hongming
@@ -44,16 +44,14 @@ type AccessManagementInterface interface {
|
||||
ListClusterRoles(query *query.Query) (*api.ListResult, error)
|
||||
ListWorkspaceRoles(query *query.Query) (*api.ListResult, error)
|
||||
ListGlobalRoles(query *query.Query) (*api.ListResult, error)
|
||||
|
||||
ListGlobalRoleBindings(username string) ([]*iamv1alpha2.GlobalRoleBinding, error)
|
||||
ListClusterRoleBindings(username string) ([]*rbacv1.ClusterRoleBinding, error)
|
||||
ListWorkspaceRoleBindings(username, workspace string) ([]*iamv1alpha2.WorkspaceRoleBinding, error)
|
||||
ListRoleBindings(username, namespace string) ([]*rbacv1.RoleBinding, error)
|
||||
|
||||
GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) (string, []rbacv1.PolicyRule, error)
|
||||
GetGlobalRole(globalRole string) (*iamv1alpha2.GlobalRole, error)
|
||||
GetWorkspaceRole(workspace string, name string) (*iamv1alpha2.WorkspaceRole, error)
|
||||
CreateOrUpdateGlobalRoleBinding(username string, globalRole string) error
|
||||
CreateGlobalRoleBinding(username string, globalRole string) error
|
||||
CreateOrUpdateWorkspaceRole(workspace string, workspaceRole *iamv1alpha2.WorkspaceRole) (*iamv1alpha2.WorkspaceRole, error)
|
||||
CreateOrUpdateGlobalRole(globalRole *iamv1alpha2.GlobalRole) (*iamv1alpha2.GlobalRole, error)
|
||||
DeleteWorkspaceRole(workspace string, name string) error
|
||||
@@ -64,11 +62,11 @@ type AccessManagementInterface interface {
|
||||
GetNamespaceRole(namespace string, name string) (*rbacv1.Role, error)
|
||||
CreateOrUpdateNamespaceRole(namespace string, role *rbacv1.Role) (*rbacv1.Role, error)
|
||||
DeleteNamespaceRole(namespace string, name string) error
|
||||
CreateOrUpdateWorkspaceRoleBinding(username string, workspace string, role string) error
|
||||
CreateWorkspaceRoleBinding(username string, workspace string, role string) error
|
||||
RemoveUserFromWorkspace(username string, workspace string) error
|
||||
CreateOrUpdateNamespaceRoleBinding(username string, namespace string, role string) error
|
||||
CreateNamespaceRoleBinding(username string, namespace string, role string) error
|
||||
RemoveUserFromNamespace(username string, namespace string) error
|
||||
CreateOrUpdateClusterRoleBinding(username string, role string) error
|
||||
CreateClusterRoleBinding(username string, role string) error
|
||||
RemoveUserFromCluster(username string) error
|
||||
GetControlledNamespace(devops string) (string, error)
|
||||
GetControlledWorkspace(namespace string) (string, error)
|
||||
@@ -371,7 +369,7 @@ func (am *amOperator) GetGlobalRole(globalRole string) (*iamv1alpha2.GlobalRole,
|
||||
return obj.(*iamv1alpha2.GlobalRole), nil
|
||||
}
|
||||
|
||||
func (am *amOperator) CreateOrUpdateGlobalRoleBinding(username string, globalRole string) error {
|
||||
func (am *amOperator) CreateGlobalRoleBinding(username string, globalRole string) error {
|
||||
|
||||
_, err := am.GetGlobalRole(globalRole)
|
||||
|
||||
@@ -428,11 +426,9 @@ func (am *amOperator) CreateOrUpdateGlobalRoleBinding(username string, globalRol
|
||||
}
|
||||
|
||||
func (am *amOperator) CreateOrUpdateWorkspaceRole(workspace string, workspaceRole *iamv1alpha2.WorkspaceRole) (*iamv1alpha2.WorkspaceRole, error) {
|
||||
|
||||
if workspaceRole.Labels == nil {
|
||||
workspaceRole.Labels = make(map[string]string, 0)
|
||||
}
|
||||
|
||||
workspaceRole.Labels[tenantv1alpha1.WorkspaceLabel] = workspace
|
||||
workspaceRole.Rules = make([]rbacv1.PolicyRule, 0)
|
||||
|
||||
@@ -452,15 +448,10 @@ func (am *amOperator) CreateOrUpdateWorkspaceRole(workspace string, workspaceRol
|
||||
}
|
||||
}
|
||||
|
||||
old, err := am.GetWorkspaceRole("", workspaceRole.Name)
|
||||
|
||||
if err != nil && !errors.IsNotFound(err) {
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var created *iamv1alpha2.WorkspaceRole
|
||||
if old != nil {
|
||||
var err error
|
||||
|
||||
if workspaceRole.ResourceVersion != "" {
|
||||
created, err = am.ksclient.IamV1alpha2().WorkspaceRoles().Update(workspaceRole)
|
||||
} else {
|
||||
created, err = am.ksclient.IamV1alpha2().WorkspaceRoles().Create(workspaceRole)
|
||||
@@ -469,7 +460,7 @@ func (am *amOperator) CreateOrUpdateWorkspaceRole(workspace string, workspaceRol
|
||||
return created, err
|
||||
}
|
||||
|
||||
func (am *amOperator) CreateOrUpdateWorkspaceRoleBinding(username string, workspace string, role string) error {
|
||||
func (am *amOperator) CreateWorkspaceRoleBinding(username string, workspace string, role string) error {
|
||||
|
||||
_, err := am.GetWorkspaceRole(workspace, role)
|
||||
|
||||
@@ -526,7 +517,7 @@ func (am *amOperator) CreateOrUpdateWorkspaceRoleBinding(username string, worksp
|
||||
return nil
|
||||
}
|
||||
|
||||
func (am *amOperator) CreateOrUpdateClusterRoleBinding(username string, role string) error {
|
||||
func (am *amOperator) CreateClusterRoleBinding(username string, role string) error {
|
||||
|
||||
_, err := am.GetClusterRole(role)
|
||||
|
||||
@@ -582,7 +573,7 @@ func (am *amOperator) CreateOrUpdateClusterRoleBinding(username string, role str
|
||||
return nil
|
||||
}
|
||||
|
||||
func (am *amOperator) CreateOrUpdateNamespaceRoleBinding(username string, namespace string, role string) error {
|
||||
func (am *amOperator) CreateNamespaceRoleBinding(username string, namespace string, role string) error {
|
||||
|
||||
_, err := am.GetNamespaceRole(namespace, role)
|
||||
|
||||
@@ -727,15 +718,10 @@ func (am *amOperator) CreateOrUpdateGlobalRole(globalRole *iamv1alpha2.GlobalRol
|
||||
}
|
||||
}
|
||||
|
||||
old, err := am.GetGlobalRole(globalRole.Name)
|
||||
|
||||
if err != nil && !errors.IsNotFound(err) {
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var created *iamv1alpha2.GlobalRole
|
||||
if old != nil {
|
||||
var err error
|
||||
|
||||
if globalRole.ResourceVersion != "" {
|
||||
created, err = am.ksclient.IamV1alpha2().GlobalRoles().Update(globalRole)
|
||||
} else {
|
||||
created, err = am.ksclient.IamV1alpha2().GlobalRoles().Create(globalRole)
|
||||
@@ -763,16 +749,9 @@ func (am *amOperator) CreateOrUpdateClusterRole(clusterRole *rbacv1.ClusterRole)
|
||||
clusterRole.Rules = append(clusterRole.Rules, role.Rules...)
|
||||
}
|
||||
}
|
||||
|
||||
old, err := am.GetClusterRole(clusterRole.Name)
|
||||
|
||||
if err != nil && !errors.IsNotFound(err) {
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var created *rbacv1.ClusterRole
|
||||
if old != nil {
|
||||
var err error
|
||||
if clusterRole.ResourceVersion != "" {
|
||||
created, err = am.k8sclient.RbacV1().ClusterRoles().Update(clusterRole)
|
||||
} else {
|
||||
created, err = am.k8sclient.RbacV1().ClusterRoles().Create(clusterRole)
|
||||
@@ -801,16 +780,9 @@ func (am *amOperator) CreateOrUpdateNamespaceRole(namespace string, role *rbacv1
|
||||
role.Rules = append(role.Rules, role.Rules...)
|
||||
}
|
||||
}
|
||||
|
||||
old, err := am.GetNamespaceRole(namespace, role.Name)
|
||||
|
||||
if err != nil && !errors.IsNotFound(err) {
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var created *rbacv1.Role
|
||||
if old != nil {
|
||||
var err error
|
||||
if role.ResourceVersion != "" {
|
||||
created, err = am.k8sclient.RbacV1().Roles(namespace).Update(role)
|
||||
} else {
|
||||
created, err = am.k8sclient.RbacV1().Roles(namespace).Create(role)
|
||||
|
||||
@@ -17,12 +17,14 @@ limitations under the License.
|
||||
package tenant
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
"k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/runtime"
|
||||
"k8s.io/apimachinery/pkg/types"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
"k8s.io/klog"
|
||||
@@ -36,6 +38,7 @@ import (
|
||||
"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
|
||||
"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizerfactory"
|
||||
"kubesphere.io/kubesphere/pkg/apiserver/query"
|
||||
"kubesphere.io/kubesphere/pkg/apiserver/request"
|
||||
kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned"
|
||||
"kubesphere.io/kubesphere/pkg/informers"
|
||||
"kubesphere.io/kubesphere/pkg/models/auditing"
|
||||
@@ -61,11 +64,15 @@ type Interface interface {
|
||||
UpdateWorkspace(workspace *tenantv1alpha2.WorkspaceTemplate) (*tenantv1alpha2.WorkspaceTemplate, error)
|
||||
DescribeWorkspace(workspace string) (*tenantv1alpha2.WorkspaceTemplate, error)
|
||||
ListWorkspaceClusters(workspace string) (*api.ListResult, error)
|
||||
|
||||
Events(user user.Info, queryParam *eventsv1alpha1.Query) (*eventsv1alpha1.APIResponse, error)
|
||||
QueryLogs(user user.Info, query *loggingv1alpha2.Query) (*loggingv1alpha2.APIResponse, error)
|
||||
ExportLogs(user user.Info, query *loggingv1alpha2.Query, writer io.Writer) error
|
||||
Auditing(user user.Info, queryParam *auditingv1alpha1.Query) (*auditingv1alpha1.APIResponse, error)
|
||||
DescribeNamespace(workspace, namespace string) (*corev1.Namespace, error)
|
||||
DeleteNamespace(workspace, namespace string) error
|
||||
UpdateNamespace(workspace string, namespace *corev1.Namespace) (*corev1.Namespace, error)
|
||||
PatchNamespace(workspace string, namespace *corev1.Namespace) (*corev1.Namespace, error)
|
||||
PatchWorkspace(workspace *tenantv1alpha2.WorkspaceTemplate) (*tenantv1alpha2.WorkspaceTemplate, error)
|
||||
}
|
||||
|
||||
type tenantOperator struct {
|
||||
@@ -99,10 +106,10 @@ func (t *tenantOperator) ListWorkspaces(user user.Info, queryParam *query.Query)
|
||||
listWS := authorizer.AttributesRecord{
|
||||
User: user,
|
||||
Verb: "list",
|
||||
APIGroup: "tenant.kubesphere.io",
|
||||
APIVersion: "v1alpha2",
|
||||
APIGroup: "*",
|
||||
Resource: "workspaces",
|
||||
ResourceRequest: true,
|
||||
ResourceScope: request.GlobalScope,
|
||||
}
|
||||
|
||||
decision, _, err := t.authorizer.Authorize(listWS)
|
||||
@@ -154,9 +161,9 @@ func (t *tenantOperator) ListWorkspaces(user user.Info, queryParam *query.Query)
|
||||
}
|
||||
|
||||
result := resources.DefaultList(workspaces, queryParam, func(left runtime.Object, right runtime.Object, field query.Field) bool {
|
||||
return resources.DefaultObjectMetaCompare(left.(*tenantv1alpha1.Workspace).ObjectMeta, right.(*tenantv1alpha1.Workspace).ObjectMeta, field)
|
||||
return resources.DefaultObjectMetaCompare(left.(*tenantv1alpha2.WorkspaceTemplate).ObjectMeta, right.(*tenantv1alpha2.WorkspaceTemplate).ObjectMeta, field)
|
||||
}, func(workspace runtime.Object, filter query.Filter) bool {
|
||||
return resources.DefaultObjectMetaFilter(workspace.(*tenantv1alpha1.Workspace).ObjectMeta, filter)
|
||||
return resources.DefaultObjectMetaFilter(workspace.(*tenantv1alpha2.WorkspaceTemplate).ObjectMeta, filter)
|
||||
})
|
||||
|
||||
return result, nil
|
||||
@@ -167,11 +174,10 @@ func (t *tenantOperator) ListNamespaces(user user.Info, workspace string, queryP
|
||||
listNSInWS := authorizer.AttributesRecord{
|
||||
User: user,
|
||||
Verb: "list",
|
||||
APIGroup: "",
|
||||
APIVersion: "v1",
|
||||
Workspace: workspace,
|
||||
Resource: "namespaces",
|
||||
ResourceRequest: true,
|
||||
ResourceScope: request.WorkspaceScope,
|
||||
}
|
||||
|
||||
decision, _, err := t.authorizer.Authorize(listNSInWS)
|
||||
@@ -238,22 +244,80 @@ func (t *tenantOperator) ListNamespaces(user user.Info, workspace string, queryP
|
||||
}
|
||||
|
||||
func (t *tenantOperator) CreateNamespace(workspace string, namespace *corev1.Namespace) (*corev1.Namespace, error) {
|
||||
|
||||
_, err := t.resourceGetter.Get(tenantv1alpha1.ResourcePluralWorkspace, "", workspace)
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if namespace.Annotations == nil {
|
||||
namespace.Annotations = make(map[string]string, 0)
|
||||
}
|
||||
|
||||
namespace.Annotations[tenantv1alpha1.WorkspaceLabel] = workspace
|
||||
|
||||
namespace = appendWorkspaceLabel(namespace, workspace)
|
||||
return t.k8sclient.CoreV1().Namespaces().Create(namespace)
|
||||
}
|
||||
|
||||
func appendWorkspaceLabel(namespace *corev1.Namespace, workspace string) *corev1.Namespace {
|
||||
if namespace.Labels == nil {
|
||||
namespace.Labels = make(map[string]string, 0)
|
||||
}
|
||||
namespace.Labels[tenantv1alpha1.WorkspaceLabel] = workspace
|
||||
return namespace
|
||||
}
|
||||
|
||||
func (t *tenantOperator) DescribeNamespace(workspace, namespace string) (*corev1.Namespace, error) {
|
||||
obj, err := t.resourceGetter.Get("namespaces", "", namespace)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
ns := obj.(*corev1.Namespace)
|
||||
if ns.Labels[tenantv1alpha1.WorkspaceLabel] != workspace {
|
||||
err := errors.NewNotFound(corev1.Resource("namespace"), namespace)
|
||||
klog.Error(err)
|
||||
return nil, err
|
||||
}
|
||||
return ns, nil
|
||||
}
|
||||
|
||||
func (t *tenantOperator) DeleteNamespace(workspace, namespace string) error {
|
||||
_, err := t.DescribeNamespace(workspace, namespace)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return t.k8sclient.CoreV1().Namespaces().Delete(namespace, metav1.NewDeleteOptions(0))
|
||||
}
|
||||
|
||||
func (t *tenantOperator) UpdateNamespace(workspace string, namespace *corev1.Namespace) (*corev1.Namespace, error) {
|
||||
_, err := t.DescribeNamespace(workspace, namespace.Namespace)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
namespace = appendWorkspaceLabel(namespace, workspace)
|
||||
return t.k8sclient.CoreV1().Namespaces().Update(namespace)
|
||||
}
|
||||
|
||||
func (t *tenantOperator) PatchNamespace(workspace string, namespace *corev1.Namespace) (*corev1.Namespace, error) {
|
||||
_, err := t.DescribeNamespace(workspace, namespace.Name)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if namespace.Labels != nil {
|
||||
namespace.Labels[tenantv1alpha1.WorkspaceLabel] = workspace
|
||||
}
|
||||
data, err := json.Marshal(namespace)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return t.k8sclient.CoreV1().Namespaces().Patch(namespace.Name, types.MergePatchType, data)
|
||||
}
|
||||
|
||||
func (t *tenantOperator) PatchWorkspace(workspace *tenantv1alpha2.WorkspaceTemplate) (*tenantv1alpha2.WorkspaceTemplate, error) {
|
||||
_, err := t.DescribeWorkspace(workspace.Name)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
data, err := json.Marshal(workspace)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return t.ksclient.TenantV1alpha2().WorkspaceTemplates().Patch(workspace.Name, types.MergePatchType, data)
|
||||
}
|
||||
|
||||
func (t *tenantOperator) CreateWorkspace(workspace *tenantv1alpha2.WorkspaceTemplate) (*tenantv1alpha2.WorkspaceTemplate, error) {
|
||||
return t.ksclient.TenantV1alpha2().WorkspaceTemplates().Create(workspace)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user