Fixed role definition.

This commit is contained in:
hongming
2018-06-25 22:39:26 +08:00
parent 471c5d7b48
commit a1d8edc8d9
3 changed files with 35 additions and 31 deletions


@@ -86,7 +86,7 @@ var (
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"kubsphere.io"},
Resources: []string{"components"},
},
@@ -101,7 +101,7 @@ var (
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""},
Resources: []string{"namespaces"},
},
@@ -137,7 +137,7 @@ var (
{Name: "members",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list", "create", "delete"},
Verbs: []string{"get", "watch", "list", "create", "delete"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"rolebindings"},
},
@@ -146,7 +146,7 @@ var (
{Name: "member_roles",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list", "create", "delete", "patch", "update"},
Verbs: []string{"get", "watch", "list", "create", "delete", "patch", "update"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"roles"},
},
@@ -161,7 +161,7 @@ var (
{Name: "members",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list", "create", "delete"},
Verbs: []string{"get", "watch", "list", "create", "delete"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"rolebindings"},
},
@@ -170,7 +170,7 @@ var (
{Name: "member_roles",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list", "create", "delete", "patch", "update"},
Verbs: []string{"get", "watch", "list", "create", "delete", "patch", "update"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"roles"},
},
@@ -202,12 +202,12 @@ var (
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"kubesphere.io"},
Resources: []string{"users"},
},
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"clusterrolebindings"},
},
@@ -259,7 +259,7 @@ var (
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"rbac.authorization.k8s.io"},
Resources: []string{"clusterroles"},
},
@@ -302,7 +302,7 @@ var (
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""},
Resources: []string{"nodes"},
},
@@ -335,7 +335,7 @@ var (
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""},
Resources: []string{"persistentvolumes"},
},
@@ -349,7 +349,7 @@ var (
{Name: "create",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""},
Resources: []string{"persistentvolumes"},
},
@@ -367,7 +367,7 @@ var (
{Name: "delete",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""},
Resources: []string{"persistentvolumes"},
},
@@ -382,7 +382,7 @@ var (
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"storage.k8s.io"},
Resources: []string{"storageclasses"},
},
@@ -424,7 +424,7 @@ var (
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""},
Resources: []string{
"secrets",
@@ -479,7 +479,7 @@ var (
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"openpitrix.io"},
Resources: []string{"appcatalog"},
},
@@ -521,7 +521,7 @@ var (
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"openpitrix.io"},
Resources: []string{"apps"},
},
@@ -536,7 +536,7 @@ var (
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"apps"},
Resources: []string{"statefulsets"},
},
@@ -546,7 +546,7 @@ var (
Resources: []string{"namespaces"},
},
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""},
Resources: []string{"pods", "pods/log", "pods/status"},
},
@@ -597,7 +597,7 @@ var (
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"apps", "extensions"},
Resources: []string{"daemonsets"},
},
@@ -607,7 +607,7 @@ var (
Resources: []string{"namespaces"},
},
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""},
Resources: []string{"pods", "pods/log", "pods/status"},
},
@@ -649,7 +649,7 @@ var (
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""},
Resources: []string{"services"},
},
@@ -697,7 +697,7 @@ var (
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"extensions"},
Resources: []string{"ingresses"},
},
@@ -744,7 +744,7 @@ var (
{Name: "view",
Rules: []v1.PolicyRule{
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{"apps", "extensions"},
Resources: []string{"deployments", "deployments/scale"},
},
@@ -754,7 +754,7 @@ var (
Resources: []string{"namespaces"},
},
{
Verbs: []string{"get", "list"},
Verbs: []string{"get", "watch", "list"},
APIGroups: []string{""},
Resources: []string{"pods", "pods/log", "pods/status"},
},
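Review bot: The `view` rule for `components` in the first hunk keeps `APIGroups: []string{"kubsphere.io"}`, which looks like a misspelling of the `kubesphere.io` group used for `users` later in this file, so the verbs granted here (including the newly added `watch`) target a group that presumably does not exist and the rule has no effect; the line should read `APIGroups: []string{"kubesphere.io"},`. That line is context rather than part of the change, so this commit does not fix it. Separately, the hunk at `@@ -424` extends the `view` role to `watch` on core-group `secrets`; since list and watch responses carry full secret payloads, it is worth confirming that a viewer is meant to read secret contents rather than only see that they exist.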


@@ -48,8 +48,8 @@ const (
)
var adminRules = []rbac.PolicyRule{{Verbs: []string{"*"}, APIGroups: []string{"*"}, Resources: []string{"*"}}}
var editorRules = []rbac.PolicyRule{{Verbs: []string{"*"}, APIGroups: []string{"", "apps", "extensions"}, Resources: []string{"*"}}}
var viewerRules = []rbac.PolicyRule{{Verbs: []string{"list", "get"}, APIGroups: []string{"", "apps", "extensions"}, Resources: []string{"*"}}}
var editorRules = []rbac.PolicyRule{{Verbs: []string{"*"}, APIGroups: []string{"", "apps", "extensions", "batch"}, Resources: []string{"*"}}}
var viewerRules = []rbac.PolicyRule{{Verbs: []string{"list", "get", "watch"}, APIGroups: []string{"", "apps", "extensions", "batch"}, Resources: []string{"*"}}}
type runTime struct {
RuntimeId string `json:"runtime_id"`
@@ -200,13 +200,13 @@ func (ctl *NamespaceCtl) createRoleAndRuntime(item v1.Namespace) {
return
}
err = ctl.createDefaultRoleBinding(ns, user)
resp, err := ctl.createOpRuntime(ns)
if err != nil {
glog.Error(err)
return
}
resp, err := ctl.createOpRuntime(ns)
err = ctl.createDefaultRoleBinding(ns, user)
if err != nil {
glog.Error(err)
return
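Review bot: `viewerRules` in the first hunk now grants `list`, `get`, `watch` on `Resources: []string{"*"}` in the core group (`""`), which includes `secrets` and `serviceaccounts`, so a namespace viewer can read every secret's contents and watch for new ones; if that is not intended, enumerate the readable resources instead of `"*"`. The same `"*"` in `editorRules` gives editors full write access to those resources too. Both are package-level variables, so the widened grant presumably applies to every namespace this controller sets up; the call sites are outside the hunk.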


@@ -187,9 +187,13 @@ func GetClusterRoles(username string) ([]v1.ClusterRole, error) {
for _, subject := range roleBinding.Subjects {
if subject.Kind == v1.UserKind && subject.Name == username {
if roleBinding.RoleRef.Kind == ClusterRoleKind {
rule, err := k8s.RbacV1().ClusterRoles().Get(roleBinding.RoleRef.Name, meta_v1.GetOptions{})
role, err := k8s.RbacV1().ClusterRoles().Get(roleBinding.RoleRef.Name, meta_v1.GetOptions{})
if err == nil {
roles = append(roles, *rule)
if role.Annotations == nil {
role.Annotations = make(map[string]string, 0)
}
role.Annotations["rbac.authorization.k8s.io/clusterrolebinding"] = roleBinding.Name
roles = append(roles, *role)
break
} else if apierrors.IsNotFound(err) {
glog.Infoln(err.Error())
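Review bot: The annotation written at `role.Annotations["rbac.authorization.k8s.io/clusterrolebinding"] = roleBinding.Name` uses a key prefix that belongs to Kubernetes' own RBAC components, and it is set on the object returned by `Get`, so any later `Update` of that role object would persist a made-up annotation on the cluster; prefer a project-owned key such as `kubesphere.io/clusterrolebinding` (constructed example), or return the binding name alongside the role instead of carrying it through metadata. `make(map[string]string, 0)` can simply be `make(map[string]string)`. GetClusterRoles starts and ends outside the hunk, so whether the returned roles are ever written back cannot be checked here.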