admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Reorder request filters

Browse Source 
Signed-off-by: hongming <talonwan@yunify.com>
This commit is contained in:
hongming
2020-07-26 10:35:22 +08:00
parent 72e9f7da90
commit f8c0e9addc
4 changed files with 6 additions and 138 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
pkg/apiserver/apiserver.go
View File

@@ -41,7 +41,6 @@ import (
"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizerfactory" "kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizerfactory"
authorizationoptions "kubesphere.io/kubesphere/pkg/apiserver/authorization/options" authorizationoptions "kubesphere.io/kubesphere/pkg/apiserver/authorization/options"
"kubesphere.io/kubesphere/pkg/apiserver/authorization/path" "kubesphere.io/kubesphere/pkg/apiserver/authorization/path"
"kubesphere.io/kubesphere/pkg/apiserver/authorization/proxy"
unionauthorizer "kubesphere.io/kubesphere/pkg/apiserver/authorization/union" unionauthorizer "kubesphere.io/kubesphere/pkg/apiserver/authorization/union"
apiserverconfig "kubesphere.io/kubesphere/pkg/apiserver/config" apiserverconfig "kubesphere.io/kubesphere/pkg/apiserver/config"
"kubesphere.io/kubesphere/pkg/apiserver/dispatch" "kubesphere.io/kubesphere/pkg/apiserver/dispatch"
@@ -265,12 +264,6 @@ func (s *APIServer) buildHandlerChain(stopCh <-chan struct{}) {
s.Config.AuditingOptions.WebhookUrl, stopCh)) s.Config.AuditingOptions.WebhookUrl, stopCh))
} }
if s.Config.MultiClusterOptions.Enable {
clusterDispatcher := dispatch.NewClusterDispatch(s.InformerFactory.KubeSphereSharedInformerFactory().Cluster().V1alpha1().Clusters(),
s.InformerFactory.KubeSphereSharedInformerFactory().Cluster().V1alpha1().Clusters().Lister())
handler = filters.WithMultipleClusterDispatcher(handler, clusterDispatcher)
}
var authorizers authorizer.Authorizer var authorizers authorizer.Authorizer
switch s.Config.AuthorizationOptions.Mode { switch s.Config.AuthorizationOptions.Mode {
@@ -284,10 +277,15 @@ func (s *APIServer) buildHandlerChain(stopCh <-chan struct{}) {
excludedPaths := []string{"/oauth/*", "/kapis/config.kubesphere.io/*", "/kapis/version"} excludedPaths := []string{"/oauth/*", "/kapis/config.kubesphere.io/*", "/kapis/version"}
pathAuthorizer, _ := path.NewAuthorizer(excludedPaths) pathAuthorizer, _ := path.NewAuthorizer(excludedPaths)
amOperator := am.NewReadOnlyOperator(s.InformerFactory) amOperator := am.NewReadOnlyOperator(s.InformerFactory)
authorizers = unionauthorizer.New(pathAuthorizer, proxy.NewAuthorizer(s.Config.MultiClusterOptions.Enable), authorizerfactory.NewRBACAuthorizer(amOperator)) authorizers = unionauthorizer.New(pathAuthorizer, authorizerfactory.NewRBACAuthorizer(amOperator))
} }
handler = filters.WithAuthorization(handler, authorizers) handler = filters.WithAuthorization(handler, authorizers)
if s.Config.MultiClusterOptions.Enable {
clusterDispatcher := dispatch.NewClusterDispatch(s.InformerFactory.KubeSphereSharedInformerFactory().Cluster().V1alpha1().Clusters(),
s.InformerFactory.KubeSphereSharedInformerFactory().Cluster().V1alpha1().Clusters().Lister())
handler = filters.WithMultipleClusterDispatcher(handler, clusterDispatcher)
}
loginRecorder := im.NewLoginRecorder(s.KubernetesClient.KubeSphere()) loginRecorder := im.NewLoginRecorder(s.KubernetesClient.KubeSphere())
// authenticators are unordered // authenticators are unordered

17
pkg/apiserver/authorization/proxy/doc.go
View File

@@ -1,17 +0,0 @@
/*
Copyright 2020 The KubeSphere Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package proxy

33
pkg/apiserver/authorization/proxy/proxy.go
View File

@@ -1,33 +0,0 @@
/*
Copyright 2020 The KubeSphere Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package proxy
import (
"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
)
// NewAuthorizer returns an authorizer which accepts cluster proxy request.
// If multi-cluster mode is enabled, request should authorize by target apiserver.
func NewAuthorizer(multiClusterEnabled bool) authorizer.Authorizer {
return authorizer.AuthorizerFunc(func(a authorizer.Attributes) (authorizer.Decision, string, error) {
// in multi cluster mode, the request will be dispatch.
if multiClusterEnabled && a.GetCluster() != "" {
return authorizer.DecisionAllow, "", nil
}
return authorizer.DecisionNoOpinion, "", nil
})
}

80
pkg/apiserver/authorization/proxy/proxy_test.go
View File

@@ -1,80 +0,0 @@
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package proxy
import (
"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
"testing"
)
func TestNewAuthorizer(t *testing.T) {
tests := []struct {
multiClusterEnabled bool
request authorizer.AttributesRecord
expectResult authorizer.Decision
}{
{
multiClusterEnabled: false,
request: authorizer.AttributesRecord{
Workspace: "ws",
Namespace: "ns",
KubernetesRequest: false,
ResourceRequest: false,
},
expectResult: authorizer.DecisionNoOpinion,
},
{
multiClusterEnabled: false,
request: authorizer.AttributesRecord{
Cluster: "cluster1",
Workspace: "ws",
Namespace: "ns",
KubernetesRequest: false,
ResourceRequest: false,
},
expectResult: authorizer.DecisionNoOpinion,
},
{
multiClusterEnabled: true,
request: authorizer.AttributesRecord{
Cluster: "cluster1",
Workspace: "ws",
Namespace: "ns",
KubernetesRequest: false,
ResourceRequest: false,
},
expectResult: authorizer.DecisionAllow,
},
{
multiClusterEnabled: true,
request: authorizer.AttributesRecord{
Workspace: "ws",
Namespace: "ns",
KubernetesRequest: false,
ResourceRequest: false,
},
expectResult: authorizer.DecisionNoOpinion,
},
}
for i, test := range tests {
a := NewAuthorizer(test.multiClusterEnabled)
result, _, _ := a.Authorize(test.request)
if result != test.expectResult {
t.Errorf("case %d, got %#v, expected %#v", i, result, test.expectResult)
}
}
}