fix: multi-cluster proxy authentication

Signed-off-by: hongming <talonwan@yunify.com>
2020-06-19 13:30:40 +08:00
parent 0493a352dc
commit ee741858b6
7 changed files with 163 additions and 37 deletions
--- a/pkg/apiserver/authorization/authorizerfactory/rbac.go
+++ b/pkg/apiserver/authorization/authorizerfactory/rbac.go
@@ -230,37 +230,6 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes,
 		}
 	}

-	if requestAttributes.GetResourceScope() == request.ClusterScope || requestAttributes.GetResourceScope() == request.NamespaceScope {
-		if clusterRoleBindings, err := r.am.ListClusterRoleBindings(""); err != nil {
-			if !visitor(nil, "", nil, err) {
-				return
-			}
-		} else {
-			sourceDescriber := &clusterRoleBindingDescriber{}
-			for _, clusterRoleBinding := range clusterRoleBindings {
-				subjectIndex, applies := appliesTo(requestAttributes.GetUser(), clusterRoleBinding.Subjects, "")
-				if !applies {
-					continue
-				}
-				regoPolicy, rules, err := r.am.GetRoleReferenceRules(clusterRoleBinding.RoleRef, "")
-				if err != nil {
-					visitor(nil, "", nil, err)
-					continue
-				}
-				sourceDescriber.binding = clusterRoleBinding
-				sourceDescriber.subject = &clusterRoleBinding.Subjects[subjectIndex]
-				if !visitor(sourceDescriber, regoPolicy, nil, nil) {
-					return
-				}
-				for i := range rules {
-					if !visitor(sourceDescriber, "", &rules[i], nil) {
-						return
-					}
-				}
-			}
-		}
-	}
-
 	if requestAttributes.GetResourceScope() == request.WorkspaceScope || requestAttributes.GetResourceScope() == request.NamespaceScope {

 		var workspace string
@@ -338,6 +307,35 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes,
 			}
 		}
 	}
+
+	if clusterRoleBindings, err := r.am.ListClusterRoleBindings(""); err != nil {
+		if !visitor(nil, "", nil, err) {
+			return
+		}
+	} else {
+		sourceDescriber := &clusterRoleBindingDescriber{}
+		for _, clusterRoleBinding := range clusterRoleBindings {
+			subjectIndex, applies := appliesTo(requestAttributes.GetUser(), clusterRoleBinding.Subjects, "")
+			if !applies {
+				continue
+			}
+			regoPolicy, rules, err := r.am.GetRoleReferenceRules(clusterRoleBinding.RoleRef, "")
+			if err != nil {
+				visitor(nil, "", nil, err)
+				continue
+			}
+			sourceDescriber.binding = clusterRoleBinding
+			sourceDescriber.subject = &clusterRoleBinding.Subjects[subjectIndex]
+			if !visitor(sourceDescriber, regoPolicy, nil, nil) {
+				return
+			}
+			for i := range rules {
+				if !visitor(sourceDescriber, "", &rules[i], nil) {
+					return
+				}
+			}
+		}
+	}
 }

 // appliesTo returns whether any of the bindingSubjects applies to the specified subject,