hongming
@@ -29,20 +29,21 @@ type opaAuthorizer struct {
|
||||
am am.AccessManagementInterface
|
||||
}
|
||||
|
||||
// Make decision by request attributes
|
||||
func (o *opaAuthorizer) Authorize(attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
|
||||
|
||||
// Make decisions based on the authorization policy of different levels of roles
|
||||
platformRole, err := o.am.GetPlatformRole(attr.GetUser().GetName())
|
||||
if err != nil {
|
||||
return authorizer.DecisionDeny, "", err
|
||||
}
|
||||
|
||||
// check platform role policy rules
|
||||
if a, r, e := makeDecision(platformRole, attr); a == authorizer.DecisionAllow {
|
||||
return a, r, e
|
||||
if authorized, reason, err = makeDecision(platformRole, attr); authorized == authorizer.DecisionAllow {
|
||||
return authorized, reason, err
|
||||
}
|
||||
|
||||
// it's not in cluster resource, permission denied
|
||||
// TODO declare implicit cluster info in request Info
|
||||
if attr.GetCluster() == "" {
|
||||
return authorizer.DecisionDeny, "permission undefined", nil
|
||||
}
|
||||
@@ -78,7 +79,7 @@ func (o *opaAuthorizer) Authorize(attr authorizer.Attributes) (authorized author
|
||||
}
|
||||
|
||||
if attr.GetNamespace() != "" {
|
||||
namespaceRole, err := o.am.GetNamespaceRole(attr.GetNamespace(), attr.GetUser().GetName())
|
||||
namespaceRole, err := o.am.GetNamespaceRole(attr.GetCluster(), attr.GetNamespace(), attr.GetUser().GetName())
|
||||
if err != nil {
|
||||
return authorizer.DecisionDeny, "", err
|
||||
}
|
||||
@@ -102,6 +103,29 @@ func makeDecision(role am.Role, a authorizer.Attributes) (authorized authorizer.
|
||||
return authorizer.DecisionDeny, "", err
|
||||
}
|
||||
|
||||
// data example
|
||||
//{
|
||||
// "User": {
|
||||
// "Name": "admin",
|
||||
// "UID": "0",
|
||||
// "Groups": [
|
||||
// "admin"
|
||||
// ],
|
||||
// "Extra": null
|
||||
// },
|
||||
// "Verb": "list",
|
||||
// "Cluster": "cluster1",
|
||||
// "Workspace": "",
|
||||
// "Namespace": "",
|
||||
// "APIGroup": "",
|
||||
// "APIVersion": "v1",
|
||||
// "Resource": "nodes",
|
||||
// "Subresource": "",
|
||||
// "Name": "",
|
||||
// "KubernetesRequest": true,
|
||||
// "ResourceRequest": true,
|
||||
// "Path": "/api/v1/nodes"
|
||||
//}
|
||||
// The policy decision is contained in the results returned by the Eval() call. You can inspect the decision and handle it accordingly.
|
||||
results, err := query.Eval(context.Background(), rego.EvalInput(a))
|
||||
|
||||
|
||||
@@ -27,8 +27,29 @@ import (
|
||||
)
|
||||
|
||||
func TestPlatformRole(t *testing.T) {
|
||||
platformRoles := map[string]am.FakeRole{"admin": {
|
||||
Name: "admin",
|
||||
Rego: "package authz\ndefault allow = true",
|
||||
}, "anonymous": {
|
||||
Name: "anonymous",
|
||||
Rego: "package authz\ndefault allow = false",
|
||||
}, "tom": {
|
||||
Name: "tom",
|
||||
Rego: `package authz
|
||||
default allow = false
|
||||
allow {
|
||||
resources_in_cluster1
|
||||
}
|
||||
resources_in_cluster1 {
|
||||
input.Cluster == "cluster1"
|
||||
}`,
|
||||
},
|
||||
}
|
||||
|
||||
opa := NewOPAAuthorizer(am.NewFakeAMOperator(cache.NewSimpleCache()))
|
||||
operator := am.NewFakeAMOperator(cache.NewSimpleCache())
|
||||
operator.Prepare(platformRoles, nil, nil, nil)
|
||||
|
||||
opa := NewOPAAuthorizer(operator)
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
@@ -36,7 +57,7 @@ func TestPlatformRole(t *testing.T) {
|
||||
expectedDecision authorizer.Decision
|
||||
}{
|
||||
{
|
||||
name: "list nodes",
|
||||
name: "admin can list nodes",
|
||||
request: authorizer.AttributesRecord{
|
||||
User: &user.DefaultInfo{
|
||||
Name: "admin",
|
||||
@@ -60,7 +81,7 @@ func TestPlatformRole(t *testing.T) {
|
||||
expectedDecision: authorizer.DecisionAllow,
|
||||
},
|
||||
{
|
||||
name: "list nodes",
|
||||
name: "anonymous can not list nodes",
|
||||
request: authorizer.AttributesRecord{
|
||||
User: &user.DefaultInfo{
|
||||
Name: user.Anonymous,
|
||||
@@ -82,13 +103,54 @@ func TestPlatformRole(t *testing.T) {
|
||||
Path: "/api/v1/nodes",
|
||||
},
|
||||
expectedDecision: authorizer.DecisionDeny,
|
||||
}, {
|
||||
name: "tom can list nodes in cluster1",
|
||||
request: authorizer.AttributesRecord{
|
||||
User: &user.DefaultInfo{
|
||||
Name: "tom",
|
||||
},
|
||||
Verb: "list",
|
||||
Cluster: "cluster1",
|
||||
Workspace: "",
|
||||
Namespace: "",
|
||||
APIGroup: "",
|
||||
APIVersion: "v1",
|
||||
Resource: "nodes",
|
||||
Subresource: "",
|
||||
Name: "",
|
||||
KubernetesRequest: true,
|
||||
ResourceRequest: true,
|
||||
Path: "/api/v1/clusters/cluster1/nodes",
|
||||
},
|
||||
expectedDecision: authorizer.DecisionAllow,
|
||||
},
|
||||
{
|
||||
name: "tom can not list nodes in cluster2",
|
||||
request: authorizer.AttributesRecord{
|
||||
User: &user.DefaultInfo{
|
||||
Name: "tom",
|
||||
},
|
||||
Verb: "list",
|
||||
Cluster: "cluster2",
|
||||
Workspace: "",
|
||||
Namespace: "",
|
||||
APIGroup: "",
|
||||
APIVersion: "v1",
|
||||
Resource: "nodes",
|
||||
Subresource: "",
|
||||
Name: "",
|
||||
KubernetesRequest: true,
|
||||
ResourceRequest: true,
|
||||
Path: "/api/v1/clusters/cluster2/nodes",
|
||||
},
|
||||
expectedDecision: authorizer.DecisionDeny,
|
||||
},
|
||||
}
|
||||
|
||||
for _, test := range tests {
|
||||
decision, _, err := opa.Authorize(test.request)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
t.Errorf("test failed: %s, %v", test.name, err)
|
||||
}
|
||||
if decision != test.expectedDecision {
|
||||
t.Errorf("%s: expected decision %v, actual %+v", test.name, test.expectedDecision, decision)
|
||||
|
||||
Reference in New Issue
Block a user