@@ -21,6 +21,7 @@ import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"github.com/golang/glog"
|
||||
"io/ioutil"
|
||||
"kubesphere.io/kubesphere/pkg/informers"
|
||||
"kubesphere.io/kubesphere/pkg/simple/client/k8s"
|
||||
@@ -174,7 +175,7 @@ func GetRoles(username string, namespace string) ([]*v1.Role, error) {
|
||||
func GetClusterRoles(username string) ([]*v1.ClusterRole, error) {
|
||||
clusterRoleLister := informers.SharedInformerFactory().Rbac().V1().ClusterRoles().Lister()
|
||||
clusterRoleBindingLister := informers.SharedInformerFactory().Rbac().V1().ClusterRoleBindings().Lister()
|
||||
clusterRoleBindings, err := clusterRoleBindingLister.List(labels.Everything())
|
||||
clusterRoleBindings, err := clusterRoleBindingLister.List(labels.SelectorFromSet(labels.Set{"": ""}))
|
||||
|
||||
if err != nil {
|
||||
return nil, err
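Review bot: `labels.SelectorFromSet(labels.Set{"": ""})` on the new List call uses an empty label key, which is not a valid key, so what the selector matches is left to how the apimachinery version in use treats an invalid requirement — as far as I can tell older releases drop it and the selector degrades to match-everything, while newer ones keep a requirement no ClusterRoleBinding can satisfy and the list comes back empty. In a function that decides which cluster roles a user holds, the empty case silently denies every role and the other case is just the old `labels.Everything()` spelled obscurely, so the intent should be explicit: keep `labels.Everything()` if all bindings are wanted, or name the real label key and value if a filter is intended. GetClusterRoles continues outside the hunk.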
|
||||
@@ -204,7 +205,7 @@ func GetClusterRoles(username string) ([]*v1.ClusterRole, error) {
|
||||
roles = append(roles, role)
|
||||
break
|
||||
} else if apierrors.IsNotFound(err) {
|
||||
log.Println(err)
|
||||
glog.Warningln(err)
|
||||
break
|
||||
} else {
|
||||
return nil, err
|
||||
@@ -572,8 +573,10 @@ func GetRoleSimpleRules(roles []*v1.Role, namespace string) (map[string][]models
|
||||
return rulesMapping, nil
|
||||
}
|
||||
|
||||
//
|
||||
func CreateClusterRoleBinding(username string, clusterRoleName string) error {
|
||||
clusterRoleLister := informers.SharedInformerFactory().Rbac().V1().ClusterRoles().Lister()
|
||||
|
||||
_, err := clusterRoleLister.Get(clusterRoleName)
|
||||
|
||||
if err != nil {
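Review bot: The added `//` above `CreateClusterRoleBinding` is an empty comment, not a doc comment, so the exported function still has no documentation. Replace it with a sentence that starts with the name, e.g. `// CreateClusterRoleBinding binds the cluster role named clusterRoleName to username; the role is resolved through the shared informer lister first.` The body of CreateClusterRoleBinding continues outside the hunk, so the behaviour after a failed lookup should be added to the comment once confirmed.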
|
||||
|
||||
@@ -18,19 +18,13 @@
|
||||
package iam
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"strings"
|
||||
|
||||
"kubesphere.io/kubesphere/pkg/informers"
|
||||
"kubesphere.io/kubesphere/pkg/simple/client/ldap"
|
||||
|
||||
"k8s.io/api/rbac/v1"
|
||||
"k8s.io/kubernetes/pkg/util/slice"
|
||||
|
||||
"kubesphere.io/kubesphere/pkg/constants"
|
||||
kserr "kubesphere.io/kubesphere/pkg/errors"
|
||||
"kubesphere.io/kubesphere/pkg/models"
|
||||
)
|
||||
|
||||
@@ -75,27 +69,18 @@ func GetUsers(names []string) ([]models.User, error) {
|
||||
return make([]models.User, 0), nil
|
||||
}
|
||||
|
||||
result, err := http.Get(fmt.Sprintf("http://%s/apis/account.kubesphere.io/v1alpha1/users?name=%s", constants.AccountAPIServer, strings.Join(names, ",")))
|
||||
conn, err := ldap.Client()
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
defer result.Body.Close()
|
||||
data, err := ioutil.ReadAll(result.Body)
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if result.StatusCode > 200 {
|
||||
return nil, kserr.Parse(data)
|
||||
}
|
||||
|
||||
err = json.Unmarshal(data, &users)
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
for _, name := range names {
|
||||
user, err := UserDetail(name, conn)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
users = append(users, *user)
|
||||
}
|
||||
|
||||
return users, nil
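Review bot: The LDAP connection obtained from `ldap.Client()` in the new GetUsers body is never released; the HTTP path it replaces had `defer result.Body.Close()`, but nothing equivalent follows the error check here, and the same holds for the new GetUser in the next hunk. Unless `ldap.Client()` hands out a shared, package-managed connection (not visible here), every call leaks a connection to the directory, which is an easily reached resource exhaustion on the identity backend; add `defer conn.Close()` after the `if err != nil` block in both functions. The new per-name loop also returns on the first `UserDetail` failure, so one unresolvable name now fails the whole batch where the old single query did not; if callers rely on partial results, skip not-found entries instead of returning. Whether `UserDetail` escapes `name` before building an LDAP filter is not visible in this hunk and is worth confirming, since `names` appears to originate from request input.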
|
||||
@@ -103,32 +88,19 @@ func GetUsers(names []string) ([]models.User, error) {
|
||||
|
||||
func GetUser(name string) (*models.User, error) {
|
||||
|
||||
result, err := http.Get(fmt.Sprintf("http://%s/apis/account.kubesphere.io/v1alpha1/users/%s", constants.AccountAPIServer, name))
|
||||
conn, err := ldap.Client()
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
defer result.Body.Close()
|
||||
data, err := ioutil.ReadAll(result.Body)
|
||||
user, err := UserDetail(name, conn)
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if result.StatusCode > 200 {
|
||||
return nil, kserr.Parse(data)
|
||||
}
|
||||
|
||||
var user models.User
|
||||
|
||||
err = json.Unmarshal(data, &user)
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &user, nil
|
||||
return user, nil
|
||||
}
|
||||
|
||||
func GetUserNamespaces(username string, requiredRule v1.PolicyRule) (allNamespace bool, namespaces []string, err error) {
|
||||
|
||||
@@ -24,7 +24,6 @@ import (
|
||||
"kubesphere.io/kubesphere/pkg/informers"
|
||||
"kubesphere.io/kubesphere/pkg/simple/client/k8s"
|
||||
"kubesphere.io/kubesphere/pkg/simple/client/redis"
|
||||
"os"
|
||||
"regexp"
|
||||
"strconv"
|
||||
"strings"
|
||||
@@ -42,27 +41,18 @@ import (
|
||||
jwtutils "kubesphere.io/kubesphere/pkg/utils/jwt"
|
||||
)
|
||||
|
||||
const (
|
||||
envAdminEmail = "ADMIN_EMAIL"
|
||||
envAdminPWD = "ADMIN_PWD"
|
||||
)
|
||||
|
||||
var (
|
||||
counter Counter
|
||||
AdminEmail = "admin@kubesphere.io"
|
||||
AdminPWD = "passw0rd"
|
||||
counter Counter
|
||||
adminEmail string
|
||||
adminPassword string
|
||||
tokenExpireTime time.Duration
|
||||
)
|
||||
|
||||
func init() {
|
||||
if env := os.Getenv(envAdminEmail); env != "" {
|
||||
AdminEmail = env
|
||||
}
|
||||
if env := os.Getenv(envAdminPWD); env != "" {
|
||||
AdminPWD = env
|
||||
}
|
||||
}
|
||||
func Init(email, password string, t time.Duration) error {
|
||||
adminEmail = email
|
||||
adminPassword = password
|
||||
tokenExpireTime = t
|
||||
|
||||
func DatabaseInit() error {
|
||||
conn, err := ldapclient.Client()
|
||||
|
||||
if err != nil {
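Review bot: The new `Init(email, password string, t time.Duration) error` stores its arguments without validating them, yet `checkAndCreateDefaultUser` later creates the administrator with `Password: adminPassword`, so an empty or unset password now yields an admin account with an empty password, and a zero `t` makes every token issued by Login expire immediately. Since the commit rightly drops the hard-coded `passw0rd` default, this is the only remaining guard: add `if email == "" || password == "" { return fmt.Errorf("admin email and password must not be empty") }` and `if t <= 0 { return fmt.Errorf("token expire time must be positive") }` before the assignments. Init's return and closing brace are not visible in this hunk.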
|
||||
@@ -96,13 +86,16 @@ func checkAndCreateDefaultGroup(conn ldap.Client) error {
|
||||
|
||||
if ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) {
|
||||
err = createGroupsBaseDN(conn)
|
||||
if err != nil {
|
||||
return fmt.Errorf("GroupBaseDN %s create failed: %s\n", ldapclient.GroupSearchBase, err)
|
||||
}
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
return fmt.Errorf("GroupBaseDN %s not exist: %s\n", ldapclient.GroupSearchBase, err)
|
||||
return fmt.Errorf("iam database init failed: %s\n", err)
|
||||
}
|
||||
|
||||
if len(groups.Entries) == 0 {
|
||||
if groups == nil || len(groups.Entries) == 0 {
|
||||
_, err = CreateGroup(models.Group{Path: constants.SystemWorkspace, Name: constants.SystemWorkspace, Creator: constants.AdminUserName, Description: "system workspace"})
|
||||
|
||||
if err != nil {
|
||||
@@ -127,21 +120,24 @@ func checkAndCreateDefaultUser(conn ldap.Client) error {
|
||||
|
||||
if ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) {
|
||||
err = createUserBaseDN(conn)
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
return fmt.Errorf("UserBaseDN %s not exist: %s\n", ldapclient.UserSearchBase, err)
|
||||
}
|
||||
|
||||
if len(users.Entries) == 0 {
|
||||
err := CreateUser(models.User{Username: constants.AdminUserName, Email: AdminEmail, Password: AdminPWD, Description: "Administrator account that was always created by default."})
|
||||
|
||||
if err != nil {
|
||||
return fmt.Errorf("admin create failed: %s\n", err)
|
||||
return fmt.Errorf("UserBaseDN %s create failed: %s\n", ldapclient.UserSearchBase, err)
|
||||
}
|
||||
}
|
||||
|
||||
counter = NewCounter(len(users.Entries))
|
||||
if err != nil {
|
||||
return fmt.Errorf("iam database init failed: %s\n", err)
|
||||
}
|
||||
|
||||
if users == nil || len(users.Entries) == 0 {
|
||||
counter = NewCounter(0)
|
||||
err := CreateUser(models.User{Username: constants.AdminUserName, Email: adminEmail, Password: adminPassword, Description: "Administrator account that was always created by default."})
|
||||
if err != nil {
|
||||
return fmt.Errorf("admin create failed: %s\n", err)
|
||||
}
|
||||
} else {
|
||||
counter = NewCounter(len(users.Entries))
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
@@ -200,8 +196,6 @@ func Login(username string, password string, ip string) (string, error) {
|
||||
email := result.Entries[0].GetAttributeValue("mail")
|
||||
dn := result.Entries[0].DN
|
||||
|
||||
user := models.User{Username: uid, Email: email}
|
||||
|
||||
// bind as the user to verify their password
|
||||
err = conn.Bind(dn, password)
|
||||
|
||||
@@ -209,25 +203,29 @@ func Login(username string, password string, ip string) (string, error) {
|
||||
return "", err
|
||||
}
|
||||
|
||||
if ip != "" {
|
||||
redisClient := redis.Client()
|
||||
redisClient.RPush(fmt.Sprintf("kubesphere:users:%s:login-log", uid), fmt.Sprintf("%s,%s", time.Now().UTC().Format("2006-01-02T15:04:05Z"), ip))
|
||||
redisClient.LTrim(fmt.Sprintf("kubesphere:users:%s:login-log", uid), -10, -1)
|
||||
}
|
||||
|
||||
claims := jwt.MapClaims{}
|
||||
|
||||
claims["exp"] = time.Now().Add(time.Hour * 24).Unix()
|
||||
claims["username"] = user.Username
|
||||
claims["email"] = user.Email
|
||||
claims["exp"] = time.Now().Add(tokenExpireTime).Unix()
|
||||
claims["username"] = uid
|
||||
claims["email"] = email
|
||||
|
||||
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
||||
|
||||
uToken, _ := token.SignedString(jwtutils.Secret)
|
||||
|
||||
loginLog(uid, ip)
|
||||
|
||||
return uToken, nil
|
||||
}
|
||||
|
||||
func loginLog(uid, ip string) {
|
||||
if ip != "" {
|
||||
redisClient := redis.Client()
|
||||
redisClient.RPush(fmt.Sprintf("kubesphere:users:%s:login-log", uid), fmt.Sprintf("%s,%s", time.Now().UTC().Format("2006-01-02T15:04:05Z"), ip))
|
||||
redisClient.LTrim(fmt.Sprintf("kubesphere:users:%s:login-log", uid), -10, -1)
|
||||
}
|
||||
}
|
||||
|
||||
func UserList(limit int, offset int) (int, []models.User, error) {
|
||||
|
||||
conn, err := ldapclient.Client()
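Review bot: The new `loginLog` discards the results of `redisClient.RPush` and `redisClient.LTrim`, so a failed write to the login history is silent; if `redis.Client()` wraps a go-redis style client the returned command objects expose `Err()`, and at least a warning log on a non-nil error belongs here because the login log is audit data defenders rely on. Separately, `claims["exp"] = time.Now().Add(tokenExpireTime).Unix()` depends on `Init` having been called with a positive duration; with the package-level zero value the token is already expired when signed. The pre-existing `uToken, _ := token.SignedString(jwtutils.Secret)` still drops the signing error and would return an empty token with a nil error; it is untouched by this commit but sits beside the new code and should become `uToken, err := token.SignedString(jwtutils.Secret)` followed by `if err != nil { return "", err }`.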
|
||||
@@ -668,7 +666,7 @@ func CreateUser(user models.User) error {
|
||||
}
|
||||
|
||||
if len(result.Entries) > 0 {
|
||||
return errors.New("username or email already exists")
|
||||
return ldap.NewError(ldap.LDAPResultEntryAlreadyExists, fmt.Errorf("username or email already exists"))
|
||||
}
|
||||
|
||||
maxUid, err := getMaxUid(conn)
|
||||
|
||||