fix: multi-cluster proxy authentication

Signed-off-by: hongming <talonwan@yunify.com>
2020-06-19 13:30:40 +08:00
parent 0493a352dc
commit ee741858b6
7 changed files with 163 additions and 37 deletions
--- a/pkg/apiserver/authorization/authorizerfactory/rbac.go
+++ b/pkg/apiserver/authorization/authorizerfactory/rbac.go
@@ -230,37 +230,6 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes,
 		}
 	}

-	if requestAttributes.GetResourceScope() == request.ClusterScope || requestAttributes.GetResourceScope() == request.NamespaceScope {
-		if clusterRoleBindings, err := r.am.ListClusterRoleBindings(""); err != nil {
-			if !visitor(nil, "", nil, err) {
-				return
-			}
-		} else {
-			sourceDescriber := &clusterRoleBindingDescriber{}
-			for _, clusterRoleBinding := range clusterRoleBindings {
-				subjectIndex, applies := appliesTo(requestAttributes.GetUser(), clusterRoleBinding.Subjects, "")
-				if !applies {
-					continue
-				}
-				regoPolicy, rules, err := r.am.GetRoleReferenceRules(clusterRoleBinding.RoleRef, "")
-				if err != nil {
-					visitor(nil, "", nil, err)
-					continue
-				}
-				sourceDescriber.binding = clusterRoleBinding
-				sourceDescriber.subject = &clusterRoleBinding.Subjects[subjectIndex]
-				if !visitor(sourceDescriber, regoPolicy, nil, nil) {
-					return
-				}
-				for i := range rules {
-					if !visitor(sourceDescriber, "", &rules[i], nil) {
-						return
-					}
-				}
-			}
-		}
-	}
-
 	if requestAttributes.GetResourceScope() == request.WorkspaceScope || requestAttributes.GetResourceScope() == request.NamespaceScope {

 		var workspace string
@@ -338,6 +307,35 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes,
 			}
 		}
 	}
+
+	if clusterRoleBindings, err := r.am.ListClusterRoleBindings(""); err != nil {
+		if !visitor(nil, "", nil, err) {
+			return
+		}
+	} else {
+		sourceDescriber := &clusterRoleBindingDescriber{}
+		for _, clusterRoleBinding := range clusterRoleBindings {
+			subjectIndex, applies := appliesTo(requestAttributes.GetUser(), clusterRoleBinding.Subjects, "")
+			if !applies {
+				continue
+			}
+			regoPolicy, rules, err := r.am.GetRoleReferenceRules(clusterRoleBinding.RoleRef, "")
+			if err != nil {
+				visitor(nil, "", nil, err)
+				continue
+			}
+			sourceDescriber.binding = clusterRoleBinding
+			sourceDescriber.subject = &clusterRoleBinding.Subjects[subjectIndex]
+			if !visitor(sourceDescriber, regoPolicy, nil, nil) {
+				return
+			}
+			for i := range rules {
+				if !visitor(sourceDescriber, "", &rules[i], nil) {
+					return
+				}
+			}
+		}
+	}
 }

 // appliesTo returns whether any of the bindingSubjects applies to the specified subject,
--- a/pkg/apiserver/authorization/proxy/doc.go
+++ b/pkg/apiserver/authorization/proxy/doc.go
@@ -0,0 +1,17 @@
+/*
+Copyright 2020 The KubeSphere Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package proxy
--- a/pkg/apiserver/authorization/proxy/proxy.go
+++ b/pkg/apiserver/authorization/proxy/proxy.go
@@ -0,0 +1,33 @@
+/*
+Copyright 2020 The KubeSphere Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package proxy
+
+import (
+	"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
+)
+
+// NewAuthorizer returns an authorizer which accepts cluster proxy request.
+// If multi-cluster mode is enabled, request should authorize by target apiserver.
+func NewAuthorizer(multiClusterEnabled bool) authorizer.Authorizer {
+	return authorizer.AuthorizerFunc(func(a authorizer.Attributes) (authorizer.Decision, string, error) {
+		// in multi cluster mode, the request will be dispatch.
+		if multiClusterEnabled && a.GetCluster() != "" {
+			return authorizer.DecisionAllow, "", nil
+		}
+		return authorizer.DecisionNoOpinion, "", nil
+	})
+}
--- a/pkg/apiserver/authorization/proxy/proxy_test.go
+++ b/pkg/apiserver/authorization/proxy/proxy_test.go
@@ -0,0 +1,80 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package proxy
+
+import (
+	"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
+	"testing"
+)
+
+func TestNewAuthorizer(t *testing.T) {
+	tests := []struct {
+		multiClusterEnabled bool
+		request             authorizer.AttributesRecord
+		expectResult        authorizer.Decision
+	}{
+		{
+			multiClusterEnabled: false,
+			request: authorizer.AttributesRecord{
+				Workspace:         "ws",
+				Namespace:         "ns",
+				KubernetesRequest: false,
+				ResourceRequest:   false,
+			},
+			expectResult: authorizer.DecisionNoOpinion,
+		},
+		{
+			multiClusterEnabled: false,
+			request: authorizer.AttributesRecord{
+				Cluster:           "cluster1",
+				Workspace:         "ws",
+				Namespace:         "ns",
+				KubernetesRequest: false,
+				ResourceRequest:   false,
+			},
+			expectResult: authorizer.DecisionNoOpinion,
+		},
+		{
+			multiClusterEnabled: true,
+			request: authorizer.AttributesRecord{
+				Cluster:           "cluster1",
+				Workspace:         "ws",
+				Namespace:         "ns",
+				KubernetesRequest: false,
+				ResourceRequest:   false,
+			},
+			expectResult: authorizer.DecisionAllow,
+		},
+		{
+			multiClusterEnabled: true,
+			request: authorizer.AttributesRecord{
+				Workspace:         "ws",
+				Namespace:         "ns",
+				KubernetesRequest: false,
+				ResourceRequest:   false,
+			},
+			expectResult: authorizer.DecisionNoOpinion,
+		},
+	}
+	for i, test := range tests {
+		a := NewAuthorizer(test.multiClusterEnabled)
+		result, _, _ := a.Authorize(test.request)
+		if result != test.expectResult {
+			t.Errorf("case %d, got %#v, expected %#v", i, result, test.expectResult)
+		}
+	}
+}