Refine rules definition
@@ -44,10 +44,26 @@ type userRuleList struct {
|
|||||||
// TODO stored in etcd, allow updates
|
// TODO stored in etcd, allow updates
|
||||||
var (
|
var (
|
||||||
clusterRoleRuleGroup = []rule{projects, users, roles, images,
|
clusterRoleRuleGroup = []rule{projects, users, roles, images,
|
||||||
volumes, storageclasses, nodes, appCatalog, apps}
|
volumes, storageclasses, nodes, appCatalog, apps, components,
|
||||||
|
deployments, statefulsets, daemonsets, services, routes}
|
||||||
|
|
||||||
roleRuleGroup = []rule{deployments, project, statefulsets, daemonsets,
|
roleRuleGroup = []rule{project, deployments, statefulsets, daemonsets,
|
||||||
services, routes, pvc}
|
services, routes}
|
||||||
|
|
||||||
|
components = rule{
|
||||||
|
Name: "components",
|
||||||
|
Actions: []action{
|
||||||
|
{Name: "view",
|
||||||
|
Rules: []v1.PolicyRule{
|
||||||
|
{
|
||||||
|
Verbs: []string{"get", "list"},
|
||||||
|
APIGroups: []string{"kubsphere.io"},
|
||||||
|
Resources: []string{"components"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
projects = rule{
|
projects = rule{
|
||||||
Name: "projects",
|
Name: "projects",
|
||||||
@@ -112,7 +128,7 @@ var (
|
|||||||
Rules: []v1.PolicyRule{
|
Rules: []v1.PolicyRule{
|
||||||
{
|
{
|
||||||
Verbs: []string{"get", "list"},
|
Verbs: []string{"get", "list"},
|
||||||
APIGroups: []string{"iam.kubesphere.io"},
|
APIGroups: []string{"kubesphere.io"},
|
||||||
Resources: []string{"users"},
|
Resources: []string{"users"},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@@ -126,7 +142,7 @@ var (
|
|||||||
Rules: []v1.PolicyRule{
|
Rules: []v1.PolicyRule{
|
||||||
{
|
{
|
||||||
Verbs: []string{"create"},
|
Verbs: []string{"create"},
|
||||||
APIGroups: []string{"iam.kubesphere.io"},
|
APIGroups: []string{"kubesphere.io"},
|
||||||
Resources: []string{"users"},
|
Resources: []string{"users"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@@ -135,7 +151,7 @@ var (
|
|||||||
Rules: []v1.PolicyRule{
|
Rules: []v1.PolicyRule{
|
||||||
{
|
{
|
||||||
Verbs: []string{"update", "patch"},
|
Verbs: []string{"update", "patch"},
|
||||||
APIGroups: []string{"iam.kubesphere.io"},
|
APIGroups: []string{"kubesphere.io"},
|
||||||
Resources: []string{"users"},
|
Resources: []string{"users"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@@ -144,7 +160,7 @@ var (
|
|||||||
Rules: []v1.PolicyRule{
|
Rules: []v1.PolicyRule{
|
||||||
{
|
{
|
||||||
Verbs: []string{"delete", "deletecollection"},
|
Verbs: []string{"delete", "deletecollection"},
|
||||||
APIGroups: []string{"iam.kubesphere.io"},
|
APIGroups: []string{"kubesphere.io"},
|
||||||
Resources: []string{"users"},
|
Resources: []string{"users"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@@ -360,7 +376,34 @@ var (
|
|||||||
Rules: []v1.PolicyRule{
|
Rules: []v1.PolicyRule{
|
||||||
{
|
{
|
||||||
Verbs: []string{"get", "list"},
|
Verbs: []string{"get", "list"},
|
||||||
APIGroups: []string{"extend.kubesphere.io"},
|
APIGroups: []string{"openpitrix.io"},
|
||||||
|
Resources: []string{"appcatalog"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{Name: "create",
|
||||||
|
Rules: []v1.PolicyRule{
|
||||||
|
{
|
||||||
|
Verbs: []string{"create"},
|
||||||
|
APIGroups: []string{"openpitrix.io"},
|
||||||
|
Resources: []string{"appcatalog"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{Name: "edit",
|
||||||
|
Rules: []v1.PolicyRule{
|
||||||
|
{
|
||||||
|
Verbs: []string{"update", "patch"},
|
||||||
|
APIGroups: []string{"openpitrix.io"},
|
||||||
|
Resources: []string{"appcatalog"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{Name: "delete",
|
||||||
|
Rules: []v1.PolicyRule{
|
||||||
|
{
|
||||||
|
Verbs: []string{"delete", "deletecollection"},
|
||||||
|
APIGroups: []string{"openpitrix.io"},
|
||||||
Resources: []string{"appcatalog"},
|
Resources: []string{"appcatalog"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@@ -375,7 +418,7 @@ var (
|
|||||||
Rules: []v1.PolicyRule{
|
Rules: []v1.PolicyRule{
|
||||||
{
|
{
|
||||||
Verbs: []string{"get", "list"},
|
Verbs: []string{"get", "list"},
|
||||||
APIGroups: []string{"extend.kubesphere.io"},
|
APIGroups: []string{"openpitrix.io"},
|
||||||
Resources: []string{"apps"},
|
Resources: []string{"apps"},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@@ -551,47 +594,6 @@ var (
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
pvc = rule{
|
|
||||||
Name: "persistentvolumeclaims",
|
|
||||||
Actions: []action{
|
|
||||||
{Name: "view",
|
|
||||||
Rules: []v1.PolicyRule{
|
|
||||||
{
|
|
||||||
Verbs: []string{"get", "list"},
|
|
||||||
APIGroups: []string{""},
|
|
||||||
Resources: []string{"persistentvolumeclaims"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{Name: "create",
|
|
||||||
Rules: []v1.PolicyRule{
|
|
||||||
{
|
|
||||||
Verbs: []string{"create"},
|
|
||||||
APIGroups: []string{""},
|
|
||||||
Resources: []string{"persistentvolumeclaims"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{Name: "edit",
|
|
||||||
Rules: []v1.PolicyRule{
|
|
||||||
{
|
|
||||||
Verbs: []string{"update", "patch"},
|
|
||||||
APIGroups: []string{""},
|
|
||||||
Resources: []string{"persistentvolumeclaims"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
{Name: "delete",
|
|
||||||
Rules: []v1.PolicyRule{
|
|
||||||
{
|
|
||||||
Verbs: []string{"delete", "deletecollection"},
|
|
||||||
APIGroups: []string{""},
|
|
||||||
Resources: []string{"persistentvolumeclaims"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
deployments = rule{
|
deployments = rule{
|
||||||
Name: "deployments",
|
Name: "deployments",
|
||||||
|
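Review bot: The new components rule's `APIGroups: []string{"kubsphere.io"}` in its view action looks like a typo for `"kubesphere.io"`, the group that the users rules in this same hunk are being switched to; a PolicyRule on a misspelled group matches no real API group, so the view action grants nothing, and the slip is easy to miss in an authorization review because the rule otherwise reads correctly. Change it to `APIGroups: []string{"kubesphere.io"},`. Since these rule groups are static data, a small test asserting that every rule's APIGroups entry belongs to a fixed set of known groups would catch this class of mistake at build time. The var block this hunk edits continues outside the hunk.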
|||||||
@@ -71,6 +71,13 @@ func delUser(req *restful.Request, resp *restful.Response) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
err = models.DeleteRoleBindings(user)
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
resp.WriteHeaderAndEntity(http.StatusInternalServerError, constants.MessageResponse{Message: err.Error()})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
resp.WriteEntity(constants.MessageResponse{Message: "successfully deleted"})
|
resp.WriteEntity(constants.MessageResponse{Message: "successfully deleted"})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
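Review bot: The added `err = models.DeleteRoleBindings(user)` runs after an earlier step in delUser that already returned on failure, so when binding cleanup fails the handler answers 500 while whatever that earlier step did (presumably the user deletion, though it is outside the hunk) is not undone, leaving bindings that still name the removed account and would apply to a later account created with the same name. Consider removing the bindings before the user, or at least logging the bindings that could not be removed together with the username, so that a failure leaves the conservative state. Returning `err.Error()` from the API server verbatim in the response body also hands internal cluster detail to the caller; a fixed message in the response with the detail logged server-side is safer. delUser starts outside the hunk.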
|||||||
@@ -4,11 +4,67 @@ import (
|
|||||||
"k8s.io/api/rbac/v1"
|
"k8s.io/api/rbac/v1"
|
||||||
meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
|
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
"github.com/golang/glog"
|
||||||
|
|
||||||
"kubesphere.io/kubesphere/pkg/client"
|
"kubesphere.io/kubesphere/pkg/client"
|
||||||
)
|
)
|
||||||
|
|
||||||
const ClusterRoleKind = "ClusterRole"
|
const ClusterRoleKind = "ClusterRole"
|
||||||
|
|
||||||
|
func DeleteRoleBindings(username string) error {
|
||||||
|
k8s := client.NewK8sClient()
|
||||||
|
|
||||||
|
roleBindings, err := k8s.RbacV1().RoleBindings("").List(meta_v1.ListOptions{})
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, roleBinding := range roleBindings.Items {
|
||||||
|
|
||||||
|
length1 := len(roleBinding.Subjects)
|
||||||
|
|
||||||
|
for index, subject := range roleBinding.Subjects {
|
||||||
|
if subject.Kind == v1.UserKind && subject.Name == username {
|
||||||
|
roleBinding.Subjects = append(roleBinding.Subjects[:index], roleBinding.Subjects[index+1:]...)
|
||||||
|
index--
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
length2 := len(roleBinding.Subjects)
|
||||||
|
|
||||||
|
if length2 == 0 {
|
||||||
|
k8s.RbacV1().RoleBindings(roleBinding.Namespace).Delete(roleBinding.Name, &meta_v1.DeleteOptions{})
|
||||||
|
} else if length2 < length1 {
|
||||||
|
k8s.RbacV1().RoleBindings(roleBinding.Namespace).Update(&roleBinding)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
clusterRoleBindingList, err := k8s.RbacV1().ClusterRoleBindings().List(meta_v1.ListOptions{})
|
||||||
|
|
||||||
|
for _, roleBinding := range clusterRoleBindingList.Items {
|
||||||
|
length1 := len(roleBinding.Subjects)
|
||||||
|
|
||||||
|
for index, subject := range roleBinding.Subjects {
|
||||||
|
if subject.Kind == v1.UserKind && subject.Name == username {
|
||||||
|
roleBinding.Subjects = append(roleBinding.Subjects[:index], roleBinding.Subjects[index+1:]...)
|
||||||
|
index--
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
length2 := len(roleBinding.Subjects)
|
||||||
|
if length2 == 0 {
|
||||||
|
k8s.RbacV1().ClusterRoleBindings().Delete(roleBinding.Name, &meta_v1.DeleteOptions{})
|
||||||
|
} else if length2 < length1 {
|
||||||
|
k8s.RbacV1().ClusterRoleBindings().Update(&roleBinding)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
func GetRole(namespace string, name string) (*v1.Role, error) {
|
func GetRole(namespace string, name string) (*v1.Role, error) {
|
||||||
k8s := client.NewK8sClient()
|
k8s := client.NewK8sClient()
|
||||||
role, err := k8s.RbacV1().Roles(namespace).Get(name, meta_v1.GetOptions{})
|
role, err := k8s.RbacV1().Roles(namespace).Get(name, meta_v1.GetOptions{})
|
||||||
@@ -77,32 +133,42 @@ func GetRoles(username string) ([]v1.Role, error) {
|
|||||||
roles := make([]v1.Role, 0)
|
roles := make([]v1.Role, 0)
|
||||||
|
|
||||||
for _, roleBinding := range roleBindings.Items {
|
for _, roleBinding := range roleBindings.Items {
|
||||||
|
|
||||||
for _, subject := range roleBinding.Subjects {
|
for _, subject := range roleBinding.Subjects {
|
||||||
if subject.Kind == v1.UserKind && subject.Name == username {
|
if subject.Kind == v1.UserKind && subject.Name == username {
|
||||||
if roleBinding.RoleRef.Kind == ClusterRoleKind {
|
if roleBinding.RoleRef.Kind == ClusterRoleKind {
|
||||||
|
|
||||||
clusterRole, err := k8s.RbacV1().ClusterRoles().Get(roleBinding.RoleRef.Name, meta_v1.GetOptions{})
|
clusterRole, err := k8s.RbacV1().ClusterRoles().Get(roleBinding.RoleRef.Name, meta_v1.GetOptions{})
|
||||||
|
if err == nil {
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
var role = v1.Role(*clusterRole)
|
var role = v1.Role(*clusterRole)
|
||||||
role.Namespace = roleBinding.Namespace
|
role.Namespace = roleBinding.Namespace
|
||||||
|
|
||||||
roles = append(roles, role)
|
roles = append(roles, role)
|
||||||
|
break
|
||||||
|
} else if strings.HasSuffix(err.Error(), "not found") {
|
||||||
|
glog.Infoln(err.Error())
|
||||||
|
break
|
||||||
} else {
|
} else {
|
||||||
rule, err := k8s.RbacV1().Roles(roleBinding.Namespace).Get(roleBinding.RoleRef.Name, meta_v1.GetOptions{})
|
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
} else {
|
||||||
|
if subject.Kind == v1.UserKind && subject.Name == username {
|
||||||
|
rule, err := k8s.RbacV1().Roles(roleBinding.Namespace).Get(roleBinding.RoleRef.Name, meta_v1.GetOptions{})
|
||||||
|
if err == nil {
|
||||||
roles = append(roles, *rule)
|
roles = append(roles, *rule)
|
||||||
|
break
|
||||||
|
} else if strings.HasSuffix(err.Error(), "not found") {
|
||||||
|
glog.Infoln(err.Error())
|
||||||
|
break
|
||||||
|
} else {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return roles, nil
|
return roles, nil
|
||||||
@@ -123,14 +189,16 @@ func GetClusterRoles(username string) ([]v1.ClusterRole, error) {
|
|||||||
for _, subject := range roleBinding.Subjects {
|
for _, subject := range roleBinding.Subjects {
|
||||||
if subject.Kind == v1.UserKind && subject.Name == username {
|
if subject.Kind == v1.UserKind && subject.Name == username {
|
||||||
if roleBinding.RoleRef.Kind == ClusterRoleKind {
|
if roleBinding.RoleRef.Kind == ClusterRoleKind {
|
||||||
|
|
||||||
rule, err := k8s.RbacV1().ClusterRoles().Get(roleBinding.RoleRef.Name, meta_v1.GetOptions{})
|
rule, err := k8s.RbacV1().ClusterRoles().Get(roleBinding.RoleRef.Name, meta_v1.GetOptions{})
|
||||||
|
if err == nil {
|
||||||
if err != nil {
|
roles = append(roles, *rule)
|
||||||
|
break
|
||||||
|
} else if strings.HasSuffix(err.Error(), "not found") {
|
||||||
|
glog.Infoln(err.Error())
|
||||||
|
break
|
||||||
|
} else {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
roles = append(roles, *rule)
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
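Review bot: In DeleteRoleBindings the `clusterRoleBindingList, err := k8s.RbacV1().ClusterRoleBindings().List(...)` result is used without checking err, so a failed list dereferences a nil pointer at `clusterRoleBindingList.Items` and panics the handler, and the Delete and Update calls in both loops discard their errors, so the function returns nil even when a binding was neither removed nor updated and the caller reports success while the deleted user's bindings stay in force. The subject-removal loop also appends into `roleBinding.Subjects` while ranging over it and decrements the range index (which has no effect), so two adjacent subjects for the same user leave one behind. Rewrite with a filter helper and checked errors as below; the ClusterRoleBindings loop gets the same treatment. In the GetRoles and GetClusterRoles hunks, `strings.HasSuffix(err.Error(), "not found")` matches on message text; `errors.IsNotFound(err)` from k8s.io/apimachinery/pkg/api/errors is the supported check.
```go
func DeleteRoleBindings(username string) error {
	k8s := client.NewK8sClient()

	roleBindings, err := k8s.RbacV1().RoleBindings("").List(meta_v1.ListOptions{})
	if err != nil {
		return err
	}

	for _, roleBinding := range roleBindings.Items {
		remaining := withoutUser(roleBinding.Subjects, username)
		if len(remaining) == len(roleBinding.Subjects) {
			continue
		}
		roleBinding.Subjects = remaining
		if len(remaining) == 0 {
			err = k8s.RbacV1().RoleBindings(roleBinding.Namespace).Delete(roleBinding.Name, &meta_v1.DeleteOptions{})
		} else {
			_, err = k8s.RbacV1().RoleBindings(roleBinding.Namespace).Update(&roleBinding)
		}
		if err != nil {
			return err
		}
	}

	clusterRoleBindingList, err := k8s.RbacV1().ClusterRoleBindings().List(meta_v1.ListOptions{})
	if err != nil {
		return err
	}

	// … same filter / delete / update loop over clusterRoleBindingList.Items, with every error returned …

	return nil
}

// withoutUser returns the subjects that do not name username as a User subject.
func withoutUser(subjects []v1.Subject, username string) []v1.Subject {
	kept := make([]v1.Subject, 0, len(subjects))
	for _, s := range subjects {
		if s.Kind == v1.UserKind && s.Name == username {
			continue
		}
		kept = append(kept, s)
	}
	return kept
}
```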
|||||||