)
|
||||||
break
|
break
|
||||||
} else if strings.HasSuffix(err.Error(), "not found") {
|
} else if apierrors.IsNotFound(err) {
|
||||||
glog.Infoln(err.Error())
|
glog.Infoln(err.Error())
|
||||||
break
|
break
|
||||||
} else {
|
} else {
|
||||||
@@ -156,7 +154,7 @@ func GetRoles(username string) ([]v1.Role, error) {
|
|||||||
if err == nil {
|
if err == nil {
|
||||||
roles = append(roles, *rule)
|
roles = append(roles, *rule)
|
||||||
break
|
break
|
||||||
} else if strings.HasSuffix(err.Error(), "not found") {
|
} else if apierrors.IsNotFound(err) {
|
||||||
glog.Infoln(err.Error())
|
glog.Infoln(err.Error())
|
||||||
break
|
break
|
||||||
} else {
|
} else {
|
||||||
@@ -193,7 +191,7 @@ func GetClusterRoles(username string) ([]v1.ClusterRole, error) {
|
|||||||
if err == nil {
|
if err == nil {
|
||||||
roles = append(roles, *rule)
|
roles = append(roles, *rule)
|
||||||
break
|
break
|
||||||
} else if strings.HasSuffix(err.Error(), "not found") {
|
} else if apierrors.IsNotFound(err) {
|
||||||
glog.Infoln(err.Error())
|
glog.Infoln(err.Error())
|
||||||
break
|
break
|
||||||
} else {
|
} else {
|
||||||
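Review bot: The replaced `} else if apierrors.IsNotFound(err) {` branches in the three hunks of this file (`GetRoles` at `@@ -143,7 +141,7 @@` and `@@ -156,7 +154,7 @@`, `GetClusterRoles` at `@@ -193,7 +191,7 @@`) log at Info and `break`, which silently drops a binding whose referenced Role or ClusterRole no longer exists, while the surrounding `else` branch (outside the hunk) presumably retries; that asymmetry is the intent but it is not stated anywhere, and the enclosing functions start outside the hunks. A one-line comment above each branch would stop the next reader from "fixing" it into a retry: `// the referenced role is gone; nothing to retry, skip this binding`. Since the condition now matches only a Kubernetes status error, it is also worth a note at the top of `GetRoles`/`GetClusterRoles` that callers must pass the client's error through unwrapped for `apierrors.IsNotFound` to match.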
|
|||||||