fix: resource scope (#2280)
Signed-off-by: hongming <talonwan@yunify.com>
This commit is contained in:
hongming
@@ -27,6 +27,9 @@ import (
|
||||
unionauth "k8s.io/apiserver/pkg/authentication/request/union"
|
||||
"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
|
||||
"k8s.io/klog"
|
||||
clusterv1alpha1 "kubesphere.io/kubesphere/pkg/apis/cluster/v1alpha1"
|
||||
iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
|
||||
tenantv1alpha1 "kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha1"
|
||||
audit "kubesphere.io/kubesphere/pkg/apiserver/auditing"
|
||||
"kubesphere.io/kubesphere/pkg/apiserver/authentication/authenticators/basic"
|
||||
"kubesphere.io/kubesphere/pkg/apiserver/authentication/authenticators/jwttoken"
|
||||
@@ -233,6 +236,16 @@ func (s *APIServer) buildHandlerChain(stopCh <-chan struct{}) {
|
||||
requestInfoResolver := &request.RequestInfoFactory{
|
||||
APIPrefixes: sets.NewString("api", "apis", "kapis", "kapi"),
|
||||
GrouplessAPIPrefixes: sets.NewString("api", "kapi"),
|
||||
GlobalResources: []schema.GroupResource{
|
||||
iamv1alpha2.Resource(iamv1alpha2.ResourcesPluralUser),
|
||||
iamv1alpha2.Resource(iamv1alpha2.ResourcesPluralGlobalRole),
|
||||
iamv1alpha2.Resource(iamv1alpha2.ResourcesPluralGlobalRoleBinding),
|
||||
tenantv1alpha1.Resource(tenantv1alpha1.ResourcePluralWorkspace),
|
||||
tenantv1alpha2.Resource(tenantv1alpha1.ResourcePluralWorkspace),
|
||||
tenantv1alpha2.Resource(clusterv1alpha1.ResourcesPluralCluster),
|
||||
clusterv1alpha1.Resource(clusterv1alpha1.ResourcesPluralCluster),
|
||||
resourcev1alpha3.Resource(clusterv1alpha1.ResourcesPluralCluster),
|
||||
},
|
||||
}
|
||||
|
||||
handler := s.Server.Handler
|
||||
|
||||
@@ -131,8 +131,8 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (aut
|
||||
scope = fmt.Sprintf("in namespace %q", ns)
|
||||
} else if ws := requestAttributes.GetWorkspace(); len(ws) > 0 {
|
||||
scope = fmt.Sprintf("in workspace %q", ws)
|
||||
} else if cluster := requestAttributes.GetWorkspace(); len(cluster) > 0 {
|
||||
scope = fmt.Sprintf("in cluster %q", cluster)
|
||||
} else if requestAttributes.GetResourceScope() == request.ClusterScope {
|
||||
scope = "cluster scope"
|
||||
} else {
|
||||
scope = "global-wide"
|
||||
}
|
||||
@@ -228,13 +228,15 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if requestAttributes.GetResourceScope() == request.GlobalScope {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
if requestAttributes.GetResourceScope() == request.WorkspaceScope || requestAttributes.GetResourceScope() == request.NamespaceScope {
|
||||
|
||||
var workspace string
|
||||
var err error
|
||||
|
||||
if requestAttributes.GetResourceScope() == request.NamespaceScope {
|
||||
if workspace, err = r.am.GetControlledWorkspace(requestAttributes.GetNamespace()); err != nil {
|
||||
if !visitor(nil, "", nil, err) {
|
||||
|
||||
@@ -26,6 +26,7 @@ import (
|
||||
metainternalversion "k8s.io/apimachinery/pkg/apis/meta/internalversion"
|
||||
metainternalversionscheme "k8s.io/apimachinery/pkg/apis/meta/internalversion/scheme"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/klog"
|
||||
"kubesphere.io/kubesphere/pkg/api"
|
||||
@@ -75,6 +76,7 @@ type RequestInfo struct {
|
||||
type RequestInfoFactory struct {
|
||||
APIPrefixes sets.String
|
||||
GrouplessAPIPrefixes sets.String
|
||||
GlobalResources []schema.GroupResource
|
||||
}
|
||||
|
||||
// NewRequestInfo returns the information from the http request. If error is not nil, RequestInfo holds the information as best it is known before the failure
|
||||
@@ -106,7 +108,6 @@ type RequestInfoFactory struct {
|
||||
// /kapis/clusters/{cluster}/{api-group}/{version}/namespaces/{namespace}/{resource}/{resourceName}
|
||||
//
|
||||
func (r *RequestInfoFactory) NewRequestInfo(req *http.Request) (*RequestInfo, error) {
|
||||
|
||||
requestInfo := RequestInfo{
|
||||
IsKubernetesRequest: false,
|
||||
RequestInfo: &k8srequest.RequestInfo{
|
||||
@@ -309,6 +310,9 @@ const (
|
||||
)
|
||||
|
||||
func (r *RequestInfoFactory) resolveResourceScope(request RequestInfo) string {
|
||||
if r.isGlobalScopeResource(request.APIGroup, request.Resource) {
|
||||
return GlobalScope
|
||||
}
|
||||
|
||||
if request.Namespace != "" {
|
||||
return NamespaceScope
|
||||
@@ -320,3 +324,12 @@ func (r *RequestInfoFactory) resolveResourceScope(request RequestInfo) string {
|
||||
|
||||
return ClusterScope
|
||||
}
|
||||
|
||||
func (r *RequestInfoFactory) isGlobalScopeResource(apiGroup, resource string) bool {
|
||||
for _, groupResource := range r.GlobalResources {
|
||||
if groupResource.Group == apiGroup && groupResource.Resource == resource {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
@@ -40,6 +40,10 @@ const (
|
||||
|
||||
var GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha3"}
|
||||
|
||||
func Resource(resource string) schema.GroupResource {
|
||||
return GroupVersion.WithResource(resource).GroupResource()
|
||||
}
|
||||
|
||||
func AddToContainer(c *restful.Container, informerFactory informers.InformerFactory) error {
|
||||
|
||||
webservice := runtime.NewWebService(GroupVersion)
|
||||
|
||||
@@ -45,6 +45,10 @@ const (
|
||||
|
||||
var GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"}
|
||||
|
||||
func Resource(resource string) schema.GroupResource {
|
||||
return GroupVersion.WithResource(resource).GroupResource()
|
||||
}
|
||||
|
||||
func AddToContainer(c *restful.Container, factory informers.InformerFactory, k8sclient kubernetes.Interface, ksclient kubesphere.Interface, evtsClient events.Client, loggingClient logging.Interface, auditingclient auditing.Client) error {
|
||||
mimePatch := []string{restful.MIME_JSON, runtime.MimeMergePatchJson, runtime.MimeJsonPatchJson}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user