fix: resource scope (#2280)

Signed-off-by: hongming <talonwan@yunify.com>

pkg/apiserver/apiserver.go

@@ -27,6 +27,9 @@ import (
 	unionauth "k8s.io/apiserver/pkg/authentication/request/union"
 	"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
 	"k8s.io/klog"
+	clusterv1alpha1 "kubesphere.io/kubesphere/pkg/apis/cluster/v1alpha1"
+	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
+	tenantv1alpha1 "kubesphere.io/kubesphere/pkg/apis/tenant/v1alpha1"
 	audit "kubesphere.io/kubesphere/pkg/apiserver/auditing"
 	"kubesphere.io/kubesphere/pkg/apiserver/authentication/authenticators/basic"
 	"kubesphere.io/kubesphere/pkg/apiserver/authentication/authenticators/jwttoken"
@@ -233,6 +236,16 @@ func (s *APIServer) buildHandlerChain(stopCh <-chan struct{}) {
 	requestInfoResolver := &request.RequestInfoFactory{
 		APIPrefixes:          sets.NewString("api", "apis", "kapis", "kapi"),
 		GrouplessAPIPrefixes: sets.NewString("api", "kapi"),
+		GlobalResources: []schema.GroupResource{
+			iamv1alpha2.Resource(iamv1alpha2.ResourcesPluralUser),
+			iamv1alpha2.Resource(iamv1alpha2.ResourcesPluralGlobalRole),
+			iamv1alpha2.Resource(iamv1alpha2.ResourcesPluralGlobalRoleBinding),
+			tenantv1alpha1.Resource(tenantv1alpha1.ResourcePluralWorkspace),
+			tenantv1alpha2.Resource(tenantv1alpha1.ResourcePluralWorkspace),
+			tenantv1alpha2.Resource(clusterv1alpha1.ResourcesPluralCluster),
+			clusterv1alpha1.Resource(clusterv1alpha1.ResourcesPluralCluster),
+			resourcev1alpha3.Resource(clusterv1alpha1.ResourcesPluralCluster),
+		},
 	}
 
 	handler := s.Server.Handler

pkg/apiserver/authorization/authorizerfactory/rbac.go

@@ -131,8 +131,8 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (aut
 			scope = fmt.Sprintf("in namespace %q", ns)
 		} else if ws := requestAttributes.GetWorkspace(); len(ws) > 0 {
 			scope = fmt.Sprintf("in workspace %q", ws)
-		} else if cluster := requestAttributes.GetWorkspace(); len(cluster) > 0 {
+		} else if requestAttributes.GetResourceScope() == request.ClusterScope {
-			scope = fmt.Sprintf("in cluster %q", cluster)
+			scope = "cluster scope"
 		} else {
 			scope = "global-wide"
 		}
@@ -228,13 +228,15 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes,
 				}
 			}
 		}
+
+		if requestAttributes.GetResourceScope() == request.GlobalScope {
+			return
+		}
 	}
 
 	if requestAttributes.GetResourceScope() == request.WorkspaceScope || requestAttributes.GetResourceScope() == request.NamespaceScope {
-
 		var workspace string
 		var err error
-
 		if requestAttributes.GetResourceScope() == request.NamespaceScope {
 			if workspace, err = r.am.GetControlledWorkspace(requestAttributes.GetNamespace()); err != nil {
 				if !visitor(nil, "", nil, err) {

pkg/apiserver/request/requestinfo.go

@@ -26,6 +26,7 @@ import (
 	metainternalversion "k8s.io/apimachinery/pkg/apis/meta/internalversion"
 	metainternalversionscheme "k8s.io/apimachinery/pkg/apis/meta/internalversion/scheme"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/klog"
 	"kubesphere.io/kubesphere/pkg/api"
@@ -75,6 +76,7 @@ type RequestInfo struct {
 type RequestInfoFactory struct {
 	APIPrefixes          sets.String
 	GrouplessAPIPrefixes sets.String
+	GlobalResources      []schema.GroupResource
 }
 
 // NewRequestInfo returns the information from the http request.  If error is not nil, RequestInfo holds the information as best it is known before the failure
@@ -106,7 +108,6 @@ type RequestInfoFactory struct {
 // /kapis/clusters/{cluster}/{api-group}/{version}/namespaces/{namespace}/{resource}/{resourceName}
 //
 func (r *RequestInfoFactory) NewRequestInfo(req *http.Request) (*RequestInfo, error) {
-
 	requestInfo := RequestInfo{
 		IsKubernetesRequest: false,
 		RequestInfo: &k8srequest.RequestInfo{
@@ -309,6 +310,9 @@ const (
 )
 
 func (r *RequestInfoFactory) resolveResourceScope(request RequestInfo) string {
+	if r.isGlobalScopeResource(request.APIGroup, request.Resource) {
+		return GlobalScope
+	}
 
 	if request.Namespace != "" {
 		return NamespaceScope
@@ -320,3 +324,12 @@ func (r *RequestInfoFactory) resolveResourceScope(request RequestInfo) string {
 
 	return ClusterScope
 }
+
+func (r *RequestInfoFactory) isGlobalScopeResource(apiGroup, resource string) bool {
+	for _, groupResource := range r.GlobalResources {
+		if groupResource.Group == apiGroup && groupResource.Resource == resource {
+			return true
+		}
+	}
+	return false
+}

pkg/kapis/resources/v1alpha3/register.go

@@ -40,6 +40,10 @@ const (
 
 var GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha3"}
 
+func Resource(resource string) schema.GroupResource {
+	return GroupVersion.WithResource(resource).GroupResource()
+}
+
 func AddToContainer(c *restful.Container, informerFactory informers.InformerFactory) error {
 
 	webservice := runtime.NewWebService(GroupVersion)

pkg/kapis/tenant/v1alpha2/register.go

@@ -45,6 +45,10 @@ const (
 
 var GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"}
 
+func Resource(resource string) schema.GroupResource {
+	return GroupVersion.WithResource(resource).GroupResource()
+}
+
 func AddToContainer(c *restful.Container, factory informers.InformerFactory, k8sclient kubernetes.Interface, ksclient kubesphere.Interface, evtsClient events.Client, loggingClient logging.Interface, auditingclient auditing.Client) error {
 	mimePatch := []string{restful.MIME_JSON, runtime.MimeMergePatchJson, runtime.MimeJsonPatchJson}