admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refine iam policy rules

Browse Source 
Signed-off-by: hongming <talonwan@yunify.com>
This commit is contained in:
hongming
2019-11-04 10:16:47 +08:00
parent 8b037cef3f
commit 636ace1b86
2 changed files with 19 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
pkg/controller/workspace/workspace_controller.go
View File

@@ -574,10 +574,15 @@ func getWorkspaceAdmin(workspaceName string) *rbac.ClusterRole {
APIGroups: []string{"iam.kubesphere.io"}, APIGroups: []string{"iam.kubesphere.io"},
Resources: []string{"users"}, Resources: []string{"users"},
}, },
{
Verbs: []string{"get", "list"},
APIGroups: []string{"openpitrix.io"},
Resources: []string{"categories"},
},
{ {
Verbs: []string{"*"}, Verbs: []string{"*"},
APIGroups: []string{"openpitrix.io"}, APIGroups: []string{"openpitrix.io"},
Resources: []string{"applications", "apps", "apps/versions", "apps/events", "apps/action", "apps/audits", "repos", "repos/action", "categories", "attachments"}, Resources: []string{"applications", "apps", "apps/versions", "apps/events", "apps/action", "apps/audits", "repos", "repos/action", "attachments"},
}, },
} }
@@ -610,13 +615,13 @@ func getWorkspaceRegular(workspaceName string) *rbac.ClusterRole {
{ {
Verbs: []string{"get", "list"}, Verbs: []string{"get", "list"},
APIGroups: []string{"openpitrix.io"}, APIGroups: []string{"openpitrix.io"},
Resources: []string{"apps/events", "apps/action", "apps/audits"}, Resources: []string{"apps/events", "apps/action", "apps/audits", "categories"},
}, },
{ {
Verbs: []string{"*"}, Verbs: []string{"*"},
APIGroups: []string{"openpitrix.io"}, APIGroups: []string{"openpitrix.io"},
Resources: []string{"applications", "apps", "apps/versions", "repos", "repos/action", "categories", "attachments"}, Resources: []string{"applications", "apps", "apps/versions", "repos", "repos/action", "attachments"},
}, },
} }

12
pkg/models/iam/am.go
View File

@@ -481,7 +481,16 @@ func GetUserWorkspaceSimpleRules(workspace, username string) ([]models.SimpleRul
return nil, err return nil, err
} }
// workspace manager // cluster-admin
if RulesMatchesRequired(clusterRules, rbacv1.PolicyRule{
Verbs: []string{"*"},
APIGroups: []string{"*"},
Resources: []string{"*"},
}) {
return GetWorkspaceRoleSimpleRules(workspace, constants.WorkspaceAdmin), nil
}
// workspaces-manager
if RulesMatchesRequired(clusterRules, rbacv1.PolicyRule{ if RulesMatchesRequired(clusterRules, rbacv1.PolicyRule{
Verbs: []string{"*"}, Verbs: []string{"*"},
APIGroups: []string{"*"}, APIGroups: []string{"*"},
@@ -498,6 +507,7 @@ func GetUserWorkspaceSimpleRules(workspace, username string) ([]models.SimpleRul
} }
return nil, err return nil, err
} }
return GetWorkspaceRoleSimpleRules(workspace, workspaceRole.Annotations[constants.DisplayNameAnnotationKey]), nil return GetWorkspaceRoleSimpleRules(workspace, workspaceRole.Annotations[constants.DisplayNameAnnotationKey]), nil
} }