hongming
@@ -144,7 +144,10 @@ func (s *APIServer) installKubeSphereAPIs() {
|
||||
urlruntime.Must(resourcesv1alpha2.AddToContainer(s.container, s.KubernetesClient.Kubernetes(), s.InformerFactory))
|
||||
//urlruntime.Must(tenantv1alpha2.AddToContainer(s.container, s.KubernetesClient, s.InformerFactory, s.DBClient.Database()))
|
||||
urlruntime.Must(terminalv1alpha2.AddToContainer(s.container, s.KubernetesClient.Kubernetes(), s.KubernetesClient.Config()))
|
||||
urlruntime.Must(iamv1alpha2.AddToContainer(s.container, s.KubernetesClient, s.InformerFactory, s.LdapClient, s.CacheClient, s.Config.AuthenticationOptions))
|
||||
urlruntime.Must(iamv1alpha2.AddToContainer(s.container, im.NewOperator(s.KubernetesClient.KubeSphere(),
|
||||
s.InformerFactory.KubeSphereSharedInformerFactory()),
|
||||
am.NewAMOperator(s.KubernetesClient.KubeSphere(), s.InformerFactory.KubeSphereSharedInformerFactory()),
|
||||
s.Config.AuthenticationOptions))
|
||||
urlruntime.Must(oauth.AddToContainer(s.container, token.NewJwtTokenIssuer(token.DefaultIssuerName, s.Config.AuthenticationOptions, s.CacheClient), s.Config.AuthenticationOptions))
|
||||
urlruntime.Must(servicemeshv1alpha2.AddToContainer(s.container))
|
||||
}
|
||||
@@ -188,7 +191,7 @@ func (s *APIServer) buildHandlerChain() {
|
||||
pathAuthorizer, _ := path.NewAuthorizer(excludedPaths)
|
||||
|
||||
// union authorizers are ordered, don't change the order here
|
||||
authorizers := unionauthorizer.New(pathAuthorizer, authorizerfactory.NewOPAAuthorizer(am.NewFakeAMOperator()))
|
||||
authorizers := unionauthorizer.New(pathAuthorizer, authorizerfactory.NewOPAAuthorizer(am.NewAMOperator(s.KubernetesClient.KubeSphere(), s.InformerFactory.KubeSphereSharedInformerFactory())))
|
||||
handler = filters.WithAuthorization(handler, authorizers)
|
||||
|
||||
// authenticators are unordered
|
||||
@@ -274,6 +277,9 @@ func (s *APIServer) waitForResourceSync(stopCh <-chan struct{}) error {
|
||||
ksGVRs := []schema.GroupVersionResource{
|
||||
{Group: "tenant.kubesphere.io", Version: "v1alpha1", Resource: "workspaces"},
|
||||
{Group: "iam.kubesphere.io", Version: "v1alpha2", Resource: "users"},
|
||||
{Group: "iam.kubesphere.io", Version: "v1alpha2", Resource: "roles"},
|
||||
{Group: "iam.kubesphere.io", Version: "v1alpha2", Resource: "rolebindings"},
|
||||
{Group: "iam.kubesphere.io", Version: "v1alpha2", Resource: "policyrules"},
|
||||
{Group: "tower.kubesphere.io", Version: "v1alpha1", Resource: "agents"},
|
||||
}
|
||||
|
||||
|
||||
@@ -21,6 +21,9 @@ package authorizerfactory
|
||||
import (
|
||||
"context"
|
||||
"github.com/open-policy-agent/opa/rego"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
"k8s.io/klog"
|
||||
iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
|
||||
"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
|
||||
"kubesphere.io/kubesphere/pkg/models/iam/am"
|
||||
)
|
||||
@@ -33,13 +36,16 @@ type opaAuthorizer struct {
|
||||
func (o *opaAuthorizer) Authorize(attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
|
||||
|
||||
// Make decisions based on the authorization policy of different levels of roles
|
||||
platformRole, err := o.am.GetPlatformRole(attr.GetUser().GetName())
|
||||
globalRole, err := o.am.GetRoleOfUserInTargetScope(iamv1alpha2.GlobalScope, "", attr.GetUser().GetName())
|
||||
if err != nil {
|
||||
if errors.IsNotFound(err) {
|
||||
return authorizer.DecisionDeny, err.Error(), nil
|
||||
}
|
||||
return authorizer.DecisionDeny, "", err
|
||||
}
|
||||
|
||||
// check platform role policy rules
|
||||
if authorized, reason, err = makeDecision(platformRole, attr); authorized == authorizer.DecisionAllow {
|
||||
if authorized, reason, err = o.makeDecision(globalRole, attr); authorized == authorizer.DecisionAllow {
|
||||
return authorized, reason, err
|
||||
}
|
||||
|
||||
@@ -48,13 +54,16 @@ func (o *opaAuthorizer) Authorize(attr authorizer.Attributes) (authorized author
|
||||
return authorizer.DecisionDeny, "permission undefined", nil
|
||||
}
|
||||
|
||||
clusterRole, err := o.am.GetClusterRole(attr.GetCluster(), attr.GetUser().GetName())
|
||||
clusterRole, err := o.am.GetRoleOfUserInTargetScope(iamv1alpha2.ClusterScope, attr.GetCluster(), attr.GetUser().GetName())
|
||||
if err != nil {
|
||||
if errors.IsNotFound(err) {
|
||||
return authorizer.DecisionDeny, err.Error(), nil
|
||||
}
|
||||
return authorizer.DecisionDeny, "", err
|
||||
}
|
||||
|
||||
// check cluster role policy rules
|
||||
if a, r, e := makeDecision(clusterRole, attr); a == authorizer.DecisionAllow {
|
||||
if a, r, e := o.makeDecision(clusterRole, attr); a == authorizer.DecisionAllow {
|
||||
return a, r, e
|
||||
}
|
||||
|
||||
@@ -63,13 +72,16 @@ func (o *opaAuthorizer) Authorize(attr authorizer.Attributes) (authorized author
|
||||
return authorizer.DecisionDeny, "permission undefined", nil
|
||||
}
|
||||
|
||||
workspaceRole, err := o.am.GetWorkspaceRole(attr.GetWorkspace(), attr.GetUser().GetName())
|
||||
workspaceRole, err := o.am.GetRoleOfUserInTargetScope(iamv1alpha2.WorkspaceScope, attr.GetWorkspace(), attr.GetUser().GetName())
|
||||
if err != nil {
|
||||
if errors.IsNotFound(err) {
|
||||
return authorizer.DecisionDeny, err.Error(), nil
|
||||
}
|
||||
return authorizer.DecisionDeny, "", err
|
||||
}
|
||||
|
||||
// check workspace role policy rules
|
||||
if a, r, e := makeDecision(workspaceRole, attr); a == authorizer.DecisionAllow {
|
||||
if a, r, e := o.makeDecision(workspaceRole, attr); a == authorizer.DecisionAllow {
|
||||
return a, r, e
|
||||
}
|
||||
|
||||
@@ -79,12 +91,15 @@ func (o *opaAuthorizer) Authorize(attr authorizer.Attributes) (authorized author
|
||||
}
|
||||
|
||||
if attr.GetNamespace() != "" {
|
||||
namespaceRole, err := o.am.GetNamespaceRole(attr.GetCluster(), attr.GetNamespace(), attr.GetUser().GetName())
|
||||
namespaceRole, err := o.am.GetRoleOfUserInTargetScope(iamv1alpha2.NamespaceScope, attr.GetNamespace(), attr.GetUser().GetName())
|
||||
if err != nil {
|
||||
if errors.IsNotFound(err) {
|
||||
return authorizer.DecisionDeny, err.Error(), nil
|
||||
}
|
||||
return authorizer.DecisionDeny, "", err
|
||||
}
|
||||
// check namespace role policy rules
|
||||
if a, r, e := makeDecision(namespaceRole, attr); a == authorizer.DecisionAllow {
|
||||
if a, r, e := o.makeDecision(namespaceRole, attr); a == authorizer.DecisionAllow {
|
||||
return a, r, e
|
||||
}
|
||||
}
|
||||
@@ -93,48 +108,36 @@ func (o *opaAuthorizer) Authorize(attr authorizer.Attributes) (authorized author
|
||||
}
|
||||
|
||||
// Make decision base on role
|
||||
func makeDecision(role am.Role, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
|
||||
func (o *opaAuthorizer) makeDecision(role *iamv1alpha2.Role, a authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
|
||||
|
||||
// Call the rego.New function to create an object that can be prepared or evaluated
|
||||
// After constructing a new rego.Rego object you can call PrepareForEval() to obtain an executable query
|
||||
query, err := rego.New(rego.Query("data.authz.allow"), rego.Module("authz.rego", role.GetRego())).PrepareForEval(context.Background())
|
||||
for _, ruleRef := range role.Rules {
|
||||
rule, err := o.am.GetPolicyRule(ruleRef.Name)
|
||||
if err != nil {
|
||||
if errors.IsNotFound(err) {
|
||||
continue
|
||||
}
|
||||
return authorizer.DecisionDeny, "", err
|
||||
}
|
||||
// Call the rego.New function to create an object that can be prepared or evaluated
|
||||
// After constructing a new rego.Rego object you can call PrepareForEval() to obtain an executable query
|
||||
query, err := rego.New(rego.Query("data.authz.allow"), rego.Module("authz.rego", rule.Rego)).PrepareForEval(context.Background())
|
||||
|
||||
if err != nil {
|
||||
return authorizer.DecisionDeny, "", err
|
||||
}
|
||||
if err != nil {
|
||||
klog.Errorf("rule syntax error:%s", err)
|
||||
continue
|
||||
}
|
||||
|
||||
// data example
|
||||
//{
|
||||
// "User": {
|
||||
// "Name": "admin",
|
||||
// "UID": "0",
|
||||
// "Groups": [
|
||||
// "admin"
|
||||
// ],
|
||||
// "Extra": null
|
||||
// },
|
||||
// "Verb": "list",
|
||||
// "Cluster": "cluster1",
|
||||
// "Workspace": "",
|
||||
// "Namespace": "",
|
||||
// "APIGroup": "",
|
||||
// "APIVersion": "v1",
|
||||
// "Resource": "nodes",
|
||||
// "Subresource": "",
|
||||
// "Name": "",
|
||||
// "KubernetesRequest": true,
|
||||
// "ResourceRequest": true,
|
||||
// "Path": "/api/v1/nodes"
|
||||
//}
|
||||
// The policy decision is contained in the results returned by the Eval() call. You can inspect the decision and handle it accordingly.
|
||||
results, err := query.Eval(context.Background(), rego.EvalInput(a))
|
||||
// The policy decision is contained in the results returned by the Eval() call. You can inspect the decision and handle it accordingly.
|
||||
results, err := query.Eval(context.Background(), rego.EvalInput(a))
|
||||
|
||||
if err != nil {
|
||||
return authorizer.DecisionDeny, "", err
|
||||
}
|
||||
if err != nil {
|
||||
klog.Errorf("rule syntax error:%s", err)
|
||||
continue
|
||||
}
|
||||
|
||||
if len(results) > 0 && results[0].Expressions[0].Value == true {
|
||||
return authorizer.DecisionAllow, "", nil
|
||||
if len(results) > 0 && results[0].Expressions[0].Value == true {
|
||||
return authorizer.DecisionAllow, "", nil
|
||||
}
|
||||
}
|
||||
|
||||
return authorizer.DecisionDeny, "permission undefined", nil
|
||||
|
||||
@@ -19,22 +19,44 @@
|
||||
package authorizerfactory
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
iamvealpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
|
||||
"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
|
||||
"kubesphere.io/kubesphere/pkg/client/clientset/versioned/fake"
|
||||
"kubesphere.io/kubesphere/pkg/client/informers/externalversions"
|
||||
"kubesphere.io/kubesphere/pkg/models/iam/am"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestPlatformRole(t *testing.T) {
|
||||
platformRoles := map[string]am.FakeRole{"admin": {
|
||||
Name: "admin",
|
||||
Rego: "package authz\ndefault allow = true",
|
||||
}, "anonymous": {
|
||||
Name: "anonymous",
|
||||
Rego: "package authz\ndefault allow = false",
|
||||
}, "tom": {
|
||||
Name: "tom",
|
||||
Rego: `package authz
|
||||
func prepare() (am.AccessManagementInterface, error) {
|
||||
rules := []*iamvealpha2.PolicyRule{
|
||||
{
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
Kind: iamvealpha2.PolicyRuleKind,
|
||||
APIVersion: iamvealpha2.SchemeGroupVersion.String()},
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "always-allow",
|
||||
},
|
||||
Rego: "package authz\ndefault allow = true",
|
||||
}, {
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
Kind: iamvealpha2.PolicyRuleKind,
|
||||
APIVersion: iamvealpha2.SchemeGroupVersion.String(),
|
||||
},
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "always-deny",
|
||||
},
|
||||
Rego: "package authz\ndefault allow = false",
|
||||
}, {
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
Kind: iamvealpha2.PolicyRuleKind,
|
||||
APIVersion: iamvealpha2.SchemeGroupVersion.String()},
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "manage-cluster1-resources",
|
||||
},
|
||||
Rego: `package authz
|
||||
default allow = false
|
||||
allow {
|
||||
resources_in_cluster1
|
||||
@@ -42,11 +64,168 @@ allow {
|
||||
resources_in_cluster1 {
|
||||
input.Cluster == "cluster1"
|
||||
}`,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
operator := am.NewFakeAMOperator()
|
||||
operator.Prepare(platformRoles, nil, nil, nil)
|
||||
roles := []*iamvealpha2.Role{
|
||||
{
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
Kind: iamvealpha2.RoleKind,
|
||||
APIVersion: iamvealpha2.SchemeGroupVersion.String()},
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "global-admin",
|
||||
},
|
||||
Target: iamvealpha2.Target{
|
||||
Scope: iamvealpha2.GlobalScope,
|
||||
Name: "",
|
||||
},
|
||||
Rules: []iamvealpha2.RuleRef{
|
||||
{
|
||||
APIGroup: iamvealpha2.SchemeGroupVersion.String(),
|
||||
Kind: iamvealpha2.PolicyRuleKind,
|
||||
Name: "always-allow",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
Kind: iamvealpha2.RoleKind,
|
||||
APIVersion: iamvealpha2.SchemeGroupVersion.String()},
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "anonymous",
|
||||
},
|
||||
Target: iamvealpha2.Target{
|
||||
Scope: iamvealpha2.GlobalScope,
|
||||
Name: "",
|
||||
},
|
||||
Rules: []iamvealpha2.RuleRef{
|
||||
{
|
||||
APIGroup: iamvealpha2.SchemeGroupVersion.String(),
|
||||
Kind: iamvealpha2.PolicyRuleKind,
|
||||
Name: "always-deny",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
Kind: iamvealpha2.RoleKind,
|
||||
APIVersion: iamvealpha2.SchemeGroupVersion.String()},
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "cluster1-admin",
|
||||
},
|
||||
Target: iamvealpha2.Target{
|
||||
Scope: iamvealpha2.GlobalScope,
|
||||
Name: "",
|
||||
},
|
||||
Rules: []iamvealpha2.RuleRef{
|
||||
{
|
||||
APIGroup: iamvealpha2.SchemeGroupVersion.String(),
|
||||
Kind: iamvealpha2.PolicyRuleKind,
|
||||
Name: "manage-cluster1-resources",
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
roleBindings := []*iamvealpha2.RoleBinding{
|
||||
{
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
Kind: iamvealpha2.RoleBindingKind,
|
||||
APIVersion: iamvealpha2.SchemeGroupVersion.String()},
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "global-admin",
|
||||
},
|
||||
Scope: iamvealpha2.GlobalScope,
|
||||
RoleRef: iamvealpha2.RoleRef{
|
||||
APIGroup: iamvealpha2.SchemeGroupVersion.String(),
|
||||
Kind: iamvealpha2.RoleKind,
|
||||
Name: "global-admin",
|
||||
},
|
||||
Subjects: []iamvealpha2.Subject{
|
||||
{
|
||||
Kind: iamvealpha2.UserKind,
|
||||
APIGroup: iamvealpha2.SchemeGroupVersion.String(),
|
||||
Name: "admin",
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
Kind: iamvealpha2.RoleBindingKind,
|
||||
APIVersion: iamvealpha2.SchemeGroupVersion.String()},
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "anonymous",
|
||||
},
|
||||
Scope: iamvealpha2.GlobalScope,
|
||||
RoleRef: iamvealpha2.RoleRef{
|
||||
APIGroup: iamvealpha2.SchemeGroupVersion.String(),
|
||||
Kind: iamvealpha2.RoleKind,
|
||||
Name: "anonymous",
|
||||
},
|
||||
Subjects: []iamvealpha2.Subject{
|
||||
{
|
||||
Kind: iamvealpha2.UserKind,
|
||||
APIGroup: iamvealpha2.SchemeGroupVersion.String(),
|
||||
Name: user.Anonymous,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
TypeMeta: metav1.TypeMeta{
|
||||
Kind: iamvealpha2.RoleBindingKind,
|
||||
APIVersion: iamvealpha2.SchemeGroupVersion.String()},
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "cluster1-admin",
|
||||
},
|
||||
Scope: iamvealpha2.GlobalScope,
|
||||
RoleRef: iamvealpha2.RoleRef{
|
||||
APIGroup: iamvealpha2.SchemeGroupVersion.String(),
|
||||
Kind: iamvealpha2.RoleKind,
|
||||
Name: "cluster1-admin",
|
||||
},
|
||||
Subjects: []iamvealpha2.Subject{
|
||||
{
|
||||
Kind: iamvealpha2.UserKind,
|
||||
APIGroup: iamvealpha2.SchemeGroupVersion.String(),
|
||||
Name: "tom",
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
ksClient := fake.NewSimpleClientset()
|
||||
informerFactory := externalversions.NewSharedInformerFactory(ksClient, 0)
|
||||
|
||||
for _, rule := range rules {
|
||||
err := informerFactory.Iam().V1alpha2().PolicyRules().Informer().GetIndexer().Add(rule)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("add rule:%s", err)
|
||||
}
|
||||
}
|
||||
for _, role := range roles {
|
||||
err := informerFactory.Iam().V1alpha2().Roles().Informer().GetIndexer().Add(role)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("add role:%s", err)
|
||||
}
|
||||
}
|
||||
for _, roleBinding := range roleBindings {
|
||||
err := informerFactory.Iam().V1alpha2().RoleBindings().Informer().GetIndexer().Add(roleBinding)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("add role binding:%s", err)
|
||||
}
|
||||
}
|
||||
|
||||
operator := am.NewAMOperator(ksClient, informerFactory)
|
||||
|
||||
return operator, nil
|
||||
}
|
||||
|
||||
func TestGlobalRole(t *testing.T) {
|
||||
|
||||
operator, err := prepare()
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
opa := NewOPAAuthorizer(operator)
|
||||
|
||||
|
||||
@@ -10,7 +10,6 @@ const (
|
||||
FieldLastUpdateTimestamp = "lastUpdateTimestamp"
|
||||
FieldLabel = "label"
|
||||
FieldAnnotation = "annotation"
|
||||
FieldClusterName = "clusterName"
|
||||
FieldNamespace = "namespace"
|
||||
FieldStatus = "status"
|
||||
FieldOwnerReference = "ownerReference"
|
||||
@@ -29,7 +28,6 @@ var ComparableFields = []Field{
|
||||
FieldUID,
|
||||
FieldLabel,
|
||||
FieldAnnotation,
|
||||
FieldClusterName,
|
||||
FieldNamespace,
|
||||
FieldStatus,
|
||||
FieldOwnerReference,
|
||||
|
||||
Reference in New Issue
Block a user