Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
259f706c
Unverified
Commit
259f706c
authored
Mar 29, 2019
by
Kubernetes Prow Robot
Committed by
GitHub
Mar 29, 2019
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #75834 from jlucktay/golint_pkg/auth/authorizer/abac
Golint pkg/auth/authorizer/abac
parents
16a03518
dbb69650
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
14 additions
and
11 deletions
+14
-11
.golint_failures
hack/.golint_failures
+0
-1
abac.go
pkg/auth/authorizer/abac/abac.go
+13
-9
abac_test.go
pkg/auth/authorizer/abac/abac_test.go
+1
-1
No files found.
hack/.golint_failures
View file @
259f706c
...
@@ -61,7 +61,6 @@ pkg/apis/storage/v1
...
@@ -61,7 +61,6 @@ pkg/apis/storage/v1
pkg/apis/storage/v1/util
pkg/apis/storage/v1/util
pkg/apis/storage/v1beta1
pkg/apis/storage/v1beta1
pkg/apis/storage/v1beta1/util
pkg/apis/storage/v1beta1/util
pkg/auth/authorizer/abac
pkg/capabilities
pkg/capabilities
pkg/cloudprovider/providers/fake
pkg/cloudprovider/providers/fake
pkg/cloudprovider/providers/photon
pkg/cloudprovider/providers/photon
...
...
pkg/auth/authorizer/abac/abac.go
View file @
259f706c
...
@@ -14,11 +14,9 @@ See the License for the specific language governing permissions and
...
@@ -14,11 +14,9 @@ See the License for the specific language governing permissions and
limitations under the License.
limitations under the License.
*/
*/
// Package abac authorizes Kubernetes API actions using an Attribute-based access control scheme.
package
abac
package
abac
// Policy authorizes Kubernetes API actions using an Attribute-based access
// control scheme.
import
(
import
(
"bufio"
"bufio"
"fmt"
"fmt"
...
@@ -31,6 +29,8 @@ import (
...
@@ -31,6 +29,8 @@ import (
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/kubernetes/pkg/apis/abac"
"k8s.io/kubernetes/pkg/apis/abac"
// Import latest API for init/side-effects
_
"k8s.io/kubernetes/pkg/apis/abac/latest"
_
"k8s.io/kubernetes/pkg/apis/abac/latest"
"k8s.io/kubernetes/pkg/apis/abac/v0"
"k8s.io/kubernetes/pkg/apis/abac/v0"
)
)
...
@@ -49,10 +49,13 @@ func (p policyLoadError) Error() string {
...
@@ -49,10 +49,13 @@ func (p policyLoadError) Error() string {
return
fmt
.
Sprintf
(
"error reading policy file %s: %v"
,
p
.
path
,
p
.
err
)
return
fmt
.
Sprintf
(
"error reading policy file %s: %v"
,
p
.
path
,
p
.
err
)
}
}
type
policyList
[]
*
abac
.
Policy
// PolicyList is simply a slice of Policy structs.
type
PolicyList
[]
*
abac
.
Policy
// NewFromFile attempts to create a policy list from the given file.
//
// TODO: Have policies be created via an API call and stored in REST storage.
// TODO: Have policies be created via an API call and stored in REST storage.
func
NewFromFile
(
path
string
)
(
p
olicyList
,
error
)
{
func
NewFromFile
(
path
string
)
(
P
olicyList
,
error
)
{
// File format is one map per line. This allows easy concatenation of files,
// File format is one map per line. This allows easy concatenation of files,
// comments in files, and identification of errors by line number.
// comments in files, and identification of errors by line number.
file
,
err
:=
os
.
Open
(
path
)
file
,
err
:=
os
.
Open
(
path
)
...
@@ -62,7 +65,7 @@ func NewFromFile(path string) (policyList, error) {
...
@@ -62,7 +65,7 @@ func NewFromFile(path string) (policyList, error) {
defer
file
.
Close
()
defer
file
.
Close
()
scanner
:=
bufio
.
NewScanner
(
file
)
scanner
:=
bufio
.
NewScanner
(
file
)
pl
:=
make
(
p
olicyList
,
0
)
pl
:=
make
(
P
olicyList
,
0
)
decoder
:=
abac
.
Codecs
.
UniversalDecoder
()
decoder
:=
abac
.
Codecs
.
UniversalDecoder
()
...
@@ -220,8 +223,8 @@ func resourceMatches(p abac.Policy, a authorizer.Attributes) bool {
...
@@ -220,8 +223,8 @@ func resourceMatches(p abac.Policy, a authorizer.Attributes) bool {
return
false
return
false
}
}
// Authorize
r
implements authorizer.Authorize
// Authorize implements authorizer.Authorize
func
(
pl
p
olicyList
)
Authorize
(
a
authorizer
.
Attributes
)
(
authorizer
.
Decision
,
string
,
error
)
{
func
(
pl
P
olicyList
)
Authorize
(
a
authorizer
.
Attributes
)
(
authorizer
.
Decision
,
string
,
error
)
{
for
_
,
p
:=
range
pl
{
for
_
,
p
:=
range
pl
{
if
matches
(
*
p
,
a
)
{
if
matches
(
*
p
,
a
)
{
return
authorizer
.
DecisionAllow
,
""
,
nil
return
authorizer
.
DecisionAllow
,
""
,
nil
...
@@ -233,7 +236,8 @@ func (pl policyList) Authorize(a authorizer.Attributes) (authorizer.Decision, st
...
@@ -233,7 +236,8 @@ func (pl policyList) Authorize(a authorizer.Attributes) (authorizer.Decision, st
// Then, add Caching only if needed.
// Then, add Caching only if needed.
}
}
func
(
pl
policyList
)
RulesFor
(
user
user
.
Info
,
namespace
string
)
([]
authorizer
.
ResourceRuleInfo
,
[]
authorizer
.
NonResourceRuleInfo
,
bool
,
error
)
{
// RulesFor returns rules for the given user and namespace.
func
(
pl
PolicyList
)
RulesFor
(
user
user
.
Info
,
namespace
string
)
([]
authorizer
.
ResourceRuleInfo
,
[]
authorizer
.
NonResourceRuleInfo
,
bool
,
error
)
{
var
(
var
(
resourceRules
[]
authorizer
.
ResourceRuleInfo
resourceRules
[]
authorizer
.
ResourceRuleInfo
nonResourceRules
[]
authorizer
.
NonResourceRuleInfo
nonResourceRules
[]
authorizer
.
NonResourceRuleInfo
...
...
pkg/auth/authorizer/abac/abac_test.go
View file @
259f706c
...
@@ -815,7 +815,7 @@ func TestSubjectMatches(t *testing.T) {
...
@@ -815,7 +815,7 @@ func TestSubjectMatches(t *testing.T) {
}
}
}
}
func
newWithContents
(
t
*
testing
.
T
,
contents
string
)
(
p
olicyList
,
error
)
{
func
newWithContents
(
t
*
testing
.
T
,
contents
string
)
(
P
olicyList
,
error
)
{
f
,
err
:=
ioutil
.
TempFile
(
""
,
"abac_test"
)
f
,
err
:=
ioutil
.
TempFile
(
""
,
"abac_test"
)
if
err
!=
nil
{
if
err
!=
nil
{
t
.
Fatalf
(
"unexpected error creating policyfile: %v"
,
err
)
t
.
Fatalf
(
"unexpected error creating policyfile: %v"
,
err
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment