From f8c0e9addcbd294bd027eb86a6374cb00523c534 Mon Sep 17 00:00:00 2001 From: hongming Date: Sun, 26 Jul 2020 10:35:22 +0800 Subject: [PATCH] Reorder request filters Signed-off-by: hongming --- pkg/apiserver/apiserver.go | 14 ++-- pkg/apiserver/authorization/proxy/doc.go | 17 ---- pkg/apiserver/authorization/proxy/proxy.go | 33 -------- .../authorization/proxy/proxy_test.go | 80 ------------------- 4 files changed, 6 insertions(+), 138 deletions(-) delete mode 100644 pkg/apiserver/authorization/proxy/doc.go delete mode 100644 pkg/apiserver/authorization/proxy/proxy.go delete mode 100644 pkg/apiserver/authorization/proxy/proxy_test.go diff --git a/pkg/apiserver/apiserver.go b/pkg/apiserver/apiserver.go index 12b8ce8c6..dc928afc1 100644 --- a/pkg/apiserver/apiserver.go +++ b/pkg/apiserver/apiserver.go @@ -41,7 +41,6 @@ import ( "kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizerfactory" authorizationoptions "kubesphere.io/kubesphere/pkg/apiserver/authorization/options" "kubesphere.io/kubesphere/pkg/apiserver/authorization/path" - "kubesphere.io/kubesphere/pkg/apiserver/authorization/proxy" unionauthorizer "kubesphere.io/kubesphere/pkg/apiserver/authorization/union" apiserverconfig "kubesphere.io/kubesphere/pkg/apiserver/config" "kubesphere.io/kubesphere/pkg/apiserver/dispatch" @@ -265,12 +264,6 @@ func (s *APIServer) buildHandlerChain(stopCh <-chan struct{}) { s.Config.AuditingOptions.WebhookUrl, stopCh)) } - if s.Config.MultiClusterOptions.Enable { - clusterDispatcher := dispatch.NewClusterDispatch(s.InformerFactory.KubeSphereSharedInformerFactory().Cluster().V1alpha1().Clusters(), - s.InformerFactory.KubeSphereSharedInformerFactory().Cluster().V1alpha1().Clusters().Lister()) - handler = filters.WithMultipleClusterDispatcher(handler, clusterDispatcher) - } - var authorizers authorizer.Authorizer switch s.Config.AuthorizationOptions.Mode { 
@@ -284,10 +277,15 @@ func (s *APIServer) buildHandlerChain(stopCh <-chan struct{}) { excludedPaths := []string{"/oauth/*", "/kapis/config.kubesphere.io/*", "/kapis/version"} pathAuthorizer, _ := path.NewAuthorizer(excludedPaths) amOperator := am.NewReadOnlyOperator(s.InformerFactory) - authorizers = unionauthorizer.New(pathAuthorizer, proxy.NewAuthorizer(s.Config.MultiClusterOptions.Enable), authorizerfactory.NewRBACAuthorizer(amOperator)) + authorizers = unionauthorizer.New(pathAuthorizer, authorizerfactory.NewRBACAuthorizer(amOperator)) } handler = filters.WithAuthorization(handler, authorizers) + if s.Config.MultiClusterOptions.Enable { + clusterDispatcher := dispatch.NewClusterDispatch(s.InformerFactory.KubeSphereSharedInformerFactory().Cluster().V1alpha1().Clusters(), + s.InformerFactory.KubeSphereSharedInformerFactory().Cluster().V1alpha1().Clusters().Lister()) + handler = filters.WithMultipleClusterDispatcher(handler, clusterDispatcher) + } loginRecorder := im.NewLoginRecorder(s.KubernetesClient.KubeSphere()) // authenticators are unordered diff --git a/pkg/apiserver/authorization/proxy/doc.go b/pkg/apiserver/authorization/proxy/doc.go deleted file mode 100644 index adc9a30a5..000000000 --- a/pkg/apiserver/authorization/proxy/doc.go +++ /dev/null @@ -1,17 +0,0 @@ -/* -Copyright 2020 The KubeSphere Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package proxy 
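Review bot: Placing `filters.WithMultipleClusterDispatcher` after `filters.WithAuthorization` is now the only thing that keeps a request bound for a member cluster from skipping host-side RBAC — the deleted proxy authorizer (proxy.go hunk below) apparently answered DecisionAllow for any request carrying a cluster, ahead of the RBAC authorizer in the union, and the earlier hunk (-265,12) removed the dispatcher from its pre-authorization position — yet the new `if s.Config.MultiClusterOptions.Enable {` block carries no comment recording that ordering constraint. Add above it `// Dispatch to member clusters only after authorization so proxied requests are checked against host-side RBAC; keep this below WithAuthorization.` The union now ends with the RBAC authorizer alone, so cluster-scoped attributes that match no host-side binding will presumably get the union's default outcome instead of the previous unconditional allow — confirm that the bindings used for member-cluster access are evaluated on the host. The unchanged `pathAuthorizer, _ := path.NewAuthorizer(excludedPaths)` context line still discards the constructor error; the patterns are constants, but a malformed one would surface only at request time. buildHandlerChain starts before and ends after this hunk.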
diff --git a/pkg/apiserver/authorization/proxy/proxy.go b/pkg/apiserver/authorization/proxy/proxy.go
deleted file mode 100644
index aae1c17e2..000000000
--- a/pkg/apiserver/authorization/proxy/proxy.go
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
-Copyright 2020 The KubeSphere Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package proxy
-
-import (
- "kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
-)
-
-// NewAuthorizer returns an authorizer which accepts cluster proxy request.
-// If multi-cluster mode is enabled, request should authorize by target apiserver.
-func NewAuthorizer(multiClusterEnabled bool) authorizer.Authorizer {
- return authorizer.AuthorizerFunc(func(a authorizer.Attributes) (authorizer.Decision, string, error) {
- // in multi cluster mode, the request will be dispatch.
- if multiClusterEnabled && a.GetCluster() != "" {
- return authorizer.DecisionAllow, "", nil
- }
- return authorizer.DecisionNoOpinion, "", nil
- })
-}
diff --git a/pkg/apiserver/authorization/proxy/proxy_test.go b/pkg/apiserver/authorization/proxy/proxy_test.go
deleted file mode 100644
index 51f45e8f2..000000000
--- a/pkg/apiserver/authorization/proxy/proxy_test.go
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
-Copyright 2018 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package proxy
-
-import (
- "kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
- "testing"
-)
-
-func TestNewAuthorizer(t *testing.T) {
- tests := []struct {
- multiClusterEnabled bool
- request authorizer.AttributesRecord
- expectResult authorizer.Decision
- }{
- {
- multiClusterEnabled: false,
- request: authorizer.AttributesRecord{
- Workspace: "ws",
- Namespace: "ns",
- KubernetesRequest: false,
- ResourceRequest: false,
- },
- expectResult: authorizer.DecisionNoOpinion,
- },
- {
- multiClusterEnabled: false,
- request: authorizer.AttributesRecord{
- Cluster: "cluster1",
- Workspace: "ws",
- Namespace: "ns",
- KubernetesRequest: false,
- ResourceRequest: false,
- },
- expectResult: authorizer.DecisionNoOpinion,
- },
- {
- multiClusterEnabled: true,
- request: authorizer.AttributesRecord{
- Cluster: "cluster1",
- Workspace: "ws",
- Namespace: "ns",
- KubernetesRequest: false,
- ResourceRequest: false,
- },
- expectResult: authorizer.DecisionAllow,
- },
- {
- multiClusterEnabled: true,
- request: authorizer.AttributesRecord{
- Workspace: "ws",
- Namespace: "ns",
- KubernetesRequest: false,
- ResourceRequest: false,
- },
- expectResult: authorizer.DecisionNoOpinion,
- },
- }
- for i, test := range tests {
- a := NewAuthorizer(test.multiClusterEnabled)
- result, _, _ := a.Authorize(test.request)
- if result != test.expectResult {
- t.Errorf("case %d, got %#v, 
expected %#v", i, result, test.expectResult)
- }
- }
-}