code refactor (#1923)

Signed-off-by: hongming <talonwan@yunify.com>
This commit is contained in:
hongming
2020-02-25 20:47:59 +08:00
committed by GitHub
parent 0664eeb559
commit 570ef8b60a
8 changed files with 98 additions and 104 deletions


@@ -126,14 +126,14 @@ func AddToContainer(c *restful.Container, k8sClient k8s.Client, ldapClient ldapp
To(handler.ListClusterRoleRules). To(handler.ListClusterRoleRules).
Doc("List all policy rules of the specified cluster role."). Doc("List all policy rules of the specified cluster role.").
Param(ws.PathParameter("clusterrole", "cluster role name")). Param(ws.PathParameter("clusterrole", "cluster role name")).
Returns(http.StatusOK, api.StatusOK, []iam.SimpleRule{}). Returns(http.StatusOK, api.StatusOK, []policy.SimpleRule{}).
Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag})) Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
ws.Route(ws.GET("/namespaces/{namespace}/roles/{role}/rules"). ws.Route(ws.GET("/namespaces/{namespace}/roles/{role}/rules").
To(handler.ListRoleRules). To(handler.ListRoleRules).
Doc("List all policy rules of the specified role in the given namespace."). Doc("List all policy rules of the specified role in the given namespace.").
Param(ws.PathParameter("namespace", "kubernetes namespace")). Param(ws.PathParameter("namespace", "kubernetes namespace")).
Param(ws.PathParameter("role", "role name")). Param(ws.PathParameter("role", "role name")).
Returns(http.StatusOK, api.StatusOK, []iam.SimpleRule{}). Returns(http.StatusOK, api.StatusOK, []policy.SimpleRule{}).
Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag})) Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
ws.Route(ws.GET("/rulesmapping/clusterroles"). ws.Route(ws.GET("/rulesmapping/clusterroles").
To(handler.ClusterRulesMapping). To(handler.ClusterRulesMapping).


@@ -29,7 +29,7 @@ import (
"kubesphere.io/kubesphere/pkg/apiserver/runtime" "kubesphere.io/kubesphere/pkg/apiserver/runtime"
"kubesphere.io/kubesphere/pkg/constants" "kubesphere.io/kubesphere/pkg/constants"
"kubesphere.io/kubesphere/pkg/models" "kubesphere.io/kubesphere/pkg/models"
"kubesphere.io/kubesphere/pkg/models/iam" "kubesphere.io/kubesphere/pkg/models/iam/policy"
"kubesphere.io/kubesphere/pkg/server/errors" "kubesphere.io/kubesphere/pkg/server/errors"
"kubesphere.io/kubesphere/pkg/server/params" "kubesphere.io/kubesphere/pkg/server/params"
"kubesphere.io/kubesphere/pkg/simple/client/k8s" "kubesphere.io/kubesphere/pkg/simple/client/k8s"
@@ -63,19 +63,19 @@ func AddToContainer(c *restful.Container, k8sClient k8s.Client, db *mysql.Databa
To(handler.ListWorkspaceRules). To(handler.ListWorkspaceRules).
Param(ws.PathParameter("workspace", "workspace name")). Param(ws.PathParameter("workspace", "workspace name")).
Doc("List the rules of the specified workspace for the current user"). Doc("List the rules of the specified workspace for the current user").
Returns(http.StatusOK, api.StatusOK, iam.SimpleRule{}). Returns(http.StatusOK, api.StatusOK, policy.SimpleRule{}).
Metadata(restfulspec.KeyOpenAPITags, []string{constants.TenantResourcesTag})) Metadata(restfulspec.KeyOpenAPITags, []string{constants.TenantResourcesTag}))
ws.Route(ws.GET("/namespaces/{namespace}/rules"). ws.Route(ws.GET("/namespaces/{namespace}/rules").
To(handler.ListNamespaceRules). To(handler.ListNamespaceRules).
Param(ws.PathParameter("namespace", "the name of the namespace")). Param(ws.PathParameter("namespace", "the name of the namespace")).
Doc("List the rules of the specified namespace for the current user"). Doc("List the rules of the specified namespace for the current user").
Returns(http.StatusOK, api.StatusOK, iam.SimpleRule{}). Returns(http.StatusOK, api.StatusOK, policy.SimpleRule{}).
Metadata(restfulspec.KeyOpenAPITags, []string{constants.TenantResourcesTag})) Metadata(restfulspec.KeyOpenAPITags, []string{constants.TenantResourcesTag}))
ws.Route(ws.GET("/devops/{devops}/rules"). ws.Route(ws.GET("/devops/{devops}/rules").
To(handler.ListDevopsRules). To(handler.ListDevopsRules).
Param(ws.PathParameter("devops", "devops project ID")). Param(ws.PathParameter("devops", "devops project ID")).
Doc("List the rules of the specified DevOps project for the current user"). Doc("List the rules of the specified DevOps project for the current user").
Returns(http.StatusOK, api.StatusOK, iam.SimpleRule{}). Returns(http.StatusOK, api.StatusOK, policy.SimpleRule{}).
Metadata(restfulspec.KeyOpenAPITags, []string{constants.TenantResourcesTag})) Metadata(restfulspec.KeyOpenAPITags, []string{constants.TenantResourcesTag}))
ws.Route(ws.GET("/workspaces/{workspace}/namespaces"). ws.Route(ws.GET("/workspaces/{workspace}/namespaces").
To(handler.ListNamespaces). To(handler.ListNamespaces).


@@ -51,12 +51,12 @@ type AccessManagementInterface interface {
ListRoles(namespace string, conditions *params.Conditions, orderBy string, reverse bool, limit int, offset int) (*models.PageableResponse, error) ListRoles(namespace string, conditions *params.Conditions, orderBy string, reverse bool, limit int, offset int) (*models.PageableResponse, error)
ListClusterRoles(conditions *params.Conditions, orderBy string, reverse bool, limit int, offset int) (*models.PageableResponse, error) ListClusterRoles(conditions *params.Conditions, orderBy string, reverse bool, limit int, offset int) (*models.PageableResponse, error)
ListClusterRoleBindings(clusterRole string) ([]*rbacv1.ClusterRoleBinding, error) ListClusterRoleBindings(clusterRole string) ([]*rbacv1.ClusterRoleBinding, error)
GetClusterRoleSimpleRules(clusterRole string) ([]SimpleRule, error) GetClusterRoleSimpleRules(clusterRole string) ([]policy.SimpleRule, error)
GetRoleSimpleRules(namespace string, role string) ([]SimpleRule, error) GetRoleSimpleRules(namespace string, role string) ([]policy.SimpleRule, error)
GetRoles(namespace, username string) ([]*rbacv1.Role, error) GetRoles(namespace, username string) ([]*rbacv1.Role, error)
GetClusterPolicyRules(username string) ([]rbacv1.PolicyRule, error) GetClusterPolicyRules(username string) ([]rbacv1.PolicyRule, error)
GetPolicyRules(namespace, username string) ([]rbacv1.PolicyRule, error) GetPolicyRules(namespace, username string) ([]rbacv1.PolicyRule, error)
GetWorkspaceRoleSimpleRules(workspace, roleName string) []SimpleRule GetWorkspaceRoleSimpleRules(workspace, roleName string) []policy.SimpleRule
GetWorkspaceRole(workspace, username string) (*rbacv1.ClusterRole, error) GetWorkspaceRole(workspace, username string) (*rbacv1.ClusterRole, error)
GetWorkspaceRoleMap(username string) (map[string]string, error) GetWorkspaceRoleMap(username string) (map[string]string, error)
} }
@@ -97,12 +97,12 @@ func NewAMOperator(informers informers.SharedInformerFactory) *amOperator {
return &amOperator{informers: informers, resources: resourceGetter} return &amOperator{informers: informers, resources: resourceGetter}
} }
func (am *amOperator) GetDevopsRoleSimpleRules(role string) []SimpleRule { func (am *amOperator) GetDevopsRoleSimpleRules(role string) []policy.SimpleRule {
var rules []SimpleRule var rules []policy.SimpleRule
switch role { switch role {
case "developer": case "developer":
rules = []SimpleRule{ rules = []policy.SimpleRule{
{Name: "pipelines", Actions: []string{"view", "trigger"}}, {Name: "pipelines", Actions: []string{"view", "trigger"}},
{Name: "roles", Actions: []string{"view"}}, {Name: "roles", Actions: []string{"view"}},
{Name: "members", Actions: []string{"view"}}, {Name: "members", Actions: []string{"view"}},
@@ -110,7 +110,7 @@ func (am *amOperator) GetDevopsRoleSimpleRules(role string) []SimpleRule {
} }
break break
case "owner": case "owner":
rules = []SimpleRule{ rules = []policy.SimpleRule{
{Name: "pipelines", Actions: []string{"create", "edit", "view", "delete", "trigger"}}, {Name: "pipelines", Actions: []string{"create", "edit", "view", "delete", "trigger"}},
{Name: "roles", Actions: []string{"view"}}, {Name: "roles", Actions: []string{"view"}},
{Name: "members", Actions: []string{"create", "edit", "view", "delete"}}, {Name: "members", Actions: []string{"create", "edit", "view", "delete"}},
@@ -119,7 +119,7 @@ func (am *amOperator) GetDevopsRoleSimpleRules(role string) []SimpleRule {
} }
break break
case "maintainer": case "maintainer":
rules = []SimpleRule{ rules = []policy.SimpleRule{
{Name: "pipelines", Actions: []string{"create", "edit", "view", "delete", "trigger"}}, {Name: "pipelines", Actions: []string{"create", "edit", "view", "delete", "trigger"}},
{Name: "roles", Actions: []string{"view"}}, {Name: "roles", Actions: []string{"view"}},
{Name: "members", Actions: []string{"view"}}, {Name: "members", Actions: []string{"view"}},
@@ -130,7 +130,7 @@ func (am *amOperator) GetDevopsRoleSimpleRules(role string) []SimpleRule {
case "reporter": case "reporter":
fallthrough fallthrough
default: default:
rules = []SimpleRule{ rules = []policy.SimpleRule{
{Name: "pipelines", Actions: []string{"view"}}, {Name: "pipelines", Actions: []string{"view"}},
{Name: "roles", Actions: []string{"view"}}, {Name: "roles", Actions: []string{"view"}},
{Name: "members", Actions: []string{"view"}}, {Name: "members", Actions: []string{"view"}},
@@ -412,13 +412,13 @@ func (am *amOperator) ListClusterRoles(conditions *params.Conditions, orderBy st
return am.resources.ListResources("", v1alpha2.ClusterRoles, conditions, orderBy, reverse, limit, offset) return am.resources.ListResources("", v1alpha2.ClusterRoles, conditions, orderBy, reverse, limit, offset)
} }
func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []SimpleRule { func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []policy.SimpleRule {
workspaceRules := make([]SimpleRule, 0) workspaceRules := make([]policy.SimpleRule, 0)
switch roleName { switch roleName {
case constants.WorkspaceAdmin: case constants.WorkspaceAdmin:
workspaceRules = []SimpleRule{ workspaceRules = []policy.SimpleRule{
{Name: "workspaces", Actions: []string{"edit", "delete", "view"}}, {Name: "workspaces", Actions: []string{"edit", "delete", "view"}},
{Name: "members", Actions: []string{"edit", "delete", "create", "view"}}, {Name: "members", Actions: []string{"edit", "delete", "create", "view"}},
{Name: "devops", Actions: []string{"edit", "delete", "create", "view"}}, {Name: "devops", Actions: []string{"edit", "delete", "create", "view"}},
@@ -428,7 +428,7 @@ func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []
{Name: "repos", Actions: []string{"view", "manage"}}, {Name: "repos", Actions: []string{"view", "manage"}},
} }
case constants.WorkspaceRegular: case constants.WorkspaceRegular:
workspaceRules = []SimpleRule{ workspaceRules = []policy.SimpleRule{
{Name: "members", Actions: []string{"view"}}, {Name: "members", Actions: []string{"view"}},
{Name: "devops", Actions: []string{"view", "create"}}, {Name: "devops", Actions: []string{"view", "create"}},
{Name: "projects", Actions: []string{"view", "create"}}, {Name: "projects", Actions: []string{"view", "create"}},
@@ -436,7 +436,7 @@ func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []
{Name: "repos", Actions: []string{"view"}}, {Name: "repos", Actions: []string{"view"}},
} }
case constants.WorkspaceViewer: case constants.WorkspaceViewer:
workspaceRules = []SimpleRule{ workspaceRules = []policy.SimpleRule{
{Name: "workspaces", Actions: []string{"view"}}, {Name: "workspaces", Actions: []string{"view"}},
{Name: "members", Actions: []string{"view"}}, {Name: "members", Actions: []string{"view"}},
{Name: "devops", Actions: []string{"view"}}, {Name: "devops", Actions: []string{"view"}},
@@ -446,7 +446,7 @@ func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []
{Name: "repos", Actions: []string{"view"}}, {Name: "repos", Actions: []string{"view"}},
} }
case constants.WorkspacesManager: case constants.WorkspacesManager:
workspaceRules = []SimpleRule{ workspaceRules = []policy.SimpleRule{
{Name: "workspaces", Actions: []string{"edit", "delete", "view"}}, {Name: "workspaces", Actions: []string{"edit", "delete", "view"}},
{Name: "members", Actions: []string{"edit", "delete", "create", "view"}}, {Name: "members", Actions: []string{"edit", "delete", "create", "view"}},
{Name: "roles", Actions: []string{"view"}}, {Name: "roles", Actions: []string{"view"}},
@@ -457,7 +457,7 @@ func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []
} }
// Convert cluster role to rules // Convert cluster role to rules
func (am *amOperator) GetClusterRoleSimpleRules(clusterRoleName string) ([]SimpleRule, error) { func (am *amOperator) GetClusterRoleSimpleRules(clusterRoleName string) ([]policy.SimpleRule, error) {
clusterRoleLister := am.informers.Rbac().V1().ClusterRoles().Lister() clusterRoleLister := am.informers.Rbac().V1().ClusterRoles().Lister()
clusterRole, err := clusterRoleLister.Get(clusterRoleName) clusterRole, err := clusterRoleLister.Get(clusterRoleName)
@@ -470,7 +470,7 @@ func (am *amOperator) GetClusterRoleSimpleRules(clusterRoleName string) ([]Simpl
return getClusterSimpleRule(clusterRole.Rules), nil return getClusterSimpleRule(clusterRole.Rules), nil
} }
func (am *amOperator) GetUserClusterSimpleRules(username string) ([]SimpleRule, error) { func (am *amOperator) GetUserClusterSimpleRules(username string) ([]policy.SimpleRule, error) {
clusterRules, err := am.GetUserClusterRules(username) clusterRules, err := am.GetUserClusterRules(username)
if err != nil { if err != nil {
return nil, err return nil, err
@@ -479,7 +479,7 @@ func (am *amOperator) GetUserClusterSimpleRules(username string) ([]SimpleRule,
} }
// Convert roles to rules // Convert roles to rules
func (am *amOperator) GetRoleSimpleRules(namespace string, roleName string) ([]SimpleRule, error) { func (am *amOperator) GetRoleSimpleRules(namespace string, roleName string) ([]policy.SimpleRule, error) {
roleLister := am.informers.Rbac().V1().Roles().Lister() roleLister := am.informers.Rbac().V1().Roles().Lister()
role, err := roleLister.Roles(namespace).Get(roleName) role, err := roleLister.Roles(namespace).Get(roleName)
@@ -492,8 +492,8 @@ func (am *amOperator) GetRoleSimpleRules(namespace string, roleName string) ([]S
return ConvertToSimpleRule(role.Rules), nil return ConvertToSimpleRule(role.Rules), nil
} }
func getClusterSimpleRule(policyRules []rbacv1.PolicyRule) []SimpleRule { func getClusterSimpleRule(policyRules []rbacv1.PolicyRule) []policy.SimpleRule {
rules := make([]SimpleRule, 0) rules := make([]policy.SimpleRule, 0)
for i := 0; i < len(policy.ClusterRoleRuleMapping); i++ { for i := 0; i < len(policy.ClusterRoleRuleMapping); i++ {
validActions := make([]string, 0) validActions := make([]string, 0)
@@ -503,17 +503,17 @@ func getClusterSimpleRule(policyRules []rbacv1.PolicyRule) []SimpleRule {
} }
} }
if len(validActions) > 0 { if len(validActions) > 0 {
rules = append(rules, SimpleRule{Name: policy.ClusterRoleRuleMapping[i].Name, Actions: validActions}) rules = append(rules, policy.SimpleRule{Name: policy.ClusterRoleRuleMapping[i].Name, Actions: validActions})
} }
} }
return rules return rules
} }
func ConvertToSimpleRule(policyRules []rbacv1.PolicyRule) []SimpleRule { func ConvertToSimpleRule(policyRules []rbacv1.PolicyRule) []policy.SimpleRule {
simpleRules := make([]SimpleRule, 0) simpleRules := make([]policy.SimpleRule, 0)
for i := 0; i < len(policy.RoleRuleMapping); i++ { for i := 0; i < len(policy.RoleRuleMapping); i++ {
rule := SimpleRule{Name: policy.RoleRuleMapping[i].Name} rule := policy.SimpleRule{Name: policy.RoleRuleMapping[i].Name}
rule.Actions = make([]string, 0) rule.Actions = make([]string, 0)
for j := 0; j < len(policy.RoleRuleMapping[i].Actions); j++ { for j := 0; j < len(policy.RoleRuleMapping[i].Actions); j++ {
if rulesMatchesAction(policyRules, policy.RoleRuleMapping[i].Actions[j]) { if rulesMatchesAction(policyRules, policy.RoleRuleMapping[i].Actions[j]) {
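Review bot: `amOperator.GetDevopsRoleSimpleRules` (hunk `@@ -97,12 +97,12 @@` onward) and the package-level `GetDevopsRoleSimpleRules` in the devops operator file of this same commit carry what looks, from the visible lines, like the same role-to-actions table, and after the refactor both copies still exist. Because these tables decide which actions a DevOps role is reported to have, a later change to one copy (for example narrowing the `owner` entry) would silently not apply to the other. Since this commit already touches both, it would be the natural place to have one delegate to the other or to move the table into `policy` next to `SimpleRule`; at minimum a comment such as `// Keep in sync with the package-level GetDevopsRoleSimpleRules in the devops operator.` on each would flag the coupling. Both functions continue past the visible hunks.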


@@ -21,21 +21,20 @@ package policy
import ( import (
"encoding/json" "encoding/json"
"io/ioutil" "io/ioutil"
"kubesphere.io/kubesphere/pkg/models/iam"
"k8s.io/api/rbac/v1" "k8s.io/api/rbac/v1"
) )
const ( const (
rulesConfigPath = iam.ConfigPath + "/rules.json" configPath = "/etc/kubesphere/iam"
clusterRulesConfigPath = iam.ConfigPath + "/clusterrules.json" rulesConfigPath = configPath + "/rules.json"
clusterRulesConfigPath = configPath + "/clusterrules.json"
) )
func init() { func init() {
rulesConfig, err := ioutil.ReadFile(rulesConfigPath) rulesConfig, err := ioutil.ReadFile(rulesConfigPath)
if err == nil { if err == nil {
config := &[]iam.Rule{} config := &[]Rule{}
json.Unmarshal(rulesConfig, config) json.Unmarshal(rulesConfig, config)
if len(*config) > 0 { if len(*config) > 0 {
RoleRuleMapping = *config RoleRuleMapping = *config
@@ -45,7 +44,7 @@ func init() {
clusterRulesConfig, err := ioutil.ReadFile(clusterRulesConfigPath) clusterRulesConfig, err := ioutil.ReadFile(clusterRulesConfigPath)
if err == nil { if err == nil {
config := &[]iam.Rule{} config := &[]Rule{}
json.Unmarshal(clusterRulesConfig, config) json.Unmarshal(clusterRulesConfig, config)
if len(*config) > 0 { if len(*config) > 0 {
ClusterRoleRuleMapping = *config ClusterRoleRuleMapping = *config
@@ -54,9 +53,9 @@ func init() {
} }
var ( var (
ClusterRoleRuleMapping = []iam.Rule{ ClusterRoleRuleMapping = []Rule{
{Name: "workspaces", {Name: "workspaces",
Actions: []iam.Action{ Actions: []Action{
{ {
Name: "manage", Name: "manage",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
@@ -71,7 +70,7 @@ var (
}, },
{ {
Name: "monitoring", Name: "monitoring",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{{ Rules: []v1.PolicyRule{{
Verbs: []string{"get", "list"}, Verbs: []string{"get", "list"},
@@ -87,7 +86,7 @@ var (
}, },
{ {
Name: "alerting", Name: "alerting",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{{ Rules: []v1.PolicyRule{{
Verbs: []string{"get", "list"}, Verbs: []string{"get", "list"},
@@ -113,7 +112,7 @@ var (
}, },
{ {
Name: "logging", Name: "logging",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{{ Rules: []v1.PolicyRule{{
Verbs: []string{"get", "list"}, Verbs: []string{"get", "list"},
@@ -125,7 +124,7 @@ var (
}, },
{ {
Name: "accounts", Name: "accounts",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
@@ -192,7 +191,7 @@ var (
}, },
}, { }, {
Name: "roles", Name: "roles",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
@@ -238,7 +237,7 @@ var (
}, },
}, { }, {
Name: "storageclasses", Name: "storageclasses",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
@@ -282,7 +281,7 @@ var (
}, },
}, { }, {
Name: "nodes", Name: "nodes",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
@@ -313,7 +312,7 @@ var (
}, },
}, { }, {
Name: "repos", Name: "repos",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
@@ -353,7 +352,7 @@ var (
}, },
}, { }, {
Name: "apps", Name: "apps",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
@@ -366,7 +365,7 @@ var (
}, },
}, { }, {
Name: "components", Name: "components",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
@@ -379,9 +378,9 @@ var (
}, },
}} }}
RoleRuleMapping = []iam.Rule{{ RoleRuleMapping = []Rule{{
Name: "projects", Name: "projects",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
@@ -418,7 +417,7 @@ var (
}, },
{ {
Name: "monitoring", Name: "monitoring",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{{ Rules: []v1.PolicyRule{{
Verbs: []string{"get", "list"}, Verbs: []string{"get", "list"},
@@ -435,7 +434,7 @@ var (
{ {
Name: "alerting", Name: "alerting",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{{ Rules: []v1.PolicyRule{{
Verbs: []string{"get", "list"}, Verbs: []string{"get", "list"},
@@ -461,7 +460,7 @@ var (
}, },
{ {
Name: "members", Name: "members",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
@@ -507,7 +506,7 @@ var (
}, },
{ {
Name: "roles", Name: "roles",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
@@ -548,7 +547,7 @@ var (
}, },
{ {
Name: "deployments", Name: "deployments",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
@@ -604,7 +603,7 @@ var (
}, },
}, { }, {
Name: "statefulsets", Name: "statefulsets",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
@@ -658,7 +657,7 @@ var (
}, },
}, { }, {
Name: "daemonsets", Name: "daemonsets",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
@@ -703,7 +702,7 @@ var (
}, },
}, { }, {
Name: "pods", Name: "pods",
Actions: []iam.Action{ Actions: []Action{
{Name: "terminal", {Name: "terminal",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
@@ -735,7 +734,7 @@ var (
}, },
{ {
Name: "services", Name: "services",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
@@ -777,7 +776,7 @@ var (
}, },
{ {
Name: "internet", Name: "internet",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
@@ -819,7 +818,7 @@ var (
{ {
Name: "routes", Name: "routes",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
@@ -859,7 +858,7 @@ var (
}, },
}, { }, {
Name: "volumes", Name: "volumes",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
@@ -899,7 +898,7 @@ var (
}, },
}, { }, {
Name: "applications", Name: "applications",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", {Name: "view",
Rules: []v1.PolicyRule{ Rules: []v1.PolicyRule{
{ {
@@ -953,7 +952,7 @@ var (
}, },
{ {
Name: "jobs", Name: "jobs",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", Rules: []v1.PolicyRule{ {Name: "view", Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "list"},
@@ -986,7 +985,7 @@ var (
}, },
{ {
Name: "cronjobs", Name: "cronjobs",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", Rules: []v1.PolicyRule{ {Name: "view", Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "list"},
@@ -1019,7 +1018,7 @@ var (
}, },
{ {
Name: "secrets", Name: "secrets",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", Rules: []v1.PolicyRule{ {Name: "view", Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "list"},
@@ -1052,7 +1051,7 @@ var (
}, },
{ {
Name: "configmaps", Name: "configmaps",
Actions: []iam.Action{ Actions: []Action{
{Name: "view", Rules: []v1.PolicyRule{ {Name: "view", Rules: []v1.PolicyRule{
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "list"},
@@ -1085,3 +1084,18 @@ var (
}, },
} }
) )
type Action struct {
Name string `json:"name"`
Rules []v1.PolicyRule `json:"rules"`
}
type Rule struct {
Name string `json:"name"`
Actions []Action `json:"actions"`
}
type SimpleRule struct {
Name string `json:"name" description:"rule name"`
Actions []string `json:"actions" description:"actions"`
}
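Review bot: In the `init` hunk (`@@ -21,21 +21,20 @@`) the error from `json.Unmarshal(rulesConfig, config)` is still discarded after the move, and any `ReadFile` failure is treated the same as an absent file; since `RoleRuleMapping` and `ClusterRoleRuleMapping` are the authorization policy tables, a rules.json with a type mismatch in one entry is, as far as encoding/json's documented behaviour goes, decoded as far as possible and then, because `len(*config) > 0` holds, replaces the compiled-in mapping with the partial result without any log line. The loader should fail closed on a present-but-invalid file, e.g. `if err := json.Unmarshal(rulesConfig, config); err != nil { panic(err) }`, and only a missing file (`os.IsNotExist(err)`) should fall through to the built-in defaults; the `clusterRulesConfig` branch in the next hunk has the same shape. A comment above `configPath` stating that the constant replaces the removed `iam.ConfigPath` and that both JSON files are optional overrides of the built-in mappings would also help the next reader. The `init` body continues outside the first hunk.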


@@ -19,12 +19,10 @@
package iam package iam
import ( import (
"k8s.io/api/rbac/v1"
"time" "time"
) )
const ( const (
ConfigPath = "/etc/kubesphere/iam"
KindTokenReview = "TokenReview" KindTokenReview = "TokenReview"
) )
@@ -37,23 +35,3 @@ type User struct {
Groups []string `json:"groups,omitempty"` Groups []string `json:"groups,omitempty"`
Password string `json:"password,omitempty"` Password string `json:"password,omitempty"`
} }
type Action struct {
Name string `json:"name"`
Rules []v1.PolicyRule `json:"rules"`
}
type Rule struct {
Name string `json:"name"`
Actions []Action `json:"actions"`
}
type SimpleRule struct {
Name string `json:"name" description:"rule name"`
Actions []string `json:"actions" description:"actions"`
}
type RoleList struct {
ClusterRoles []*v1.ClusterRole `json:"clusterRole" description:"cluster role list"`
Roles []*v1.Role `json:"roles" description:"role list"`
}


@@ -20,6 +20,7 @@ package iam
import ( import (
rbacv1 "k8s.io/api/rbac/v1" rbacv1 "k8s.io/api/rbac/v1"
"kubesphere.io/kubesphere/pkg/models/iam/policy"
"strings" "strings"
) )
@@ -32,7 +33,7 @@ func RulesMatchesRequired(rules []rbacv1.PolicyRule, required rbacv1.PolicyRule)
return false return false
} }
func rulesMatchesAction(rules []rbacv1.PolicyRule, action Action) bool { func rulesMatchesAction(rules []rbacv1.PolicyRule, action policy.Action) bool {
for _, required := range action.Rules { for _, required := range action.Rules {
if !RulesMatchesRequired(rules, required) { if !RulesMatchesRequired(rules, required) {


@@ -26,7 +26,7 @@ import (
"kubesphere.io/kubesphere/pkg/db" "kubesphere.io/kubesphere/pkg/db"
"kubesphere.io/kubesphere/pkg/models" "kubesphere.io/kubesphere/pkg/models"
"kubesphere.io/kubesphere/pkg/models/devops" "kubesphere.io/kubesphere/pkg/models/devops"
"kubesphere.io/kubesphere/pkg/models/iam" "kubesphere.io/kubesphere/pkg/models/iam/policy"
"kubesphere.io/kubesphere/pkg/server/params" "kubesphere.io/kubesphere/pkg/server/params"
dsClient "kubesphere.io/kubesphere/pkg/simple/client/devops" dsClient "kubesphere.io/kubesphere/pkg/simple/client/devops"
"kubesphere.io/kubesphere/pkg/simple/client/mysql" "kubesphere.io/kubesphere/pkg/simple/client/mysql"
@@ -38,7 +38,7 @@ type DevOpsProjectOperator interface {
CreateDevOpsProject(username string, workspace string, req *v1alpha2.DevOpsProject) (*v1alpha2.DevOpsProject, error) CreateDevOpsProject(username string, workspace string, req *v1alpha2.DevOpsProject) (*v1alpha2.DevOpsProject, error)
GetDevOpsProjectsCount(username string) (uint32, error) GetDevOpsProjectsCount(username string) (uint32, error)
DeleteDevOpsProject(projectId, username string) error DeleteDevOpsProject(projectId, username string) error
GetUserDevOpsSimpleRules(username, projectId string) ([]iam.SimpleRule, error) GetUserDevOpsSimpleRules(username, projectId string) ([]policy.SimpleRule, error)
} }
type devopsProjectOperator struct { type devopsProjectOperator struct {
@@ -208,7 +208,7 @@ func (o *devopsProjectOperator) CreateDevOpsProject(username string, workspace s
return project, nil return project, nil
} }
func (o *devopsProjectOperator) GetUserDevOpsSimpleRules(username, projectId string) ([]iam.SimpleRule, error) { func (o *devopsProjectOperator) GetUserDevOpsSimpleRules(username, projectId string) ([]policy.SimpleRule, error) {
role, err := o.getProjectUserRole(username, projectId) role, err := o.getProjectUserRole(username, projectId)
if err != nil { if err != nil {
@@ -236,12 +236,12 @@ func (o *devopsProjectOperator) getProjectUserRole(username, projectId string) (
return membership.Role, nil return membership.Role, nil
} }
func GetDevopsRoleSimpleRules(role string) []iam.SimpleRule { func GetDevopsRoleSimpleRules(role string) []policy.SimpleRule {
var rules []iam.SimpleRule var rules []policy.SimpleRule
switch role { switch role {
case "developer": case "developer":
rules = []iam.SimpleRule{ rules = []policy.SimpleRule{
{Name: "pipelines", Actions: []string{"view", "trigger"}}, {Name: "pipelines", Actions: []string{"view", "trigger"}},
{Name: "roles", Actions: []string{"view"}}, {Name: "roles", Actions: []string{"view"}},
{Name: "members", Actions: []string{"view"}}, {Name: "members", Actions: []string{"view"}},
@@ -249,7 +249,7 @@ func GetDevopsRoleSimpleRules(role string) []iam.SimpleRule {
} }
break break
case "owner": case "owner":
rules = []iam.SimpleRule{ rules = []policy.SimpleRule{
{Name: "pipelines", Actions: []string{"create", "edit", "view", "delete", "trigger"}}, {Name: "pipelines", Actions: []string{"create", "edit", "view", "delete", "trigger"}},
{Name: "roles", Actions: []string{"view"}}, {Name: "roles", Actions: []string{"view"}},
{Name: "members", Actions: []string{"create", "edit", "view", "delete"}}, {Name: "members", Actions: []string{"create", "edit", "view", "delete"}},
@@ -258,7 +258,7 @@ func GetDevopsRoleSimpleRules(role string) []iam.SimpleRule {
} }
break break
case "maintainer": case "maintainer":
rules = []iam.SimpleRule{ rules = []policy.SimpleRule{
{Name: "pipelines", Actions: []string{"create", "edit", "view", "delete", "trigger"}}, {Name: "pipelines", Actions: []string{"create", "edit", "view", "delete", "trigger"}},
{Name: "roles", Actions: []string{"view"}}, {Name: "roles", Actions: []string{"view"}},
{Name: "members", Actions: []string{"view"}}, {Name: "members", Actions: []string{"view"}},
@@ -269,7 +269,7 @@ func GetDevopsRoleSimpleRules(role string) []iam.SimpleRule {
case "reporter": case "reporter":
fallthrough fallthrough
default: default:
rules = []iam.SimpleRule{ rules = []policy.SimpleRule{
{Name: "pipelines", Actions: []string{"view"}}, {Name: "pipelines", Actions: []string{"view"}},
{Name: "roles", Actions: []string{"view"}}, {Name: "roles", Actions: []string{"view"}},
{Name: "members", Actions: []string{"view"}}, {Name: "members", Actions: []string{"view"}},


@@ -29,6 +29,7 @@ import (
"kubesphere.io/kubesphere/pkg/constants" "kubesphere.io/kubesphere/pkg/constants"
"kubesphere.io/kubesphere/pkg/models" "kubesphere.io/kubesphere/pkg/models"
"kubesphere.io/kubesphere/pkg/models/iam" "kubesphere.io/kubesphere/pkg/models/iam"
"kubesphere.io/kubesphere/pkg/models/iam/policy"
"kubesphere.io/kubesphere/pkg/server/params" "kubesphere.io/kubesphere/pkg/server/params"
"kubesphere.io/kubesphere/pkg/simple/client/mysql" "kubesphere.io/kubesphere/pkg/simple/client/mysql"
"strconv" "strconv"
@@ -41,8 +42,8 @@ type Interface interface {
ListWorkspaces(username string, conditions *params.Conditions, orderBy string, reverse bool, limit, offset int) (*models.PageableResponse, error) ListWorkspaces(username string, conditions *params.Conditions, orderBy string, reverse bool, limit, offset int) (*models.PageableResponse, error)
ListNamespaces(username string, conditions *params.Conditions, orderBy string, reverse bool, limit, offset int) (*models.PageableResponse, error) ListNamespaces(username string, conditions *params.Conditions, orderBy string, reverse bool, limit, offset int) (*models.PageableResponse, error)
ListDevopsProjects(username string, conditions *params.Conditions, orderBy string, reverse bool, limit int, offset int) (*models.PageableResponse, error) ListDevopsProjects(username string, conditions *params.Conditions, orderBy string, reverse bool, limit int, offset int) (*models.PageableResponse, error)
GetWorkspaceSimpleRules(workspace, username string) ([]iam.SimpleRule, error) GetWorkspaceSimpleRules(workspace, username string) ([]policy.SimpleRule, error)
GetNamespaceSimpleRules(namespace, username string) ([]iam.SimpleRule, error) GetNamespaceSimpleRules(namespace, username string) ([]policy.SimpleRule, error)
CountDevOpsProjects(username string) (uint32, error) CountDevOpsProjects(username string) (uint32, error)
DeleteDevOpsProject(username, projectId string) error DeleteDevOpsProject(username, projectId string) error
GetUserDevopsSimpleRules(username string, devops string) (interface{}, error) GetUserDevopsSimpleRules(username string, devops string) (interface{}, error)
@@ -122,7 +123,7 @@ func (t *tenantOperator) ListWorkspaces(username string, conditions *params.Cond
return &models.PageableResponse{Items: result, TotalCount: len(workspaces)}, nil return &models.PageableResponse{Items: result, TotalCount: len(workspaces)}, nil
} }
func (t *tenantOperator) GetWorkspaceSimpleRules(workspace, username string) ([]iam.SimpleRule, error) { func (t *tenantOperator) GetWorkspaceSimpleRules(workspace, username string) ([]policy.SimpleRule, error) {
clusterRules, err := t.am.GetClusterPolicyRules(username) clusterRules, err := t.am.GetClusterPolicyRules(username)
if err != nil { if err != nil {
return nil, err return nil, err
@@ -150,7 +151,7 @@ func (t *tenantOperator) GetWorkspaceSimpleRules(workspace, username string) ([]
if err != nil { if err != nil {
if apierrors.IsNotFound(err) { if apierrors.IsNotFound(err) {
return []iam.SimpleRule{}, nil return []policy.SimpleRule{}, nil
} }
klog.Error(err) klog.Error(err)
@@ -160,7 +161,7 @@ func (t *tenantOperator) GetWorkspaceSimpleRules(workspace, username string) ([]
return t.am.GetWorkspaceRoleSimpleRules(workspace, workspaceRole.Annotations[constants.DisplayNameAnnotationKey]), nil return t.am.GetWorkspaceRoleSimpleRules(workspace, workspaceRole.Annotations[constants.DisplayNameAnnotationKey]), nil
} }
func (t *tenantOperator) GetNamespaceSimpleRules(namespace, username string) ([]iam.SimpleRule, error) { func (t *tenantOperator) GetNamespaceSimpleRules(namespace, username string) ([]policy.SimpleRule, error) {
clusterRules, err := t.am.GetClusterPolicyRules(username) clusterRules, err := t.am.GetClusterPolicyRules(username)
if err != nil { if err != nil {
return nil, err return nil, err