Enable authorization.k8s.io API and update integration tests #13128

Merged
merged 2 commits into from
Mar 2, 2017
Merged
424 changes: 424 additions & 0 deletions api/swagger-spec/openshift-openapi-spec.json


2 changes: 2 additions & 0 deletions pkg/authorization/authorizer/scope/converter.go
Expand Up @@ -7,6 +7,7 @@ import (
kapi "k8s.io/kubernetes/pkg/api"
kapierrors "k8s.io/kubernetes/pkg/api/errors"
"k8s.io/kubernetes/pkg/api/unversioned"
kauthorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
"k8s.io/kubernetes/pkg/conversion"
kutilerrors "k8s.io/kubernetes/pkg/util/errors"
"k8s.io/kubernetes/pkg/util/sets"
Expand Down Expand Up @@ -174,6 +175,7 @@ func (userEvaluator) ResolveRules(scope, namespace string, clusterPolicyGetter c
case UserAccessCheck:
return []authorizationapi.PolicyRule{
{Verbs: sets.NewString("create"), APIGroups: []string{authorizationapi.GroupName}, Resources: sets.NewString("subjectaccessreviews", "localsubjectaccessreviews"), AttributeRestrictions: &authorizationapi.IsPersonalSubjectAccessReview{}},
authorizationapi.NewRule("create").Groups(kauthorizationapi.GroupName).Resources("selfsubjectaccessreviews").RuleOrDie(),
authorizationapi.NewRule("create").Groups(authorizationapi.GroupName).Resources("selfsubjectrulesreviews").RuleOrDie(),
}, nil
case UserListScopedProjects:
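Review bot: The new kube-group rule at the `selfsubjectaccessreviews` line carries no `AttributeRestrictions`, while the OpenShift `subjectaccessreviews`/`localsubjectaccessreviews` rule directly above it is limited by `IsPersonalSubjectAccessReview`, and nothing in the hunk records why the asymmetry is safe. It is safe only because a SelfSubjectAccessReview can by construction ask about the caller alone, so the reason deserves a comment before someone later "aligns" the two by adding kube `subjectaccessreviews` to this scope. Suggest above the new line: `// kube SelfSubjectAccessReview is self-scoped by type, so no IsPersonalSubjectAccessReview restriction is needed; do not extend this scope to kube subjectaccessreviews/localsubjectaccessreviews`. ResolveRules starts and ends outside the hunk.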
4 changes: 2 additions & 2 deletions pkg/authorization/authorizer/scope/converter_test.go
Expand Up @@ -45,12 +45,12 @@ func TestUserEvaluator(t *testing.T) {
{
name: "access",
scopes: []string{UserAccessCheck},
numRules: 3,
numRules: 4,
},
{
name: "both",
scopes: []string{UserInfo, UserAccessCheck},
numRules: 4,
numRules: 5,
},
{
name: "list--scoped-projects",
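Review bot: The bumped `numRules` values at the two changed lines only assert how many rules the `access` scope resolves to, so a rule added under the wrong API group (for example `authorizationapi.GroupName` instead of `kauthorizationapi.GroupName`) would still pass. Consider extending the `access` case to also assert that a rule with group `authorization.k8s.io` and resource `selfsubjectaccessreviews` is present, since that group/resource pairing is the behavior the commit introduces. TestUserEvaluator starts and ends outside the hunk.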
2 changes: 2 additions & 0 deletions pkg/cmd/server/api/types.go
Expand Up @@ -47,6 +47,7 @@ var (
APIGroupExtensions = "extensions"
APIGroupApps = "apps"
APIGroupAuthentication = "authentication.k8s.io"
APIGroupAuthorization = "authorization.k8s.io"
APIGroupAutoscaling = "autoscaling"
APIGroupBatch = "batch"
APIGroupCertificates = "certificates.k8s.io"
Expand All @@ -60,6 +61,7 @@ var (
APIGroupExtensions: {"v1beta1"},
APIGroupApps: {"v1beta1"},
APIGroupAuthentication: {"v1beta1"},
APIGroupAuthorization: {"v1beta1"},
APIGroupAutoscaling: {"v1"},
APIGroupBatch: {"v1", "v2alpha1"},
APIGroupCertificates: {"v1alpha1"},
14 changes: 12 additions & 2 deletions pkg/cmd/server/bootstrappolicy/policy.go
Expand Up @@ -5,6 +5,8 @@ import (

kapi "k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/apps"
kauthenticationapi "k8s.io/kubernetes/pkg/apis/authentication"
kauthorizationapi "k8s.io/kubernetes/pkg/apis/authorization"
"k8s.io/kubernetes/pkg/apis/autoscaling"
"k8s.io/kubernetes/pkg/apis/batch"
"k8s.io/kubernetes/pkg/apis/certificates"
Expand Down Expand Up @@ -50,6 +52,8 @@ var (
securityGroup = securityapi.GroupName
storageGroup = storage.GroupName
authzGroup = authorizationapi.GroupName
kAuthzGroup = kauthorizationapi.GroupName
kAuthnGroup = kauthenticationapi.GroupName
buildGroup = buildapi.GroupName
deployGroup = deployapi.GroupName
imageGroup = imageapi.GroupName
Expand Down Expand Up @@ -185,7 +189,8 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
// permissions to check access. These creates are non-mutating
authorizationapi.NewRule("create").Groups(authzGroup).Resources("localresourceaccessreviews", "localsubjectaccessreviews", "resourceaccessreviews",
"selfsubjectrulesreviews", "subjectrulesreviews", "subjectaccessreviews").RuleOrDie(),
authorizationapi.NewRule("create").Groups("authentication.k8s.io").Resources("tokenreviews").RuleOrDie(),
authorizationapi.NewRule("create").Groups(kAuthzGroup).Resources("selfsubjectaccessreviews", "subjectaccessreviews", "localsubjectaccessreviews").RuleOrDie(),
authorizationapi.NewRule("create").Groups(kAuthnGroup).Resources("tokenreviews").RuleOrDie(),
// permissions to check PSP, these creates are non-mutating
authorizationapi.NewRule("create").Groups(securityGroup).Resources("podsecuritypolicysubjectreviews", "podsecuritypolicyselfsubjectreviews", "podsecuritypolicyreviews").RuleOrDie(),
// Allow read access to node metrics
Expand Down Expand Up @@ -299,6 +304,7 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {

authorizationapi.NewRule(readWrite...).Groups(authzGroup).Resources("roles", "rolebindings").RuleOrDie(),
authorizationapi.NewRule("create").Groups(authzGroup).Resources("localresourceaccessreviews", "localsubjectaccessreviews", "subjectrulesreviews").RuleOrDie(),
authorizationapi.NewRule("create").Groups(kAuthzGroup).Resources("localsubjectaccessreviews").RuleOrDie(),
authorizationapi.NewRule("create").Groups(securityGroup).Resources("podsecuritypolicysubjectreviews", "podsecuritypolicyselfsubjectreviews", "podsecuritypolicyreviews").RuleOrDie(),

authorizationapi.NewRule(read...).Groups(authzGroup).Resources("policies", "policybindings", "rolebindingrestrictions").RuleOrDie(),
Expand Down Expand Up @@ -458,6 +464,7 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
authorizationapi.NewRule("list", "watch").Groups(projectGroup).Resources("projects").RuleOrDie(),
authorizationapi.NewRule("create").Groups(authzGroup).Resources("selfsubjectrulesreviews").RuleOrDie(),
{Verbs: sets.NewString("create"), APIGroups: []string{authzGroup}, Resources: sets.NewString("subjectaccessreviews", "localsubjectaccessreviews"), AttributeRestrictions: &authorizationapi.IsPersonalSubjectAccessReview{}},
authorizationapi.NewRule("create").Groups(kAuthzGroup).Resources("selfsubjectaccessreviews").RuleOrDie(),
},
},
{
Expand All @@ -470,6 +477,7 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
Rules: []authorizationapi.PolicyRule{
authorizationapi.NewRule("create").Groups(authzGroup).Resources("selfsubjectrulesreviews").RuleOrDie(),
{Verbs: sets.NewString("create"), APIGroups: []string{authzGroup}, Resources: sets.NewString("subjectaccessreviews", "localsubjectaccessreviews"), AttributeRestrictions: &authorizationapi.IsPersonalSubjectAccessReview{}},
authorizationapi.NewRule("create").Groups(kAuthzGroup).Resources("selfsubjectaccessreviews").RuleOrDie(),
},
},
{
Expand Down Expand Up @@ -715,8 +723,9 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
},
Rules: []authorizationapi.PolicyRule{
// Needed to check API access. These creates are non-mutating
authorizationapi.NewRule("create").Groups("authentication.k8s.io").Resources("tokenreviews").RuleOrDie(),
authorizationapi.NewRule("create").Groups(kAuthnGroup).Resources("tokenreviews").RuleOrDie(),
authorizationapi.NewRule("create").Groups(authzGroup).Resources("subjectaccessreviews", "localsubjectaccessreviews").RuleOrDie(),
authorizationapi.NewRule("create").Groups(kAuthzGroup).Resources("subjectaccessreviews", "localsubjectaccessreviews").RuleOrDie(),
// Needed to build serviceLister, to populate env vars for services
authorizationapi.NewRule(read...).Groups(kapiGroup).Resources("services").RuleOrDie(),
// Nodes can register themselves
Expand Down Expand Up @@ -821,6 +830,7 @@ func GetBootstrapClusterRoles() []authorizationapi.ClusterRole {
authorizationapi.NewRule("get", "update").Groups(imageGroup).Resources("imagestreams/layers").RuleOrDie(),
authorizationapi.NewRule(readWrite...).Groups(authzGroup).Resources("rolebindings", "roles").RuleOrDie(),
authorizationapi.NewRule("create").Groups(authzGroup).Resources("localresourceaccessreviews", "localsubjectaccessreviews", "subjectrulesreviews").RuleOrDie(),
authorizationapi.NewRule("create").Groups(kAuthzGroup).Resources("localsubjectaccessreviews").RuleOrDie(),
authorizationapi.NewRule(read...).Groups(authzGroup).Resources("policies", "policybindings").RuleOrDie(),

authorizationapi.NewRule("get").Groups(kapiGroup).Resources("namespaces").RuleOrDie(),
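Review bot: In the two roles touched by the `@@ -458,6 +464,7` and `@@ -470,6 +477,7` hunks, the OpenShift SAR rule is restricted with `IsPersonalSubjectAccessReview` while the new kube-group line grants only `selfsubjectaccessreviews` with no restriction, and nothing states that these are the same policy expressed two ways. Suggest a comment above each new line: `// kube SelfSubjectAccessReview is self-scoped by its type; kube subjectaccessreviews/localsubjectaccessreviews are deliberately not granted here because the kube group has no IsPersonalSubjectAccessReview equivalent`. Without it, a later edit could extend these roles to kube `subjectaccessreviews`, which would let any holder of the role query other users' permissions. The same reasoning applies to the `@@ -299,6 +304,7` and `@@ -821,6 +830,7` hunks, where only the namespace-scoped `localsubjectaccessreviews` is added for the kube group. GetBootstrapClusterRoles starts and ends outside every hunk.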
15 changes: 12 additions & 3 deletions pkg/cmd/server/kubernetes/master_config.go
Expand Up @@ -27,10 +27,10 @@ import (
"k8s.io/kubernetes/pkg/apis/extensions"
apiserveropenapi "k8s.io/kubernetes/pkg/apiserver/openapi"
"k8s.io/kubernetes/pkg/auth/authenticator"
"k8s.io/kubernetes/pkg/auth/authorizer"
kclientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
"k8s.io/kubernetes/pkg/cloudprovider"
"k8s.io/kubernetes/pkg/genericapiserver"
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
kgenericfilters "k8s.io/kubernetes/pkg/genericapiserver/filters"
openapicommon "k8s.io/kubernetes/pkg/genericapiserver/openapi/common"
"k8s.io/kubernetes/pkg/master"
Expand Down Expand Up @@ -196,7 +196,16 @@ func BuildDefaultAPIServer(options configapi.MasterConfig) (*apiserveroptions.Se
return server, storageFactory, nil
}

func BuildKubernetesMasterConfig(options configapi.MasterConfig, requestContextMapper kapi.RequestContextMapper, kubeClient kclientset.Interface, informers shared.InformerFactory, admissionControl admission.Interface, originAuthenticator authenticator.Request) (*MasterConfig, error) {
// TODO this function's parameters need to be refactored
func BuildKubernetesMasterConfig(
options configapi.MasterConfig,
requestContextMapper kapi.RequestContextMapper,
kubeClient kclientset.Interface,
informers shared.InformerFactory,
admissionControl admission.Interface,
originAuthenticator authenticator.Request,
kubeAuthorizer authorizer.Authorizer,
) (*MasterConfig, error) {
if options.KubernetesMasterConfig == nil {
return nil, errors.New("insufficient information to build KubernetesMasterConfig")
}
Expand Down Expand Up @@ -283,7 +292,7 @@ func BuildKubernetesMasterConfig(options configapi.MasterConfig, requestContextM

genericConfig.PublicAddress = publicAddress
genericConfig.Authenticator = originAuthenticator // this is used to fulfill the tokenreviews endpoint which is used by node authentication
genericConfig.Authorizer = authorizer.NewAlwaysAllowAuthorizer()
genericConfig.Authorizer = kubeAuthorizer // this is used to fulfill the kube SAR endpoints
genericConfig.AdmissionControl = admissionControl
genericConfig.RequestContextMapper = requestContextMapper
genericConfig.APIResourceConfigSource = getAPIResourceConfig(options)
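Review bot: `kubeAuthorizer` is assigned straight into `genericConfig.Authorizer` at the `// this is used to fulfill the kube SAR endpoints` line without a nil check, and the function's only guard is the one on `options.KubernetesMasterConfig`. Since this replaces `NewAlwaysAllowAuthorizer()`, a nil value would leave authorization of the kube SAR endpoints to whatever the generic server does with a nil Authorizer; failing closed at the top of the function matches the existing guard's style: `if kubeAuthorizer == nil { return nil, errors.New("kubeAuthorizer is required to build KubernetesMasterConfig") }`. The `// TODO this function's parameters need to be refactored` line would also be more useful if it named which parameters are meant to collapse or pointed at a tracking issue. BuildKubernetesMasterConfig continues outside both hunks.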
16 changes: 14 additions & 2 deletions pkg/cmd/server/start/start_master.go
Expand Up @@ -30,6 +30,7 @@ import (
kubelettypes "k8s.io/kubernetes/pkg/kubelet/types"
utilwait "k8s.io/kubernetes/pkg/util/wait"

"github.com/openshift/origin/pkg/authorization/authorizer/adapter"
"github.com/openshift/origin/pkg/cmd/server/admin"
configapi "github.com/openshift/origin/pkg/cmd/server/api"
configapilatest "github.com/openshift/origin/pkg/cmd/server/api/latest"
Expand Down Expand Up @@ -357,8 +358,19 @@ func BuildKubernetesMasterConfig(openshiftConfig *origin.MasterConfig) (*kuberne
if openshiftConfig.Options.KubernetesMasterConfig == nil {
return nil, nil
}
kubeConfig, err := kubernetes.BuildKubernetesMasterConfig(openshiftConfig.Options, openshiftConfig.RequestContextMapper, openshiftConfig.KubeClientset(), openshiftConfig.Informers, openshiftConfig.KubeAdmissionControl, openshiftConfig.Authenticator)
return kubeConfig, err
kubeAuthorizer, err := adapter.NewAuthorizer(openshiftConfig.Authorizer)
Find the issue to collapse these. @soltysh did you have a pull that did that?

I don't recall anything like that. I think sttts has/had a todo for that.

@sttts any comments?

if err != nil {
return nil, err
}
return kubernetes.BuildKubernetesMasterConfig(
openshiftConfig.Options,
openshiftConfig.RequestContextMapper,
openshiftConfig.KubeClientset(),
openshiftConfig.Informers,
openshiftConfig.KubeAdmissionControl,
openshiftConfig.Authenticator,
kubeAuthorizer,
)
}

// Master encapsulates starting the components of the master
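Review bot: The error from `adapter.NewAuthorizer` at the `kubeAuthorizer, err :=` line is returned bare, so a startup failure here surfaces as an unqualified adapter error with no indication that it came from building the kube authorizer out of the origin one. If `fmt` is imported in this file, `return nil, fmt.Errorf("building kube authorizer from origin authorizer: %v", err)` would make the failure point clear in the master's startup log. The body of this BuildKubernetesMasterConfig wrapper is fully inside the hunk; its signature is in the hunk header.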
4 changes: 2 additions & 2 deletions test/cmd/authentication.sh
Expand Up @@ -73,8 +73,8 @@ accesstoken="$(oc process -f "${OS_ROOT}/test/testdata/authentication/scoped-tok
os::cmd::expect_success_and_text "curl -k -XPOST -H 'Content-Type: application/json' -H 'Authorization: Bearer ${accesstoken}' '${API_SCHEME}://${API_HOST}:${API_PORT}/oapi/v1/namespaces/${project}/localsubjectaccessreviews' -d @${OS_ROOT}/test/testdata/authentication/localsubjectaccessreview.json" '"kind": "SubjectAccessReviewResponse"'
os::cmd::expect_success_and_text "oc policy can-i create pods --token='${accesstoken}' -n '${project}' --ignore-scopes" 'yes'
os::cmd::expect_success_and_text "oc policy can-i create pods --token='${accesstoken}' -n '${project}'" 'no'
os::cmd::expect_success_and_text "oc policy can-i create subjectaccessreviews --token='${accesstoken}' -n '${project}'" 'no'
os::cmd::expect_success_and_text "oc policy can-i create subjectaccessreviews --token='${accesstoken}' -n '${project}' --ignore-scopes" 'yes'
os::cmd::expect_success_and_text "oc policy can-i create subjectaccessreviews.v1. --token='${accesstoken}' -n '${project}'" 'no'
os::cmd::expect_success_and_text "oc policy can-i create subjectaccessreviews.v1. --token='${accesstoken}' -n '${project}' --ignore-scopes" 'yes'
os::cmd::expect_success_and_text "oc policy can-i create pods --token='${accesstoken}' -n '${project}' --scopes='role:admin:*'" 'yes'
os::cmd::expect_success_and_text "oc policy can-i --list --token='${accesstoken}' -n '${project}' --scopes='role:admin:*'" 'get.*pods'
os::cmd::expect_success_and_not_text "oc policy can-i --list --token='${accesstoken}' -n '${project}'" 'get.*pods'
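Review bot: The two changed `can-i` lines now pin the legacy group with the `subjectaccessreviews.v1.` form (trailing dot, empty group), but the script still has no check against the newly enabled `authorization.k8s.io` group, which is the surface this PR opens. Based on the scope converter change, a scoped token whose scope includes the access-check scope should be refused `subjectaccessreviews` in that group while being allowed `selfsubjectaccessreviews`; next to the changed lines add `os::cmd::expect_success_and_text "oc policy can-i create subjectaccessreviews.v1.authorization.k8s.io --token='${accesstoken}' -n '${project}'" 'no'` and the matching `selfsubjectaccessreviews.v1.authorization.k8s.io` check expecting `yes`, assuming `can-i` accepts the resource.version.group form the changed lines already rely on. A one-line comment above them saying why the `.v1.` suffix is now required (two groups serve a `subjectaccessreviews` resource) would also help readers of the script.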