feat: authentication users with group's RoleBindings in API Server
Signed-off-by: Roland.Ma <rolandma@yunify.com>
This commit is contained in:
Roland.Ma
@@ -20,6 +20,10 @@ import (
|
||||
"bytes"
|
||||
"context"
|
||||
"fmt"
|
||||
"net/http"
|
||||
rt "runtime"
|
||||
"time"
|
||||
|
||||
"github.com/emicklei/go-restful"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
urlruntime "k8s.io/apimachinery/pkg/util/runtime"
|
||||
@@ -77,9 +81,6 @@ import (
|
||||
"kubesphere.io/kubesphere/pkg/simple/client/s3"
|
||||
"kubesphere.io/kubesphere/pkg/simple/client/sonarqube"
|
||||
utilnet "kubesphere.io/kubesphere/pkg/utils/net"
|
||||
"net/http"
|
||||
rt "runtime"
|
||||
"time"
|
||||
)
|
||||
|
||||
const (
|
||||
@@ -290,7 +291,7 @@ func (s *APIServer) buildHandlerChain(stopCh <-chan struct{}) {
|
||||
// authenticators are unordered
|
||||
authn := unionauth.New(anonymous.NewAuthenticator(),
|
||||
basictoken.New(basic.NewBasicAuthenticator(im.NewPasswordAuthenticator(s.KubernetesClient.KubeSphere(), s.InformerFactory.KubeSphereSharedInformerFactory().Iam().V1alpha2().Users().Lister(), s.Config.AuthenticationOptions))),
|
||||
bearertoken.New(jwttoken.NewTokenAuthenticator(im.NewTokenOperator(s.CacheClient, s.Config.AuthenticationOptions))))
|
||||
bearertoken.New(jwttoken.NewTokenAuthenticator(im.NewTokenOperator(s.CacheClient, s.Config.AuthenticationOptions), s.InformerFactory.KubeSphereSharedInformerFactory().Iam().V1alpha2().Users().Lister())))
|
||||
handler = filters.WithAuthentication(handler, authn, loginRecorder)
|
||||
handler = filters.WithRequestInfo(handler, requestInfoResolver)
|
||||
s.Server.Handler = handler
|
||||
@@ -378,6 +379,8 @@ func (s *APIServer) waitForResourceSync(stopCh <-chan struct{}) error {
|
||||
{Group: "iam.kubesphere.io", Version: "v1alpha2", Resource: "workspaceroles"},
|
||||
{Group: "iam.kubesphere.io", Version: "v1alpha2", Resource: "workspacerolebindings"},
|
||||
{Group: "iam.kubesphere.io", Version: "v1alpha2", Resource: "loginrecords"},
|
||||
{Group: "iam.kubesphere.io", Version: "v1alpha2", Resource: "groups"},
|
||||
{Group: "iam.kubesphere.io", Version: "v1alpha2", Resource: "groupbindings"},
|
||||
{Group: "cluster.kubesphere.io", Version: "v1alpha1", Resource: "clusters"},
|
||||
{Group: "devops.kubesphere.io", Version: "v1alpha3", Resource: "devopsprojects"},
|
||||
}
|
||||
|
||||
@@ -18,6 +18,7 @@ package basic
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
"kubesphere.io/kubesphere/pkg/models/iam/im"
|
||||
@@ -50,7 +51,7 @@ func (t *basicAuthenticator) AuthenticatePassword(ctx context.Context, username,
|
||||
User: &user.DefaultInfo{
|
||||
Name: providedUser.GetName(),
|
||||
UID: providedUser.GetUID(),
|
||||
Groups: []string{user.AllAuthenticated},
|
||||
Groups: append(providedUser.GetGroups(), user.AllAuthenticated),
|
||||
},
|
||||
}, true, nil
|
||||
}
|
||||
|
||||
@@ -18,9 +18,11 @@ package jwttoken
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"k8s.io/apiserver/pkg/authentication/authenticator"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
"k8s.io/klog"
|
||||
iamv1alpha2listers "kubesphere.io/kubesphere/pkg/client/listers/iam/v1alpha2"
|
||||
"kubesphere.io/kubesphere/pkg/models/iam/im"
|
||||
)
|
||||
|
||||
@@ -31,11 +33,13 @@ import (
|
||||
// because some resources are public accessible.
|
||||
type tokenAuthenticator struct {
|
||||
tokenOperator im.TokenManagementInterface
|
||||
userLister iamv1alpha2listers.UserLister
|
||||
}
|
||||
|
||||
func NewTokenAuthenticator(tokenOperator im.TokenManagementInterface) authenticator.Token {
|
||||
func NewTokenAuthenticator(tokenOperator im.TokenManagementInterface, userLister iamv1alpha2listers.UserLister) authenticator.Token {
|
||||
return &tokenAuthenticator{
|
||||
tokenOperator: tokenOperator,
|
||||
userLister: userLister,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -46,11 +50,16 @@ func (t *tokenAuthenticator) AuthenticateToken(ctx context.Context, token string
|
||||
return nil, false, err
|
||||
}
|
||||
|
||||
dbUser, err := t.userLister.Get(providedUser.GetName())
|
||||
if err != nil {
|
||||
return nil, false, err
|
||||
}
|
||||
|
||||
return &authenticator.Response{
|
||||
User: &user.DefaultInfo{
|
||||
Name: providedUser.GetName(),
|
||||
UID: providedUser.GetUID(),
|
||||
Groups: []string{user.AllAuthenticated},
|
||||
Groups: append(dbUser.Spec.Groups, user.AllAuthenticated),
|
||||
},
|
||||
}, true, nil
|
||||
}
|
||||
|
||||
@@ -22,6 +22,7 @@ import (
|
||||
"bytes"
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
"github.com/open-policy-agent/opa/rego"
|
||||
"k8s.io/apiserver/pkg/authentication/serviceaccount"
|
||||
iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
|
||||
@@ -259,7 +260,7 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes,
|
||||
workspace = requestAttributes.GetWorkspace()
|
||||
}
|
||||
|
||||
if workspaceRoleBindings, err := r.am.ListWorkspaceRoleBindings("", workspace); err != nil {
|
||||
if workspaceRoleBindings, err := r.am.ListWorkspaceRoleBindings("", nil, workspace); err != nil {
|
||||
if !visitor(nil, "", nil, err) {
|
||||
return
|
||||
}
|
||||
@@ -304,7 +305,7 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes,
|
||||
}
|
||||
}
|
||||
|
||||
if roleBindings, err := r.am.ListRoleBindings("", namespace); err != nil {
|
||||
if roleBindings, err := r.am.ListRoleBindings("", nil, namespace); err != nil {
|
||||
if !visitor(nil, "", nil, err) {
|
||||
return
|
||||
}
|
||||
|
||||
@@ -18,6 +18,8 @@ package v1alpha2
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/emicklei/go-restful"
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
@@ -34,7 +36,6 @@ import (
|
||||
"kubesphere.io/kubesphere/pkg/models/iam/am"
|
||||
"kubesphere.io/kubesphere/pkg/models/iam/im"
|
||||
servererr "kubesphere.io/kubesphere/pkg/server/errors"
|
||||
"strings"
|
||||
)
|
||||
|
||||
type iamHandler struct {
|
||||
@@ -141,7 +142,14 @@ func (h *iamHandler) RetrieveMemberRoleTemplates(request *restful.Request, respo
|
||||
if strings.HasSuffix(request.Request.URL.Path, iamv1alpha2.ResourcesPluralWorkspaceRole) {
|
||||
workspace := request.PathParameter("workspace")
|
||||
username := request.PathParameter("workspacemember")
|
||||
workspaceRole, err := h.am.GetWorkspaceRoleOfUser(username, workspace)
|
||||
|
||||
user, err := h.im.DescribeUser(username)
|
||||
if err != nil {
|
||||
api.HandleInternalError(response, request, err)
|
||||
return
|
||||
}
|
||||
|
||||
workspaceRoles, err := h.am.GetWorkspaceRoleOfUser(username, user.Spec.Groups, workspace)
|
||||
if err != nil {
|
||||
// if role binding not exist return empty list
|
||||
if errors.IsNotFound(err) {
|
||||
@@ -151,19 +159,33 @@ func (h *iamHandler) RetrieveMemberRoleTemplates(request *restful.Request, respo
|
||||
api.HandleInternalError(response, request, err)
|
||||
return
|
||||
}
|
||||
templateRoles := make(map[string]*rbacv1.Role)
|
||||
for _, role := range workspaceRoles {
|
||||
// merge template Role
|
||||
result, err := h.am.ListWorkspaceRoles(&query.Query{
|
||||
Pagination: query.NoPagination,
|
||||
SortBy: "",
|
||||
Ascending: false,
|
||||
Filters: map[query.Field]query.Value{iamv1alpha2.AggregateTo: query.Value(role.Name)},
|
||||
})
|
||||
|
||||
result, err := h.am.ListWorkspaceRoles(&query.Query{
|
||||
Pagination: query.NoPagination,
|
||||
SortBy: "",
|
||||
Ascending: false,
|
||||
Filters: map[query.Field]query.Value{iamv1alpha2.AggregateTo: query.Value(workspaceRole.Name)},
|
||||
})
|
||||
if err != nil {
|
||||
api.HandleInternalError(response, request, err)
|
||||
return
|
||||
if err != nil {
|
||||
api.HandleInternalError(response, request, err)
|
||||
return
|
||||
}
|
||||
|
||||
for _, obj := range result.Items {
|
||||
templateRole := obj.(*rbacv1.Role)
|
||||
templateRoles[templateRole.Name] = templateRole
|
||||
}
|
||||
}
|
||||
|
||||
response.WriteEntity(result.Items)
|
||||
results := make([]*rbacv1.Role, 0, len(templateRoles))
|
||||
for _, value := range templateRoles {
|
||||
results = append(results, value)
|
||||
}
|
||||
|
||||
response.WriteEntity(results)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -175,8 +197,13 @@ func (h *iamHandler) RetrieveMemberRoleTemplates(request *restful.Request, respo
|
||||
return
|
||||
}
|
||||
|
||||
role, err := h.am.GetNamespaceRoleOfUser(username, namespace)
|
||||
user, err := h.im.DescribeUser(username)
|
||||
if err != nil {
|
||||
api.HandleInternalError(response, request, err)
|
||||
return
|
||||
}
|
||||
|
||||
roles, err := h.am.GetNamespaceRoleOfUser(username, user.Spec.Groups, namespace)
|
||||
if err != nil {
|
||||
// if role binding not exist return empty list
|
||||
if errors.IsNotFound(err) {
|
||||
@@ -187,19 +214,33 @@ func (h *iamHandler) RetrieveMemberRoleTemplates(request *restful.Request, respo
|
||||
return
|
||||
}
|
||||
|
||||
result, err := h.am.ListRoles(namespace, &query.Query{
|
||||
Pagination: query.NoPagination,
|
||||
SortBy: "",
|
||||
Ascending: false,
|
||||
Filters: map[query.Field]query.Value{iamv1alpha2.AggregateTo: query.Value(role.Name)},
|
||||
})
|
||||
templateRoles := make(map[string]*rbacv1.Role)
|
||||
for _, role := range roles {
|
||||
// merge template Role
|
||||
result, err := h.am.ListRoles(namespace, &query.Query{
|
||||
Pagination: query.NoPagination,
|
||||
SortBy: "",
|
||||
Ascending: false,
|
||||
Filters: map[query.Field]query.Value{iamv1alpha2.AggregateTo: query.Value(role.Name)},
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
api.HandleInternalError(response, request, err)
|
||||
return
|
||||
if err != nil {
|
||||
api.HandleInternalError(response, request, err)
|
||||
return
|
||||
}
|
||||
|
||||
for _, obj := range result.Items {
|
||||
templateRole := obj.(*rbacv1.Role)
|
||||
templateRoles[templateRole.Name] = templateRole
|
||||
}
|
||||
}
|
||||
|
||||
response.WriteEntity(result.Items)
|
||||
results := make([]*rbacv1.Role, 0, len(templateRoles))
|
||||
for _, value := range templateRoles {
|
||||
results = append(results, value)
|
||||
}
|
||||
|
||||
response.WriteEntity(results)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
@@ -18,6 +18,7 @@ package am
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
rbacv1 "k8s.io/api/rbac/v1"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
@@ -33,21 +34,22 @@ import (
|
||||
kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned"
|
||||
"kubesphere.io/kubesphere/pkg/informers"
|
||||
resourcev1alpha3 "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/resource"
|
||||
"kubesphere.io/kubesphere/pkg/utils/sliceutil"
|
||||
)
|
||||
|
||||
type AccessManagementInterface interface {
|
||||
GetGlobalRoleOfUser(username string) (*iamv1alpha2.GlobalRole, error)
|
||||
GetWorkspaceRoleOfUser(username, workspace string) (*iamv1alpha2.WorkspaceRole, error)
|
||||
GetWorkspaceRoleOfUser(username string, groups []string, workspace string) ([]*iamv1alpha2.WorkspaceRole, error)
|
||||
GetClusterRoleOfUser(username string) (*rbacv1.ClusterRole, error)
|
||||
GetNamespaceRoleOfUser(username, namespace string) (*rbacv1.Role, error)
|
||||
GetNamespaceRoleOfUser(username string, groups []string, namespace string) ([]*rbacv1.Role, error)
|
||||
ListRoles(namespace string, query *query.Query) (*api.ListResult, error)
|
||||
ListClusterRoles(query *query.Query) (*api.ListResult, error)
|
||||
ListWorkspaceRoles(query *query.Query) (*api.ListResult, error)
|
||||
ListGlobalRoles(query *query.Query) (*api.ListResult, error)
|
||||
ListGlobalRoleBindings(username string) ([]*iamv1alpha2.GlobalRoleBinding, error)
|
||||
ListClusterRoleBindings(username string) ([]*rbacv1.ClusterRoleBinding, error)
|
||||
ListWorkspaceRoleBindings(username, workspace string) ([]*iamv1alpha2.WorkspaceRoleBinding, error)
|
||||
ListRoleBindings(username, namespace string) ([]*rbacv1.RoleBinding, error)
|
||||
ListWorkspaceRoleBindings(username string, groups []string, workspace string) ([]*iamv1alpha2.WorkspaceRoleBinding, error)
|
||||
ListRoleBindings(username string, groups []string, namespace string) ([]*rbacv1.RoleBinding, error)
|
||||
GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) (string, []rbacv1.PolicyRule, error)
|
||||
GetGlobalRole(globalRole string) (*iamv1alpha2.GlobalRole, error)
|
||||
GetWorkspaceRole(workspace string, name string) (*iamv1alpha2.WorkspaceRole, error)
|
||||
@@ -124,9 +126,9 @@ func (am *amOperator) GetGlobalRoleOfUser(username string) (*iamv1alpha2.GlobalR
|
||||
return nil, err
|
||||
}
|
||||
|
||||
func (am *amOperator) GetWorkspaceRoleOfUser(username, workspace string) (*iamv1alpha2.WorkspaceRole, error) {
|
||||
func (am *amOperator) GetWorkspaceRoleOfUser(username string, groups []string, workspace string) ([]*iamv1alpha2.WorkspaceRole, error) {
|
||||
|
||||
userRoleBindings, err := am.ListWorkspaceRoleBindings(username, workspace)
|
||||
userRoleBindings, err := am.ListWorkspaceRoleBindings(username, groups, workspace)
|
||||
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
@@ -134,23 +136,29 @@ func (am *amOperator) GetWorkspaceRoleOfUser(username, workspace string) (*iamv1
|
||||
}
|
||||
|
||||
if len(userRoleBindings) > 0 {
|
||||
role, err := am.GetWorkspaceRole(workspace, userRoleBindings[0].RoleRef.Name)
|
||||
roles := make([]*iamv1alpha2.WorkspaceRole, len(userRoleBindings))
|
||||
for i, roleBinding := range userRoleBindings {
|
||||
role, err := am.GetWorkspaceRole(workspace, roleBinding.RoleRef.Name)
|
||||
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
out := role.DeepCopy()
|
||||
if out.Annotations == nil {
|
||||
out.Annotations = make(map[string]string, 0)
|
||||
}
|
||||
out.Annotations[iamv1alpha2.WorkspaceRoleAnnotation] = role.Name
|
||||
|
||||
roles[i] = out
|
||||
}
|
||||
|
||||
if len(userRoleBindings) > 1 {
|
||||
klog.Warningf("conflict workspace role binding, username: %s", username)
|
||||
klog.Infof("conflict workspace role binding, username: %s", username)
|
||||
}
|
||||
|
||||
out := role.DeepCopy()
|
||||
if out.Annotations == nil {
|
||||
out.Annotations = make(map[string]string, 0)
|
||||
}
|
||||
out.Annotations[iamv1alpha2.WorkspaceRoleAnnotation] = role.Name
|
||||
return out, nil
|
||||
return roles, nil
|
||||
}
|
||||
|
||||
err = errors.NewNotFound(iamv1alpha2.Resource(iamv1alpha2.ResourcesSingularWorkspaceRoleBinding), username)
|
||||
@@ -158,8 +166,9 @@ func (am *amOperator) GetWorkspaceRoleOfUser(username, workspace string) (*iamv1
|
||||
return nil, err
|
||||
}
|
||||
|
||||
func (am *amOperator) GetNamespaceRoleOfUser(username, namespace string) (*rbacv1.Role, error) {
|
||||
userRoleBindings, err := am.ListRoleBindings(username, namespace)
|
||||
func (am *amOperator) GetNamespaceRoleOfUser(username string, groups []string, namespace string) ([]*rbacv1.Role, error) {
|
||||
|
||||
userRoleBindings, err := am.ListRoleBindings(username, groups, namespace)
|
||||
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
@@ -167,21 +176,27 @@ func (am *amOperator) GetNamespaceRoleOfUser(username, namespace string) (*rbacv
|
||||
}
|
||||
|
||||
if len(userRoleBindings) > 0 {
|
||||
role, err := am.GetNamespaceRole(namespace, userRoleBindings[0].RoleRef.Name)
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
if len(userRoleBindings) > 1 {
|
||||
klog.Warningf("conflict role binding, username: %s", username)
|
||||
roles := make([]*rbacv1.Role, len(userRoleBindings))
|
||||
for i, roleBinding := range userRoleBindings {
|
||||
role, err := am.GetNamespaceRole(namespace, roleBinding.RoleRef.Name)
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
out := role.DeepCopy()
|
||||
if out.Annotations == nil {
|
||||
out.Annotations = make(map[string]string, 0)
|
||||
}
|
||||
out.Annotations[iamv1alpha2.RoleAnnotation] = role.Name
|
||||
|
||||
roles[i] = out
|
||||
}
|
||||
|
||||
out := role.DeepCopy()
|
||||
if out.Annotations == nil {
|
||||
out.Annotations = make(map[string]string, 0)
|
||||
if len(userRoleBindings) > 1 {
|
||||
klog.Infof("conflict role binding, username: %s", username)
|
||||
}
|
||||
out.Annotations[iamv1alpha2.RoleAnnotation] = role.Name
|
||||
return out, nil
|
||||
return roles, nil
|
||||
}
|
||||
|
||||
err = errors.NewNotFound(iamv1alpha2.Resource(iamv1alpha2.ResourcesSingularRoleBinding), username)
|
||||
@@ -221,7 +236,7 @@ func (am *amOperator) GetClusterRoleOfUser(username string) (*rbacv1.ClusterRole
|
||||
return nil, err
|
||||
}
|
||||
|
||||
func (am *amOperator) ListWorkspaceRoleBindings(username, workspace string) ([]*iamv1alpha2.WorkspaceRoleBinding, error) {
|
||||
func (am *amOperator) ListWorkspaceRoleBindings(username string, groups []string, workspace string) ([]*iamv1alpha2.WorkspaceRoleBinding, error) {
|
||||
roleBindings, err := am.resourceGetter.List(iamv1alpha2.ResourcesPluralWorkspaceRoleBinding, "", query.New())
|
||||
|
||||
if err != nil {
|
||||
@@ -233,7 +248,7 @@ func (am *amOperator) ListWorkspaceRoleBindings(username, workspace string) ([]*
|
||||
for _, obj := range roleBindings.Items {
|
||||
roleBinding := obj.(*iamv1alpha2.WorkspaceRoleBinding)
|
||||
inSpecifiedWorkspace := workspace == "" || roleBinding.Labels[tenantv1alpha1.WorkspaceLabel] == workspace
|
||||
if contains(roleBinding.Subjects, username) && inSpecifiedWorkspace {
|
||||
if contains(roleBinding.Subjects, username, groups) && inSpecifiedWorkspace {
|
||||
result = append(result, roleBinding)
|
||||
}
|
||||
}
|
||||
@@ -252,7 +267,7 @@ func (am *amOperator) ListClusterRoleBindings(username string) ([]*rbacv1.Cluste
|
||||
result := make([]*rbacv1.ClusterRoleBinding, 0)
|
||||
for _, obj := range roleBindings.Items {
|
||||
roleBinding := obj.(*rbacv1.ClusterRoleBinding)
|
||||
if contains(roleBinding.Subjects, username) {
|
||||
if contains(roleBinding.Subjects, username, nil) {
|
||||
result = append(result, roleBinding)
|
||||
}
|
||||
}
|
||||
@@ -271,7 +286,7 @@ func (am *amOperator) ListGlobalRoleBindings(username string) ([]*iamv1alpha2.Gl
|
||||
|
||||
for _, obj := range roleBindings.Items {
|
||||
roleBinding := obj.(*iamv1alpha2.GlobalRoleBinding)
|
||||
if contains(roleBinding.Subjects, username) {
|
||||
if contains(roleBinding.Subjects, username, nil) {
|
||||
result = append(result, roleBinding)
|
||||
}
|
||||
}
|
||||
@@ -279,7 +294,7 @@ func (am *amOperator) ListGlobalRoleBindings(username string) ([]*iamv1alpha2.Gl
|
||||
return result, nil
|
||||
}
|
||||
|
||||
func (am *amOperator) ListRoleBindings(username, namespace string) ([]*rbacv1.RoleBinding, error) {
|
||||
func (am *amOperator) ListRoleBindings(username string, groups []string, namespace string) ([]*rbacv1.RoleBinding, error) {
|
||||
roleBindings, err := am.resourceGetter.List(iamv1alpha2.ResourcesPluralRoleBinding, namespace, query.New())
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
@@ -289,14 +304,14 @@ func (am *amOperator) ListRoleBindings(username, namespace string) ([]*rbacv1.Ro
|
||||
result := make([]*rbacv1.RoleBinding, 0)
|
||||
for _, obj := range roleBindings.Items {
|
||||
roleBinding := obj.(*rbacv1.RoleBinding)
|
||||
if contains(roleBinding.Subjects, username) {
|
||||
if contains(roleBinding.Subjects, username, groups) {
|
||||
result = append(result, roleBinding)
|
||||
}
|
||||
}
|
||||
return result, nil
|
||||
}
|
||||
|
||||
func contains(subjects []rbacv1.Subject, username string) bool {
|
||||
func contains(subjects []rbacv1.Subject, username string, groups []string) bool {
|
||||
// if username is nil means list all role bindings
|
||||
if username == "" {
|
||||
return true
|
||||
@@ -305,6 +320,9 @@ func contains(subjects []rbacv1.Subject, username string) bool {
|
||||
if subject.Kind == rbacv1.UserKind && subject.Name == username {
|
||||
return true
|
||||
}
|
||||
if subject.Kind == rbacv1.GroupKind && sliceutil.HasString(groups, subject.Name) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
@@ -557,7 +575,7 @@ func (am *amOperator) CreateWorkspaceRoleBinding(username string, workspace stri
|
||||
return err
|
||||
}
|
||||
|
||||
roleBindings, err := am.ListWorkspaceRoleBindings(username, workspace)
|
||||
roleBindings, err := am.ListWorkspaceRoleBindings(username, nil, workspace)
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
return err
|
||||
@@ -666,7 +684,8 @@ func (am *amOperator) CreateNamespaceRoleBinding(username string, namespace stri
|
||||
return err
|
||||
}
|
||||
|
||||
roleBindings, err := am.ListRoleBindings(username, namespace)
|
||||
// Don't pass user's groups.
|
||||
roleBindings, err := am.ListRoleBindings(username, nil, namespace)
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
return err
|
||||
@@ -714,7 +733,7 @@ func (am *amOperator) CreateNamespaceRoleBinding(username string, namespace stri
|
||||
|
||||
func (am *amOperator) RemoveUserFromWorkspace(username string, workspace string) error {
|
||||
|
||||
roleBindings, err := am.ListWorkspaceRoleBindings(username, workspace)
|
||||
roleBindings, err := am.ListWorkspaceRoleBindings(username, nil, workspace)
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
return err
|
||||
@@ -736,7 +755,7 @@ func (am *amOperator) RemoveUserFromWorkspace(username string, workspace string)
|
||||
|
||||
func (am *amOperator) RemoveUserFromNamespace(username string, namespace string) error {
|
||||
|
||||
roleBindings, err := am.ListRoleBindings(username, namespace)
|
||||
roleBindings, err := am.ListRoleBindings(username, nil, namespace)
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
return err
|
||||
|
||||
@@ -20,6 +20,8 @@ package im
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net/mail"
|
||||
|
||||
"github.com/go-ldap/ldap"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
"k8s.io/apimachinery/pkg/labels"
|
||||
@@ -32,7 +34,6 @@ import (
|
||||
kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned"
|
||||
iamv1alpha2listers "kubesphere.io/kubesphere/pkg/client/listers/iam/v1alpha2"
|
||||
"kubesphere.io/kubesphere/pkg/constants"
|
||||
"net/mail"
|
||||
)
|
||||
|
||||
var (
|
||||
@@ -131,8 +132,9 @@ func (im *passwordAuthenticator) Authenticate(username, password string) (authus
|
||||
|
||||
if checkPasswordHash(password, user.Spec.EncryptedPassword) {
|
||||
return &authuser.DefaultInfo{
|
||||
Name: user.Name,
|
||||
UID: string(user.UID),
|
||||
Name: user.Name,
|
||||
UID: string(user.UID),
|
||||
Groups: user.Spec.Groups,
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
||||
@@ -18,6 +18,7 @@ package tenant
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
@@ -66,7 +67,7 @@ func (t *tenantOperator) ListDevOpsProjects(user user.Info, workspace string, qu
|
||||
return result, nil
|
||||
}
|
||||
|
||||
roleBindings, err := t.am.ListRoleBindings(user.GetName(), "")
|
||||
roleBindings, err := t.am.ListRoleBindings(user.GetName(), user.GetGroups(), "")
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
|
||||
@@ -20,6 +20,9 @@ import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
@@ -53,8 +56,6 @@ import (
|
||||
eventsclient "kubesphere.io/kubesphere/pkg/simple/client/events"
|
||||
loggingclient "kubesphere.io/kubesphere/pkg/simple/client/logging"
|
||||
"kubesphere.io/kubesphere/pkg/utils/stringutils"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
type Interface interface {
|
||||
@@ -134,7 +135,7 @@ func (t *tenantOperator) ListWorkspaces(user user.Info, queryParam *query.Query)
|
||||
}
|
||||
|
||||
// retrieving associated resources through role binding
|
||||
workspaceRoleBindings, err := t.am.ListWorkspaceRoleBindings(user.GetName(), "")
|
||||
workspaceRoleBindings, err := t.am.ListWorkspaceRoleBindings(user.GetName(), user.GetGroups(), "")
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
@@ -205,7 +206,7 @@ func (t *tenantOperator) ListFederatedNamespaces(user user.Info, workspace strin
|
||||
}
|
||||
|
||||
// retrieving associated resources through role binding
|
||||
roleBindings, err := t.am.ListRoleBindings(user.GetName(), "")
|
||||
roleBindings, err := t.am.ListRoleBindings(user.GetName(), user.GetGroups(), "")
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
@@ -273,7 +274,7 @@ func (t *tenantOperator) ListNamespaces(user user.Info, workspace string, queryP
|
||||
}
|
||||
|
||||
// retrieving associated resources through role binding
|
||||
roleBindings, err := t.am.ListRoleBindings(user.GetName(), "")
|
||||
roleBindings, err := t.am.ListRoleBindings(user.GetName(), user.GetGroups(), "")
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
@@ -472,7 +473,7 @@ func (t *tenantOperator) ListClusters(user user.Info) (*api.ListResult, error) {
|
||||
return result, nil
|
||||
}
|
||||
|
||||
workspaceRoleBindings, err := t.am.ListWorkspaceRoleBindings(user.GetName(), "")
|
||||
workspaceRoleBindings, err := t.am.ListWorkspaceRoleBindings(user.GetName(), user.GetGroups(), "")
|
||||
|
||||
if err != nil {
|
||||
klog.Error(err)
|
||||
|
||||
Reference in New Issue
Block a user