feat: authentication users with group's RoleBindings in API Server

Signed-off-by: Roland.Ma <rolandma@yunify.com>
2020-10-23 03:34:29 +00:00
parent 447a5a562f
commit 80f3db3d42
9 changed files with 162 additions and 84 deletions
--- a/pkg/apiserver/authorization/authorizerfactory/rbac.go
+++ b/pkg/apiserver/authorization/authorizerfactory/rbac.go
@@ -22,6 +22,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+
 	"github.com/open-policy-agent/opa/rego"
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
 	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
@@ -259,7 +260,7 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes,
 			workspace = requestAttributes.GetWorkspace()
 		}

-		if workspaceRoleBindings, err := r.am.ListWorkspaceRoleBindings("", workspace); err != nil {
+		if workspaceRoleBindings, err := r.am.ListWorkspaceRoleBindings("", nil, workspace); err != nil {
 			if !visitor(nil, "", nil, err) {
 				return
 			}
@@ -304,7 +305,7 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes,
 			}
 		}

-		if roleBindings, err := r.am.ListRoleBindings("", namespace); err != nil {
+		if roleBindings, err := r.am.ListRoleBindings("", nil, namespace); err != nil {
 			if !visitor(nil, "", nil, err) {
 				return
 			}