admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

migrate legacy API

Browse Source 
Signed-off-by: hongming <talonwan@yunify.com>
This commit is contained in:
hongming
2020-04-14 13:59:37 +08:00
parent d38e396e8c
commit 5f951508c5
45 changed files with 1475 additions and 1358 deletions
Download Patch File Download Diff File Expand all files Collapse all files

142
pkg/models/tenant/tenant.go
View File

@@ -21,63 +21,91 @@ import (
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/klog"
"kubesphere.io/kubesphere/pkg/api"
iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
tenantv1alpha1 "kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha1"
"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizerfactory"
"kubesphere.io/kubesphere/pkg/informers"
"kubesphere.io/kubesphere/pkg/models/iam/am"
"kubesphere.io/kubesphere/pkg/simple/client/k8s"
)
type Interface interface {
ListWorkspaces(username string) (*api.ListResult, error)
ListNamespaces(username, workspace string) (*api.ListResult, error)
ListWorkspaces(user user.Info) (*api.ListResult, error)
ListNamespaces(user user.Info, workspace string) (*api.ListResult, error)
}
type tenantOperator struct {
informers informers.InformerFactory
am am.AccessManagementInterface
informers informers.InformerFactory
am am.AccessManagementInterface
authorizer authorizer.Authorizer
}
func New(k8sClient k8s.Client, informers informers.InformerFactory) Interface {
amOperator := am.NewAMOperator(k8sClient.KubeSphere(), informers.KubeSphereSharedInformerFactory())
opaAuthorizer := authorizerfactory.NewOPAAuthorizer(amOperator)
return &tenantOperator{
informers: informers,
am: am.NewAMOperator(k8sClient.KubeSphere(), informers.KubeSphereSharedInformerFactory()),
informers: informers,
am: amOperator,
authorizer: opaAuthorizer,
}
}
func (t *tenantOperator) ListWorkspaces(username string) (*api.ListResult, error) {
func (t *tenantOperator) ListWorkspaces(user user.Info) (*api.ListResult, error) {
workspaces := make([]*tenantv1alpha1.Workspace, 0)
listWS := authorizer.AttributesRecord{
User: user,
Verb: "list",
APIGroup: "tenant.kubesphere.io",
APIVersion: "v1alpha2",
Resource: "workspaces",
}
decision, _, err := t.authorizer.Authorize(listWS)
workspaceRoles, err := t.am.ListRolesOfUser(iamv1alpha2.WorkspaceScope, username)
if err != nil {
klog.Error(err)
return nil, err
}
workspaces := make([]*tenantv1alpha1.Workspace, 0)
if decision == authorizer.DecisionAllow {
workspaces, err = t.informers.KubeSphereSharedInformerFactory().
Tenant().V1alpha1().Workspaces().Lister().List(labels.Everything())
for _, role := range workspaceRoles {
// all workspaces are allowed
if role.Target.Name == iamv1alpha2.TargetAll {
workspaces, err = t.informers.KubeSphereSharedInformerFactory().
Tenant().V1alpha1().Workspaces().Lister().List(labels.Everything())
break
}
workspace, err := t.informers.KubeSphereSharedInformerFactory().
Tenant().V1alpha1().Workspaces().Lister().Get(role.Target.Name)
if errors.IsNotFound(err) {
klog.Warningf("workspace role: %s found but workspace not exist", role.Target)
continue
}
if err != nil {
klog.Error(err)
return nil, err
}
if !containsWorkspace(workspaces, workspace) {
workspaces = append(workspaces, workspace)
} else {
workspaceRoles, err := t.am.ListRolesOfUser(iamv1alpha2.WorkspaceScope, user.GetName())
if err != nil {
klog.Error(err)
return nil, err
}
for _, role := range workspaceRoles {
workspace, err := t.informers.KubeSphereSharedInformerFactory().
Tenant().V1alpha1().Workspaces().Lister().Get(role.Target.Name)
if errors.IsNotFound(err) {
klog.Warningf("workspace role: %s found but workspace not exist", role.Target)
continue
}
if err != nil {
klog.Error(err)
return nil, err
}
if !containsWorkspace(workspaces, workspace) {
workspaces = append(workspaces, workspace)
}
}
}
@@ -87,39 +115,59 @@ func (t *tenantOperator) ListWorkspaces(username string) (*api.ListResult, error
}, nil
}
func (t *tenantOperator) ListNamespaces(username, workspace string) (*api.ListResult, error) {
func (t *tenantOperator) ListNamespaces(user user.Info, workspace string) (*api.ListResult, error) {
namespaces := make([]*corev1.Namespace, 0)
namespaceRoles, err := t.am.ListRolesOfUser(iamv1alpha2.NamespaceScope, username)
listNSInWS := authorizer.AttributesRecord{
User: user,
Verb: "list",
APIGroup: "",
APIVersion: "v1",
Workspace: workspace,
Resource: "namespaces",
}
decision, _, err := t.authorizer.Authorize(listNSInWS)
if err != nil {
klog.Error(err)
return nil, err
}
namespaces := make([]*corev1.Namespace, 0)
if decision == authorizer.DecisionAllow {
namespaces, err = t.informers.KubernetesSharedInformerFactory().
Core().V1().Namespaces().Lister().List(labels.Everything())
for _, role := range namespaceRoles {
// all workspaces are allowed
if role.Target.Name == iamv1alpha2.TargetAll {
namespaces, err = t.informers.KubernetesSharedInformerFactory().
Core().V1().Namespaces().Lister().List(labels.Everything())
break
}
namespace, err := t.informers.KubernetesSharedInformerFactory().
Core().V1().Namespaces().Lister().Get(role.Target.Name)
if errors.IsNotFound(err) {
klog.Warningf("workspace role: %s found but workspace not exist", role.Target)
continue
}
if err != nil {
klog.Error(err)
return nil, err
}
if !containsNamespace(namespaces, namespace) {
namespaces = append(namespaces, namespace)
} else {
namespaceRoles, err := t.am.ListRolesOfUser(iamv1alpha2.NamespaceScope, workspace)
if err != nil {
klog.Error(err)
return nil, err
}
for _, role := range namespaceRoles {
namespace, err := t.informers.KubernetesSharedInformerFactory().
Core().V1().Namespaces().Lister().Get(role.Target.Name)
if errors.IsNotFound(err) {
klog.Warningf("workspace role: %s found but workspace not exist", role.Target)
continue
}
if err != nil {
klog.Error(err)
return nil, err
}
if !containsNamespace(namespaces, namespace) {
namespaces = append(namespaces, namespace)
}
}
}