diff --git a/pkg/apiserver/apiserver.go b/pkg/apiserver/apiserver.go index 141482110..ec45754c1 100644 --- a/pkg/apiserver/apiserver.go +++ b/pkg/apiserver/apiserver.go @@ -20,6 +20,10 @@ import ( "bytes" "context" "fmt" + "net/http" + rt "runtime" + "time" + "github.com/emicklei/go-restful" "k8s.io/apimachinery/pkg/runtime/schema" urlruntime "k8s.io/apimachinery/pkg/util/runtime" @@ -77,9 +81,6 @@ import ( "kubesphere.io/kubesphere/pkg/simple/client/s3" "kubesphere.io/kubesphere/pkg/simple/client/sonarqube" utilnet "kubesphere.io/kubesphere/pkg/utils/net" - "net/http" - rt "runtime" - "time" ) const ( @@ -290,7 +291,7 @@ func (s *APIServer) buildHandlerChain(stopCh <-chan struct{}) { // authenticators are unordered authn := unionauth.New(anonymous.NewAuthenticator(), basictoken.New(basic.NewBasicAuthenticator(im.NewPasswordAuthenticator(s.KubernetesClient.KubeSphere(), s.InformerFactory.KubeSphereSharedInformerFactory().Iam().V1alpha2().Users().Lister(), s.Config.AuthenticationOptions))), - bearertoken.New(jwttoken.NewTokenAuthenticator(im.NewTokenOperator(s.CacheClient, s.Config.AuthenticationOptions)))) + bearertoken.New(jwttoken.NewTokenAuthenticator(im.NewTokenOperator(s.CacheClient, s.Config.AuthenticationOptions), s.InformerFactory.KubeSphereSharedInformerFactory().Iam().V1alpha2().Users().Lister()))) handler = filters.WithAuthentication(handler, authn, loginRecorder) handler = filters.WithRequestInfo(handler, requestInfoResolver) s.Server.Handler = handler 
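Review bot: The user lister is built twice inside the same `unionauth.New` call in buildHandlerChain, once for `im.NewPasswordAuthenticator` and again, on the changed line, for `jwttoken.NewTokenAuthenticator`, each time through the full `s.InformerFactory.KubeSphereSharedInformerFactory().Iam().V1alpha2().Users().Lister()` chain. Hoisting it into a local before the call, `userLister := s.InformerFactory.KubeSphereSharedInformerFactory().Iam().V1alpha2().Users().Lister()`, and passing `userLister` to both authenticators makes it visible that password and token authentication resolve users from the same informer cache. buildHandlerChain starts and ends outside the hunk.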
@@ -378,6 +379,8 @@ func (s *APIServer) waitForResourceSync(stopCh <-chan struct{}) error { {Group: "iam.kubesphere.io", Version: "v1alpha2", Resource: "workspaceroles"}, {Group: "iam.kubesphere.io", Version: "v1alpha2", Resource: "workspacerolebindings"}, {Group: "iam.kubesphere.io", Version: "v1alpha2", Resource: "loginrecords"}, + {Group: "iam.kubesphere.io", Version: "v1alpha2", Resource: "groups"}, + {Group: "iam.kubesphere.io", Version: "v1alpha2", Resource: "groupbindings"}, {Group: "cluster.kubesphere.io", Version: "v1alpha1", Resource: "clusters"}, {Group: "devops.kubesphere.io", Version: "v1alpha3", Resource: "devopsprojects"}, } diff --git a/pkg/apiserver/authentication/authenticators/basic/basic.go b/pkg/apiserver/authentication/authenticators/basic/basic.go index 2ad09dc43..7f40efc2d 100644 --- a/pkg/apiserver/authentication/authenticators/basic/basic.go +++ b/pkg/apiserver/authentication/authenticators/basic/basic.go @@ -18,6 +18,7 @@ package basic import ( "context" + "k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/user" "kubesphere.io/kubesphere/pkg/models/iam/im" @@ -50,7 +51,7 @@ func (t *basicAuthenticator) AuthenticatePassword(ctx context.Context, username, User: &user.DefaultInfo{ Name: providedUser.GetName(), UID: providedUser.GetUID(), - Groups: []string{user.AllAuthenticated}, + Groups: append(providedUser.GetGroups(), user.AllAuthenticated), }, }, true, nil } diff --git a/pkg/apiserver/authentication/authenticators/jwttoken/jwt_token.go b/pkg/apiserver/authentication/authenticators/jwttoken/jwt_token.go index fdc827bdf..a75734fd7 100644 --- a/pkg/apiserver/authentication/authenticators/jwttoken/jwt_token.go +++ b/pkg/apiserver/authentication/authenticators/jwttoken/jwt_token.go 
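Review bot: `Groups: append(providedUser.GetGroups(), user.AllAuthenticated)` in AuthenticatePassword can write `system:authenticated` into the backing array of the slice returned by GetGroups() whenever that slice has spare capacity; the authenticator.go hunk in this commit fills that slice with `user.Spec.Groups` of a User object, and if that object comes from the informer cache the extra group leaks into the cached User and every other reader of it. Copy before appending, e.g. `groups := append([]string(nil), providedUser.GetGroups()...)` and then `Groups: append(groups, user.AllAuthenticated)`. The jwt_token.go hunk has the same construction, `append(dbUser.Spec.Groups, user.AllAuthenticated)`, where dbUser is taken directly from the lister, so the copy is needed there too. AuthenticatePassword starts outside the hunk.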
@@ -18,9 +18,11 @@ package jwttoken import ( "context" + "k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/user" "k8s.io/klog" + iamv1alpha2listers "kubesphere.io/kubesphere/pkg/client/listers/iam/v1alpha2" "kubesphere.io/kubesphere/pkg/models/iam/im" ) @@ -31,11 +33,13 @@ import ( // because some resources are public accessible. type tokenAuthenticator struct { tokenOperator im.TokenManagementInterface + userLister iamv1alpha2listers.UserLister } -func NewTokenAuthenticator(tokenOperator im.TokenManagementInterface) authenticator.Token { +func NewTokenAuthenticator(tokenOperator im.TokenManagementInterface, userLister iamv1alpha2listers.UserLister) authenticator.Token { return &tokenAuthenticator{ tokenOperator: tokenOperator, + userLister: userLister, } } @@ -46,11 +50,16 @@ func (t *tokenAuthenticator) AuthenticateToken(ctx context.Context, token string return nil, false, err } + dbUser, err := t.userLister.Get(providedUser.GetName()) + if err != nil { + return nil, false, err + } + return &authenticator.Response{ User: &user.DefaultInfo{ Name: providedUser.GetName(), UID: providedUser.GetUID(), - Groups: []string{user.AllAuthenticated}, + Groups: append(dbUser.Spec.Groups, user.AllAuthenticated), }, }, true, nil } diff --git a/pkg/apiserver/authorization/authorizerfactory/rbac.go b/pkg/apiserver/authorization/authorizerfactory/rbac.go index 9d7bbabff..b845136bb 100644 --- a/pkg/apiserver/authorization/authorizerfactory/rbac.go +++ b/pkg/apiserver/authorization/authorizerfactory/rbac.go @@ -22,6 +22,7 @@ import ( "bytes" "context" "fmt" + "github.com/open-policy-agent/opa/rego" "k8s.io/apiserver/pkg/authentication/serviceaccount" iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2" 
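Review bot: The new `userLister` field and the second lookup in AuthenticateToken are undocumented, and the struct comment above the hunk only explains the anonymous-access behaviour. Add on the field `// userLister resolves the token subject to its User object so the response carries the user's current Spec.Groups rather than the groups known when the token was issued.` and above the `t.userLister.Get` call `// a token whose User object no longer exists is rejected here`. The hunk returns the raw lister error for that case; whether a missing user should be an error or a plain "not authenticated" (nil, false, nil) result is not decided by this change and is worth stating in the comment. AuthenticateToken's body begins outside the hunk.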
@@ -259,7 +260,7 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes, workspace = requestAttributes.GetWorkspace() } - if workspaceRoleBindings, err := r.am.ListWorkspaceRoleBindings("", workspace); err != nil { + if workspaceRoleBindings, err := r.am.ListWorkspaceRoleBindings("", nil, workspace); err != nil { if !visitor(nil, "", nil, err) { return } @@ -304,7 +305,7 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes, } } - if roleBindings, err := r.am.ListRoleBindings("", namespace); err != nil { + if roleBindings, err := r.am.ListRoleBindings("", nil, namespace); err != nil { if !visitor(nil, "", nil, err) { return } diff --git a/pkg/kapis/iam/v1alpha2/handler.go b/pkg/kapis/iam/v1alpha2/handler.go index 8f18a69ba..d4cde88d1 100644 --- a/pkg/kapis/iam/v1alpha2/handler.go +++ b/pkg/kapis/iam/v1alpha2/handler.go @@ -18,6 +18,8 @@ package v1alpha2 import ( "fmt" + "strings" + "github.com/emicklei/go-restful" rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/api/errors" @@ -34,7 +36,6 @@ import ( "kubesphere.io/kubesphere/pkg/models/iam/am" "kubesphere.io/kubesphere/pkg/models/iam/im" servererr "kubesphere.io/kubesphere/pkg/server/errors" - "strings" ) type iamHandler struct { @@ -141,7 +142,14 @@ func (h *iamHandler) RetrieveMemberRoleTemplates(request *restful.Request, respo if strings.HasSuffix(request.Request.URL.Path, iamv1alpha2.ResourcesPluralWorkspaceRole) { workspace := request.PathParameter("workspace") username := request.PathParameter("workspacemember") - workspaceRole, err := h.am.GetWorkspaceRoleOfUser(username, workspace) + + user, err := h.im.DescribeUser(username) + if err != nil { + api.HandleInternalError(response, request, err) + return + } + + workspaceRoles, err := h.am.GetWorkspaceRoleOfUser(username, user.Spec.Groups, workspace) if err != nil { // if role binding not exist return empty list if errors.IsNotFound(err) { 
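Review bot: Passing `nil` groups in visitRulesFor is correct only because the username is `""`, which per `contains` in am.go lists every binding; it would be worth a comment at both call sites, e.g. `// username "" lists all bindings, so groups are irrelevant here`. Group-kind subjects in those bindings only grant anything if the visitor's subject matching also compares the request user's groups, which this hunk does not show. visitRulesFor starts and ends outside the hunk.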
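Review bot: `h.im.DescribeUser(username)` in RetrieveMemberRoleTemplates maps every error, including a missing user, to `api.HandleInternalError`, while the existing `errors.IsNotFound(err)` branch a few lines below already turns a missing role binding into an empty list; an unknown workspace member now yields a 500 where it previously fell through to that branch. Check `errors.IsNotFound(err)` on the DescribeUser error first and take the same not-found path before falling back to HandleInternalError. The second DescribeUser call in the namespace branch of this function, in the following hunk, has the same gap. RetrieveMemberRoleTemplates starts and ends outside the hunk.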
@@ -151,19 +159,33 @@ func (h *iamHandler) RetrieveMemberRoleTemplates(request *restful.Request, respo api.HandleInternalError(response, request, err) return } + templateRoles := make(map[string]*rbacv1.Role) + for _, role := range workspaceRoles { + // merge template Role + result, err := h.am.ListWorkspaceRoles(&query.Query{ + Pagination: query.NoPagination, + SortBy: "", + Ascending: false, + Filters: map[query.Field]query.Value{iamv1alpha2.AggregateTo: query.Value(role.Name)}, + }) - result, err := h.am.ListWorkspaceRoles(&query.Query{ - Pagination: query.NoPagination, - SortBy: "", - Ascending: false, - Filters: map[query.Field]query.Value{iamv1alpha2.AggregateTo: query.Value(workspaceRole.Name)}, - }) - if err != nil { - api.HandleInternalError(response, request, err) - return + if err != nil { + api.HandleInternalError(response, request, err) + return + } + + for _, obj := range result.Items { + templateRole := obj.(*rbacv1.Role) + templateRoles[templateRole.Name] = templateRole + } } - response.WriteEntity(result.Items) + results := make([]*rbacv1.Role, 0, len(templateRoles)) + for _, value := range templateRoles { + results = append(results, value) + } + + response.WriteEntity(results) return } @@ -175,8 +197,13 @@ func (h *iamHandler) RetrieveMemberRoleTemplates(request *restful.Request, respo return } - role, err := h.am.GetNamespaceRoleOfUser(username, namespace) + user, err := h.im.DescribeUser(username) + if err != nil { + api.HandleInternalError(response, request, err) + return + } + roles, err := h.am.GetNamespaceRoleOfUser(username, user.Spec.Groups, namespace) if err != nil { // if role binding not exist return empty list if errors.IsNotFound(err) { 
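Review bot: `results` is filled by ranging over the `templateRoles` map, so the order of the merged template roles in the response changes from request to request; clients that compare or page through this list will see churn. Sort before writing, e.g. `sort.Slice(results, func(i, j int) bool { return results[i].Name < results[j].Name })`, importing `sort`. The namespace branch in the following hunk builds `results` the same way and needs the same sort. The loop body is otherwise a copy of the workspace branch, so a small helper that merges `result.Items` into a `map[string]*rbacv1.Role` would remove the duplication. RetrieveMemberRoleTemplates continues outside the hunk.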
@@ -187,19 +214,33 @@ func (h *iamHandler) RetrieveMemberRoleTemplates(request *restful.Request, respo return } - result, err := h.am.ListRoles(namespace, &query.Query{ - Pagination: query.NoPagination, - SortBy: "", - Ascending: false, - Filters: map[query.Field]query.Value{iamv1alpha2.AggregateTo: query.Value(role.Name)}, - }) + templateRoles := make(map[string]*rbacv1.Role) + for _, role := range roles { + // merge template Role + result, err := h.am.ListRoles(namespace, &query.Query{ + Pagination: query.NoPagination, + SortBy: "", + Ascending: false, + Filters: map[query.Field]query.Value{iamv1alpha2.AggregateTo: query.Value(role.Name)}, + }) - if err != nil { - api.HandleInternalError(response, request, err) - return + if err != nil { + api.HandleInternalError(response, request, err) + return + } + + for _, obj := range result.Items { + templateRole := obj.(*rbacv1.Role) + templateRoles[templateRole.Name] = templateRole + } } - response.WriteEntity(result.Items) + results := make([]*rbacv1.Role, 0, len(templateRoles)) + for _, value := range templateRoles { + results = append(results, value) + } + + response.WriteEntity(results) return } } diff --git a/pkg/models/iam/am/am.go b/pkg/models/iam/am/am.go index 2a78981d2..4ad733ee2 100644 --- a/pkg/models/iam/am/am.go +++ b/pkg/models/iam/am/am.go @@ -18,6 +18,7 @@ package am import ( "encoding/json" "fmt" + corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" "k8s.io/apimachinery/pkg/api/errors" 
@@ -33,21 +34,22 @@ import ( kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned" "kubesphere.io/kubesphere/pkg/informers" resourcev1alpha3 "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/resource" + "kubesphere.io/kubesphere/pkg/utils/sliceutil" ) type AccessManagementInterface interface { GetGlobalRoleOfUser(username string) (*iamv1alpha2.GlobalRole, error) - GetWorkspaceRoleOfUser(username, workspace string) (*iamv1alpha2.WorkspaceRole, error) + GetWorkspaceRoleOfUser(username string, groups []string, workspace string) ([]*iamv1alpha2.WorkspaceRole, error) GetClusterRoleOfUser(username string) (*rbacv1.ClusterRole, error) - GetNamespaceRoleOfUser(username, namespace string) (*rbacv1.Role, error) + GetNamespaceRoleOfUser(username string, groups []string, namespace string) ([]*rbacv1.Role, error) ListRoles(namespace string, query *query.Query) (*api.ListResult, error) ListClusterRoles(query *query.Query) (*api.ListResult, error) ListWorkspaceRoles(query *query.Query) (*api.ListResult, error) ListGlobalRoles(query *query.Query) (*api.ListResult, error) ListGlobalRoleBindings(username string) ([]*iamv1alpha2.GlobalRoleBinding, error) ListClusterRoleBindings(username string) ([]*rbacv1.ClusterRoleBinding, error) - ListWorkspaceRoleBindings(username, workspace string) ([]*iamv1alpha2.WorkspaceRoleBinding, error) - ListRoleBindings(username, namespace string) ([]*rbacv1.RoleBinding, error) + ListWorkspaceRoleBindings(username string, groups []string, workspace string) ([]*iamv1alpha2.WorkspaceRoleBinding, error) + ListRoleBindings(username string, groups []string, namespace string) ([]*rbacv1.RoleBinding, error) GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) (string, []rbacv1.PolicyRule, error) GetGlobalRole(globalRole string) (*iamv1alpha2.GlobalRole, error) GetWorkspaceRole(workspace string, name string) (*iamv1alpha2.WorkspaceRole, error) 
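Review bot: The four signatures that gained a `groups []string` parameter carry no doc comments, and their conventions are only discoverable from `contains` further down in this file (an empty `username` lists every binding; `nil` groups match no Group-kind subject). Add a comment on each, e.g. `// GetWorkspaceRoleOfUser returns the workspace roles bound to username directly or through any of groups; an empty username matches every binding and nil groups matches only User-kind subjects.` with the equivalent wording for GetNamespaceRoleOfUser, ListWorkspaceRoleBindings and ListRoleBindings. The interface continues past the hunk.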
@@ -124,9 +126,9 @@ func (am *amOperator) GetGlobalRoleOfUser(username string) (*iamv1alpha2.GlobalR return nil, err } -func (am *amOperator) GetWorkspaceRoleOfUser(username, workspace string) (*iamv1alpha2.WorkspaceRole, error) { +func (am *amOperator) GetWorkspaceRoleOfUser(username string, groups []string, workspace string) ([]*iamv1alpha2.WorkspaceRole, error) { - userRoleBindings, err := am.ListWorkspaceRoleBindings(username, workspace) + userRoleBindings, err := am.ListWorkspaceRoleBindings(username, groups, workspace) if err != nil { klog.Error(err) @@ -134,23 +136,29 @@ func (am *amOperator) GetWorkspaceRoleOfUser(username, workspace string) (*iamv1 } if len(userRoleBindings) > 0 { - role, err := am.GetWorkspaceRole(workspace, userRoleBindings[0].RoleRef.Name) + roles := make([]*iamv1alpha2.WorkspaceRole, len(userRoleBindings)) + for i, roleBinding := range userRoleBindings { + role, err := am.GetWorkspaceRole(workspace, roleBinding.RoleRef.Name) - if err != nil { - klog.Error(err) - return nil, err + if err != nil { + klog.Error(err) + return nil, err + } + + out := role.DeepCopy() + if out.Annotations == nil { + out.Annotations = make(map[string]string, 0) + } + out.Annotations[iamv1alpha2.WorkspaceRoleAnnotation] = role.Name + + roles[i] = out } if len(userRoleBindings) > 1 { - klog.Warningf("conflict workspace role binding, username: %s", username) + klog.Infof("conflict workspace role binding, username: %s", username) } - out := role.DeepCopy() - if out.Annotations == nil { - out.Annotations = make(map[string]string, 0) - } - out.Annotations[iamv1alpha2.WorkspaceRoleAnnotation] = role.Name - return out, nil + return roles, nil } err = errors.NewNotFound(iamv1alpha2.Resource(iamv1alpha2.ResourcesSingularWorkspaceRoleBinding), username) 
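Review bot: The `len(userRoleBindings) > 1` branch still logs "conflict workspace role binding", but now that group-derived bindings are collected and every one of them is returned, several bindings per user is the expected case and the message is misleading at the very moment it is downgraded to Infof. Either drop the branch or reword it, e.g. `klog.V(4).Infof("user %s has %d workspace role bindings", username, len(userRoleBindings))`. GetNamespaceRoleOfUser in the next hunk has the same "conflict role binding" message. GetWorkspaceRoleOfUser starts and ends outside the hunk.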
@@ -158,8 +166,9 @@ func (am *amOperator) GetWorkspaceRoleOfUser(username, workspace string) (*iamv1 return nil, err } -func (am *amOperator) GetNamespaceRoleOfUser(username, namespace string) (*rbacv1.Role, error) { - userRoleBindings, err := am.ListRoleBindings(username, namespace) +func (am *amOperator) GetNamespaceRoleOfUser(username string, groups []string, namespace string) ([]*rbacv1.Role, error) { + + userRoleBindings, err := am.ListRoleBindings(username, groups, namespace) if err != nil { klog.Error(err) @@ -167,21 +176,27 @@ func (am *amOperator) GetNamespaceRoleOfUser(username, namespace string) (*rbacv } if len(userRoleBindings) > 0 { - role, err := am.GetNamespaceRole(namespace, userRoleBindings[0].RoleRef.Name) - if err != nil { - klog.Error(err) - return nil, err - } - if len(userRoleBindings) > 1 { - klog.Warningf("conflict role binding, username: %s", username) + roles := make([]*rbacv1.Role, len(userRoleBindings)) + for i, roleBinding := range userRoleBindings { + role, err := am.GetNamespaceRole(namespace, roleBinding.RoleRef.Name) + if err != nil { + klog.Error(err) + return nil, err + } + + out := role.DeepCopy() + if out.Annotations == nil { + out.Annotations = make(map[string]string, 0) + } + out.Annotations[iamv1alpha2.RoleAnnotation] = role.Name + + roles[i] = out } - out := role.DeepCopy() - if out.Annotations == nil { - out.Annotations = make(map[string]string, 0) + if len(userRoleBindings) > 1 { + klog.Infof("conflict role binding, username: %s", username) } - out.Annotations[iamv1alpha2.RoleAnnotation] = role.Name - return out, nil + return roles, nil } err = errors.NewNotFound(iamv1alpha2.Resource(iamv1alpha2.ResourcesSingularRoleBinding), username) 
@@ -221,7 +236,7 @@ func (am *amOperator) GetClusterRoleOfUser(username string) (*rbacv1.ClusterRole return nil, err } -func (am *amOperator) ListWorkspaceRoleBindings(username, workspace string) ([]*iamv1alpha2.WorkspaceRoleBinding, error) { +func (am *amOperator) ListWorkspaceRoleBindings(username string, groups []string, workspace string) ([]*iamv1alpha2.WorkspaceRoleBinding, error) { roleBindings, err := am.resourceGetter.List(iamv1alpha2.ResourcesPluralWorkspaceRoleBinding, "", query.New()) if err != nil { @@ -233,7 +248,7 @@ func (am *amOperator) ListWorkspaceRoleBindings(username, workspace string) ([]* for _, obj := range roleBindings.Items { roleBinding := obj.(*iamv1alpha2.WorkspaceRoleBinding) inSpecifiedWorkspace := workspace == "" || roleBinding.Labels[tenantv1alpha1.WorkspaceLabel] == workspace - if contains(roleBinding.Subjects, username) && inSpecifiedWorkspace { + if contains(roleBinding.Subjects, username, groups) && inSpecifiedWorkspace { result = append(result, roleBinding) } } @@ -252,7 +267,7 @@ func (am *amOperator) ListClusterRoleBindings(username string) ([]*rbacv1.Cluste result := make([]*rbacv1.ClusterRoleBinding, 0) for _, obj := range roleBindings.Items { roleBinding := obj.(*rbacv1.ClusterRoleBinding) - if contains(roleBinding.Subjects, username) { + if contains(roleBinding.Subjects, username, nil) { result = append(result, roleBinding) } } @@ -271,7 +286,7 @@ func (am *amOperator) ListGlobalRoleBindings(username string) ([]*iamv1alpha2.Gl for _, obj := range roleBindings.Items { roleBinding := obj.(*iamv1alpha2.GlobalRoleBinding) - if contains(roleBinding.Subjects, username) { + if contains(roleBinding.Subjects, username, nil) { result = append(result, roleBinding) } } 
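Review bot: ListClusterRoleBindings and ListGlobalRoleBindings pass `nil` groups to `contains`, so Group-kind subjects in cluster and global role bindings are never matched, while workspace and namespace bindings now honour them. If that asymmetry is intentional, say so at both call sites, e.g. `// groups are not considered at cluster/global scope`; otherwise these two methods need a groups parameter like ListWorkspaceRoleBindings and ListRoleBindings. ListWorkspaceRoleBindings' body runs past the end of its hunk.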
@@ -279,7 +294,7 @@ func (am *amOperator) ListGlobalRoleBindings(username string) ([]*iamv1alpha2.Gl return result, nil } -func (am *amOperator) ListRoleBindings(username, namespace string) ([]*rbacv1.RoleBinding, error) { +func (am *amOperator) ListRoleBindings(username string, groups []string, namespace string) ([]*rbacv1.RoleBinding, error) { roleBindings, err := am.resourceGetter.List(iamv1alpha2.ResourcesPluralRoleBinding, namespace, query.New()) if err != nil { klog.Error(err) @@ -289,14 +304,14 @@ func (am *amOperator) ListRoleBindings(username, namespace string) ([]*rbacv1.Ro result := make([]*rbacv1.RoleBinding, 0) for _, obj := range roleBindings.Items { roleBinding := obj.(*rbacv1.RoleBinding) - if contains(roleBinding.Subjects, username) { + if contains(roleBinding.Subjects, username, groups) { result = append(result, roleBinding) } } return result, nil } -func contains(subjects []rbacv1.Subject, username string) bool { +func contains(subjects []rbacv1.Subject, username string, groups []string) bool { // if username is nil means list all role bindings if username == "" { return true @@ -305,6 +320,9 @@ func contains(subjects []rbacv1.Subject, username string) bool { if subject.Kind == rbacv1.UserKind && subject.Name == username { return true } + if subject.Kind == rbacv1.GroupKind && sliceutil.HasString(groups, subject.Name) { + return true + } } return false } @@ -557,7 +575,7 @@ func (am *amOperator) CreateWorkspaceRoleBinding(username string, workspace stri return err } - roleBindings, err := am.ListWorkspaceRoleBindings(username, workspace) + roleBindings, err := am.ListWorkspaceRoleBindings(username, nil, workspace) if err != nil { klog.Error(err) return err 
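Review bot: `contains` now matches Group-kind subjects, but its only comment still describes the username case, and every caller relies on the unstated `nil` groups convention. Document it on the function: `// contains reports whether subjects names username (User kind) or one of groups (Group kind); an empty username matches everything and nil groups match no Group subject.` The `ListWorkspaceRoleBindings(username, nil, workspace)` call in CreateWorkspaceRoleBinding lacks the `// Don't pass user's groups.` comment that the parallel CreateNamespaceRoleBinding hunk carries. contains is shown in full; the surrounding functions are cut at the hunk edges.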
@@ -666,7 +684,8 @@ func (am *amOperator) CreateNamespaceRoleBinding(username string, namespace stri return err } - roleBindings, err := am.ListRoleBindings(username, namespace) + // Don't pass user's groups. + roleBindings, err := am.ListRoleBindings(username, nil, namespace) if err != nil { klog.Error(err) return err @@ -714,7 +733,7 @@ func (am *amOperator) CreateNamespaceRoleBinding(username string, namespace stri func (am *amOperator) RemoveUserFromWorkspace(username string, workspace string) error { - roleBindings, err := am.ListWorkspaceRoleBindings(username, workspace) + roleBindings, err := am.ListWorkspaceRoleBindings(username, nil, workspace) if err != nil { klog.Error(err) return err @@ -736,7 +755,7 @@ func (am *amOperator) RemoveUserFromWorkspace(username string, workspace string) func (am *amOperator) RemoveUserFromNamespace(username string, namespace string) error { - roleBindings, err := am.ListRoleBindings(username, namespace) + roleBindings, err := am.ListRoleBindings(username, nil, namespace) if err != nil { klog.Error(err) return err diff --git a/pkg/models/iam/im/authenticator.go b/pkg/models/iam/im/authenticator.go index 8c4e69422..f528bb02b 100644 --- a/pkg/models/iam/im/authenticator.go +++ b/pkg/models/iam/im/authenticator.go @@ -20,6 +20,8 @@ package im import ( "fmt" + "net/mail" + "github.com/go-ldap/ldap" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/labels" @@ -32,7 +34,6 @@ import ( kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned" iamv1alpha2listers "kubesphere.io/kubesphere/pkg/client/listers/iam/v1alpha2" "kubesphere.io/kubesphere/pkg/constants" - "net/mail" ) var ( @@ -131,8 +132,9 @@ func (im *passwordAuthenticator) Authenticate(username, password string) (authus if checkPasswordHash(password, user.Spec.EncryptedPassword) { return &authuser.DefaultInfo{ - Name: user.Name, - UID: string(user.UID), + Name: user.Name, + UID: string(user.UID), + Groups: user.Spec.Groups, }, nil } 
diff --git a/pkg/models/tenant/devops.go b/pkg/models/tenant/devops.go index dc235e7cb..3c3f92a0f 100644 --- a/pkg/models/tenant/devops.go +++ b/pkg/models/tenant/devops.go @@ -18,6 +18,7 @@ package tenant import ( "fmt" + corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/runtime" @@ -66,7 +67,7 @@ func (t *tenantOperator) ListDevOpsProjects(user user.Info, workspace string, qu return result, nil } - roleBindings, err := t.am.ListRoleBindings(user.GetName(), "") + roleBindings, err := t.am.ListRoleBindings(user.GetName(), user.GetGroups(), "") if err != nil { klog.Error(err) return nil, err diff --git a/pkg/models/tenant/tenant.go b/pkg/models/tenant/tenant.go index aaba90f2f..55c5dfd7a 100644 --- a/pkg/models/tenant/tenant.go +++ b/pkg/models/tenant/tenant.go @@ -20,6 +20,9 @@ import ( "encoding/json" "fmt" "io" + "strings" + "time" + corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -53,8 +56,6 @@ import ( eventsclient "kubesphere.io/kubesphere/pkg/simple/client/events" loggingclient "kubesphere.io/kubesphere/pkg/simple/client/logging" "kubesphere.io/kubesphere/pkg/utils/stringutils" - "strings" - "time" ) type Interface interface { @@ -134,7 +135,7 @@ func (t *tenantOperator) ListWorkspaces(user user.Info, queryParam *query.Query) } // retrieving associated resources through role binding - workspaceRoleBindings, err := t.am.ListWorkspaceRoleBindings(user.GetName(), "") + workspaceRoleBindings, err := t.am.ListWorkspaceRoleBindings(user.GetName(), user.GetGroups(), "") if err != nil { klog.Error(err) return nil, err 
@@ -205,7 +206,7 @@ func (t *tenantOperator) ListFederatedNamespaces(user user.Info, workspace strin } // retrieving associated resources through role binding - roleBindings, err := t.am.ListRoleBindings(user.GetName(), "") + roleBindings, err := t.am.ListRoleBindings(user.GetName(), user.GetGroups(), "") if err != nil { klog.Error(err) return nil, err @@ -273,7 +274,7 @@ func (t *tenantOperator) ListNamespaces(user user.Info, workspace string, queryP } // retrieving associated resources through role binding - roleBindings, err := t.am.ListRoleBindings(user.GetName(), "") + roleBindings, err := t.am.ListRoleBindings(user.GetName(), user.GetGroups(), "") if err != nil { klog.Error(err) return nil, err @@ -472,7 +473,7 @@ func (t *tenantOperator) ListClusters(user user.Info) (*api.ListResult, error) { return result, nil } - workspaceRoleBindings, err := t.am.ListWorkspaceRoleBindings(user.GetName(), "") + workspaceRoleBindings, err := t.am.ListWorkspaceRoleBindings(user.GetName(), user.GetGroups(), "") if err != nil { klog.Error(err)