fix role patch API

Signed-off-by: hongming <talonwan@yunify.com>
hongming
2020-08-03 21:40:52 +08:00
parent 6acea75a76
commit fbfbb8b8d2


@@ -393,19 +393,16 @@ func (am *amOperator) CreateOrUpdateWorkspaceRole(workspace string, workspaceRol
} }
workspaceRole.Labels[tenantv1alpha1.WorkspaceLabel] = workspace workspaceRole.Labels[tenantv1alpha1.WorkspaceLabel] = workspace
workspaceRole.Rules = make([]rbacv1.PolicyRule, 0) workspaceRole.Rules = make([]rbacv1.PolicyRule, 0)
if aggregateRoles := am.getAggregateRoles(workspaceRole.ObjectMeta); aggregateRoles != nil {
var aggregateRoles []string
if err := json.Unmarshal([]byte(workspaceRole.Annotations[iamv1alpha2.AggregationRolesAnnotation]), &aggregateRoles); err == nil {
for _, roleName := range aggregateRoles { for _, roleName := range aggregateRoles {
role, err := am.GetWorkspaceRole("", roleName) aggregationRole, err := am.GetWorkspaceRole("", roleName)
if err != nil { if err != nil {
klog.Error(err) klog.Error(err)
return nil, err return nil, err
} }
workspaceRole.Rules = append(workspaceRole.Rules, role.Rules...) workspaceRole.Rules = append(workspaceRole.Rules, aggregationRole.Rules...)
} }
} }
var created *iamv1alpha2.WorkspaceRole var created *iamv1alpha2.WorkspaceRole
var err error var err error
if workspaceRole.ResourceVersion != "" { if workspaceRole.ResourceVersion != "" {
@@ -426,20 +423,16 @@ func (am *amOperator) PatchGlobalRole(globalRole *iamv1alpha2.GlobalRole) (*iamv
// rules cannot be override // rules cannot be override
globalRole.Rules = old.Rules globalRole.Rules = old.Rules
// aggregate roles if annotation has change // aggregate roles if annotation has change
if aggregateRolesAnnotation := globalRole.Annotations[iamv1alpha2.AggregationRolesAnnotation]; aggregateRolesAnnotation != "" { if aggregateRoles := am.getAggregateRoles(globalRole.ObjectMeta); aggregateRoles != nil {
globalRole.Rules = make([]rbacv1.PolicyRule, 0) globalRole.Rules = make([]rbacv1.PolicyRule, 0)
var aggregateRoles []string for _, roleName := range aggregateRoles {
if err := json.Unmarshal([]byte(aggregateRolesAnnotation), &aggregateRoles); err == nil { aggregationRole, err := am.GetGlobalRole(roleName)
for _, roleName := range aggregateRoles { if err != nil {
role, err := am.GetGlobalRole(roleName) klog.Error(err)
if err != nil { return nil, err
klog.Error(err)
return nil, err
}
globalRole.Rules = append(globalRole.Rules, role.Rules...)
} }
globalRole.Rules = append(globalRole.Rules, aggregationRole.Rules...)
} }
} }
@@ -451,6 +444,17 @@ func (am *amOperator) PatchGlobalRole(globalRole *iamv1alpha2.GlobalRole) (*iamv
return am.ksclient.IamV1alpha2().GlobalRoles().Patch(globalRole.Name, types.MergePatchType, data) return am.ksclient.IamV1alpha2().GlobalRoles().Patch(globalRole.Name, types.MergePatchType, data)
} }
func (am *amOperator) getAggregateRoles(obj metav1.ObjectMeta) []string {
if aggregateRolesAnnotation := obj.Annotations[iamv1alpha2.AggregationRolesAnnotation]; aggregateRolesAnnotation != "" {
var aggregateRoles []string
if err := json.Unmarshal([]byte(aggregateRolesAnnotation), &aggregateRoles); err != nil {
klog.Warningf("invalid aggregation role annotation found %+v", obj)
}
return aggregateRoles
}
return nil
}
func (am *amOperator) PatchWorkspaceRole(workspace string, workspaceRole *iamv1alpha2.WorkspaceRole) (*iamv1alpha2.WorkspaceRole, error) { func (am *amOperator) PatchWorkspaceRole(workspace string, workspaceRole *iamv1alpha2.WorkspaceRole) (*iamv1alpha2.WorkspaceRole, error) {
old, err := am.GetWorkspaceRole(workspace, workspaceRole.Name) old, err := am.GetWorkspaceRole(workspace, workspaceRole.Name)
if err != nil { if err != nil {
@@ -465,20 +469,16 @@ func (am *amOperator) PatchWorkspaceRole(workspace string, workspaceRole *iamv1a
// rules cannot be override // rules cannot be override
workspaceRole.Rules = old.Rules workspaceRole.Rules = old.Rules
// aggregate roles if annotation has change // aggregate roles if annotation has change
if aggregateRolesAnnotation := workspaceRole.Annotations[iamv1alpha2.AggregationRolesAnnotation]; aggregateRolesAnnotation != "" { if aggregateRoles := am.getAggregateRoles(workspaceRole.ObjectMeta); aggregateRoles != nil {
workspaceRole.Rules = make([]rbacv1.PolicyRule, 0) workspaceRole.Rules = make([]rbacv1.PolicyRule, 0)
var aggregateRoles []string for _, roleName := range aggregateRoles {
if err := json.Unmarshal([]byte(aggregateRolesAnnotation), &aggregateRoles); err == nil { aggregationRole, err := am.GetWorkspaceRole("", roleName)
for _, roleName := range aggregateRoles { if err != nil {
role, err := am.GetWorkspaceRole("", roleName) klog.Error(err)
if err != nil { return nil, err
klog.Error(err)
return nil, err
}
workspaceRole.Rules = append(workspaceRole.Rules, role.Rules...)
} }
workspaceRole.Rules = append(workspaceRole.Rules, aggregationRole.Rules...)
} }
} }
@@ -499,20 +499,16 @@ func (am *amOperator) PatchNamespaceRole(namespace string, role *rbacv1.Role) (*
// rules cannot be override // rules cannot be override
role.Rules = old.Rules role.Rules = old.Rules
// aggregate roles if annotation has change // aggregate roles if annotation has change
if aggregateRolesAnnotation := role.Annotations[iamv1alpha2.AggregationRolesAnnotation]; aggregateRolesAnnotation != "" { if aggregateRoles := am.getAggregateRoles(role.ObjectMeta); aggregateRoles != nil {
role.Rules = make([]rbacv1.PolicyRule, 0) role.Rules = make([]rbacv1.PolicyRule, 0)
var aggregateRoles []string for _, roleName := range aggregateRoles {
if err := json.Unmarshal([]byte(aggregateRolesAnnotation), &aggregateRoles); err == nil { aggregationRole, err := am.GetNamespaceRole(namespace, roleName)
for _, roleName := range aggregateRoles { if err != nil {
role, err := am.GetNamespaceRole(namespace, roleName) klog.Error(err)
if err != nil { return nil, err
klog.Error(err)
return nil, err
}
role.Rules = append(role.Rules, role.Rules...)
} }
role.Rules = append(role.Rules, aggregationRole.Rules...)
} }
} }
@@ -533,20 +529,16 @@ func (am *amOperator) PatchClusterRole(clusterRole *rbacv1.ClusterRole) (*rbacv1
// rules cannot be override // rules cannot be override
clusterRole.Rules = old.Rules clusterRole.Rules = old.Rules
// aggregate roles if annotation has change // aggregate roles if annotation has change
if aggregateRolesAnnotation := clusterRole.Annotations[iamv1alpha2.AggregationRolesAnnotation]; aggregateRolesAnnotation != "" { if aggregateRoles := am.getAggregateRoles(clusterRole.ObjectMeta); aggregateRoles != nil {
clusterRole.Rules = make([]rbacv1.PolicyRule, 0) clusterRole.Rules = make([]rbacv1.PolicyRule, 0)
var aggregateRoles []string for _, roleName := range aggregateRoles {
if err := json.Unmarshal([]byte(aggregateRolesAnnotation), &aggregateRoles); err == nil { aggregationRole, err := am.GetClusterRole(roleName)
for _, roleName := range aggregateRoles { if err != nil {
role, err := am.GetClusterRole(roleName) klog.Error(err)
if err != nil { return nil, err
klog.Error(err)
return nil, err
}
role.Rules = append(role.Rules, role.Rules...)
} }
clusterRole.Rules = append(clusterRole.Rules, aggregationRole.Rules...)
} }
} }
@@ -787,19 +779,16 @@ func (am *amOperator) RemoveUserFromCluster(username string) error {
func (am *amOperator) CreateOrUpdateGlobalRole(globalRole *iamv1alpha2.GlobalRole) (*iamv1alpha2.GlobalRole, error) { func (am *amOperator) CreateOrUpdateGlobalRole(globalRole *iamv1alpha2.GlobalRole) (*iamv1alpha2.GlobalRole, error) {
globalRole.Rules = make([]rbacv1.PolicyRule, 0) globalRole.Rules = make([]rbacv1.PolicyRule, 0)
if aggregateRoles := am.getAggregateRoles(globalRole.ObjectMeta); aggregateRoles != nil {
var aggregateRoles []string
if err := json.Unmarshal([]byte(globalRole.Annotations[iamv1alpha2.AggregationRolesAnnotation]), &aggregateRoles); err == nil {
for _, roleName := range aggregateRoles { for _, roleName := range aggregateRoles {
role, err := am.GetGlobalRole(roleName) aggregationRole, err := am.GetGlobalRole(roleName)
if err != nil { if err != nil {
klog.Error(err) klog.Error(err)
return nil, err return nil, err
} }
globalRole.Rules = append(globalRole.Rules, role.Rules...) globalRole.Rules = append(globalRole.Rules, aggregationRole.Rules...)
} }
} }
var created *iamv1alpha2.GlobalRole var created *iamv1alpha2.GlobalRole
var err error var err error
if globalRole.ResourceVersion != "" { if globalRole.ResourceVersion != "" {
@@ -807,21 +796,19 @@ func (am *amOperator) CreateOrUpdateGlobalRole(globalRole *iamv1alpha2.GlobalRol
} else { } else {
created, err = am.ksclient.IamV1alpha2().GlobalRoles().Create(globalRole) created, err = am.ksclient.IamV1alpha2().GlobalRoles().Create(globalRole)
} }
return created, err return created, err
} }
func (am *amOperator) CreateOrUpdateClusterRole(clusterRole *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) { func (am *amOperator) CreateOrUpdateClusterRole(clusterRole *rbacv1.ClusterRole) (*rbacv1.ClusterRole, error) {
clusterRole.Rules = make([]rbacv1.PolicyRule, 0) clusterRole.Rules = make([]rbacv1.PolicyRule, 0)
var aggregateRoles []string if aggregateRoles := am.getAggregateRoles(clusterRole.ObjectMeta); aggregateRoles != nil {
if err := json.Unmarshal([]byte(clusterRole.Annotations[iamv1alpha2.AggregationRolesAnnotation]), &aggregateRoles); err == nil {
for _, roleName := range aggregateRoles { for _, roleName := range aggregateRoles {
role, err := am.GetClusterRole(roleName) aggregationRole, err := am.GetClusterRole(roleName)
if err != nil { if err != nil {
klog.Error(err) klog.Error(err)
return nil, err return nil, err
} }
clusterRole.Rules = append(clusterRole.Rules, role.Rules...) clusterRole.Rules = append(clusterRole.Rules, aggregationRole.Rules...)
} }
} }
var created *rbacv1.ClusterRole var created *rbacv1.ClusterRole
@@ -837,8 +824,7 @@ func (am *amOperator) CreateOrUpdateClusterRole(clusterRole *rbacv1.ClusterRole)
func (am *amOperator) CreateOrUpdateNamespaceRole(namespace string, role *rbacv1.Role) (*rbacv1.Role, error) { func (am *amOperator) CreateOrUpdateNamespaceRole(namespace string, role *rbacv1.Role) (*rbacv1.Role, error) {
role.Rules = make([]rbacv1.PolicyRule, 0) role.Rules = make([]rbacv1.PolicyRule, 0)
role.Namespace = namespace role.Namespace = namespace
var aggregateRoles []string if aggregateRoles := am.getAggregateRoles(role.ObjectMeta); aggregateRoles != nil {
if err := json.Unmarshal([]byte(role.Annotations[iamv1alpha2.AggregationRolesAnnotation]), &aggregateRoles); err == nil {
for _, roleName := range aggregateRoles { for _, roleName := range aggregateRoles {
aggregationRole, err := am.GetNamespaceRole(namespace, roleName) aggregationRole, err := am.GetNamespaceRole(namespace, roleName)
if err != nil { if err != nil {
@@ -848,7 +834,6 @@ func (am *amOperator) CreateOrUpdateNamespaceRole(namespace string, role *rbacv1
role.Rules = append(role.Rules, aggregationRole.Rules...) role.Rules = append(role.Rules, aggregationRole.Rules...)
} }
} }
var created *rbacv1.Role var created *rbacv1.Role
var err error var err error
if role.ResourceVersion != "" { if role.ResourceVersion != "" {
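Review bot: In `getAggregateRoles` (hunk at 444) a malformed `AggregationRolesAnnotation` only produces a warning and the slice is returned anyway, so a syntax error yields nil and the Patch* callers silently keep the old rules, while a type error (e.g. non-string elements) yields a non-nil slice containing empty names that are then looked up; in both cases the merge patch on the following line still persists the bad annotation, leaving the stored rules and the stored annotation out of step on an IAM object. Rejecting the request is the safer shape: have the helper return `([]string, error)` and let each caller fail with `return nil, err`, which also matches how the callers already treat a missing aggregated role. The warning's `%+v` of the whole ObjectMeta additionally copies every annotation and managed-fields entry into the log; the object key plus the raw annotation value says enough. Whether the requester is allowed to aggregate the named roles is presumably enforced upstream of this operator — worth confirming, since the rules are recomputed from whatever names the request carries. The functions in the other hunks begin or end outside their hunks.
```go
func (am *amOperator) getAggregateRoles(obj metav1.ObjectMeta) ([]string, error) {
	aggregateRolesAnnotation := obj.Annotations[iamv1alpha2.AggregationRolesAnnotation]
	if aggregateRolesAnnotation == "" {
		return nil, nil
	}
	var aggregateRoles []string
	if err := json.Unmarshal([]byte(aggregateRolesAnnotation), &aggregateRoles); err != nil {
		klog.Warningf("invalid aggregation role annotation %q on %s/%s: %v", aggregateRolesAnnotation, obj.Namespace, obj.Name, err)
		return nil, err
	}
	return aggregateRoles, nil
}
```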