add IAM API

This commit is contained in:
hongming
2018-05-31 21:15:08 +08:00
parent 5c223fced9
commit 85f3a83e8f
5 changed files with 1026 additions and 0 deletions


@@ -0,0 +1,436 @@
/*
Copyright 2018 The KubeSphere Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package iam
import (
"k8s.io/api/rbac/v1"
)
type roleList struct {
ClusterRoles []v1.ClusterRole `json:"clusterRoles" protobuf:"bytes,2,rep,name=clusterRoles"`
Roles []v1.Role `json:"roles" protobuf:"bytes,2,rep,name=roles"`
}
type action struct {
Name string `json:"name"`
Rules []v1.PolicyRule `json:"rules"`
}
type rule struct {
Name string `json:"name"`
Actions []action `json:"actions"`
}
type userRuleList struct {
ClusterRules []rule `json:"clusterRules"`
Rules map[string][]rule `json:"rules"`
}
// TODO design all frontend-facing rules
var (
clusterRoleRuleGroup = []rule{projectsManagement, userManagement, roleManagement, registryManagement,
volumeManagement, storageclassManagement, nodeManagement, appCatalogManagement, appManagement}
roleRuleGroup = []rule{deploymentManagement, projectManagement, statefulsetManagement, daemonsetManagement,
serviceManagement, routeManagement, pvcManagement}
projectsManagement = rule{
Name: "projectsManagement",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
APIGroups: []string{""},
Resources: []string{"namespaces"},
},
},
},
{Name: "create",
Rules: []v1.PolicyRule{
{
Verbs: []string{"create"},
APIGroups: []string{""},
Resources: []string{"namespaces"},
},
},
},
{Name: "delete",
Rules: []v1.PolicyRule{
{
Verbs: []string{"delete", "deletecollection"},
APIGroups: []string{""},
Resources: []string{"namespaces"},
},
},
},
},
}
userManagement = rule{
Name: "userManagement",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
APIGroups: []string{"iam.kubesphere.io"},
Resources: []string{"users"},
},
{
Verbs: []string{"get", "list"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"rolebindings", "clusterrolebindings"},
},
},
},
{Name: "create",
Rules: []v1.PolicyRule{
{
Verbs: []string{"create"},
APIGroups: []string{"iam.kubesphere.io"},
Resources: []string{"users"},
},
},
},
{Name: "edit",
Rules: []v1.PolicyRule{
{
Verbs: []string{"update", "patch"},
APIGroups: []string{"iam.kubesphere.io"},
Resources: []string{"users"},
},
},
},
{Name: "delete",
Rules: []v1.PolicyRule{
{
Verbs: []string{"delete", "deletecollection"},
APIGroups: []string{"iam.kubesphere.io"},
Resources: []string{"users"},
},
},
},
},
}
roleManagement = rule{
Name: "roleManagement",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"roles", "clusterroles"},
},
},
},
{Name: "create",
Rules: []v1.PolicyRule{
{
Verbs: []string{"create"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"roles", "clusterroles"},
},
},
},
{Name: "edit",
Rules: []v1.PolicyRule{
{
Verbs: []string{"update", "patch"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"roles", "clusterroles"},
},
},
},
{Name: "delete",
Rules: []v1.PolicyRule{
{
Verbs: []string{"delete", "deletecollection"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"roles", "clusterroles"},
},
},
},
{Name: "roleBinding",
Rules: []v1.PolicyRule{
{
Verbs: []string{"create", "delete", "deletecollection"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"rolebindings", "clusterrolebindings"},
},
},
},
},
}
nodeManagement = rule{
Name: "nodeManagement",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
APIGroups: []string{""},
Resources: []string{"nodes"},
},
},
},
},
}
volumeManagement = rule{
Name: "volumeManagement",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
APIGroups: []string{""},
Resources: []string{"persistentvolumes"},
},
},
},
},
}
storageclassManagement = rule{
Name: "storageclassManagement",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
APIGroups: []string{"storage.k8s.io"},
Resources: []string{"storageclasses"},
},
},
},
},
}
registryManagement = rule{
Name: "registryManagement",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
APIGroups: []string{"extend.kubesphere.io"},
Resources: []string{
"registries",
},
},
},
},
},
}
appCatalogManagement = rule{
Name: "appCatalogManagement",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
APIGroups: []string{"extend.kubesphere.io"},
Resources: []string{"appcatalog"},
},
},
},
},
}
appManagement = rule{
Name: "appManagement",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
APIGroups: []string{"extend.kubesphere.io"},
Resources: []string{"apps"},
},
},
},
},
}
statefulsetManagement = rule{
Name: "statefulsetManagement",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
APIGroups: []string{"apps"},
Resources: []string{"statefulsets"},
},
},
},
},
}
daemonsetManagement = rule{
Name: "daemonsetManagement",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
APIGroups: []string{"apps", "extensions"},
Resources: []string{"daemonsets"},
},
},
},
},
}
serviceManagement = rule{
Name: "serviceManagement",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
APIGroups: []string{""},
Resources: []string{"services"},
},
},
},
},
}
routeManagement = rule{
Name: "routeManagement",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
APIGroups: []string{"extensions"},
Resources: []string{"ingresses"},
},
},
},
},
}
pvcManagement = rule{
Name: "pvcManagement",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
APIGroups: []string{""},
Resources: []string{"persistentvolumeclaims"},
},
},
},
},
}
deploymentManagement = rule{
Name: "deploymentManagement",
Actions: []action{
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
APIGroups: []string{"apps", "extensions"},
Resources: []string{
"deployments",
"deployments/rollback",
"deployments/scale",
},
},
},
},
{Name: "create",
Rules: []v1.PolicyRule{
{
Verbs: []string{"create"},
APIGroups: []string{"apps", "extensions"},
Resources: []string{"deployments"},
},
},
},
{Name: "delete",
Rules: []v1.PolicyRule{
{
Verbs: []string{"delete", "deletecollection"},
APIGroups: []string{"apps", "extensions"},
Resources: []string{"deployments"},
},
},
},
{Name: "edit",
Rules: []v1.PolicyRule{
{
Verbs: []string{"update", "patch"},
APIGroups: []string{"apps", "extensions"},
Resources: []string{"deployments", "deployments/rollback"},
},
},
},
{Name: "scale",
Rules: []v1.PolicyRule{
{
Verbs: []string{"create", "update", "patch", "delete"},
APIGroups: []string{"apps", "extensions"},
Resources: []string{"deployments/scale"},
},
},
},
},
}
projectManagement = rule{
Name: "projectManagement",
Actions: []action{
{Name: "memberManagement",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list", "create", "delete"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"rolebindings"},
},
},
},
{Name: "memberRoleManagement",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list", "create", "delete"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"roles"},
},
},
},
{Name: "delete",
Rules: []v1.PolicyRule{
{
Verbs: []string{"delete"},
APIGroups: []string{"extend.kubesphere.io"},
Resources: []string{"namespace"},
},
},
},
},
}
)
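Review bot: The two fields of `roleList` carry the same protobuf field number (`protobuf:"bytes,2,rep,name=clusterRoles"` and `protobuf:"bytes,2,rep,name=roles"`), so if these structs are ever serialized through a protobuf codec the second field collides with the first; either renumber `Roles` to `protobuf:"bytes,3,rep,name=roles"` or, if nothing in this package consumes protobuf tags (the type is unexported and only JSON-tagged usage is visible here), drop both tags rather than keep a conflicting pair. In the `projectManagement` rule's `delete` action the resource is the singular `"namespace"` under `extend.kubesphere.io`, while every other rule uses the core-group plural `"namespaces"`; if that is not a deliberately distinct custom resource it is a typo that leaves the action matching nothing, which is worth a comment either way, e.g. `// "namespace" is the extend.kubesphere.io resource, not core "namespaces"`. Since this file is authorization policy expressed as data, the `rule`/`action` types deserve a short doc comment stating the contract: a `rule` is a frontend-facing permission group, each `action` expands to the RBAC PolicyRules that must be granted for it, and `clusterRoleRuleGroup`/`roleRuleGroup` are the catalogs served to the UI. The `TODO design all frontend-facing rules` line would be more useful if it named what is still missing, since the `roleManagement` and `roleBinding` actions already grant create/update on roles, clusterroles and their bindings and so define the most sensitive part of the catalog.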